P2P

Spring2021

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1356436


Cloud computing has irrevocably changed the way companies do business in recent years, and its popularity continues to rise. Today, nearly every law firm relies on cloud computing to handle at least some aspect of business. As cloud technologies continue to evolve, firms are increasingly placing more information and processes in the cloud.

Cloud computing offers law firms a wide range of benefits, including improved security, easier scalability, better access, and enhanced compliance protocols. However, with these benefits come increased risk and complexity in a cybersecurity landscape where attacks are on the rise and constantly evolving. In order to fully reap the benefits of cloud computing and combat the ever-present security threat, law firms need to be extremely diligent when selecting a new cloud provider or auditing a current cloud provider.

Many factors are crucial to selecting a secure cloud provider, including cybersecurity strategy and controls, application management, and business continuity and disaster recovery solutions. The following is a practical checklist of systems, technologies, and processes to consider when selecting or monitoring your cloud provider.

Cybersecurity Strategy and Controls

As the saying goes, the best defense is a good offense. What may have worked in the past to protect you from hackers and other security threats is likely no longer sufficient as methods of attack become increasingly sophisticated. There are, however, many cybersecurity strategies and controls that law firms can implement in order to significantly reduce the likelihood of a successful attack and minimize the resulting damage if attackers do gain access to systems. Every firm should be implementing the following measures in order to ensure the safest possible cloud computing environment.

• Password Requirements. Passwords are the first line of defense against illegal access to your systems and information. You should have strict requirements for employee passwords that ensure length, complexity, and randomness. You should also have a system-wide requirement that your employees change their passwords at frequent intervals.

• Multifactor Authentication Policy. Multifactor authentication is one of the best ways to prevent unauthorized access to email accounts and systems. A multifactor authentication policy requires a user to have two pieces of information to gain access, not simply a password. This prevents attackers from gaining access even if user passwords or credentials have been compromised.

• Role-Based Access Control. Role-based access control is a neutral access policy that restricts every user's access rights solely on the basis of the role they play within the organization, with specific access granted to specific roles. Also known as a zero trust model, this approach restructures access within your firm's systems based on a "never trust, always verify" philosophy targeted specifically at preventing improper access.

• Strong Encryption at Rest and in Transit. Strong encryption is crucial to protecting your data from outside eyes, and you need to be sure that your data is secure at all times, regardless of where it is or how it's being used. Strong encryption must be in place
