Addressing the High Cost of Cloud Computing Due Diligence

Last week I wrote on The High Cost of Cloud Computing Due Diligence, and asked readers what thoughts they had on how the burden of cloud computing due diligence could be reduced.

In his post on The Myth of Due Diligence, David Whelan questions the assumption that we should apply more strict due diligence requirements to the cloud than to traditional desktop-based software:

If due diligence is called for – and something is, whether it needs that name or not – then it should apply equally to the wireless routers, operating systems, and locally installed software within law practices. When the concept is applied only to the cloud, it creates the idea that this is somehow a new obligation and, potentially, easier to do with Internet-based systems.

Nate Russell suggests in a comment that one way of addressing the burden of due diligence would be to elevate the task of performing due diligence to a centralized authority:

One way to lessen the burden of due diligence in this context would be if a certifying authority (like a law society or professional association) did due diligence on a number of SaaS providers based on a jurisdiction’s rules or guidelines, and then certified that provider.

Would bar associations and law societies be willing to take this on? For many I imagine the potential liability ramifications would create a lot of inertia for such a project. There would have to be strong demand from the bar association’s or law society’s membership for such an undertaking to get off the ground.

Without the support of an association or other body helping create some economies of scale around the due diligence process, the simple reality is that most firms, especially solos and small firms, simply won’t undertake the onerous due diligence demands being placed on them. They will do their best to act “reasonably,” as their ethics rules dictate, but they will justifiably question whether it is reasonable to invest tens of hours in screening each and every cloud provider utilized by their law office.


  1. It seems unnecessary for bar associations to become involved in a process that already has a “centralized authority.” The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) promulgated SOC 3 SysTrust/WebTrust standards. An SOC3 certificate can provide lawyers and law firms with assurance on the Cloud vendors controls related to security, availability, processing integrity, confidentiality, and/or privacy.

  2. ” …. and/or privacy”, is it? So I may be able to have it all, but maybe not. Or do some cloud vendors offer some on the list, and some offer another combination, and the CAs and CPAs will give us their assurance that some are covered? Given my obligations under PIPEDA, I’d be inclined to hold out for “… and privacy” myself. (Fortunately the actual accountants are prepared to engage themselves more directly. Their version says “… and privacy”.)

    Has anyone relied on the CA/CPA certificate? Looked behind it? Compared it to the due diligence standards for lawyers that Jack and others have been talking about? It would be helpful to know.

    Do cloud providers actually have the Webtrust seals of approval, at any level? If not, what does that mean: supreme self-confidence? strong bargaining power? ignorance of this kind of benefit?

  3. @John – Service providers can choose which of the controls they want to be audited for, and then they pay the auditor to test their controls against the benchmarks of a SOC 2/3 and produce a report.

    So it would be prudent to actually read your cloud vendor‘s report instead of just looking at a Webtrust seal of approval as a symbol of trust or due diligence on their part to ensure they have the proper controls in place. Same goes for any other type of audit report.

    I’m not affiliated with them, but the Cloud Security Alliance has attempted to put together a Cloud Controls Matrix as a controls framework for service providers:

  4. @John G: Vendors who satisfy the standards often display the Trust Services seals because of the marketing benefits. As @Thu Pham notes, you should not assume from the fact that the vendor displays a WebTrust or SysTrust seal that they have meet the standards for every category of controls (which is why I wrote “and/or”). The SOC2 and SOC3 reports replaced SAS 70 Type II reports only in June 2011, so many Cloud vendors are only now undertaking their first audits under the new regime. SOC2 reports are intended for limited distribution, unlike the SOC3, which can be freely distributed. You should check to see the coverage in the report to ensure the controls audit actually covered privacy. You can find more information on SOC reports on the AICPA website here.

  5. Looks like I’m a little late to the picnic here, but this thread just came to my attention.
    Perhaps in addition to asking “Would bar associations and law societies be willing to take this on?” we can ask “If would-be certifying authorities could be the very same organizations which insure lawyers and administer practice standards, then why would they NOT want to contain a risk they are already exposed to as insurers?”
    If lawyers are flocking to cloud services of various kinds (and is it safe to say more and more are, some with less diligence than others?), once a lawyer (or whole firm) gets burned, it will be of little consolation to the insurer/regulator that it declined to opine on the sufficiency of the SaaS provider’s policies, etc., when there was still a chance to guide one of its insured members, from a claim. Is there really the fear that a law society would look bad if loss befell users of a cloud service it vetted? Even if the service was diligently vetted according to that law society’s own due diligence protocol?