Dispositive Questions Every Law Firm Should Ask of the Cloud

The Digital Landscape of the Cloud

Whether you leverage the channel or do it yourself, understanding the digital landscape ahead when pondering the cloud is paramount. While we can't possibly cover in one article the hundreds of questions one should ask when searching for the right CSP, a glimpse of the big picture, plus highlighting some of the most dispositive questions, will help steer the conversation in the right direction.

• Choices. What cloud products do you need? Hosted virtual servers, physical servers, virtual desktops, cloud storage, applications, regulatory concerns/security, business continuity, failover and redundancy, plus much more. Finding out who offers these ' and who doesn't ' narrows the field considerably and quickly.
• Migration. How do you get there from here? Cloud migrations can make or break you. Where does your data live today? On a storage area network, your local hard disk, or another cloud provider, such as Dropbox or others? Getting stuck half-way in a migration could cripple your firm.
• Interoperability. Will you migrate everything to the cloud? If not, then how do your remote offices and workers interact with the cloud? This is where virtual desktops and other mechanisms come into play, that is, if the CSP even offers them. Know your current needs and at least some future requirements.
• Hidden Fees and Limitations. The dark side of the cloud that few want to talk about! Are there data transfer fees for every byte of data moving in and/or out of the cloud? Who is responsible for backups/snapshots? What are the limitations around performance ( e.g. , CPU/memory/disk)? Where does the CSP's support obligations end, yours begin, and how do you fill the gaps which are important to your firm?
• Security and Regulatory Schemas. Which cloud architectures help, and which hinder your goal to keep data secure in a world where data and identity theft are rampant? What about liability and indemnification? How are unforeseen risks or concerns mitigated?
• Performance, Failover, and Other Critical Metrics. How do you get the biggest bang for the buck out of the cloud? Is your chosen provider and/or solution set going to be able to scale with your business across the different metrics that matter to you, such as geography, performance, features, etc.?
• Exit Strategy. Knowing how to get out of the cloud is just as important as getting in . How much notice is required? What format options are available to get your data back? Is migrating out all your responsibility, or what other options exist?

Five Dispositive Cloud Questions, and Why You Need to Ask Them

1. Where are your datacenters located and do you give tours?

Some of the largest cloud providers on earth will waiver on this simple question, and for good reason. Some of these so-called “datacenters” are merely renovated shopping malls, or other commercial/industrial spaces, which were never originally designed for the task they now serve (but have been utilized nonetheless). If your provider isn't using a reputable datacenter provider, or isn't giving tours to back up its lofty claims of “high security” with “guards, cameras, man-traps, cages, etc.” then don't buy into the hype.

Personally, I never pick datacenters that are in downtown areas because it's harder to get personnel or fuel to the site in an emergency because the roads shut down quickly when chaos erupts. Facilities which are newer, close to airports (where the personnel and fuel are flown in), and not in flood, earthquake, fire zones are optimal. Additionally, physical security is just as important outside as it is inside. For example: someone rents a moving truck, packs it with explosives, and drives right up to the datacenter (there's no defensible space, fencing, concrete barriers, etc.) ' the datacenter can be taken down without ever busting in at all.

Additional questions to ask specific to the datacenter include:

• If you're augmenting cloud with colocation of equipment (assuming your CSP offers both and there's gear you just want hosted in a better datacenter), does the datacenter have smart hands support 24×7? You might need something done at 2:00 am, and not having to drive down to the datacenter location can be a life saver.
• Does the datacenter have onsite mechanical engineers 24×7? Be wary of sites that rely on all contract-based workers, because when emergencies happen on a city-wide or regional level those contractors are few and far between to respond.
• Is the datacenter SSAE16 compliant? Ask for a copy of the annual report. You may not be in the financial sector, but this is a common certification for datacenters that meets the financial industry's requirements and in turn, often meets your own. There are a lot of standards one can support, but this one is so ubiquitous that if the site doesn't have it, think twice about hosting there.

2. How will you migrate all my existing servers, data etc. to the cloud?

This is where most cloud providers drop the ball. It's either “not their problem” or they claim they can do it, but don't have the right certified experts on staff or tools to get the job done. The more you ask them for examples, details and references, the more you will find the truth. Look for a cloud provider who knows what it is doing. It should be able to migrate a physical server into a virtual server or provide colocation of that resource, ingest data over the wire or via removable disks you ship them, and offer a variety of replication, backup and data migration tools to get the job done. The devil is in the details, so if you're not hearing specifics then recognize sales speak for what it is: an empty promise that could leave you in the lurch.

Beware of data transfer fees. It's okay to charge a fixed fee to onboard your firm, but look out for complex cost calculators and again, more subterfuge. One trick cloud providers use is making inbound data free, but charging a small amount for outbound data. This is nonsense because nearly every communication is bidirectional. Ninety-nine percent of data moving applications in the world use an underlying protocol known as TCP and it's always a two-way communication: packets are always heading outbound not just inbound and charges will incur therein if your provider has “data transfer fees.” Find a cloud provider that doesn't charge data transfer fees and has fixed-fees for everything else it does. They exist, but you will have to hunt.

3. Does the CSP offer virtual desktops?

Any cloud provider can host your servers and data, but only a few actually host virtual desktops. Desktops/servers have a client/server relationship (the closer together they are, the better they work together), plus, in a major disaster, your PC, laptop, and other devices might become lost, destroyed, or somehow unavailable. The ability to have every resource you need to get back to work immediately is essential to your survival.

4. How will you protect my data?

This should happen in several different forms:

• Daily or Hourly Replication. Any cloud provider worth its salt offers replication. Make sure you use it to replicate your environment to another datacenter, which is at least 1,000+ miles away to avoid regional emergencies or outages of any kind. I've seen datacenters on fire, flooded, crashed into, experience extended power outages or the cooling system gets impaired or destroyed, downtowns turned into anarchy zones ' you name it. If you see trouble around the corner, getting your business out of there is a key to survival.
• Daily Backups/Snapshots. Make sure you have a daily backup and/or snapshot of your entire cloud environment. I can't even count the number of customers we saved last year from Ransomware like CryptoLocker and others using this strategy. The ability to roll back the clock to a time before disaster struck is sweet music indeed.
• Encryption. If a cloud provider can't encrypt your data at rest (on disk) and in flight (over P2P VPN or private connections between you/them) using state of the art AES256 or better methods, then run!
• Two-Factor Authentication. If a cloud provider isn't requiring two-factor authentication of all its customers, then you might be the next star of a “Murder in the Amazon Cloud” type scenario.
• Traffic Filtering. If a cloud provider isn't filtering all of its traffic in/out of the cloud to prevent botnets, malware and brute force attacks, then look for one that does. In my opinion, failure to do this means it either doesn't care, isn't secure, or wants to charge you those dreaded “data transfer fees” for a lot of “noise traffic,” which has nothing to do with you, but was aimed at your niche in its cloud, thus incurring a charge. Talk about adding insult to injury! Internet “sewage” should be stopped at the Internet border routers, not passed on to customers for a profit.

5. How do I get OUT of the cloud?

You may want to transfer all and/or part of your service to a different cloud simply because someone else is doing that piece better, cheaper, or faster. Or, maybe your current provider has let you down one too many times. Perhaps you just want to stare at some servers again. The choice is yours, or at least it should be, if you ask the right questions up front:

• Will your current cloud provider put all your virtual resources, files, etc., onto a removable drive and ship them to you? Are over the wire transfers an option? What is the turnaround time, fees, etc., for each option?
• You might have entered the cloud from a VMware ESXi, Microsoft Hyper-V, or Linux KVM environment. Years from now, you may want those exported to a different format then how they were originally imported/hosted. Is that an option with the cloud provider?

Conclusion

Despite any caveats, the real question isn't, “Do you leverage the cloud at all?,” but rather, “How many clouds should you leverage?” As CTO of a CSP, I can certainly differentiate my company's value from the competition, but I'm still a fan of advocating a cloud strategy for my customers that isn't all about us. For example, I advocate keeping a customer's loose files (e.g., the “stuff” scattered all over your PC's C: drive or on network file shares) on the Egnyte cloud and Outlook e-mail over at Microsoft Office365. But one thing is clear: Leveraging the power of a multi-cloud strategy is the best way to protect your investment, keep costs down, and use technology as a bridge to get to revenue in your business that you couldn't otherwise reach while letting you sleep great at night.

'

Mike L. Chase serves as the EVP/Chief Technology Officer for dinCloud, a cloud services provider that helps both commercial and public sector organizations migrate to the cloud through business provisioning, provided via its strong channel base of VARs and MSPs.

'

SPECIAL OFFER:'Twitter, LinkedIn, Facebook and Google+ followers can get an online subscription to'LJN's Legal Tech Newsletter'for'only $299.'Click'here, select'Digital Only'and use promo code'LTNOL299'at checkout.'This offer is valid for new subscribers only.

'

Cloud service providers (CSPs) offer myriad choices to law firms of all sizes who, in return, have become one of the fastest adopters of hosted cloud infrastructure worldwide. Nonetheless, asking the right questions is essential to learning cloud limitations, similarities, differentiators, caveats and benefits. From niche providers to the top five, not everything is as it seems when it comes to what is offered, how it's offered, and the up-front and hidden costs of each.

Getting Started: Leveraging the Cloud Channel

Setting up a new law firm or transitioning an existing law firm to realize the power and savings of the cloud can be a daunting, if not distracting, task. Enter the cloud channel: national/international resellers, such as CDW and Insight Enterprises, and specialized resellers that focus on the legal vertical, like Binary Pulse, LLC, utilize cloud portfolios filled with various providers, professional and managed service teams. These partners can perform due diligence on what you have, what you need, and where to get them at pre-negotiated prices. In addition, they can monitor and maintain various aspects of your infrastructure, wherever they may exist, over the long term.

The Digital Landscape of the Cloud

Whether you leverage the channel or do it yourself, understanding the digital landscape ahead when pondering the cloud is paramount. While we can't possibly cover in one article the hundreds of questions one should ask when searching for the right CSP, a glimpse of the big picture, plus highlighting some of the most dispositive questions, will help steer the conversation in the right direction.

• Choices. What cloud products do you need? Hosted virtual servers, physical servers, virtual desktops, cloud storage, applications, regulatory concerns/security, business continuity, failover and redundancy, plus much more. Finding out who offers these ' and who doesn't ' narrows the field considerably and quickly.
• Migration. How do you get there from here? Cloud migrations can make or break you. Where does your data live today? On a storage area network, your local hard disk, or another cloud provider, such as Dropbox or others? Getting stuck half-way in a migration could cripple your firm.
• Interoperability. Will you migrate everything to the cloud? If not, then how do your remote offices and workers interact with the cloud? This is where virtual desktops and other mechanisms come into play, that is, if the CSP even offers them. Know your current needs and at least some future requirements.
• Hidden Fees and Limitations. The dark side of the cloud that few want to talk about! Are there data transfer fees for every byte of data moving in and/or out of the cloud? Who is responsible for backups/snapshots? What are the limitations around performance ( e.g. , CPU/memory/disk)? Where does the CSP's support obligations end, yours begin, and how do you fill the gaps which are important to your firm?
• Security and Regulatory Schemas. Which cloud architectures help, and which hinder your goal to keep data secure in a world where data and identity theft are rampant? What about liability and indemnification? How are unforeseen risks or concerns mitigated?
• Performance, Failover, and Other Critical Metrics. How do you get the biggest bang for the buck out of the cloud? Is your chosen provider and/or solution set going to be able to scale with your business across the different metrics that matter to you, such as geography, performance, features, etc.?
• Exit Strategy. Knowing how to get out of the cloud is just as important as getting in . How much notice is required? What format options are available to get your data back? Is migrating out all your responsibility, or what other options exist?

Five Dispositive Cloud Questions, and Why You Need to Ask Them

1. Where are your datacenters located and do you give tours?

Some of the largest cloud providers on earth will waiver on this simple question, and for good reason. Some of these so-called “datacenters” are merely renovated shopping malls, or other commercial/industrial spaces, which were never originally designed for the task they now serve (but have been utilized nonetheless). If your provider isn't using a reputable datacenter provider, or isn't giving tours to back up its lofty claims of “high security” with “guards, cameras, man-traps, cages, etc.” then don't buy into the hype.

Personally, I never pick datacenters that are in downtown areas because it's harder to get personnel or fuel to the site in an emergency because the roads shut down quickly when chaos erupts. Facilities which are newer, close to airports (where the personnel and fuel are flown in), and not in flood, earthquake, fire zones are optimal. Additionally, physical security is just as important outside as it is inside. For example: someone rents a moving truck, packs it with explosives, and drives right up to the datacenter (there's no defensible space, fencing, concrete barriers, etc.) ' the datacenter can be taken down without ever busting in at all.

Additional questions to ask specific to the datacenter include:

• If you're augmenting cloud with colocation of equipment (assuming your CSP offers both and there's gear you just want hosted in a better datacenter), does the datacenter have smart hands support 24×7? You might need something done at 2:00 am, and not having to drive down to the datacenter location can be a life saver.
• Does the datacenter have onsite mechanical engineers 24×7? Be wary of sites that rely on all contract-based workers, because when emergencies happen on a city-wide or regional level those contractors are few and far between to respond.
• Is the datacenter SSAE16 compliant? Ask for a copy of the annual report. You may not be in the financial sector, but this is a common certification for datacenters that meets the financial industry's requirements and in turn, often meets your own. There are a lot of standards one can support, but this one is so ubiquitous that if the site doesn't have it, think twice about hosting there.

2. How will you migrate all my existing servers, data etc. to the cloud?

This is where most cloud providers drop the ball. It's either “not their problem” or they claim they can do it, but don't have the right certified experts on staff or tools to get the job done. The more you ask them for examples, details and references, the more you will find the truth. Look for a cloud provider who knows what it is doing. It should be able to migrate a physical server into a virtual server or provide colocation of that resource, ingest data over the wire or via removable disks you ship them, and offer a variety of replication, backup and data migration tools to get the job done. The devil is in the details, so if you're not hearing specifics then recognize sales speak for what it is: an empty promise that could leave you in the lurch.

Beware of data transfer fees. It's okay to charge a fixed fee to onboard your firm, but look out for complex cost calculators and again, more subterfuge. One trick cloud providers use is making inbound data free, but charging a small amount for outbound data. This is nonsense because nearly every communication is bidirectional. Ninety-nine percent of data moving applications in the world use an underlying protocol known as TCP and it's always a two-way communication: packets are always heading outbound not just inbound and charges will incur therein if your provider has “data transfer fees.” Find a cloud provider that doesn't charge data transfer fees and has fixed-fees for everything else it does. They exist, but you will have to hunt.

3. Does the CSP offer virtual desktops?

Any cloud provider can host your servers and data, but only a few actually host virtual desktops. Desktops/servers have a client/server relationship (the closer together they are, the better they work together), plus, in a major disaster, your PC, laptop, and other devices might become lost, destroyed, or somehow unavailable. The ability to have every resource you need to get back to work immediately is essential to your survival.

4. How will you protect my data?

This should happen in several different forms:

• Daily or Hourly Replication. Any cloud provider worth its salt offers replication. Make sure you use it to replicate your environment to another datacenter, which is at least 1,000+ miles away to avoid regional emergencies or outages of any kind. I've seen datacenters on fire, flooded, crashed into, experience extended power outages or the cooling system gets impaired or destroyed, downtowns turned into anarchy zones ' you name it. If you see trouble around the corner, getting your business out of there is a key to survival.
• Daily Backups/Snapshots. Make sure you have a daily backup and/or snapshot of your entire cloud environment. I can't even count the number of customers we saved last year from Ransomware like CryptoLocker and others using this strategy. The ability to roll back the clock to a time before disaster struck is sweet music indeed.
• Encryption. If a cloud provider can't encrypt your data at rest (on disk) and in flight (over P2P VPN or private connections between you/them) using state of the art AES256 or better methods, then run!
• Two-Factor Authentication. If a cloud provider isn't requiring two-factor authentication of all its customers, then you might be the next star of a “Murder in the Amazon Cloud” type scenario.
• Traffic Filtering. If a cloud provider isn't filtering all of its traffic in/out of the cloud to prevent botnets, malware and brute force attacks, then look for one that does. In my opinion, failure to do this means it either doesn't care, isn't secure, or wants to charge you those dreaded “data transfer fees” for a lot of “noise traffic,” which has nothing to do with you, but was aimed at your niche in its cloud, thus incurring a charge. Talk about adding insult to injury! Internet “sewage” should be stopped at the Internet border routers, not passed on to customers for a profit.

5. How do I get OUT of the cloud?

You may want to transfer all and/or part of your service to a different cloud simply because someone else is doing that piece better, cheaper, or faster. Or, maybe your current provider has let you down one too many times. Perhaps you just want to stare at some servers again. The choice is yours, or at least it should be, if you ask the right questions up front:

• Will your current cloud provider put all your virtual resources, files, etc., onto a removable drive and ship them to you? Are over the wire transfers an option? What is the turnaround time, fees, etc., for each option?
• You might have entered the cloud from a VMware ESXi, Microsoft Hyper-V, or Linux KVM environment. Years from now, you may want those exported to a different format then how they were originally imported/hosted. Is that an option with the cloud provider?

Conclusion

Despite any caveats, the real question isn't, “Do you leverage the cloud at all?,” but rather, “How many clouds should you leverage?” As CTO of a CSP, I can certainly differentiate my company's value from the competition, but I'm still a fan of advocating a cloud strategy for my customers that isn't all about us. For example, I advocate keeping a customer's loose files (e.g., the “stuff” scattered all over your PC's C: drive or on network file shares) on the Egnyte cloud and Outlook e-mail over at Microsoft Office365. But one thing is clear: Leveraging the power of a multi-cloud strategy is the best way to protect your investment, keep costs down, and use technology as a bridge to get to revenue in your business that you couldn't otherwise reach while letting you sleep great at night.

'

Mike L. Chase serves as the EVP/Chief Technology Officer for dinCloud, a cloud services provider that helps both commercial and public sector organizations migrate to the cloud through business provisioning, provided via its strong channel base of VARs and MSPs.

'

SPECIAL OFFER:'Twitter, LinkedIn, Facebook and Google+ followers can get an online subscription to'LJN's Legal Tech Newsletter'for'only $299.'Click'here, select'Digital Only'and use promo code'LTNOL299'at checkout.'This offer is valid for new subscribers only.

'