Michelmores in Exeter solved its business continuity IT problems by building a system enabling more people to work outside the office, reports Rupert White


Exeter-based full-service firm Michelmores has 32 partners and more than 260 staff, some in a London office. In charge of all these people's IT needs is Simon Clarke, a New Zealander with an engineering background who came to the UK in 2001.



By June 2006, Mr Clarke wanted to give the firm remote access for when solicitors and staff were out of the office, but he needed a system that matched his stringent security requirements. He also knew the firm needed a good business continuity/disaster recovery solution.



He decided to roll these concepts together, getting a system for remote access that can double as a method of reacting to disasters.



His primary challenge was the one common to all remote working: making the system as usable as possible for staff without compromising on security, because client data protection is paramount. 'I wanted all of our customers to feel sure that their information is secure,' said Mr Clarke of the solution the firm implemented. 'We wanted to work from remote locations, and from home on occasion, without compromising security.'



The solution is a remote-access device that acts as a gateway to the firm's network, so staff can access information securely. Mr Clarke hopes to expand the set-up to business partners and, in the future, to clients, to provide a secure portal for access to case information. The current system has been up and running since February 2007.



Unless users are accessing the firm's network using Michelmores laptops, which are only issued to senior staff, they could be using any system, from home PCs to terminals in other offices, so a set-up for any machine was needed. In hardware terms the solution is a 'box' by AEP Networks, supplied by Community Internet, with a spare back-up unit located outside the firm. The system on it, an AEP Netilla Security Platform (NSP) secure sockets layer virtual private network (SSL VPN), performs an in-depth integrity scan of any user's device, such as a PC, wanting access before allowing it on to Michelmores' wide area network, via Citrix. Using Citrix to present applications remotely, said Mr Clarke, meant being able to just use web browsers on any machine to allow access to company information.



Most users can only 'see' information. Mr Clarke's team set up the system to allow only one level of access, the top, to change or affect data, 'so we don't have any risks of viruses or transfer or contamination of information, and users can't take information away from our network and use it', he explained.



Usability v security

This did not all come easily, however. Allowing Microsoft Outlook access was hard work, said Mr Clarke, because it was difficult to determine or predict which ports it wanted to use to talk to the outside world. In the end, Mr Clarke's team had to open a large tunnel to let Outlook synchronise between server and local data. Implementing the Citrix solution was also not without problems. Mr Clarke wanted this to be 'clean, with no confusion', so some work had to be done from the default set-up to streamline the user experience.



Fundamentally, there is an inescapable trade-off in usability when security is paramount. 'This is the more secure solution, but the more secure it is, the less usable it is,' explained Mr Clarke. 'I had to manage expectations in the firm that there was a good reason why we were doing this. We might be making it five to six seconds longer for them to log on, but look at the benefits.'



Another key advantage of the solution is how it helps Michelmores deliver robust business continuity capability from users' homes. 'In the south-west, there is not a great opportunity to relocate staff in the event of a disaster,' said Mr Clarke. 'So they need to be able to work from home. Staff relocation in a disaster is a major problem for us. This solution enables us at least to operate in some capacity in the event of a major failure.'



Two into one

Using a thin-client solution for most remote users, where Michelmores' applications are served out to web browsers that do not hold any information beyond the session length, satisfies most security needs. But Mr Clarke needed to deal with laptop users who wanted email access away from a network connection.



'The biggest bugbear in any remote solution is having to be connected to be able to see anything,' he said. So Mr Clarke's team use an encryption solution to secure Outlook files on laptops that are in the field. 'Should that device get stolen, no one's going to get access to that information.'



Remote-user access is determined in a highly secure way, using what is called 'two-factor authentication'. Users enter a 'normal' password as well as a time-limited (30 seconds) one-time password generated by their mobile phone.



Combining a real, obvious business benefit (remote access) with more abstract but vital business continuity in the same solution made the 'sell' to partners fairly simple, said Mr Clarke. But the best selling point was the price. 'We didn't have to make the outlay of buying laptops for people, and what I didn't want was for our IT department to start supporting 250 home users.'



So Michelmores can serve its applications to anyone in front of a computer, wherever they are, without paying for a remote physical location, and without the cost of hundreds of laptop machines. All of which makes Mr Clarke a very happy IT manager.