Is the cloud more secure than you think?
Clients entrust their attorneys with their most personal and important materials — tax returns, divorce settlements, intellectual property, lawsuit documents, financial investments, copyrights. Should this information fall into the wrong hands, it could be disastrous for a client and ruin a law firm’s reputation.
It’s understandable why a law firm would resist putting their data into the cloud: that is, uploading their data to a secure cloud provider. Many firms still rely on tried-and-true storage methods like external hard drives or even locked file cabinets. After all, it seems like every week there’s a new story about a company being hit by ransomware, or a massive database hack that exposes the accounts of thousands of customers. Is moving all your vital information into the cloud taking a massive risk?
As it turns out, it isn’t. Cloud computing offers far more extensive security than any law firm could provide on its own. Cloud databases lie within intricate, multitiered security networks that are constantly being upgraded and tested for potential weaknesses. There are backups within backups, all meant to protect your information in the event of a hack or a natural disaster.
A growing transformation
In the latest ABA 2019 Legal Technology Survey, cloud usage grew slightly among law firms in 2019, with almost 60% of survey participants indicating their use of the cloud increased over the past year. Interestingly, solos and small law firms led the way, adapting to the cloud at a quicker rate.
The real growth in cloud usage may be on the horizon, however, as the survey indicated lawyers are letting go of previous fears of the cloud and are now citing former obstacles, such as security, as a benefit of cloud use. Indeed, almost 30% of survey respondents said the cloud gives them greater security than their firms can provide on their own.
Not surprisingly, this growth mentality is starting to be reflected in the sales of public cloud services, which are expected to more than double to above $260 billion by 2023, compared to about $130 billion in sales in 2017, according to market research firm IDC. This estimate reflects a strong 21% compound annual growth rate.
This data appears to show the legal industry may be getting over its initial fear of cloud-based services, even though some trepidation remains.
Still, many market observers are surprised that cloud usage has not grown at a faster rate. Of course, there may be a number of reasons for this. A firm may still be very paper-oriented, and vital information may be stored in tape libraries or on legacy mainframe architecture. The firm may have made substantial investments in database protections and believes that moving data into the cloud could compromise its own efforts. And the firm may not be familiar with current cloud protections and defense protocols, considering the cloud to be as flimsy, security-wise, as a public Dropbox account.
Moving to the cloud will mean a change in perspective and will likely be a necessary move at some point, one that’s likely to be demanded by clients.
Gatekeeping your data
Not long ago, it was a simpler world. Law firms kept paper files in locked drawers or in secure storage facilities; papers were shredded once they weren’t needed. Digital information was stored in password-protected databases. After catastrophic events like the terrorist attacks of September 11, off-site backup database storage facilities grew in importance. Still, many firms kept most of their vital information in-house, whether in cabinets or servers.
A key question a firm should ask today is: who is the gatekeeper of my data? Is my data being fully protected?
What are the barriers—physical and digital—that currently exist between your confidential information and those that want to illegally obtain it? How much of a fail-safe plan does your firm have in the event of an emergency or cyber-attack? If you back up your data into servers that are physically located in your office, is that truly enough protection?
Ruby Lee, a senior product manager at Thomson Reuters, recommends that firms rank their data security in 5 ways, and then compare the internal assessments to what a top cloud provider offers:
- Physical security – What is the level of security of the location where your data is housed?
- Digital security – What is the strength of your protection against hacks?
- Intruder detection – How soon do you know if you’ve been compromised?
- Disaster recovery – How soon can you get up and running after an emergency?
- Security processing – How can clients securely access their data?
For all of these areas, she believes many cloud services should receive 5 out of 5 stars, while the legal industry would generally range between 2 and 4 stars at best. The reasoning is simple: even a law firm that’s wholly committed to database security lacks the financial and physical resources at the level of many cloud service providers.
Take intruder detection and response, for example. Microsoft’s Azure Cloud Solutions routinely runs “war games” with its programmers. These maneuvers involve about 2,000 employees, half of whom attempt to hack into Azure while the other half try to detect and prevent the attack. Afterwards, the two teams consult and the attackers disclose any weaknesses they found. Then they run the game again, with the defenders now the attackers.
“We’re constantly trying to compromise our own system,” notes Rick Weyenberg, an Azure Cloud Solutions Architect at Microsoft, adding the goal is one of perpetually finding and correcting any perceived vulnerabilities. No matter what a law firm’s size and budget, this sort of routine and intensive threat detection process is beyond their capabilities.
Another likely weak link in a law firm’s data security is the location of its servers and databases. Assess what physical barriers exist to protect your data.
If your servers are located in your office, who has access to them? Is the security of your office adequate? If servers are located off-site, what protections do their storage facilities offer?
At the same time, many cloud service providers take hardware security as seriously as any government. For example, Azure’s cloud servers are housed in facilities that are 4 miles long in some cases, surrounded by military-style fences that extend 25 feet underground, says Azure's Weyenberg, adding that there are various checkpoints within each facility manned by armed guards and surrounded by bulletproof glass. No one gets in without a substantive background check.
Given this imbalance of scale, a law firm’s efforts to physically secure its databases and servers will fall short while becoming an unending source of expenses. Even if an off-site storage facility is currently up to date, servers and software protections need continual upgrades. Further, the sheer scale of cloud services can greatly reduce costs for law firms. For example, if your business needs 10 servers running at peak but only one for off-peak hours, in the cloud you can essentially “turn off” 9 servers when you’re not using them and not pay for them.
If a law firm has clients overseas, there’s also the issue of data sovereignty. Some countries like Canada have very restrictive data transfer protocols. Should a firm have to move its data out of a particular country in response to an attack, it could violate that country’s regulations. Microsoft has responded by building 2 cloud facilities in nearly every country in which it does business. Each facility is near a major telecommunications hub and away from fault lines or flood plains. Should one facility be compromised, all client data is automatically secured in the country’s other facility: a data transfer that doesn’t violate regulations.
Encryption: building the digital wall
The ever-increasing complexity of data encryption adds another tier of protection to the cloud. With encryption, as Mark Gendein, architecture manager at Thomson Reuters Elite™, said, “We layer on what we do on top of what cloud providers do.”
The overarching idea of encryption is to create a series of impenetrable walls within the cloud. There are no links or connections between various client accounts within a cloud system. Instead, “We create a separate container for each customer. So even if there was a penetration, you still couldn’t get from customer A to customer B,” Gendein said.
Encryption can be done in a number of ways. A client may use its own encryption service (such as a third-party vendor approved by its cloud provider) or it may ask the cloud provider to encrypt its data. Data is often classified as low-business-impact, medium-business-impact, or high-business-impact. This means that any medium- or high-business-impact data automatically receives additional layers of encryption upon being uploaded, whereas low-business-impact data receives standard encryption.
Protection from the cloud provider itself
Law firms also should make it clear that their cloud provider itself shouldn’t be able to access their data. This is yet another security step, and one that some cloud vendors may overlook. “When you’re working with your cloud vendor, you need to know what data, if any, your cloud provider claims ownership to,” Weyenberg says.
When talking to prospective vendors, firms should ask if privacy controls are built into the provider’s design and operations. In the event of an emergency or an upgrade, it may be necessary for a cloud provider to have access to the client’s data. If so, this needs to be a very short-term, quickly expiring access for which the client gives express consent.
Make the process work for you
What makes the cloud different from previous generations of digital information storage is partly that the industry knows it needs to prove its security to customers. Convincing clients to move their information into the cloud is still a leap of faith for many, which gives cloud providers extra incentive to keep increasing their security levels and protection protocols.
So, while it may appear to a law firm that moving into the cloud means your data will have more potential for access and exposure, the opposite is true. The name “cloud” itself is something of a misnomer, as the cloud ironically offers more protection than many fortresses on the ground.