The Year of the Hybrid Cloud

Last year I indicated that there were changes in Ontario which suggested that cloud computing had been implicitly authorized for lawyers. There was no other practical way to implement the new services rules under the amended Rules of Civil Procedure.

Despite these changes, there is still resistance to adopting cloud computing in practice, and sometimes with good reason. Security breaches of online databases have illustrated the enormous risk and problems created in a digital world.

The Ashley Madison hacks had many scurrying in embarrassment, and others concerned because their names had been used by the website without their permission. The process of dumping all of the information gleaned from a hack is known as organizational doxing, a concept popularized by Wikileaks.

Hacking activities directed towards the cloud increased significantly over the past year, largely because it is one of the most efficient and effective uses of their efforts. One group of researchers last year were able to hack the NSA’s website in just 8 hours using only $104.

More nefariously, North Korea is alleged to have hacked Sony after the the release of a controversial film. The Pentagon indicated the past year they could not track which data might have been stolen from any of their cloud servers. Some high school student managed to hack the CIA director. With vulnerabilities identified in hacking vehicles and even sniper rifles, you would think 2015 would be the year to end cloud computing for lawyers.

The level of security within a cloud system is based on the engineering invested into planning and technology, and the organization’s ability to operate these systems in a secure manner. For example, the Pentagon breaches over the past 3 years occurred due to a back door identified recently.

David Linthicum of InfoWorld states,

Although you may not control the data on your premises, you still own and control the data. You may not be able to visit the data center and have lunch in the server room, but you still can control both the data and the layers of security safeguarding it. I’ve yet to see a public cloud provider that does not allow this configuration. No, your data is only as vulnerable as your security protocols, cloud or not.

Although I don’t see massive data breaches in public clouds, I see businesses use public clouds improperly. The largest threat to security is the lack of qualified cloud developers, engineers, architects, and security experts who understand how to make cloud-based systems secure.

Dumb mistakes are much more of a threat than data breaches. As more enterprise systems move to the cloud, we’re bound to see more of those mistakes.

Vendors focusing on the legal industry are obviously acutely aware of the security concerns of their customers, and usually go above and beyond to ensure this. Where the vulnerabilities often emerge, as with any cloud computing, is how the cloud platform is used.

Some of the cloud computing platforms used in law allow for integration with third-party cloud services. The reason for this is the practice management software focuses on the management, things like dockets, billing, ticklers and conflicts. Actual documents related to the file are often stored in the cloud. It’s these documents which also probably contain the most sensitive client information.

An easy solution for these potential vulnerabilities is to employ a hybrid cloud, where more sensitive information is stored locally, and the management aspects are delegated to the cloud. This is not the same as maintaining a paper-based office, the greatest motivator for many lawyers to consider the cloud.

A hybrid cloud is typically accomplished by running some form of cloud service on the private infrastructure, and not just connecting a server to a public cloud provider. This can reduce access time and latency compared to public clouds, and ensures greater business continuity. Internal IT staff have greater control of the various components of the hybrid cloud, allowing for mere effective allocation of resources. Additional compute time can be provided to a litigation group currently going into trial, or a private equity work group dealing with a large M&A.

This private cloud usually benefits larger businesses because there is greater ability for self-provisioning, automation, and the costs involved with developing an elastic computing environment with on-demand self-service. With greater technological savvy of the employees, even mid-size and small businesses can benefit from a private cloud.

Hybrid clouds are not without their own vulnerabilities. But they are successfully employed in the financial sector next to the trade floor, because the security provided by a private cloud for trading algorithms is considered superior to what could be found in the public cloud.

A hybrid cloud configuration can also employ peer to peer file sharing in conjunction with an existing cloud vendor for additional security. Think of the old Napster, Demonoid or BitTorrent sites that people enjoy. Instead of sharing the file with the entire Internet, the files can be tightly controlled and shared on a case by case basis. A local startup, MBLOK, provides end-to-end encryption for additional security. Anton Kabanov, CEO and Founder at MBLOK said, “no one should have to choose between convenience and security, and that is why we built MBLOK.”

P2P is not without its own risks around confidentiality. The controls have to be carefully customized to ensure only the intended recipients have access to the files. Again, this is an engineering issue, and not an inherent vulnerability in the technology. Proper training can ensure that these systems are employed securely. MBLOK’s peer sharing allows for the links to specific files to expire over time.

Ultimately data is never completely secure, whether it’s in a public cloud, private cloud, stored locally on a computer, or even on paper in your drawer. Evangelists for cloud computing in law like myself are not necessarily being dismissive of the security concerns, we’re simply pointing out there are possible solutions for these risks.

I anticipate more sophisticated forms of hybrid clouds will be employed by law firms over the next year, as the security and customization of various components will be robust enough to satisfy most of these concerns. Customization of control, not blanket consternation, is what is needed here. Security does not have to be a choice at the expense of efficiency and convenience, and that will be the cloud of the future.



  1. For a moment, lets set aside the lack of a coherent definition of what a Cloud is, let’s look at some issues. Cloud based solutions and services do have a place in today’s commercial world and provide value based on the context. The context depends, inter alia, on the nature of business, sensitivity / criticality of data, and threat /risk profile of the business processes (that consume that data).

    A Public Cloud today, in my opinion, is not a “comfortable” place to transmit, store and/or process when the data is highly sensitive (litigation discovery, medical records, privileged communications [such as spousal and attorney-client], etc. This is mostly because of the loss of control over data once it leaves an organizations premises (control), say the premises of a law firm, and gets stored in a Cloud service such as a case management system. From that point on there is no current working model that could provide some reasonable assurance that the data is not copied without authorization, or surreptitiously exfiltrated or distributed around. If someone hacks into my on-premises computer, using forensics and circumstantial evidence I can detect the breach, if I am vigilant and have the means; but in the Cloud I am at the mercy of the cloud provider or have to trust them.

    There are technical means available today but not in the mainstream cloud services offering that could provide customers with control over their data. Cloud providers can provide, with each of their service offering an option to encrypt (obfuscate) data with a key that only the customer controls which in turn can help with maintaining control over their data. But the cloud service providers are no providing such security solutions (integrated wth their service offerings) leading other vendors to step in which leads us to post-hoc means of securing data that is not only adds up cost but also takes the end user usability away to some extent. The Cloud vendor needs to address both security of the Cloud and security in the Cloud and show transparency about the security in the cloud instead of using “Trust Me” model of selling their services.

    Turning to the Private Cloud now. How the fusion of data transmission, processing and storage will look like between the Private and the Public Cloud is unclear. Consider the data a typical law office deals with. Most of the data is unstructured in the form of emails, motions, affidavits, notices, investigative reports, free form discovery documents, statements, deposition transcripts or recordings, etc. A way to neatly partition sensitive data from non-sensitive / non-critical and then orchestrate data to the private and the public cloud appropriately may not be impossible but it is not as easy as the recent hyped pitch on hybrid cloud make it sound like. Until there are integrated means of securing data which gives control to the customers over their data (instead of old fashion way of trusting the cloud vendor) there will be reluctance and hindrances in adoption of Cloud services.

  2. Asif,

    These are all important considerations.

    There are a number of public cloud companies which in fact do offer encryption and greater protection of data. The practice management public cloud services on the market for the legal industry largely focus on the components I’ve described above, not the actual sensitive documents and information that clients would be most concerned about.

    This data does not have to be unstructured. In the same way that physical files have a communications folder, a pleadings folder, an evidence folder – all of these divisions can be duplicated electronically. Existing paperless solutions like PrimaFact already provide this structure.

    Many of these divisions between sensitive and non-sensitive data already exist. The questions have largely been around where to keep the former.