P2P

Summer22

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1472128


In this era of digital transformation, more businesses are relying on cloud services than ever before. While working in the cloud can bring significant advantages to law firms and their clients, the associated risks and vulnerabilities require a greater focus on ensuring that service providers have implemented appropriate compliance controls. Doing so helps firms avoid security and financial losses and the loss of clients' trust.

A significant benefit for users of cloud platforms like NetDocuments is "inheriting" the security and compliance controls the cloud provider has implemented within its infrastructure. In fact, the security and compliance that a true native cloud service provides to all customers, independent of firm or legal department size or complexity, are among its most important — but often overlooked — potential benefits. I say "potential" because these controls need to be independently validated before customers can rely on them. The cloud provider can (and should) validate the security of its service architecture by having its compliance controls independently audited and certified, and it also can (and should) make its security credentials, such as ISO certificates and Type 2 SOC 2 audit reports, available to customers on demand. This not only addresses the aforementioned risks and vulnerabilities, but also checks important compliance and security boxes.

Inheritance from a native cloud environment works something like wills and succession planning… the provider can supply the assets (in this case, the governance, certifications, and controls) necessary for compliance, but taking advantage of the inherited benefits is up to, in this case, the firm. Ultimately, the provider and the firm create a security succession. The firm controls and manages its users and how client data is used, and the service provider offers tools and functionality that let the firm meet its obligations — to itself and to its clients.
Sixteen Compliance and Security Checks You Can Use to Evaluate Your Cloud Provider

With much at stake, law firms should be thinking about how to demonstrate their compliance with industry-recognized standards like NIST, GDPR, HIPAA, and ISO to give their clients assurance in the firm's security. This especially includes reviewing the compliance status of the cloud service providers your firm uses. When you conduct those reviews, it is important to hold your providers accountable to the same industry-recognized standards, with certification audits conducted by independent, accredited compliance auditors. Don't be misled: a simple questionnaire filled out by the vendor, a "self-attestation" of compliance, or even compliance with some other "standard" claimed to be "equivalent" to a recognized credential is not a substitute for true independent validation of compliance with the real requirements!
