5 Questions Every Law Firm Should Ask About Cloud Security and Control

Kenneth Johnson / February 19, 2015

Many law firms that I encounter would love to be enjoying the benefits of cloud computing but are unable to do so, not for technical reasons but for political ones. Every firm includes members for whom the idea of being able to touch a physical machine in a room where their data are stored somehow gives comfort. This is certainly the false comfort enjoyed by the care-free swimmers in shark movies, but lack of clarity about how to assure themselves of security coupled with perceived loss of control in the cloud paralyzes them and prevents their firms from enjoying the dramatic benefits of cloud, which should include, first and foremost, security and control of the firm’s data.

If you find yourself in this camp, this article is for you. This article is about how to assess the level of security and control a cloud provider is able to offer you with respect to your clients’ data.

1. What security standard certifications are supported by my cloud provider?

Because cloud Infrastructure as a Service requires geographic redundancy and scale, these services are delivered across vast global footprints comprising hundreds of datacenters. It is not feasible for every customer to go and inspect the security procedures at every data center. When you think about it, it would also be highly undesirable for the locations of datacenters to be disclosed to anyone who wished to visit, much less for access to the data centers to be granted to such visitors.

This is why independent security auditors are so important. As industry best practices change, these auditing standards change to meet new and unforeseen threats. Independently established standards inspected by independent professional auditors should give you far more comfort than your own ability to inspect a data center or physically touch a server.

What are the standards you should ask for? Well, to a degree, it depends on your specific needs, the types of data you store, and the industries you serve. Do you store Personally Identifiable Information (PII) or Personal Healthcare Information (PHI)? Then you should really be concerned about HIPAA. ISO 9001 and 27001 as well as SOC 1-3 are also very rigorous general standards. Below is a representative list:

Before entrusting your data and mission critical applications to any provider, understand whether they support ALL of the certifications that are important not only to you but to your clients. Once you establish that your provider supports the standard, ask for the most recent audit reports. Once you have seen the reports, give up your need to see the data center to feel good about security.

2. Can I control the geographic location of my data?

For many firms operating globally, the need to control the location of data is paramount. Requirements vary from jurisdiction to jurisdiction, but many will not allow client data to be stored outside of the jurisdiction. And even for firms operating only in a single jurisdiction, clients often become nervous at the possibility of their data being moved offshore. Cloud providers are architected differently, and most do not have the ability to guarantee that your data will remain in a geographic region that you specify. Understand the infrastructure and storage products of your provider. Which storage products operate beyond the limits of a region? How can you ensure that your data will stay where you want it to reside? And don’t forget your email data. If you use a hosted email service, the need to specify the location of your data applies there as well.

3. Does my provider support encryption of data at rest and in transit?

In this age of state-sponsored cyberattacks, hackers no longer move on at the first sign of difficulty to an easier target. State-sponsored hackers persist until their missions are accomplished. It is more important than ever that data be encrypted.

In-transit encryption means using HTTPS, FTPS, SFTP or some such protocol when moving data over the public internet, establishing IPSec tunnels when possible or avoiding internet routing altogether with a direct connection to your cloud resources. This last option has the added benefit of dramatically increasing performance. Understand which of these in-transit encryption options are supported by your vendor.

Equally important is encryption at rest. Find out what the encryption at rest capabilities are of your provider and whether performance is impacted by the supported encryption methods. The gold standard would be that the vendor let YOU determine the encryption method, but you may be comfortable with your vendor’s proprietary encryption method. The main thing is ENCRYPT!

4. Can I control my encryption keys?

Wise firms rightfully consider the possibility of a cloud provider being compelled by a court or other government authority to turn over the firm’s data to a third party without the firm’s consent. This could be disastrous for the firm and its clients. The cloud providers historically will vigorously resist such a demand, but the way to ensure against it is to maintain control of the keys used to encrypt your data on the platform. In this way, the provider is unable to comply with the demand, and the firm has the ability to contest. Today, the most mature platform in this regard is Amazon Web Services, which supports encryption with 3 different levels of client control.

5. What is my provider’s uptime record in the previous year?

So your data is secure and protected. Congratulations, but that does you little good if it is not always available to you. The first thing to remember is that the worst uptime record of any provider is likely better than your current on-premises or collocated infrastructure’s uptime record, so assuming that your IT group tracks such statistics (most don’t), take a look at your own record first as a point of comparison. The second thing to remember about uptime is that there are two parts of the equation. The first is the uptime of the base infrastructure that the provider maintains, and the second is the toolset that the provider gives you to architect for high availability and fault tolerance assuming failures. Cloud Harmony publishes great data on every cloud provider that they track independently. Their data, though accurate, pertains to the first part of the equation. The toolset is perhaps more important than the base uptime. See my post for Cloud Harmony data and a discussion of uptime.

Finally, once you have selected the best cloud provider based on your security and uptime requirements, it is critical that a firm fully appreciate the “shared responsibility” model of cloud security. This video by Amazon Web Services gives a very good summary of the concept. Essentially, shared responsibility refers to the fact that a cloud IaaS provider is responsible for the security of the base infrastructure, while you maintain control and responsibility for the security of the operating system and application as well as the security configuration that you put in place utilizing the platform tools such as security groups, subnets, VPCs etc. This underscores the need for a competent and experienced cloud partner to navigate the waters for you. It is critical to find a partner with the attitude toward security that is compatible with your requirements and the expertise to ensure your requirements are met. In addition, an experienced partner has the architecture expertise to take full advantage of the high-availability tool set that your partner provides so that your firm can realize all of the benefits that your prudence has afforded you.

Blue Sentry is an advanced-tier Amazon Web Services (AWS) consulting partner specializing in application and data migrations, expert managed services and virtual desktops for law firms and health care firms. Blue Sentry serves clients globally, with operations in North Carolina and South Carolina.