CIC Solutions Forums
Certified Independent Consultant Solutions Forums for
LexisNexis® Practice Management Products
Time Matters - PCLaw - Billing Matters - Browser Edition - HotDocs

Encryption of TM data


Top 200 Contributor
Posts 7
Lee R. Posted: Sat, Mar 31 2012 12:26 PM

I would like to encrypt my TM data for security purposes since the database contains a lot of client confidential information. I use the latest version of TM.

My first question is how secure is the data given that I need to log in to access it using TM? Is further encryption necessary?

If encryption is advisable, can that be done to the TM data using a program such as TrueCrypt? Will it interfere with the operation of the program?

Thanks as always.

Lee Raaen

Lee Raaen Law Office of G. Lee Raaen PO Box 31698 Seattle, WA 98103-1698
Top 25 Contributor
Posts 196
.CIC
TM CIC

Time Matters Data inside your network:

Your network should be secured properly in a way that outside, unpermitted connections cannot be made to your servers. This is the task of an experienced networking administrator or vendor. Inside your network, only those with security permissions and access to passwords (Time Matters or SQL Management Studio) should be able to access your data. If your network, servers, SQL Server and Time Matters security are configured properly your data will be very secure. Encryption is not needed.

Time Matters Data/Documents outside of your network:

Assuming the above is completed, encryption should only be needed when data is being transferred outside of your network over the internet or via laptop/USB where it could be intercepted.

I recommend only using tools such as GoToMyPC or TeamViewer to get to Time Matters data remotely, following any network connection setup such as VPN. If you're really worried about data security, never carry your data out on a laptop or USB drive.

Syncing (ex. over the air Exchange sync):

I'm not 100% sure if an Exchange sync is encrypted. I'm also not sure if all phones/tablets encrypt data on their hard drive (I do believe Apple products do). This area might be best suited for someone to answer who has more experience in mobile syncing than myself.

Of course these responses are in general and may not be suited for your exact setup or situation. I do hope it can help you in some way. There are a few CICs who are much more experienced in this area than I and maybe they will chime in.

Michael W. Gaines Jr.
Gaines Database Consulting
Time Matters CIC
Florence, SC 29501
(843) 615-8084
mgaines@gainesconsulting.com
http://www.gainesconsulting.com

Proud Southeastern Affiliate of Eastern Legal Systems, LLC
http://www.easternlegalsystems.com

Top 25 Contributor
Posts 417
.CIC
BM CIC
BMP CIC
HD CIC
TM CIC
Mark Deal replied on Tue, Apr 3 2012 11:56 AM

Why not use built in SQL data encryption?

Mark Deal (CIC/Moderator)
Document & Data Solutions, LLC
TMTools, LLC
Atlanta, Georgia
http://www.docsol.com
mdeal@docsol.com
(770) 888-1940
Time Matters | HotDocs | PCLaw | TMTools | DDSLink | Worldox

Top 25 Contributor
Posts 196
.CIC
TM CIC

Considering I've never attempted to encrypt data in a Time Matters database, would SQL encryption at the database or column level not break the Time Matters application?  I would think encryption would require application source code revisions and database structure revisions to column types and lengths etc.

Even if this were possible, I would think it would create a performance nightmare as well as break any third-party reporting utilities.

Michael W. Gaines Jr.
Gaines Database Consulting
Time Matters CIC
Florence, SC 29501
(843) 615-8084
mgaines@gainesconsulting.com
http://www.gainesconsulting.com

Proud Southeastern Affiliate of Eastern Legal Systems, LLC
http://www.easternlegalsystems.com

Top 200 Contributor
Posts 7
Lee R. replied on Tue, Apr 3 2012 6:01 PM

Thanks to everyone who replied. I guess I need to refine my question a bit.

My concern is not sending data off site, but the possibility that someone could get into the office and physically take my computer. The chance seems a bit remote, but on the other hand, it would be difficult to explain to clients why their information was so easily compromised.

Is the SQL data of TM encrypted within the program? I checked the setup options and could only find one that referred to encryption of messages outside of the program. Maybe I don't have a problem.

I run TM 11.1 on a single machine - no server.

Lee Raaen Law Office of G. Lee Raaen PO Box 31698 Seattle, WA 98103-1698
Top 10 Contributor
Posts 1,699
.CIC
BM CIC
BMP CIC
PCL CIC
TM CIC

I would go with a strong password to log in to your computer and a secure password to log in to Time Matters. There are also other things that can be done to prevent someone getting to your data by rebooting the computer outside of your installed Windows.

If you really want to prevent access you could get a machine that has a removable hard drive and pull the hard drive each night and store it in a safe.

Caren Schwartz (Moderator/CIC)

35-45 Consulting

& Time & Cents Consultants, LLC

Southport, CT

www.3545consulting.com / www.timeandcents.com

203-254-7736

Software for Managing Time, Money & Information

Time Matters, Billing Matters, Billing Matters Plus, PC Law CIC

 

Top 50 Contributor
Posts 111
.CIC
HD CIC
TM CIC

There are a number of options, none of them completely satisfactory, but each level enhances security:

(1) Windows password needs to be robust, and change every 90 days

(2) Desktops need to lock on Screensaver and require login after 10 minutes of inactivity

(3) Supply ACCESS TIMES for Logins in Time Matters

(4) Apply strong Login Password, and set up for required change every 90 days.

(5) In SQL, modify the SA Password to something other than the DEFAULT.

(6) Contact a consultant about disabling Windows Authentication on the SQL Database.

(7) Consider moving SQL Server to a VIRTUAL SERVER and setting it up so that only a limited set of users have access. There may be a way to use BITLOCKER on that virtual server for added security.

Of course, nothing prevents one of your OWN users from accessing the data.  On that level, I would also configure Time Matters security and decide to limit access by certain users.

Cheers,

Seth

Seth G. Rowland, Esq. (CIC) Basha Systems LLC (New York, NY) (800) 725-0326 or sgr@bashasys.com www.bashasys.com (c) 2009 by Basha Systems LLC
Top 100 Contributor
Posts 38

I looked at this question some time ago, and here's what I concluded: Using the data encryption tools of SQL Server (TDE) in some ways is the most elegant and certainly the most tested, but I was concerned about the complexity and the possible problems with replicating the database to a laptop (which is mostly where the encryption would be necessary). I have not yet implemented the SQL TDE, but will consider bringing in a contractor to do that when I change my computers next. I also concluded that TrueCrypt would be a satisfactory way to go. There might be a performance hit, since it's OTFE, but if the use is limited to laptops, that might not be a show stopper. I haven't implemented that, either, because my current equipment has disk security linked to separate security chips (real or emulated); that layer reportedly could be bypassed by someone with special knowledge, but that person is not likely to care about my TM data, so, for now, the threat assessment says I don't need to put the TM data on an encrypted volume. If TrueCrypt might work for you, you might experiment first with the tutor database.

Joseph Nierenberg
Nierenberg Employment Law, PLLC
Consulting – Litigation – Training
Minneapolis, Minnesota
www.nierenberg.com
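
The SQL Server TDE option discussed in this thread, shown as an added T-SQL example on a test copy of the data; it is not part of any poster's message and is not LexisNexis or Time Matters code. The database name, certificate name, file paths and passphrases are placeholders, and it assumes a sysadmin login on an edition that offers TDE (SQL Server Express does not).

```sql
-- Added example: enabling Transparent Data Encryption (TDE) on a TEST database.
-- Every name, path and passphrase below is a placeholder to replace.

-- 0. Confirm the edition before planning around TDE (Express lacks it).
SELECT SERVERPROPERTY('Edition')        AS edition,
       SERVERPROPERTY('ProductVersion') AS product_version;
GO

USE master;
GO
-- 1. Key hierarchy in master: a database master key, then a certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-passphrase-1>';
CREATE CERTIFICATE TmTdeCert_Placeholder
    WITH SUBJECT = 'TDE certificate for Time Matters test database';
GO

-- 2. Back up the certificate and its private key to media kept away from
--    the machine. Without them, the database files and backups cannot be
--    restored or attached on another instance (for example a laptop copy).
BACKUP CERTIFICATE TmTdeCert_Placeholder
    TO FILE = 'E:\KeyEscrow\TmTdeCert_Placeholder.cer'
    WITH PRIVATE KEY (
        FILE = 'E:\KeyEscrow\TmTdeCert_Placeholder.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-passphrase-2>');
GO

-- 3. Create the database encryption key and switch encryption on.
--    Pages are encrypted on disk and decrypted in memory, so tables,
--    column types and the application's queries are unchanged.
USE [TM_Tutor_Placeholder];
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TmTdeCert_Placeholder;
GO
ALTER DATABASE [TM_Tutor_Placeholder] SET ENCRYPTION ON;
GO

-- 4. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb also appears here once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```

TDE covers the database files and backups when they are copied off the instance; the keys that unlock them are stored on the same server, so a machine taken whole is a case for full-disk encryption (BitLocker, TrueCrypt) in addition.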
