Is the cloud more secure than you think? Clients entrust their attorneys with their most personal and important materials — tax returns, divorce settlements, intellectual property, lawsuit documents, financial investments, copyrights. Should this information fall into the wrong hands, it could be disastrous for a client and ruin a law firm’s reputation.

Gatekeeping your data

Not long ago, it was a simpler world. Law firms kept paper files in locked drawers or in secure storage facilities; papers were shredded once they weren’t needed. Digital information was stored in password-protected databases. After catastrophic events like the terrorist attacks of September 11, off-site backup database storage facilities grew in importance. Still, many firms kept most of their vital information in-house, whether in cabinets or servers.

A key question a firm should ask today is: who is the gatekeeper of my data? Is my data being fully protected?

What are the barriers—physical and digital—that currently exist between your confidential information and those that want to illegally obtain it? How much of a fail-safe plan does your firm have in the event of an emergency or cyber-attack? If you back up your data into servers that are physically located in your office, is that truly enough protection?

Ruby Lee, a senior product manager at Thomson Reuters, recommends that firms rank their data security in 5 ways, and then compare the internal assessments to what a top cloud provider offers:

1. Physical security – What is the level of security of the location where your data is housed?
2. Digital security – What is the strength of your protection against hacks?
3. Intruder detection – How soon do you know if you’ve been compromised?
4. Disaster recovery – How soon can you get up and running after an emergency?
5. Security processing – How can clients securely access their data?

For all of these areas, she believes many cloud services should receive 5 out of 5 stars, while the legal industry would generally range between 2 to 4 stars at best. The reasoning is simple: even a law firm that’s wholly committed to database security lacks the financial and physical resources at the level of many cloud service providers.

Blocking intruders

Take intruder detection and response, for example. Microsoft’s Azure Cloud Solutions routinely runs “war games” with its programmers. These maneuvers involve about 2,000 employees, half of which attempt to hack into Azure while the other half try to detect and prevent the attack. Afterwards, the two teams consult and the attackers disclose any weaknesses they found. Then they run the game again, with the defenders now the attackers.

“We’re constantly trying to compromise our own system,” notes Rick Weyenberg, an Azure Cloud Solutions Architect at Microsoft, adding the goal is one of perpetually finding and correcting any perceived vulnerabilities. No matter what a law firm’s size and budget, this sort of routine and intensive threat detection process is beyond their capabilities.

Physical protections

Another likely weak link in a law firm’s data security is the location of its servers and databases. Assess what physical barriers exist to protect your data.

If your servers are located in your office, who has access to them? Is the security of your office adequate? If servers are located off-site, what protections do their storage facilities offer?

At the same time, many cloud service providers take hardware security as seriously as any government. For example, Azure’s cloud servers are housed in facilities that are 4 miles long in some cases, surrounded by military-style fences that extend 25 feet underground, says Azure's Weyenberg, adding that there are various checkpoints within each facility manned by armed guards and surrounded by bulletproof glass. No one gets in without a substantive background check.

Given this imbalance of scale, a law firm’s efforts to physically secure its databases and servers will fall short while becoming an unending source of expenses. Even if an off-site storage facility is currently up to date, servers and software protections need continual upgrades. Further, the sheer scale of cloud services can greatly reduce costs for law firms. For example, if your business needs 10 servers running at peak but only one for off-peak hours, in the cloud you can essentially “turn off” 9 servers when you’re not using them and not pay for them.

If a law firm has clients overseas, there’s also the issue of data sovereignty. Some countries like Canada have very restrictive data transfer protocols. Should a firm have to move its data out of a particular country in response to an attack, they could violate that country’s regulations. Microsoft has responded by building 2 cloud facilities in nearly every country in which it does business. Each facility is near a major telecommunications hub and away from fault lines or flood plains. Should one facility be compromised, all client data is automatically secured in the country’s other facility: a data transfer that doesn’t violate regulations.

Encryption: building the digital wall

The ever-increasing complexity of data encryption adds another tier of protection to the cloud. With encryption, as Mark Gendein, architecture manager at Thomson Reuters Elite™, said, “We layer on what we do on top of what cloud providers do.”

The overarching idea of encryption is to create a series of impenetrable walls within the cloud. There are no links or connections between various client accounts within a cloud system. Instead, “We create a separate container for each customer. So even if there was a penetration, you still couldn’t get from customer A to customer B,” Gendein said.

Encryption can be done in a number of ways. A client may use its own encryption service (such as a third-party vendor approved by its cloud provider) or it may ask the cloud provider to encrypt its data. Data is often classified into low-business-impact, medium-business-impact, and high-business-impact. This means that any medium-or high-business-impact data automatically receives additional layers of encryption upon being uploaded, where low-business-impact data receives standard encryption.

Protection from the cloud provider itself

Law firms also should make it clear that their cloud provider itself shouldn’t be able to access their data. This is yet another security step, and one that some cloud vendors may overlook. “When you’re working with your cloud vendor, you need to know what data, if any, your cloud provider claims ownership to,” Weyenberg says.

When talking to prospective vendors, firms should ask if privacy controls are built into the provider’s design and operations. In the event of an emergency or an upgrade, it may be necessary for a cloud provider to have access to the client’s data. If so, this needs to be a very short-term, quickly expiring access for which the client gives express consent.

Make the process work for you

What makes the cloud different from previous generations of digital information storage is partly that the industry knows it needs to prove its security to customers. Convincing clients to move their information into the cloud is still a leap of faith for many, which gives cloud providers extra incentive to keep increasing their security levels and protection protocols.

So, while it may appear to a law firm that moving into the cloud means your data will have more potential for access and exposure, the opposite is true. The name “cloud” itself is something of a misnomer, as the cloud ironically offers more protection than many fortresses on the ground.