Previously, I observed how the evolution of the cloud has led to considerable growth in cloud solutions within legal environments. At the same time, concerns about the security and privacy of cloud environments have created obstacles to adoption among the profession. For the legal community, the contradictory opportunities and risks presented by the legal cloud results in a tension between attitudes that, at their extremes, we can refer to as “cloud complacence” (or an uncritical trust in cloud providers) and “cloud anxiety” (an uncritical refusal to consider cloud solutions). Cloud-complacent and cloud-anxious attitudes both work, in effect, to increase law firms’ vulnerability to risks, on the one hand, or to deprive them of the real benefits of a cloud solutions, on the other.
Part of the problem is that both cloud anxiety and cloud complacence stem from very reasonable responses to cloud computing. It is not unreasonable to believe that cloud providers (who by the very nature of their expertise and business models) will invest in the security and integrity of their solutions, generally with a sophistication that is lacking at law firms. Nor is it unforgivable to feel uncertain about the sufficiency of these efforts, particularly given some high profile incidents which have erupted over the past year. In fact, for a reasoned articulation of (and response to) cloud anxiety, see Sam Glover’s take on Lawyerist. The trick lies in understanding how much trust or suspicion (or both) is reasonable to find a way that balances the risks and benefits of the cloud. This requires understanding the nature and sensitivity of the data that you putting into the cloud, and how a particular solution protects and potentially exposes that data.
There are a several relevant factors to consider here. First, a basic understanding of what’s involved in data security when using mobile-cloud (the successor to the endpoint-server paradigm):
1) Servers – Generally, cloud offerings transfer data that was held on dedicated hardware physically located within the walls of the firm to remote, shared servers controlled by third parties. What those third parties do to protect and maintain the integrity of these servers is thus an important aspect of cloud security. It is also the most obvious element to consider. Other important questions here relate to multi-location failure, and the extent to which server space is shared or dedicated.
2) Transfer – For the cloud to work, the data and applications stored on remote servers must be accessible by users through their computers and mobile devices. How this data is exposed or protected in transit between cloud servers and these access points is also a crucial element of the overall security of the cloud. The core questions here typically relate to identity encryption and secure data transfer.
3) Access Points –One of the advantages of the cloud is how it opens up the freedom to access data from a wide variety of devices and locations. This also increases the opportunities for exposure. Many devices automatically log into cloud systems and save local copies of the files stored on the cloud servers. As such, we need to be concerned with the security of the device itself, as well as the ability to control it after it leaves physical possession of the firm. The security literacy of users is often an important element here as well.
Different providers take different approaches in how they address these needs, leaving firms with a range of options to consider. Let’s look at a few basic approaches to provide some context for these strategies, and what they mean for your firm’s use of the cloud.
Again, we’ll start with the obvious option. Many legal cloud vendors have responded to the market’s concerns by improving encryption and server security. The need for strong security has prompted vendors to use security efforts as a matter of differentiation. Key factors here are the security certifications and protocols used by the cloud provider. Firms with dedicated IT resources can suss out the meaning of the terms that are used in these environments, but smaller firms often lack the background to translate the terms and standards referenced into a practical understanding of how secure it will be.
While a little self-education is a healthy thing, vendors often opt to use a number of shorthand tricks to signal the trustworthiness of their platforms by highlighting the:
- Number of certifications obtained. For example, cloud practice management provider Clio highlights that it possesses three certifications (by VeriSign, TRUSTe, and McAfee Security), even if the standards themselves are somewhat redundant, primarily verifying the use of Secure Sockets Layer (SSL) encryption (although the TRUSTe certification also identifies incorporation of its privacy standards).
- Adoption of known security standards or industry requirements. For example, Box and Microsoft Matter Center for Office 365 both underline their compliance with HIPAA and EU security and privacy standards as a way to indicate their appropriateness for legal environment. (Microsoft also lists ISO 27001 and Federal Information Security Act compliance, and goes so far as to identify its own security expertise as a consultative value-add for legal customers.) MyCase (which leases cloud space from Amazon Web Services EC2) and cloud ediscovery provider Logikcull both take pains to identify that they leverage “bank grade” security (which again is largely SSL).
- Physical security at data center sites. Box and MyCase highlight the physical security and disaster precautions of their data centers. Kroll Ontrack goes further, identifying steps taken to ensure temperature control and power supply redundancy.
Moving to a Private Cloud
Generally speaking, when we refer to cloud offerings (in the legal sector or otherwise), we are speaking of “the public cloud,” or cloud resources that are available for public use. On public clouds, server space is shared, and an individual user’s data might be distributed across multiple servers and data center locations. In this way, public cloud offerings maximize the economies of scale that supply the cost advantages of cloud solutions, and can potentially create exposures and a lack of transparency regarding data location and control.
Private clouds represent an effort to avoid the latter issues through dedicated cloud resources. While they can be provided by third parties (or maintained internally), private clouds are distinguished in that the servers involved are only used to support a single organization. This helps maintain the control over the network. In addition, hybrid clouds offer a middle ground to segregate data between private and public clouds as appropriate.
Typically, legal cloud providers are public cloud providers, with private and hybrid offerings generally offered by core IT infrastructure vendors, such as IBM, HP, VMware, and others. The leading voice for private clouds in the legal technology space has been Abacus Law. While its roots lie in practice management, Abacus Law has recently made strides as a hosted legal infrastructure provider through its Abacus Private Cloud environments. The provider takes an agnostic approach to its private cloud offerings that do not tie customers to its practice management solutions, or any sort of solution. In fact, the company has indicated its willingness to run other vendors’ solutions within its environments, effectively adding an extra layer of assurance for cloud offerings and flexibility for other applications.
Private clouds reduce some risk of public clouds, but are not a panacea. In particular, they do not necessarily alleviate the need to perform complete due diligence. Firms still need to understand the security related to servers and data transfer, particularly with respect to hosted solutions. Private clouds also do not protect the end access points of the solution.
A third approach taken by vendors is to maintain flexibility in deployment, offering customers the ability to select cloud or on-premises options, rather than force them to use a particular offering. Generally speaking, these efforts are dictated by a desire to maintain flexibility to meet varying customer need. As such, in some part, they function as accommodations to cloud anxieties. Prominent examples of this strategy include Microsoft’s Matter Center for Office 365 and Amicus Attorney, both of whom have stressed the flexibility to offer public cloud, hybrid cloud, and on-premises offerings. Ediscovery vendors, who frequently encounter tensions between data storage, multi-party access, and high privacy sensitivity, have been particularly open to maintaining the flexibility of deployment options. To this end, Guidance Software, kCura, Recommind, Kroll Ontrack, and LexisNexis Concordance (to name a just a few) all offer options for hosted and on-premises solutions.
Ultimately for the vendors, this approach is about preserving opportunities by adapting to end-user comfort levels. For end users, it’s about obtaining the desired software capabilities with the flexibility to select or avoid the risks of cloud deployment. However, while this approach offers multiple paths, it does not necessarily answer questions about the vendor’s cloud solutions. In other words, while vendors falling into this category can often respond to end user preferences for deployment, firms selecting cloud options will still need to perform full due diligence regarding the solution.
Securing Access and Collaboration
The final category we’ll consider is primarily about securing the access points we mentioned above as much as anything else. If the other categories described largely related to differentiating solutions through reassuring firms about server and data transfer security, this category is about mitigating the risks associated with the expanded accessibility of cloud offerings. In other words, we’re discussing approaches intended to neutralize access-point risks.
Because this is a by-product risk of the legal cloud, rather than a barrier to adoption, this area has not received the same amount of focus as the approaches mentioned above. That said, a few players have sought ways to combat these issues, primarily by partnership with providers focused on supporting mobile environments. The primary strategy in this context has been to supply enterprise mobile management (EMM) or mobile data management (MDM) providers with expertise in supporting the distribution and control of data across large and diverse sets of device users. Leaders in this area include LexisNexis for its integration of Firm Manager with WatchDox, and kCura for its integration of Relativity Binders with MobileIron. Generally speaking, these integrations focus on combatting end-user risk by providing the capability to monitor, manage, and eliminate cloud access and data use on individual devices.
While the opportunities created by these integrations largely turn on the use of a particular legal function-oriented vendor (typically practice management), other vendors have focused on this particular need. To this end, EMM vendor AirWatch has sought to provide device and mobile content management capabilities independent of other solutions. Similarly, Box has focused on providing similar capabilities for managing and monitoring access to file permissions, access, and use from its storage environments. Microsoft’s Matter Center product responds to these concerns by keeping all data within cloud environments, eliminating local data exposures.
By and large, major movements in this area relate to either dedicated offerings, or integrations involving cross-enterprise providers tailored within the legal space. That does not mean that other options are not available. In particular, the last year has seen the entrance of TitanFile. TitanFile stands out as a provider focused on offering a secure collaboration platform for the legal space, without tying users to a particular data or document management environment. Rather, TitanFile encrypts files at the end-user source and serves as a content management and secure collaboration layer for attorney and client communications and document sharing.
Determining the Fit to Your Organization
Given the variety of paths that vendors take across these needs, it can be difficult for firms to compare providers to determine exactly what they need. In practice, this reinforces the need for self-education on the part of firms regarding the mechanics of the legal cloud. At the same time, it points to the need for a dedicated data security standard within the legal industry. The closest we currently come is ILTA’s LawSec efforts to disseminate ISO 27000 within the legal industry. While ISO 27000 is a prominent and well-regarded standard, it is not tailored to the legal sector.
There is a significant opportunity here for solution providers, firms, state bars, and professional associations to come together to develop a meaningful set of requirements and certifications for the industry. Even if it’s just an application of ISO 27000, the creation of industry-specific standards will go a long way to facilitate law firms’ understanding (and likely adoption) of security practices as well as help navigate a path through the extreme responses to the legal cloud.