Unity: A Study in Security Best Practices

As we explored in Everything You Need to Know about the Cloud, cloud-based technology and services have entered the mainstream and are here to stay. Cloud apps have become a regular part of our daily lives, and their underlying technologies have matured to the point where they can meet the demanding requirements of a busy law practice.

Concerns about security and privacy have, until recently, delayed the migration of legal professionals to the Cloud. Legal professionals operate in a “zero-fail” environment where the security and confidentiality of client data are paramount, and any sort of breach is intolerable. As many firms have experienced, providing this security themselves is becoming increasingly cost-prohibitive, with new types of threat being discovered all the time. When a law office chooses to embrace a cloud-based practice management solution, that solution needs to offer security that’s superior to what they already have in place – and instill the confidence that it will stay secure in the future.

To ensure the protection and security of your firm and customer information, DoProcess puts security at the center of all our development processes. When you look under the hood, you find that Unity®, our cloud-based practice management platform, is, in fact, a collection of security best practices working together to keep you and your data safe. In this post we are going to explore Unity’s security features and dig into some of the underlying technologies that are at work.

Unity’s security features: Peeling back the layers

The ability to access Unity anytime, anywhere, is certainly a key benefit. This convenience is made possible by a layered security framework that’s quietly chugging away in the background.

There are three main security layers. The first layer deals with how you (and your coworkers) access Unity. Security professionals call this “identity and access management infrastructure.” The second layer deals with secure data transmission. This has to do with how data is securely transmitted from your computer to the Cloud, and back again. The last layer deals with how and where your information is stored and protected. Let’s take a look at each in detail.

Knock, knock. Who’s there?

The identity and access management security layer is pivotal to modern cloud applications and is concerned with authentication and authorization. Put another way, this layer requires you to prove to the application that you are who you say you are, so it will let you in. The controls around this in Unity are extensive.

To access Unity, customers are required to provide three matching identifiers: a firm account ID, a unique user ID, and a password. Passwords are required to be robust, meaning they can’t be too short and need to include a mix of different character types such as uppercase and lowercase letters, numbers, and symbols.

Furthermore, when you change your password, it can’t be identical to the passwords you used the previous five times. If anyone makes too many unsuccessful attempts to log into your account, it will be locked. So be careful about how many attempts you make if you’ve forgotten your password! All access to Unity is logged and monitored to make sure nothing untoward is going on. For good measure, Unity also has you change your password every 90 days.

All of this is to make sure that only you have access to your Unity account. Passwords and related security controls are an important first step. But to truly make sure Unity knows who you are, we use an additional security best practice called Two-Step Verification.

Two-Step Verification (also called Two-Factor Authentication or 2FA) is exactly what it sounds like. It’s a second step in verifying who you are. When you log into Unity for the first time (or you log in from a new computer or reset a forgotten password), Unity will text you a short code to enter to prove that it’s you. That’s it. One of the best parts is that with 2FA, you don’t need to remember the answer to obscure personal questions anymore. It’s an extra layer of security that quickly lets Unity know you are an authorized user – and lets you safely get to work.

Phishing attacks, in which a bad actor pretends to be a trusted contact in order to get you to share sensitive information, have become very common. 2FA is an excellent defence mechanism against phishing attacks on your Unity account. Even if your account ID, user ID, and password are stolen, the time-limited 2FA code sent to your phone won’t be accessible to the thief, which prevents them from accessing your account. Plus, it will alert you to the fact that someone else has tried to use your Unity information so that you can change your password to prevent future attempts.

What’s encryption, and why does it matter?

The second layer in Unity’s security deals with safely transmitting information from your browser to Unity and back again. To make sure your client and firm data cannot be read while they travel to and from the Cloud, Unity uses bank-grade encryption.

Like the Cloud, the term “encryption” gets bandied about increasingly often, but its significance isn’t always well understood. It should be, as encryption is a fundamental building block of modern secure communications. At its most basic, encryption ensures that only the intended recipient of a piece of information can view it. When people talk about encryption, they are really talking about a mathematical technique (that’s been around for quite some time) that turns information into unreadable code (AKA encrypted data). That encrypted data can only be read when it’s decoded (AKA decrypted) by the intended recipient. Here’s a common example: when you send an encrypted text from your phone, the message you type is converted to unreadable code for transmission that can only be deciphered and made into a readable message again by the phone of the person you are texting. This is encryption at work!

So, why is this important? Well, for any data that travels across the Internet, there is no guarantee that a third party or bad actor won’t try to intercept it. But if data is encrypted, it adds a layer of protection to that information during transmission because it will be unreadable by the third party.

Unity makes extensive use of encryption technologies. All data that you send to and receive from Unity is encrypted using bank-grade 256-bit SSL encryption. Without going into the boring details, this is a very strong level of encryption and, together with the other technologies covered in this post, underscores our commitment to top-notch security.

Your data is locked up tight

One of the many benefits of using a cloud-based application is that we perform Unity’s expert (and frequent) updates to malware and virus protections for you. We also take care of backing up your data securely. So where is your data saved, and how exactly is it protected?

In a previous post, we shared a picture of a data-centre made up of servers that deliver a cloud-based service (in that case, the example was Netflix). Similarly, Unity is hosted in a data-centre equipped with servers to deliver Unity to customers over the Cloud. When you log into and use Unity via your browser, you are connecting to these servers.

What’s important to understand is that your data is securely hosted on servers that are owned, operated and maintained by DoProcess. Unity isn’t hosted on rented infrastructure, and our servers are dedicated to delivering Unity, and only Unity. No third parties share those servers or have access to them. Secondly, Unity’s servers are located in Canada. That means your data – and it is your data, you retain 100% ownership – is located in Canada at all times. This means you needn’t worry about your business-critical information being located outside the country and potentially subject to the laws of another jurisdiction.

For additional protection, personally identifiable information is encrypted on our servers, as are all documents created or loaded into Unity. For peace of mind, all your firm’s matters and client information are segregated from other firms’ matters and client information. Your data is stored in a single dedicated database that can only be accessed by you, the authorized firm that owns the data.

Physical access to the cloud servers that host Unity is restricted to authorized DoProcess personnel. The servers are located in a high-security location (that has all the cameras and 24/7 monitoring you would expect) with extensive environmental controls to keep things running no matter what might happen (such as power outages or natural disasters). Your precious data is always safe and secure.

A commitment to data security

The security of cloud-based apps, like any other technology solution, is underpinned by the ongoing commitment to security of the company that provides them. At DoProcess we take seriously our responsibility to ensure all mission-critical systems are protected against threats. The protection of your firm and client data is our primary concern. We have a dedicated security operations team overseeing the security of all applications, and everything must adhere to our stringent corporate security policies. Unity is the epitome of this commitment. From robust access protocols to bank-grade encryption technologies and extensive physical data security, Unity protects your precious data end-to-end.

You can find more information about Unity’s security features here.