Practicing Law on the Road: The Role of the Cloud and the Emergence of the Virtual Law Firm

Even as recently as the early 2000’s, the idea of achieving full in-office productivity while traveling on the road seemed difficult to imagine. The laptop, smartphone, cloud infrastructure, and internet access technologies of the day simply weren’t capable or ubiquitous enough to match in-office facilities and resources. But fast forward to 2010, and these ingredients have evolved and shifted significantly.

Firms like Heritage Law are predicated on the reality that any lawyer or staff member can work effectively from practically any remote office on a full time basis with nothing more than a Voice Over IP (VoIP) telephone, a broadband internet connection, a netbook grade PC, and combined printer/scanner. In this game changing model, each user is remotely served by the same set of highly integrated applications from their own personal Microsoft Windows desktop. These virtual desktops are hosted on servers in a centrally located, private and secure cloud. The private cloud is 100% firm owned and operated and is connected to the internet over a high speed dedicated line.

On the Road in the Virtual Firm

In a virtual firm, the requirements necessary to maximize productivity as a ‘traveling lawyer’ shrink dramatically when compared to the traditional IT deployment model, which requires the installation, periodic rebuilding and maintenance of every core application on both individual PCs and separate laptops for out-of-office travel. In the hosted or Desktop as a Service (Daas) model, the requirements for nomadic access from the road reduce to:

1. A sub $300 netbook PC running a basic installation of Windows from vendors such as Acer, Asus, Dell, or HP; depending on preference and budget, this “thin client” PC could be more capable with a larger screen, or even an Apple Macbook running a Terminal Services client, the key point being that compute requirements on the client side are minimal and therefore the required hardware cost very low;

2. A smartphone such as an iPhone, Blackberry, or Google Nexus One with 3G broadband wireless data connectivity and an unlimited data plan:
– The phone tethers to the netbook to enable broadband data access from practically anywhere with 3G wireless coverage, and delivers sufficient downstream bandwidth for hosted desktop access even where only 2.5G (EDGE equivalent) data coverage is available;
– All calls from the VoIP telephone back in the office are set to simultaneously ring this phone to ensure a single number dialing; and
– This phone serves as the primary telephony device for outbound calls.

If physical paper document scanning is absolutely required, a portable scanner like the Pentax DS Mobile 600, or Xerox Travel Scanner 100 suffice to generate PDF files from relatively small multi-page paper documents collected in the field. Effective portable document printing is somewhat more difficult to realize, and is impractical if volumes are high. Depending on the resources at hand, the best option is probably to bulk together multiple print jobs and leverage the use of a nearby business center or shared guest office printer. Portable battery powered printers from vendors like Cannon are available when document length is small and total portability critical.

The Virtual Desktop – A Single Integrated Productivity Suite in the Cloud

Virtual desktops in the private Heritage cloud consist of a highly integrated collection of document management, practice management, and collaboration applications. The Microsoft Office Suite is standard for working with Microsoft Word documents, Excel spreadsheets, and PowerPoint presentations. We host an Exchange server for e-mail, calendaring, and contact management. Critical document management functions are provided by the Worldox GL product sold by World Software. Worldox is the central repository for all firm documents, regardless of format. All documents are filed by client and matter number and fully enabled for text search. Lexis Nexus Time Matters and PCLaw are used together for practice management, contact management, scheduling, matter management, conflicts checks, accounting, and several other core functions. Time Matters connects with Outlook to support full bidirectioal contact and calendar synchronization. Together, Time Matters and PCLaw also integrate with Worldox to ensure that all client matter information is unified under a single matter reference system. HotDocs (formerly a Lexis Nexus product, recently sold to Capsoft) is used for document automation and assembly, and greatly enhances the productivity in our estate planning practice, in particular.

When accessing the virtual desktop as a traveling lawyer, a typical working session might last anywhere from a few minutes to a few hours or even a whole working day. The venue could equally be a coffee shop, a commuter train in a well served 3G broadband corridor, an airport, or even in a doctor’s office waiting room. The goal is to enable productivity equal to that which is realizable when sitting at a desk in the home office.

The Role of the Smartphone

Beyond the nomadic scenario discussed thus far, where the assumption is that working sessions last at least a few minutes, there are many occasions when the task at hand is short or the situation simply doesn’t warrant powering up the laptop and tethering the smartphone to establish the broadband connection. When time is short and convenience paramount, the smartphone is the ultimate tool. At Heritage Law, we have no strict smartphone requirement; some lawyers use the RIM Blackberry, and others the Apple iPhone. We have not yet tested the Google Nexus One, as it remains unavailable in Canada at this time. Ideal basic requirements include:
1) Full bidirectional contact and calendar synchronization with the Microsoft Exchange server; and
2) A rich e-mail experience with full universal keyword search and the ability to open and view all standard Microsoft Office attachments and Adobe Acrobat PDF documents.

The iPhone works particularly well in the Heritage infrastructure because we’ve standardized on Microsoft Exchange, and the device includes full Exchange ActiveSync for live push calendar, contact, and e-mail synchronization without the need for the separate BES infrastructure required to accomplish the same thing with Blackberry devices. With the voice activation features on the new 3GS model, dialing client numbers from the road is as straightforward as pressing the headset button and speaking the client name. The iPhone also includes native support for all of the standard Microsoft Office file formats, including Word, Excel, PowerPoint, and the popular Adobe Acrobat PDF document format. And when full hosted desktop access is required for system Administrators and power users, an Application called WinAdmin (available for download through the App Store) provides an excellent solution that works very well with the iPhone multitouch interface. Another time saver is the TomTom application, which turns the iPhone into a GPS navigation system that’s equally as capable as a dedicated GPS navigation unit. The navigation app will guide you to client meetings in even the most remote corners of town with just a few touches of the screen, and is fully integrated with the phone contact database, which remains constantly synchronized with Exchange.

Some will continue to bemoan the lack of a physical keyboard on the iPhone as compared to all Blackberry models (with the exception of the Storm). We agree to a point, but believe that text entry is much improved with the 3.1 software, particularly after a bit of practice on the snappy 3GS when used in the landscape (wide) orientation.


Security rightfully gets a lot of play in the context of remote access, particularly in the legal IT community. In this regard, the hosted desktop model comes out ahead on a number fronts. Because no firm or client data is stored locally on the PC used to access the hosted desktop, security requirements reduce to ensuring that the connection between the server and the access PC benefit from strong encryption. The RDP protocol used by Microsoft Terminal Services for remote desktop access uses the 128-bit RC4 encryption algorithm, the same algorithm used by SSL for HTTPS and WEP for wireless (without suffering from the same vulnerabilities well documented in the case of WEP). Of course, data center security must be considered along with strict secure password policies on the server side.

Consider that without full hard disk encryption, laptops in the traditional IT deployment model pose a significant risk when lost or stolen, because firm data is available to the thief indefinitely. Further, no work is possible the moment the laptop is lost, stolen, or breaks. Compare those limitations to the hosted desktop model, where a new generic laptop can be purchased on the road or shipped overnight from the head office without requiring any configuration.

In the case of the smartphone, the risk of theft or loss are higher because the device downloads contacts, e-mail, and other firm data. This vulnerability has been discussed extensively in the industry press, with some articles targeting the iPhone in particular. With the 3GS and software release 3.0, these concerns have largely been addressed; the device now leverages hardware accelerated 256-bit AES encryption to secure all phone data on the fly, and completes a remote wipe command issued from the Exchange Server instantaneously. Server side ActiveSync polices should be configured to enforce the use of a non-trivial password on the iPhone, preventing thieves from gaining access to any data should the device end up stolen.

Working “Offline”

One of the admitted limitations of the hosted desktop IT model in the virtual firm is the strict requirement for high speed broadband internet access at all times. In spite of the fact 2.5 and 3G wireless data coverage is now approaching 90% in some countries, there are still some places out of reach. While some will argue that no access is a sign you should simply pack up the laptop and catch up with your reading on Amazon’s kindle, the Sony Reader, or the Barnes and Noble Nook (the electronic book is another great device for the mobile lawyer), there are others who demand the ability to get work done from places like an airplane on a cross country flight. Although not currently deployed in the Heritage infrastructure, there are VDI (virtual desktop infrastructure) technologies available which allow lawyers to take whole copies of their hosted desktops offline. Those desktop copies are then available on the laptop for a working session, and then automatically resynchronized with the centrally hosted desktop once the laptop is reconnected to broadband. If a basic review of e-mail is all that is required while flying, the smartphone is always a viable option.

The Role of Browser Based SaaS Solutions

Some would argue that emerging browser based SaaS offerings such as Clio from the Canadian company Themis Solutions offer the same benefits to the traveling lawyer as the ‘heavier’ DaaS (hosted desktop) architecture described in this paper. SaaS based offerings certainly come with some benefits – such as access from literally any browser and cost effective monthly subscriptions – however there are several limitations. One is that, in spite of significant continuous innovation in browser technologies, they simply are not yet able to faithfully reproduce the full desktop experience. Another is that offerings from several vendors must be combined to deliver all of the elements required to enable a typical lawyer; one SaaS application for practice management, a potentially separate application for hosted e-mail, and others for various specialized functions. The moment more than one SaaS application is required, data sharing between them becomes challenging. So do managing multiple user accounts and login credentials. Solutions are emerging to address these challenges and enable the seamless integration of SaaS offerings from multiple complementary vendors, but are still a long way from the level of maturity required to match established desktop offerings.

The most effective way to leverage SaaS offerings in the hosted desktop model is to access them from a web browser running on the hosted desktop itself. This offers the best of both worlds, combining the integration and maturity of the standard desktop with the best browser based SaaS applications.


Whether lawyers and staff are working from their home offices or a small coffee shop on the road, cloud hosted virtual desktops enable the full productivity experience from practically any PC connected over broadband. The proliferation of 3G grade wireless data access makes access possible from almost anywhere. Security, IT management burden, and consistency of experience all benefit in the model. Together with a smartphone for e-mail, calendaring, contact management, document review, and telephony, the combination is difficult to match – even when compared with emerging browser based SaaS offerings, which can be always be accessed through a browser on the hosted desktop as required.


  1. Good article highlighting the idea of working remotely and using ‘the cloud’, specifically virtual desktops. Especially when it comes to law firms where traditionally change is slower than some other technological industries.

    I do think that the security aspect is being downplayed when it comes to cloud computing, laptop security, and pda security.

    Cloud computing brings with it many new security issues that law firms will have to address. You indicated a ‘private’ cloud, an option being considered by many lately. While it offers the benefit of 100% control, it also offers the increased security risk. Do you have a security team that can keep up with all the latest security risks in the cloud at the same level as Amazon or Google? Most likely not, in which case one can argue that using Google or Amazon from a security perspective is a better choice.

    Private cloud maintenance is another issue. Cloud computing is a ‘new’ technology (for purposes of this entry), does your law firm have the resources to pay to keep the cloud active and up-to-date? Again you are competing with the likes of Amazon and Google in this area.

    With a laptop and your data on a private cloud, encryption and laptop security is not necessary. Yet if I was a person interested in obtaining information about a particular case, installation of a trojan that lets me capture keystrokes, screen shots would be all that is needed and there are many of those around today. Why attack Google or Amazons security, when chances are the laptop of the end user is the weakest link and will get me what I am interested in?

    When you mention PDA security, you explain using security policy enforcement on iPhones and Blackberries. Currently the iPhone has very limited security. The password is easily bypassed and doing so is readily available on the Internet. Forensic imaging of the Iphone is easily done as well for later analysis. While the Blackberry currently offers a much more robust security and management architecture, wiping of the password remotely assumes the Blackberry is accessible even if stolen. If one is serious about obtaining data, simple use of a faraday bag, signal jammer, or going underground will neutralize any remote access attempt.

    Security is risk assessment and needs to be decided by all firms as they decide and migrate to the cloud, remote access etc. It is important that you properly consult with security experts that can assist you to minimize your exposure and point out where you will be exposed in your new solutions. In this way, you can consciously manage the risk.

  2. SaaS management systems for law firms are close to eliminating the need for any desktop solution at all. You mentioned non-integration of email into some SaaS products as a drawback. What about Gmail (SaaS)? It isn’t difficult to manage your practice in a SaaS environment like GoMatters or Clio and simply open another tab in your browser for your email or open your documents in Google Docs.

    To log back into the office on a remote desktop to manage things is not “the cloud”. Remote desktops are just that, your desktop and not the cloud. The fact you can access it over the internet doesn’t mean you’re using the cloud.

  3. Jason,

    So far as multiple SaaS application integration is concerned, the issue is not one of access — no question this is solved through any multi-tab browser as you rightly point out — but rather data and document sharing among them, as well as unified authentication. As mentioned, SaaS applications have the potential to add tremendous value and are can certainly still serve as part of a total solution in the hosted desktop model.

    With respect to what exactly constitutes “the cloud” – noting that it is an evolving concept and a topic of current debate.

  4. In addition to solutions like Clio, Time59 ( is a lower cost SaaS option that manages time and billing.

  5. We see a need for both DaaS and SaaS. While Google Apps hosts our email, calendaring and working documents, Some of our legacy software will only run on a Windows desktop OS. Concordance for example. What we have done is custom built a Linux live CD/USB that will boot from any computer. The OS is customized to start in 10 seconds and allows the user to access SaaS and DaaS (Virtuozzo VDI) services w/o configuration, just a pass key/login. Nothing is stored on the device and the memory is dumped on shutdown so there is no security risk of loss or theft. The Google Apps SaaS has an \Off line\ mode for non service areas. We also have a product from that allows DaaS access in a normal web browser window. While security should always be on your IT team’s minds, the risk of having data on a portable device is far greater than securing cloud services.

  6. @james
    “While security should always be on your IT team’s minds, the risk of having data on a portable device is far greater than securing cloud services.”

    That is not necessarily true and more a subjective than objective statement. There are laptop configurations where getting the data off that device would be a lot more difficult than from a cloud service. It really depends on how you manage your devices, and the security of the cloud service provider. All of which should be assessed by competent and qualified security teams.