Lock and key: Data protection and governance in the cloud

 

‘Cloud computing’ is an overhyped metaphor for shifting your law firm’s information and parts of its technology infrastructure outside of your physical control. We are finally moving towards a point where marketing blather is giving way to more precise definitions, one of the best known being from the National Institute for Standards and Technology.

Once you have stripped the marketing hyperbole from cloud computing, it has some very real benefits for law firms. The elasticity and measurability of the systems can improve the delivery of technology services to your lawyers, staff and clients. It can redeploy your resources from managing server farms to managing the information flow.

Mobile access to information can also be improved, whether as an opportunity for a more distributed workforce or merely to enable your people to get access when they need it, not just when they’re in the office or at a prescribed terminal.

However, the cloud isn’t always a good answer for the ?question you’re asking. Security and governance in the cloud present the same challenges they do within your law firm. ?Weak internal practices and governance failures will be ?duplicated and exacerbated if moved to remote services ?without an intermediate review.

Cloud basics

Your cloud provider’s offering should make you feel as if you’re standing in a rather shadowy warehouse. You can’t see the back of it – it may be infinite – but you can use as much of it as you need. You can license additional square feet as you need them, and you and your provider can both see how much you are using. Space and hardware resources in the cloud are elastic and metered.

The remoteness of these off-site resources raises concerns about securing your firm’s information as well as its governance. Information technology staff may go from managing hardware and applications directly to working through third-party providers, extending the notion of law firm supervision of non-lawyers.

Information managers involved with governance are now working on content that may be accessible in ways that are new and more distributed. Moving your information to the cloud can provide an opportunity to update your firm’s information handling practices.

It is standard for your information to be encrypted on cloud services. Similarly, the default method of transmitting and receiving data should also be encrypted. You do this when you bank online: your web browser switches the address to one beginning with ‘https’ so that you are using an encrypted connection.

Client confidential and private information should not be stored unencrypted. The point being that your data, once in the cloud, is quite secure. More secure, if you are not encrypting your data on your firm’s laptops and mobile devices.

No system is impenetrable, but your data in the cloud is probably as secure as it would be on your internal network. Your cloud service provider should be providing the same code security against attacks (like SQL injection), intrusion detection and attack defence that you have implemented internally.

Since encryption is a default in any serious cloud option, the question then becomes what that means in practice. If your firm uses consumer-oriented cloud storage services, it is likely that the file structure of your files is not secured.

Think about driving down a street in a suburb. You can’t ?see what’s in each house, but you can see what the house looks like – its street number is visible, and so on. This metadata is equivalent to your content file names if you store discrete files in the cloud. Employees of your cloud service may be able to view this information about a file, even when they can’t see the information inside.

Choosing providers

Not all cloud services are created equally. Consumer use of the cloud tends to be through software-as-a-service, which really includes providers like cloud storage services – you access software to perform a function on their servers.

Larger firms can take advantage of other models, including infrastructure-as-a-service or platform-as-a-service. These are similar to traditional third-party hosted services – you place a dedicated server in a remote location – except that those providers tend not to offer the elasticity and metering of the cloud.

A well-known example of this wider world is Amazon’s web services. It provides infrastructure support so that a firm can deploy its own cloud services and use Amazon’s cloud storage and systems. It has regional centres so that companies can ?comply with US or European regulatory requirements on systems within those zones.

Amazon’s cloud storage service, S3, offers a particular security advantage over consumer-oriented options. Instead of the cloud provider managing the encryption keys, this responsibility can be retained by your firm’s IT staff.

Your investigation into cloud services should dig into how granular the division of labour between your internal staff and your provider staff can be. The onus on lawyers to supervise non-lawyers handling confidential information may be more easily managed if your staff are able to retain oversight of the encryption roles.

Even if the cloud service you use doesn’t provide this option, there are other ways to manage cloud resources that mirror your internal controls. Again, it is important to distinguish consumer-oriented cloud options from those that are developed for businesses. In some cases, the same company provides both options, so you should not blanch at a product or solution merely because of the provider’s notoriety in the consumer market.

Dropbox and Box.com are two strong options for remote storage. They are mature cloud providers that have developed both a consumer and business line of software-as-a-service options.

Dropbox for Teams and Box for Business both provide substantially more options for companies to manage their information. Both install a small software application on your local systems and synchronise files from one local system to the cloud and, potentially, back to other local systems.

Their enterprise versions provide audit and user controls that resemble tools available on the file system within a firm. Unlike the free-for-all perception of cloud storage, administration is centralised and can be handled by the same staff who handle it now. They can create and delete user accounts, provide access to folders and files in the file storage and terminate access.

Aligning systems

As with any new system, the auditing and user management tools offered by a cloud provider may not align with your current systems. Fortunately, you can take your current practices, compare them to what’s available and find out if there are any gaps or if it’s a matter of different but equal functionality.

Cloud computing can provide a quick implementation of systems that your firm may not yet have implemented. If we return to the cloud storage example, you can search across your entire document system. If your firm does not yet have enterprise search, you may find that this is a quick win for providing both a manageable remote file system as well as the ability to search across that content.

Similarly, if your firm does not have a document management system, cloud-based file storage can provide you with version control and fast restoration of deleted files. Your current backup regimen may support this, but not in a way that your firm’s lawyers and staff can rapidly use themselves.

Access management

Governance remains a challenge, though, and audit tools are only part of the solution. One of the most significant weaknesses in cloud system use is the failure of organisations and individuals to deal with their passwords properly.

If you can find a system that integrates with your Windows Active Directory authentication, creating a virtual single sign-on, ?you should investigate it. Otherwise, your best case may be a periodic download and upload of credentials between your ?systems and the remote provider, or the creation of an entirely parallel login environment.

Password strength and change is more important in the cloud because your systems are potentially accessible by those outside your law firm. You may be able to limit access to your cloud systems from people within your firm. However, if you have mobile users, you may find that this restriction defeats some of the benefits of moving to the cloud. The obvious solution of applying a virtual private network (VPN) merely provides a slower encryption layer to the one already provided by the cloud service.

Firms that have relied on security through obscurity – where a lawyer can have the password ‘password’ for his entire career – will need to rethink their processes. This is not a technical issue so much as it can become a change management issue, as staff are using stronger passwords and changing them more frequently. The more you can use technology and primary authentications within your firm to power cloud-based authentication, the better.

Data control

Law firms can use software-as-a-service cloud providers to increase the mobility of their workforce. This increased distribution of employees and devices can raise issues of information control. User accounts can be centrally managed and authentication can be enforced with technology. Once the information leaves its home repository, the firm needs to be policing its location.

Your firm is probably already using some process or technology to check documents or other information out to smartphones, tablets and laptops. This process will need to be extended to the cloud.

We frequently don’t think about the privacy duties inherent in managing client contact data, beyond the business card elements that we carry in our phones. This is layered onto the lawyer’s duty to protect confidential information, as all businesses are required to practice personal data privacy.

Encryption should be a rule on all devices and drives departing your firm or containing information accessed from your firm’s cloud services. Many tablets and smartphones are now offering encryption capabilities. Laptops can often use their operating system’s built-in encryption or an application like Truecrypt.

Preventive measures should also be in place to remotely locate and wipe devices that are lost. Again, these are not due to cloud computing usage but become more obvious as your firm takes advantage of the mobility options it may not have had before. Using cloud computing can untether your lawyers and staff in ways that were impossible when rigid perimeter security required their access from within a physical location.

One reason that cloud computing raises the spectre of these essential security methods is that hackers have moved to the cloud as well. A recent high-profile password crack was accomplished by running the attack through a cloud-based dictionary cracking tool. Cloudcracker.com (naturally) will attempt to crack passwords, wireless network protection and document encryption for the low price of $17.

David Whelan is the legal information manager at The Law ?Society of Upper Canada (www.lsuc.com)

Endnote

1. For further information, ?see Practice Law in ?the Cloud, David P. Whelan, Canada Law Book, 2012