Nishith Desai Associates keeps business risk at bay with infosec

A look at how information security enables Nishith Desai Associates, a Mumbai-based law firm, to drive its business and mitigate business risks.

Milind Mundarkar, the CTO of Nishith Desai Associates, has a tough job. His firm handles a great deal of confidential information, including legal agreements and sensitive data belonging to many organizations, and Mundarkar's team is its custodian. "Before signing business deals, our clients enquire about our information security practices," says Mundarkar.


As a leading legal firm, Nishith Desai has to ensure that all document exchange happens in a highly secure manner. Early on, the firm recognised that it needed a strong network security framework. Its information security policy (first written in 1990) is updated regularly to keep pace with the growing automation of processes and the introduction of new devices. Although it deals in sensitive information, the firm has developed an open, transparent and trust-based work culture. "In this work culture, we have to be careful while implementing certain information security policies and restrictions for people," says Mundarkar. "We have to justify the reasons for certain restrictions." Although this might seem at odds with the nature of its business, the firm has successfully maintained that trust-based culture, and has not experienced any misuse of information by employees. Mundarkar nevertheless believes that, from a systems point of view, information security cannot be ignored, and the firm has taken several steps to secure even the smaller details.

To keep control over the confidentiality of its information, Nishith Desai hosts its Microsoft Exchange and database servers in-house rather than in a third-party data center. The firm has established VPN connections between all of its office locations (Mumbai, Bangalore and California), and additionally has MPLS VPN connectivity between Mumbai and Bangalore. Of the two, only the MPLS link keeps packets off the public Internet; the site-to-site VPNs encrypt traffic that still traverses it. The firm does not permit the use of personal email. Since every Nishith Desai employee has a BlackBerry device, the firm maintains a separate corporate policy on BlackBerry usage, and the BlackBerry servers have an integrated system for monitoring logs. Nishith Desai uses an IronPort appliance for policy-based email monitoring and spam blocking. "Our prime aim was to ensure that no traffic moves through the public Internet," explains Mundarkar.

Nishith Desai has set up two data centers (at Mumbai and Bangalore). The firm says these are protected by FortiGate firewalls with what it describes as "Z level" security. To control removable media such as CD-ROM and USB drives on endpoints, Nishith Desai uses Symantec's Enterprise Suite (for virus protection and device blocking). The firm also uses Microsoft System Center Essentials for patch management and health monitoring; it sends a daily e-mail summary of the status of every managed system.


To ensure smooth and secure document exchange with its clients, Nishith Desai signs documents with digital signatures backed by VeriSign-issued certificates. "Certain clients who are apprehensive about confidentiality of information want us to authenticate and upload the information directly on their server," says Mundarkar.

According to Mundarkar, although the current network security framework protects the firm adequately, security is a perpetual challenge. For that reason, Nishith Desai allocates at least 60% of its technology budget to information security.

Even with all these network security controls in place, Mundarkar wants to give users as much flexibility as possible. The firm has a work-from-home policy for lawyers, who are often on the move, and uses Elite 3E software to track the time lawyers spend on each case. To secure remote log-ins to this system, Nishith Desai plans to deploy an RSA authentication solution based on "digital cards", which will add a third factor to the log-in process. The firm intends to deliver these cards as software on employees' BlackBerry devices, so that users need not carry a separate physical smart card. Mundarkar is also looking to invest in a document rights management solution to further protect Nishith Desai's intellectual property.
