When we talk about contracts in the era of digitalization, it is fair to ask how this particularly sensitive data is protected (especially when malware* is so often in the news). This is why we at Hyperlex wanted to talk to you about security. In this article, we share our tips to help you protect your online contract data from threats.

The cloud: your data in the cloud

What is the cloud?

Nowadays, many technologies are accessible via what is known as the "cloud", more precisely "cloud computing". It is typically delivered in models such as IaaS (Infrastructure as a Service) and SaaS (Software as a Service).

In concrete terms, the cloud is a way of providing computing, storage and network resources as an online service. Very widespread today, companies often use it, for example for their ERP, their CRM or their Legaltech.

Why is the cloud so popular?

This success is no accident. Indeed, the cloud has many advantages. To name a few:

  • The cloud does not require complex installation or infrastructure. Usually a browser and the creation of an account are all that is needed to access your software online. In other words, you don't need to be a computer scientist!
  • The cloud is accessible anywhere, anytime and on any device (mobile, tablet, computer). Deployment is easy for geographically dispersed teams: no need to set up servers or manage remote installations. From France to Brazil, everything is deployed in one click!
  • The cloud facilitates document sharing and collaborative work: no more endless and confusing email exchanges or screen sharing... You and your colleagues use the same working environment, the same tools, in real time and in a simple way.
  • Cloud-based software is often intuitive, relatively easy to learn, scalable and continuously improved: no need to update, manage obsolete versions or pay for upgrades. This is the advantage of "all inclusive": you are always on the most recent version and always up to date with your security updates.

The cloud: is there a risk?

Despite its many benefits, a natural question is likely to be on the minds of its users: "if I am connected, is my data at risk?" First of all, no more than on your computer, which is itself connected to the rest of the web via various tools such as your mailboxes, browser, etc. Don't forget that security also depends on you (updates, controls) and on the vigilance of your IT teams (update cycles, internal technical audits, etc.).

Secondly, the growing success of the cloud in recent years provides the first answer: it now has demanding standards and security measures. But which ones? Good question. And this is indeed where the solution lies for the user: before subscribing to online software, the best way to ensure that your data is protected is to ask the right questions. Let's see what they are.


Questions to ask your software partner to ensure the security of your contractual data

The infrastructure

The infrastructure is in a way the skeleton of your information systems: servers, network, software, data... it is the ecosystem that ensures the proper functioning of your digital tools and consequently of your daily work, if you are used to using a computer! Security starts here.

Ask your partner what measures are in place in their infrastructure. For example, is there an intrusion prevention system (IPS)? This system analyses network traffic, detects cyber attacks and helps block them.

As another example, are there any anti-flooding measures? These measures counter attacks that consist of sending a large volume of useless traffic in order to flood a network and make it unusable.

Or: is the architecture multi-tier? This is an IT architecture in which an application is executed by several separate components. In other words, an infrastructure based on several independent layers. We talk about segregation: imagine compartments separated by fire doors that prevent the spread of a fire... This way the most sensitive services (e.g. your database) are not directly exposed to the web, which reduces the risk of data leakage in the event of a security breach.

In the example below with three levels, there are:

  • the user interface in front of the user's workstation (front),
  • the server applications that contain the business rules and access the data stored in the database (back),
  • finally, the database itself.

The three levels are separated by firewalls (in French, "pare-feu"), designed to protect information on a network by filtering incoming traffic and controlling outgoing traffic according to rules defined by the administrator.


This is important because in the event of a ransomware attack on your company, this malware will not be able to propagate to your database at Hyperlex. Your contracts will therefore be protected from this type of attack.
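To make the "fire doors" concrete, here is an added example (not Hyperlex's code or configuration) that expresses the three-level policy above as administrator rules and checks a few constructed flow-log lines against them. The tier subnets, ports and log lines are all assumptions made up for the illustration; the point is the default-deny rule set: only the back tier may reach the database, so a workstation or front server reaching for the database is a flow the firewall must block.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed tier subnets for the three-level example (assumed addressing, not Hyperlex's).
TIERS = {
    "front": ipaddress.ip_network("10.0.1.0/24"),   # user-facing web servers
    "back": ipaddress.ip_network("10.0.2.0/24"),    # application servers holding the business rules
    "db": ipaddress.ip_network("10.0.3.0/24"),      # database servers
}

# Administrator-defined rules: (source tier, destination tier, destination port).
# Anything not listed is denied: that is what keeps the database off the web.
ALLOWED_FLOWS = {
    ("internet", "front", 443),   # users reach the interface over HTTPS
    ("front", "back", 8443),      # the interface talks to the application layer
    ("back", "db", 5432),         # only the application layer reaches the database
}


def tier_of(ip: str) -> str:
    """Map an address to its tier; anything outside the internal subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule permits it."""
    return (tier_of(src_ip), tier_of(dst_ip), dst_port) in ALLOWED_FLOWS


@dataclass
class Flow:
    src: str
    dst: str
    port: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow-log line of the form '<src> -> <dst>:<port>'."""
    try:
        src, rest = line.split("->")
        dst, port = rest.strip().rsplit(":", 1)
        return Flow(src.strip(), dst.strip(), int(port))
    except ValueError:
        return None


def find_violations(log_lines) -> List[Flow]:
    """Return the flows a correctly configured inter-tier firewall would have blocked."""
    violations = []
    for line in log_lines:
        flow = parse_flow(line)
        if flow and not is_allowed(flow.src, flow.dst, flow.port):
            violations.append(flow)
    return violations


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = [
    "203.0.113.7 -> 10.0.1.10:443",     # user browser to the front tier: expected
    "10.0.1.10 -> 10.0.2.20:8443",      # front to back: expected
    "10.0.2.20 -> 10.0.3.30:5432",      # back to database: expected
    "203.0.113.7 -> 10.0.3.30:5432",    # straight from the outside to the database: must be blocked
    "10.0.1.10 -> 10.0.3.30:5432",      # front tier skipping the back tier: must be blocked
    "10.0.2.20 -> 10.0.1.10:22",        # back tier reaching into the front tier: not in the policy
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"BLOCKED: {v.src} -> {v.dst}:{v.port}")
```

Run over the sample log, the last three lines are reported as blocked. Reviewing real firewall logs against the written policy in this way is a quick check that the segregation described above is actually enforced, not just drawn on a diagram.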

💡 DID YOU KNOW?

As an additional security measure, two-factor (or dual) authentication consists of combining a password known to the user with a connected object that he or she holds, such as a phone. With this measure, if the password is leaked, the user's account remains protected from intrusion!

The data

After the infrastructure, it is necessary to consider the protection of your data itself, but also of the "pipe" (channel or protocol) that carries it. This is where encryption comes in. Encryption is the process of converting data from a readable format to an encoded (or encrypted) format that can only be decoded after decryption using a key. Three questions then arise: what is really encrypted? when is the document encrypted? and where is the key stored to decrypt it?

Protocol protection

To understand this, we will give you our own example. At Hyperlex, all data transmissions are encrypted using the TLS 1.2 (Transport Layer Security) protocol, which complies with the highest security standards and allows for server and client side authentication, confidentiality and data integrity. This prevents a malicious person listening in on the Internet connections between your company and our servers from being able to see the data in circulation.

Data encryption

By encrypting the data itself, you increase its security. This way, even in the event of interception, your documents are protected from prying eyes. At Hyperlex, the document uploaded to the application is encrypted with a unique key from the client's browser and remains encrypted from end to end until it is next viewed by the client. At no time is data transmitted or stored unencrypted. In addition, each client creates document-specific encryption keys via a key management service hosted on a different infrastructure, or may have its own key management service.
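The three questions above (what is encrypted, when, and where the key lives) are easiest to see in code. The following is an added example, not Hyperlex's implementation: it models a per-document key generated on the client, the document encrypted before upload, and the document key "wrapped" by a master key that only a separate key management service holds, so what the server stores is ciphertext plus a wrapped key and nothing readable. To stay runnable with the standard library alone, the cipher is a constructed HMAC-SHA256 construction that illustrates the key-handling structure; it is not a production cipher (a real system would use AES-GCM or similar), and the class and function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# NOTE: the seal/open_sealed pair below is a constructed illustration built from
# HMAC-SHA256 so the example runs offline. It shows where keys live and what the
# server sees; real deployments use a vetted authenticated cipher such as AES-GCM.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManagementService:
    """Stands in for the KMS on a separate infrastructure: it holds each client's
    master key and only wraps/unwraps document keys; documents never pass through it."""

    def __init__(self):
        self._master_keys = {}

    def create_client_key(self, client_id: str) -> None:
        self._master_keys[client_id] = os.urandom(32)

    def wrap(self, client_id: str, doc_key: bytes) -> bytes:
        return seal(self._master_keys[client_id], doc_key)

    def unwrap(self, client_id: str, wrapped: bytes) -> bytes:
        return open_sealed(self._master_keys[client_id], wrapped)


def client_upload(kms: KeyManagementService, client_id: str, document: bytes) -> dict:
    """What happens in the client's browser: a fresh per-document key, encryption
    before upload, and only the wrapped key stored next to the ciphertext."""
    doc_key = os.urandom(32)
    return {
        "ciphertext": seal(doc_key, document),
        "wrapped_key": kms.wrap(client_id, doc_key),
    }


def client_view(kms: KeyManagementService, client_id: str, record: dict) -> bytes:
    """Next viewing: unwrap the document key via the KMS, then decrypt locally."""
    doc_key = kms.unwrap(client_id, record["wrapped_key"])
    return open_sealed(doc_key, record["ciphertext"])


def stored_record_leaks_plaintext(record: dict, document: bytes) -> bool:
    """What a breach of the storage server alone would expose: ciphertext and a
    wrapped key. Neither should contain the readable document."""
    return document in record["ciphertext"] or document in record["wrapped_key"]


def tamper_detected(kms: KeyManagementService, client_id: str, record: dict) -> bool:
    """Flip one stored byte and confirm that viewing refuses the altered document."""
    ct = bytearray(record["ciphertext"])
    ct[20] ^= 0x01
    altered = {"ciphertext": bytes(ct), "wrapped_key": record["wrapped_key"]}
    try:
        client_view(kms, client_id, altered)
        return False
    except ValueError:
        return True


def roundtrip_demo() -> dict:
    """Constructed walk-through: one client, one contract, upload then view."""
    kms = KeyManagementService()
    kms.create_client_key("acme")
    contract = b"CONSTRUCTED SAMPLE: supply agreement between A and B"
    record = client_upload(kms, "acme", contract)
    return {
        "viewed_ok": client_view(kms, "acme", record) == contract,
        "leaks": stored_record_leaks_plaintext(record, contract),
        "tamper_detected": tamper_detected(kms, "acme", record),
    }
```

The separation is the point: whoever holds the stored records cannot read them without the KMS, and whoever holds the KMS never sees a document. That is also why it matters to ask where the key is stored, not just whether "encryption" is used.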


The organisation

Another point to watch out for is the organisation of your software partner. And yes, beyond a technology, your partner is also a company with its own staff, its own service providers and its own tools. A good way to ensure that your data is in good hands is to find out about their organisation. In other words, what means are used to guarantee you this much sought-after security?

For example, you can find out about certifications and audits carried out, but also about operational practices within the company.

Technologies and malware are constantly evolving. The best way to ensure the security of your data is to regularly question the technical and organisational security of your information system. The same goes for a software publisher: regular penetration tests and feedback are essential. It is also a way of questioning your own organisation: when was the last time you had an intrusion test?

👉 Want to know more about security at Hyperlex? See our page dedicated to security.

Backups

You will sometimes hear the term "back-up" used. This means making regular backups (or security copies) of your data. Here, we are no longer talking about prevention. In fact, two precautions are better than one: in addition to the protection measures put in place, your legaltech must also think about recovery measures. This is an additional guarantee of trust that you can expect from your partner.

Backups therefore reinforce the security of your data by meeting a simple challenge: that of being able to recover it in the state it was in before it was corrupted or lost.

So ask your legaltech whether it implements backups and according to what cycle. This cycle, or frequency of backups, is also called the "RPO": Recovery Point Objective. This is the maximum amount of recorded data, measured in time, that it is acceptable to lose, for example during a breakdown. This notion is complemented by the "RTO": Recovery Time Objective. This is the maximum acceptable time during which an IT resource may be non-functional following a service interruption, or in other words, the time required to get back into service.


These concepts cover a wider area than the threats of intrusion, theft or hacking, as they are also useful in the event of a breakdown. This is known as "resilience": the ability of a computer system to keep operating through any incident.

On the user side: managing access rights

Exchanging with your software partner is good. Implementing your own best practices is better. So, to complete this overview of contract data security, here is a simple tip to apply within your contract management and analysis software.

Recall the principle of segregation we saw above with multi-tier infrastructures. Beyond the infrastructure, you can also compartmentalise your contract base within the interface itself by simply managing the access rights of the various users. Not everyone needs access to all the company's contracts.

In Hyperlex, you can grant access rights by team or by user, and levels of access rights (read, modify, etc.), both when generating the contract and when monitoring it in your contract database. Managing user rights in your software is an additional security measure that is entirely up to you. In addition, this functionality facilitates the processes specific to each business line in the company. You might as well take advantage of it!

Finally, do not forget the suspension and/or transferability of rights when a team member leaves the company or moves internally. There are two possibilities: either you have to think about modifying the user's access, application by application (which can be both restrictive and a source of error), or you can use an SSO (Single Sign-On), a method that allows you to centralise the user's rights and therefore make the modification only once for all the applications to which he or she was connected.
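Here is an added example (not Hyperlex's code) that models the two points above: access granted per team or per user with "read" and "modify" levels, and a central identity source, as SSO provides, so that deactivating or moving a user is done once and every contract sees the change. The teams, users and contracts are constructed demo data, and the names of the classes and functions are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

LEVELS = {"none": 0, "read": 1, "modify": 2}   # ordered: modify implies read


@dataclass
class Directory:
    """Central identity source (what SSO gives you): users, their teams,
    and whether their account is still active."""
    teams: Dict[str, Set[str]] = field(default_factory=dict)   # team -> members
    active: Set[str] = field(default_factory=set)

    def teams_of(self, user: str) -> Set[str]:
        return {t for t, members in self.teams.items() if user in members}

    def deactivate(self, user: str) -> None:
        """Offboarding: one change here, and every application sees it."""
        self.active.discard(user)

    def move(self, user: str, from_team: str, to_team: str) -> None:
        """Internal move: rights follow the team, no contract-by-contract edits."""
        self.teams.get(from_team, set()).discard(user)
        self.teams.setdefault(to_team, set()).add(user)


@dataclass
class Contract:
    title: str
    team_access: Dict[str, str] = field(default_factory=dict)   # team -> level
    user_access: Dict[str, str] = field(default_factory=dict)   # user -> level


def access_level(directory: Directory, contract: Contract, user: str) -> str:
    """Effective level: a deactivated user gets nothing; otherwise the highest
    grant among the user's own entry and any of their teams."""
    if user not in directory.active:
        return "none"
    grants = [contract.user_access.get(user, "none")]
    grants += [contract.team_access.get(t, "none") for t in directory.teams_of(user)]
    return max(grants, key=LEVELS.__getitem__)


def can(directory: Directory, contract: Contract, user: str, action: str) -> bool:
    """True if the user's effective level covers the requested action."""
    return LEVELS[access_level(directory, contract, user)] >= LEVELS[action]


def build_demo():
    """Constructed data: two teams, three users, two contracts."""
    directory = Directory(
        teams={"legal": {"alice", "bob"}, "sales": {"carol"}},
        active={"alice", "bob", "carol"},
    )
    contracts = {
        "supply": Contract("Supply agreement",
                           team_access={"legal": "modify", "sales": "read"}),
        "nda": Contract("NDA with partner",
                        team_access={"legal": "read"},
                        user_access={"alice": "modify"}),
    }
    return directory, contracts


if __name__ == "__main__":
    d, c = build_demo()
    print("bob can modify supply:", can(d, c["supply"], "bob", "modify"))
    d.deactivate("bob")
    print("bob can read supply after leaving:", can(d, c["supply"], "bob", "read"))
```

The contrast with the application-by-application approach is visible in `deactivate` and `move`: the contracts themselves are never touched, which is exactly what removes the "source of error" mentioned above.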

You are now informed of the measures to take to secure your contracts against threats. And if you still have any doubts, do the right thing: just talk to your IT team and your legaltech!


*malware: a term that simply means malicious software designed to harm your computer systems and data.
