Cloud computing: What firms need to know
Firms can benefit from the cost savings, workplace efficiencies, and security advantages of cloud technology, but cloud providers must have robust compliance and cybersecurity processes in place, advises Neal Suggs
If you counsel businesses, chances are most of your clients are either already using cloud technology or trying to figure out how they can take the plunge and start using it to further their business objectives.
This technological shift to the cloud is having a significant impact on legal practices. In an era of cyber threats and a complex web of legal obligations for protecting privacy, clients need help assessing risks and ensuring compliance. They must weigh data protection authorities, Safe Harbour privacy frameworks, cybersecurity, and the jurisdictional limits of law enforcement requests for data among a myriad of other issues as they consider the move to the cloud.
One vertical that lags behind in moving to the cloud, however, is the legal profession. Given our roles and responsibilities (professional as well as legal), it's particularly important to ensure the right diligence. For lawyers, who are constantly on the move and working with numerous clients, the cloud can bring enormous efficiencies. Using any device, anywhere, with internet access allows you to reach your most important data whenever you need it. So the question is not whether the cloud can benefit you, but how a lawyer or firm can move into the cloud and how you know you can trust it.
What is the cloud?
A quick search turns up almost as many definitions as vendors offering cloud services, but, at its core, 'the cloud' refers to computing and storage that is delivered over the internet, rather than on locally used machines. However, the cloud can go way beyond this to describe an approach to computer program architecture and design. It is not simply putting up a copy of Microsoft Word on a server and letting people access it over the internet. Cloud computing enables new features, such as real-time document collaboration and robust ediscovery tools, which were not possible in the client-server model. Cloud computing allows for a resource efficiency not seen with client-server technology.
For businesses, the rise of hyperscale cloud providers like Microsoft, Amazon, and Google also increases cost savings. These vendors can operate enormous server farms (often several floors within the footprint of a football pitch) efficiently and more cost effectively than even the largest customers can on their own. Combined with a constant update and patching capability to tackle the newest and most invasive security threats, many customers - even the world's largest banks - are recognising that cloud computing can offer cost savings, workplace efficiencies, and security advantages that in-house capabilities just can't match.
Is cloud computing right for everything?
Obviously, no technology or tool is right for every situation. Law firms may need to consider whether they, like certain other professional services firms, have existing commitments with large corporate clients to only use technical systems that are owned and controlled by the firm for any work performed for the client's benefit.
If subject to such a restriction, you may either have to get client permission to use a cloud provider like Microsoft, or consider other solutions, such as a private cloud with a smaller partner designed solely for your use or deploying a cloud environment on your own equipment.
But it is the rare business scenario that can't benefit from some form of cloud technology. Small businesses have been some of the earliest adopters of the technology. In fact, the cloud can level the playing field for small business owners, allowing them to consume what they want for a lower up-front cost and then add resources as they grow and need them. Large enterprises increasingly realise that cloud technologies can give them a competitive advantage as well. The trick is to determine the best use of the cloud in your environment and work with a cloud provider that offers flexible solutions to meet your needs. As cloud technology and investments have evolved, you have more choices than ever for designing a solution that meets a company's unique needs.
Interestingly, the UK government is defining an approach that more customers should consider. Aside from describing the scenarios that make sense for cloud usage, the UK has taken the next step of classifying data into different buckets to better understand the actual and perceived risks and needs regarding where the data should sit: in the cloud, in country, or on government-owned or controlled architecture. This makes it possible to more quickly identify the right technology for each scenario. How data is classified will vary from customer to customer, but going through the classification process actually speeds up decision making on the best solutions for your specific scenario.
Which vendor should I use?
Once you have determined that a cloud solution makes sense and where it might fit your organisation's technology needs, you need to
find a vendor. It's a simple formula, really: it all comes down to trust. Having a trusted cloud partner is vital, particularly for law firms, which themselves have a trusted and confidential relationship with their clients. Microsoft focuses on four areas that customers demand before
they can comfortably move into the cloud: compliance, privacy, security, and transparency.
- Compliance: In today's complex regulatory environment for data privacy, you should be seeking compliance controls designed to operate effectively with stringent safeguards. It is not enough just for a cloud provider to comply with applicable regulations: it must engineer cloud solutions to enable customers to meet their regulatory obligations, too. Microsoft helps enable that compliance by adhering to international standards, certifications, and applicable regulatory requirements, and routinely undergoes independent audits to certify that its cloud solutions are compliant. Further, it's important to remember that it's one thing to comply with today's regulation; it's another to adapt to evolving regulatory environments and even to work to shape the law. Microsoft is doing both to help customers stay continuously compliant in an ever-evolving regulatory landscape;
- Privacy and control: Customers are understandably concerned with losing a degree of control over their data as they transition from an on-premise solution to the cloud. One consideration is the amount of control you have over the privacy of and access to your data. Another consideration is whether your data remains your property, even as you put it into the cloud. Microsoft's enterprise cloud services operate on the principles that you own your data and you are in control of it. As a result, Microsoft does not use customers' data for advertising or commercial purposes, customers are able to delete their data or take it with them should they leave the company's services, and customer information is not disclosed outside Microsoft, except with their consent or when required by law. Customers have the choice to store their data in a region close to them, including in a new UK data centre that is coming soon. In other words, Microsoft treats your data like it's yours. These promises are backed up in writing by Microsoft's contractual commitments, as well as by compliance with EU Model Clauses and alignment with the first international standard that governs how personal information in processed and protected: ISO/IEC 27018;
- Security: Microsoft employs state-of-the-industry security technology and processes, including encrypting data transferred between its data centres, and physical security measures designed to protect against unauthorised data centre access and access to data generally. Microsoft has also developed, through its Digital Crimes Unit, the Microsoft Cybercrime Center, a unit completely focused on stamping out criminal activity targeting customer data, whether on Microsoft’s systems or customers’ devices. Using the Azure cloud-computing platform and its big data analysis capability, as well as working with law enforcement and courts around the world, Microsoft is able to take control of criminal server farms designed to deliver malware to users that would otherwise steal data. From control of these servers, it is then able to partner with internet service providers and customers to identify potential threats behind their firewalls; and
- Transparency: In order to truly control your customer data in the cloud, you need to understand as much as possible about how that data is handled. There should be clearly stated and readily available policies and procedures so you know where your customer data is stored and how it is secured, as well as who can access it and under what circumstances. For Microsoft, these details are part of the cloud contracts, backed up by third-party audit reports and certifications verifying that it meets the standards it sets.
A law firm, like any business, can benefit from
the scalability, efficiencies, and innovative nature of cloud computing. Today there are a range of solutions available that are flexible enough to meet the unique needs of any business. When choosing a provider or counselling your clients, you can reduce risk by ensuring cloud providers keep information secure, private, under
your control, and in compliance with tough international standards. It's time for our profession to join the growing ranks of business customers that are making cloud computing
work for them. SJ
Neal Suggs is vice president and associate general counsel for Microsoft’s Worldwide Sales Group