Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/624538

ASK THE EXPERT

Which do you prefer from a security perspective: up high (in the cloud) or down low (on the premises)?

Butch: Definitely down low. I like to maintain a little control. The exposure in the cloud sometimes mitigates the risk and puts the responsibility on somebody else, but the exposure is a lot larger when you're talking about an Amazon or an Azure. They have more attack vectors and surface area to expose. We can be sort of unnoticed keeping things physically on the premises.

David B.: My firm prefers a hybrid approach. We try to keep most security devices onsite, but some security services are in the cloud. Cloud-based systems bring a level of expertise that can be especially helpful for small and midsize firms. We have a limited amount of staff, and they cannot be expected to know the ins and outs of every system. There can also be cost savings when systems are in the cloud. The main advantage, though, is deployment time. If you find a new threat or have something you need to protect quickly, deploying a client or server in the cloud can be considerably faster than setting it up onsite.

Peter: Absolutely on the premises. It might be the IT guy in me; we like to be able to touch things when they break. My firm also has a particular problem: we are located in Canada and Europe, and many primary cloud providers are based in the U.S. We have clients that refuse to have any of their data outside of Canada, outside of a province or outside a region in the U.K. For now, we have to avoid the cloud. When thinking about the cloud, the first question is how do you protect your client data from foreign eyes? And more questions come up, such as:

• If you use the cloud and want your data back, how do you get it back?
• When you get it back, how do you know they didn't keep a copy?
• What happens if the company that stores your data in the cloud goes bankrupt?

There haven't been a lot of those cases yet, but people have lost data when it happens. For a law firm to put their data in the cloud, they have to trust the provider, because they are in control of your data.

Jon: We have some services in the cloud already, and we hold and manage the encryption keys. We don't even let our vendors into our environment. They provide a platform on which to put things in the cloud, and while they could delete our stuff or disable our environment if they wanted to, they can't see into it, and that's important. When you're up high in the cloud, make sure you own your encryption keys, and keep your own backup in case anything happens. Don't rely on one cloud vendor to both store your data and back it up.

David R.: I'll give a lawyerly answer: It depends on the circumstances and on the cloud service provider (CSP). If you perform due diligence, you have a strong service contract and a CSP with strong security, including multifactor authentication and end-user controlled encryption. Often, a CSP can be more secure than keeping data onsite, particularly for small and midsize firms. However, there are cloud providers designed as consumer services with weak protection and contracts, which is much less secure than what even the smallest law firms can do themselves.
