No doubt you've read in BigLaw about all the midsize and large firms equipping their lawyers with iPads — or at least supporting iPads purchased by their lawyers. For example, see the BigLaw Pick of the Week earlier this month, Damon Morey Makes iPads Standard Equipment.
Many methods exist for integrating iPads and other mobile devices into your legal environment. For example:
• Should you license, build, and configure mobility servers or gateways (e.g., WorkSite Mobility Server)?
• Should you create a VPN connection to encrypt connections from your devices to your LAN?
• Should you implement an expensive and involved enterprise security solution (e.g., MobileIron)?
• Should you require that the IT Department authenticate/approve each device manually before it can be used to connect to your network?
• Should you require that all documents be synced when the device is on your LAN, or even when it is physically plugged into your computers, all of which must then run iTunes?
• Do you need access to applications other than document management, or web-based reference/resource apps? Wouldn't it be nice to be able to access all of your firm's various applications — from Elite to Concordance and everything in between?
Here's One Solution That Works Well
These questions can all seem daunting. There are not necessarily any wrong answers or approaches. But some approaches and solutions are easier to implement than others, and some are more secure than others.
Many firms want to use the iPad for a terminal services solution (e.g., Citrix or Microsoft's Remote Desktop Services) as a way to meet this challenge with a degree of simplicity. But what about security? If an employee loses his device, is there a window of opportunity in which a compromised device could be used to breach your network?
At Wolf, Greenfield & Sacks, my team and I have developed an easy-to-implement solution that is secure, and provides full access to your application environment for your iPad users. Here's what your firm will need:
1. A Windows 2008 R2 Remote Desktop Services (RDS) Server. Or a server farm if your environment could benefit from the load balancing/failover features of two or more application servers working in concert — and who couldn't really?
2. A Windows 2008 R2 Server configured as a Remote Desktop Services Gateway Server.
4. An RDP client that supports Secure Gateways. Some possibilities include iTap RDP App for the iPad or Xtralogic Remote Desktop Client for Android, both with the Secure Gateway option, purchased from the App Store or Android Market respectively.
Security First: The Advantages of Two-Factor Authentication
So what is two-factor authentication? Two-factor authentication is based upon what you have (a digital certificate, a mobile phone, or land-line phone) and what you know (a valid login for your firm's network, and a valid password for the same). Two-factor authentication has been in use for many years (perhaps most readily recognizable in the form of an RSA SecurID token key fob), and is superior to other forms of security because it requires both factors: neither one is enough on its own.
For example, if someone were to learn your password they would still be unable to connect to your firm's network without your mobile phone or a valid firm-issued digital certificate. And conversely, it is not enough simply to have the "key" (the digital certificate or cell phone) — one must also have a valid login and password pair to gain access to the network.
Using an employee's mobile phone as a physical token is an elegant way to achieve two-factor authentication. Employees will always have it with them. And using the phone to authenticate is as easy as (1) entering a user name and password (what you know) at the RDS Gateway, (2) answering the phone (what you have) when the service calls to confirm the login, and (3) pressing "#" to complete the authentication process. For convenience, firm-owned laptops can be equipped with digital certificates (again, what you have) that permit access without requiring a call-back.
Install and configure the RDP client on your mobile devices
The key here is the Secure Gateway support, which permits you to specify both an externally accessible gateway (via IP or DNS), and an internal hostname for pass-through to your RDS Server or Server Farm itself once the two-factor authentication has been achieved.
This solution will work not only with iPads, but also on any Android OS tablet (Samsung Galaxy, Motorola Xoom, etc.) — so long as you purchase an RDP client app for the device that supports Secure Gateways (Xtralogic, iTap).
For that matter, any non-Windows-based remote computer (Unix, Linux, Mac) can connect using this infrastructure as well — again, so long as an RDP client that supports Secure Gateways is available (and they are).
And of course you need not worry about an RDP application when your employees use Windows PCs. With employee mobile phones serving as the "what you have" component of a two-factor authentication solution, employees can securely use any Windows computer (e.g., a kiosk computer at a conference) to remotely access your network.
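For the Windows PC case, the gateway and internal host pairing described above lives in the client's .rdp profile, and it is worth checking profiles before handing them out. The following is an added example, not part of the original article or the firm's configuration: a small Python audit of the standard .rdp gateway settings. The host names, sample profiles and finding codes are constructed for illustration.

```python
# Added example: audit a Windows .rdp profile against the gateway design above.
# Host names and profile contents are constructed placeholders.

def parse_rdp(text):
    """Parse 'name:type:value' lines of an .rdp file into a dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2].strip()
        settings[name] = int(value) if kind == "i" and value.lstrip("-").isdigit() else value
    return settings

def audit_rdp(text, expected_gateway):
    """Return finding codes; an empty list means the profile passes."""
    s = parse_rdp(text)
    findings = []
    gw = str(s.get("gatewayhostname", "")).lower()
    if gw != expected_gateway.lower():
        findings.append("gateway-host")      # wrong or missing external gateway
    if s.get("gatewayusagemethod") != 1:     # 1 = always connect through the gateway
        findings.append("gateway-usage")     # e.g. 2 or 4 allow a direct connection
    if s.get("gatewayprofileusagemethod") != 1:  # 1 = use the explicit settings here
        findings.append("gateway-profile")
    target = str(s.get("full address", "")).split(":")[0].lower()
    if not target or target == gw:
        findings.append("target-host")       # target must be the internal RDS host
    if "password 51" in s:
        findings.append("saved-password")    # stored credential weakens "what you know"
    return findings

GOOD_PROFILE = """\
full address:s:rds-farm.corp.example
gatewayhostname:s:rdgw.firm.example
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
"""

BAD_PROFILE = """\
full address:s:rdgw.firm.example
gatewayhostname:s:rdgw.firm.example
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
password 51:b:CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    print(audit_rdp(GOOD_PROFILE, "rdgw.firm.example"))
    print(audit_rdp(BAD_PROFILE, "rdgw.firm.example"))
```

A saved password is flagged because a lost device that already holds the credential leaves only the phone call-back standing between the finder and the network.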
If your firm has struggled with architecting a solution that provides the level of access to firm applications you would like to support, I think you can recognize the simplicity, security, and power of the solution provided above.
Written by Matthew Berg, Director of IT at Wolf, Greenfield & Sacks, P.C.