Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1439196
Peer to Peer: ILTA's Quarterly Magazine | Winter 2021

an attacker to communicate with its command and control systems or to exfiltrate that content.

It's important to note here that a zero-trust framework is only as good as the number of people who have hands-on access to sensitive data. In other words, zero trust only works if zero touch underpins it. This approach is based on the fact that nobody – not even a small number of trusted resources, which is what most cloud vendors typically allow for – has access to the customer data.

When a human has access to the servers where services are running and customer data is located, there will always be potential for security issues. Possible exposure or exploitation of the data can occur in multiple ways: it can occur knowingly via an insider threat or some other bad actor, or it can occur unknowingly through an innocent mistake like accidentally leaving a setting unsecured or clicking on something that shouldn't be clicked on. New forms of automation for everything from routine maintenance and upgrades to troubleshooting help remove the human from the equation, creating a "hands free" zero touch environment that fully delivers on the promise of zero trust architecture.

Complex Governance, Simplified

As much as a modern cloud helps law firms and CLDs to address some of the primary data protection threats they face, it also assists with governance, putting the proper controls in place to mitigate these challenges. A modern cloud provides matter- and project-centric 'need-to-know' access, where information is accessible only to the team working on that matter or project. This segregation of content helps significantly minimize the impact of a successful breach. Crucially, security policies must be deployable at scale for frictionless collaboration. This means having a product that is simple enough to administer that end users don't need to be information security specialists and can easily manage access controls at a project or team level. Additionally, propagation of access policies should be seamless, ensuring that permissions cannot be broken and reducing the risk of human error exposing confidential content.

The cloud's capabilities should also include defensible disposition of content for both electronic and physical data, along with fully audited, flexible retention schedules that allow full alignment with industry and/or regional legislation with regard to retention and disposition. This unified governance should apply ethical walls and corporate policies across all content – extending security beyond the DMS or primary repository to include other content repositories like Windows file shares, SharePoint, Teams, and so on. The ability to segregate information and enforce need-to-know access and ethical walls across this range of locations ensures that end users are protected while still being able to collaborate securely.

The key here is the ability to provide a programmatic application of security to content. CLDs and law firms shouldn't rely on people to enforce security – that's not a scalable approach. With the proper cloud offering, organizations can take the management and application of security policies out of the hands of people; instead, people define the policies, and then the application itself handles the application of those policies.

A final aspect of governance concerns geo residency. It's all too easy for a CLD or law firm to run afoul of specific geographic requirements for where data needs to be domiciled. A modern cloud addresses this challenge as well, ensuring that data is not only stored in a specific geographic location, but that all processing of that data – indexing, OCR, and other services – takes place there as well, maintaining full compliance from end to end.