What law firms need to know about cloud cyber security
The cloud is a fundamental technology solution option that truly solves all kinds of law firm business and legal IT challenges including innovation, security, governance and global availability, writes Alvin Tedjamulia.
Modern law firms want the efficiency, the security and the global access of the cloud, while satisfying the security demands of their clients.
Recent high-profile data breaches of internal IT systems at major international firms are causing clients to increase the scrutiny of their outside counsels’ cybersecurity efforts.
Now, more than ever, it’s essential to ensure law firms are doing everything they can to safeguard their clients’ data against ever-evolving threats.
At times, this seems like it might require a PHD in security and data governance … a role even a law firm chief information security officer is not singularly equipped to take on.
Rather than trying to address today’s increasingly demanding security requirements all on their own using traditional systems and means, law firms and corporate legal departments are increasingly looking to trusted cloud-based solutions that have been purpose-built to safeguard client data. A 2015 Cloud Security Alliance (CSA) survey of 200 IT and security professionals revealed that “64.9 per cent of IT trusts the cloud as much or more than on-premises.”
The recent 2015 ILTA Technology Survey further underscores this trend, stating that only 4 per cent of law firm respondents cited “cloud apps/data security” as a major security challenge compared to the broader concern of “balancing security with usability.”
In 2017, modern cloud solutions provide world-class levels of security and data privacy, including encryption at rest with the strongest levels of cryptography, Hardware Security Modules (HSMs) for the protection of cypher keys, unique encryption keys per document, customer custody over encryption keys, best-in-class perimeter defense, and denial of service prevention, just to name a few.
Law firms large and small can leverage cloud-based security to protect themselves from future data breaches and safeguard their client data. Here’s a “short list” of essential cloud security realities and benefits every firm should take to heart:
Encryption at rest … Accounting for the essentials
Knowing where firm documents and especially firm client documents reside, and who can access them, are seemingly a basic security necessity.
When the data stored in a DMS is not encrypted, law firms are effectively commingling sensitive data from all their different clients in one big unencrypted library, and also exposing sensitive data in “clear text” to potential external and internal hackers, including system administrators.
Surprisingly, many law firms today still have not implemented basic encryption at rest with their traditional DMS due to cost, complexity, and lack of native support for encryption at rest in traditional systems. Thus, encryption at rest has become a baseline standard to protect against unauthorized access to sensitive information. M
odern cloud platforms can automatically encrypt all data at rest, with the encryption keys securely managed, processed, and stored inside hardened, tamper-resistant Hardware Security Modules (HSMs).
Unique file encryption … The next frontier
While ensuring that client data in the DMS is encrypted at rest is extremely important, equally important is how that data is encrypted.
If a single cryptographic key is used for all data stored in a DMS, a hack of that single key could expose the sensitive data for all of a firm’s clients. Cloud platforms can provide a separate and unique encryption key for each document.
Under this model, in the unlikely event of an encryption key being compromised, only a single document would be exposed, as opposed to all of a firm’s client data.
The latest cloud solutions also enable companies to maintain custody over matter or workspace encryption keys, giving law firms the ability to completely revoke the cloud service provider’s access to data at any time. Hardware Security Modules (HSMs) for the protection of cypher keys, unique encryption keys per document, customer custody over encryption keys, best-in-class perimeter defense, and denial of service prevention, just to name a few.
Leverage ‘built-in’ security and compliance
It is increasingly not enough to simply host traditional systems in third-party datacentres that have obtained security certifications.
In a native cloud environment, the actual software platform itself, as well as the internal operations of the vendor delivering the infrastructure, is able to achieve the highest levels of built-in compliance and security. In this manner, law firms can “inherit” the levels of security and compliance that will give clients peace of mind and help fulfill the most stringent security audit requests.
Hybrid cloud solutions: A viable security and compliance option
While most experts agree that modern cloud platforms provide higher levels of security and compliance than individual law firms can offer, there are still certain client-driven requirements that will require locally stored data for data sovereignty and client information governance reasons.
In this case, applications such as a firm’s DMS can still be delivered via the cloud, but designated data storage may remain locally within a firm’s specified location(s). To ensure a seamless experience for end users, it’s essential that the storage location (cloud or on-premises) be configurable on individual clients/matters all within a single repository or library.
Built-in advanced security protections for end users and devices
Modern cloud platforms can not only improve the safeguarding of client data from a back-end standpoint, but also from the front-end/end user standpoint through enforcement of: 1) strong passwords through federated identity integration; 2) two-factor authentication at all times and on all devices; 3) restricted access based on devices and IP addresses; 4) validated audit trails and history logs; and 5) access control restrictions for externalising or e-mailing specific documents.
If built into cloud solutions, these end-user and device security controls ensure comprehensive but seamless security.
Law firms of all shapes and sizes are moving to the cloud at an unprecedented rate to improve security and compliance.
The pace of innovation in the cloud is many times faster than a hosted or an on-premises implementation.
Modern cloud platforms have been purpose-built to safeguard data and, coupled with proper internal training and controls, provide a robust “Security as a Service” solution for client data. This unique value proposition will increasingly be a key driver as law firms look to increase competitiveness and enhance their value to clients.
The inevitability of the cloud is here as on-premises and hosted on-premises systems simply can’t keep up with native cloud security innovation.
According to IDC, growth for cloud services and related IT spending is eight times greater than the overall IT services market. The cloud question becomes not “if ” but “when” and “what goes first".
The dramatic shift and speed of innovation requires IT groups to change the way they operate, moving from a one-time technology purchase/project mentality to a service-based mindset.
However, once they do, they will inherit a world class security platform that far exceeds internal capabilities and satisfies the toughest client requirements.
Alvin Tedjamulia is NetDocuments’ CIO and an original co-founder. He frequently writes and speaks on topics of DMS security and world-class software-as-a-service and security-as-a-service delivery.