Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1439196
Winter 2021, page 36

in 2015, or the multi-million fines against individual corporations for GDPR violations relating to personal data.

Different End Users, Different Needs

On top of this confluence of challenges, CLDs and law firms must contend with the fact that there is a variety of personas within the organization, each of whom has different security and compliance needs.

To be sure, there are some common denominators. At a fundamental level, law firms and legal departments manage large volumes of documents as part of their core function. However, traditional document management systems (DMSs) were not designed to support unique requirements from legal professionals. Additionally, legal teams have strong security requirements but limited technology adoption. On top of this, they may also be operating in highly regulated industries, where all activity needs to be auditable.

A quick review of key roles and responsibilities shows just how diverse the needs are within a legal organization when it comes to security and compliance:

• Legal Operations: Empower legal professionals to deliver efficient legal services, with unobtrusive security protection
• General Counsel: Be fully aware of the risks around data loss, regulatory penalties and issues related to the company's reputation
• CIO/Head of IT: Oversee and maintain the technologies and processes that support the business
• CISO/Head of Security & Compliance: Define, govern, and enforce the security and compliance policies for the entire organization
• Legal Professional / End User: Needs access to documents anytime, anywhere

Amidst this diversity of needs, a modern, properly architected cloud provides a way forward for both compliance and robust data security.
How a Modern Enterprise Cloud Provides Data Security

When a firm uses a well-architected modern cloud, it inherits strong protections against ransomware and other forms of cyber-attack. A modern cloud accomplishes this in several ways.

If a modern cloud service is provided to customers as a web-only endpoint that sits outside a legal organization's computer network and has limited interaction with customer services inside the customer firewall, ransomware can't easily jump across, since the service is not attached to the firm's network. Additionally, if documents are stored in a dedicated data store, there is no facility for any software to run in this data store, so ransomware can't locate the documents, edit them, or delete them.

Encryption has a role to play as well. Foundational customer-specific encryption means that if ransomware were able to gain access to the files, they would be opaque to the attacker, and could not be used as proof of attack. Also, in a modern cloud, customers will not have direct access to the storage layer in the cloud. It is true that compromised credentials could allow bad actors to access encrypted documents, but this type of attack is not an entry point for ransomware.

A modern cloud – while offering a foundational encryption architecture no matter who's holding the encryption keys – should offer the option of a Customer Managed Encryption Key (CMEK) for customers who want to take ownership of encryption and have mature