Last year I indicated that there were changes in Ontario which suggested that cloud computing had been implicitly authorized for lawyers. There was no other practical way to implement the new services rules under the amended Rules of Civil Procedure.
Despite these changes, there is still resistance to adopting cloud computing in practice, and sometimes with good reason. Security breaches of online databases have illustrated the enormous risk and problems created in a digital world.
The Ashley Madison hacks had many scurrying in embarrassment, and others concerned because their names had been used by the website without their permission. The process of dumping all of the information gleaned from a hack is known as organizational doxing, a concept popularized by WikiLeaks.
Hacking activities directed towards the cloud increased significantly over the past year, largely because the cloud is one of the most efficient and effective uses of hackers’ efforts. One group of researchers last year was able to hack the NSA’s website in just 8 hours using only $104.
More nefariously, North Korea is alleged to have hacked Sony after the release of a controversial film. The Pentagon indicated in the past year that it could not track which data might have been stolen from any of its cloud servers. Some high school student managed to hack the CIA director. With vulnerabilities identified in hacking vehicles and even sniper rifles, you would think 2015 would be the year to end cloud computing for lawyers.
The level of security within a cloud system is based on the engineering invested into planning and technology, and the organization’s ability to operate these systems in a secure manner. For example, the Pentagon breaches over the past 3 years occurred due to a back door identified recently.
David Linthicum of InfoWorld states,
Although you may not control the data on your premises, you still own and control the data. You may not be able to visit the data center and have lunch in the server room, but you still can control both the data and the layers of security safeguarding it. I’ve yet to see a public cloud provider that does not allow this configuration. No, your data is only as vulnerable as your security protocols, cloud or not.
Although I don’t see massive data breaches in public clouds, I see businesses use public clouds improperly. The largest threat to security is the lack of qualified cloud developers, engineers, architects, and security experts who understand how to make cloud-based systems secure.
Dumb mistakes are much more of a threat than data breaches. As more enterprise systems move to the cloud, we’re bound to see more of those mistakes.
Vendors focusing on the legal industry are obviously acutely aware of the security concerns of their customers, and usually go above and beyond to address them. Where the vulnerabilities often emerge, as with any cloud computing, is in how the cloud platform is used.
Some of the cloud computing platforms used in law allow for integration with third-party cloud services. The reason for this is that the practice management software focuses on the management: things like dockets, billing, ticklers and conflicts. Actual documents related to the file are often stored in the cloud. It’s these documents which also probably contain the most sensitive client information.
An easy solution for these potential vulnerabilities is to employ a hybrid cloud, where more sensitive information is stored locally, and the management aspects are delegated to the cloud. This is not the same as maintaining a paper-based office, the greatest motivator for many lawyers to consider the cloud.
A hybrid cloud is typically accomplished by running some form of cloud service on the private infrastructure, and not just connecting a server to a public cloud provider. This can reduce access time and latency compared to public clouds, and ensures greater business continuity. Internal IT staff have greater control of the various components of the hybrid cloud, allowing for more effective allocation of resources. Additional compute time can be provided to a litigation group currently going into trial, or a private equity work group dealing with a large M&A.
This private cloud usually benefits larger businesses because they have greater capacity for self-provisioning, automation, and the costs involved with developing an elastic computing environment with on-demand self-service. With greater technological savvy of the employees, even mid-size and small businesses can benefit from a private cloud.
Hybrid clouds are not without their own vulnerabilities. But they are successfully employed in the financial sector next to the trade floor, because the security provided by a private cloud for trading algorithms is considered superior to what could be found in the public cloud.
A hybrid cloud configuration can also employ peer-to-peer file sharing in conjunction with an existing cloud vendor for additional security. Think of the old Napster, Demonoid or BitTorrent sites that people enjoy. Instead of sharing the file with the entire Internet, the files can be tightly controlled and shared on a case-by-case basis. A local startup, MBLOK, provides end-to-end encryption for additional security. Anton Kabanov, CEO and Founder at MBLOK said, “no one should have to choose between convenience and security, and that is why we built MBLOK.”
P2P is not without its own risks around confidentiality. The controls have to be carefully customized to ensure only the intended recipients have access to the files. Again, this is an engineering issue, and not an inherent vulnerability in the technology. Proper training can ensure that these systems are employed securely. MBLOK’s peer sharing allows for the links to specific files to expire over time.
Ultimately, data is never completely secure, whether it’s in a public cloud, private cloud, stored locally on a computer, or even on paper in your drawer. Evangelists for cloud computing in law like myself are not necessarily being dismissive of the security concerns; we’re simply pointing out there are possible solutions for these risks.
I anticipate more sophisticated forms of hybrid clouds will be employed by law firms over the next year, as the security and customization of various components will be robust enough to satisfy most of these concerns. Customization of control, not blanket consternation, is what is needed here. Security does not have to be a choice at the expense of efficiency and convenience, and that will be the cloud of the future.