Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/624538

Page 14 of 71

Cloud Security: The Four Safeguards
by Rick Clark of TCDI

Is your client data safely stored in the cloud? Hypervigilance is not only the responsibility of your provider; you also need to focus your attention on understanding how the service is set up. Here are four levels of safeguards you should be certain are in place.

Physical: The physical environment of the data center is the first place to start. The general facilities need security measures in place that act as a barrier for the data center itself. This is where the business is run, so the security measures should include:
• Restricted access controls creating role-based access
• Logs, video surveillance, alarm systems and after-hours security

The data center should be located behind general facilities security to create another buffer and should be protected by:
• Multifactor authentication
• Environmental controls
• An uninterruptible power supply

Technical: Although there are many ways to approach security technically and be correct in the process, the core focus should be a "defense in depth" mentality: deploying layered security measures. The best way to address these needs is to use your clients' technical security checklists to ensure your provider is creating the proper protocols to fit your clients' demands.

Application: Whether your cloud service provider has created its own application or the software comes through a third party, the standards should follow the Open Web Application Security Project (OWASP) guidelines for secure Web application development. The application should be tested for vulnerabilities continually, with each update. Ask your provider whether it conducts such checks or is apprised of all tests on the application.

Administrative: This is the most important level. Nearly all data breaches come from individuals not following the privacy and security program. The questions to ask are:
• Is the provider diligent with a regular risk analysis? How often is risk reviewed?
• Does the provider update its privacy and security policies with audits?
• How does the service provider perform its penetration and vulnerability testing?
• How are the employees trained? Does training outline strict privacy and security policies?

As with all breakdowns in security, it only takes the weakest point to open up a vulnerability. The best data privacy and security cultures address all four levels of safeguards.
