Cloud Computing Security: More Opportunity, Less Threat

Cloud(y) Standards

So the $64,000 question remains: Can we develop cloud security best practices for legal professionals, including the initiation of standards, that will give the legal profession certainty as to the specific steps taken by technology vendors in keeping their data and their clients' data private and secure?

Such a cloud security baseline is exactly what the Legal Cloud Computing Association (LCCA), a consortium of the leading legal cloud computing providers, is aiming for. The LCCA's recently published cloud security standards doctrine addresses a range of issues related to law firms using cloud computing services, including:

• Geographic data location, data redundancy and disclosure requirements;
• Encryption and data integrity best practices;
• Data loss prevention measures and data retention policies;
• End user authentication and access controls; and
• Terms of service and privacy policies.

So do the cloud standards proposed by the LCCA go far enough? What about law firm clients and their security requirements?

As hackers and others with malicious intent evolve and innovate in order to gain access to confidential data, more than ever it's the responsibility of vendors and firms to stay ahead of these threats. Many clients demand it. Plus, security audits are increasingly forcing law firms to prove their compliance and security “readiness.”

So how can legal cloud computing vendors convert these security-related threats into future opportunities for their clients? Since security and compliance are not a static destination but rather an evolving improvement continuum, it is imperative that cloud applications improve through periodic releases and that their accompanying security and compliance measures keep pace with the software and delivery model. The end result is not just providing software-as-a-service, but also “security-as-a-service” that addresses firms' and firm clients' security challenges and requirements.

This is a service model more law firms are taking advantage of because they understand cloud companies can be better equipped to interpret, comply with, and even exceed global security standards, including cryptography implementation, flexible storage options for data sovereignty and information governance, and fully integrated compliance with national and international security requirements.

Encryption Is Key

If you look at the legal industry in general, you can probably count on one hand the number of mission critical applications (document management, OCR, docket management, etc.) which are actually encrypting data held by the firm. This represents a serious security weakness. If banks can be hacked, law firms can be hacked. And if defense intelligence agencies can have insider breaches, so can law firms ' and of course, it's already happened. So what can cloud vendors do to help law firms deal with these risks? One suggestion is for vendors to work closely with internal and client technology and IT security teams to not only strengthen perimeter defenses to the utmost level, but also implement and maintain best practice internal security controls.

As part of this process, firms should be encouraged to implement solutions to ensure all types of data ' documents, e-mails and so on ' are encrypted at rest and when in transit. At-rest encryption should be applied by the applications to avoid hardware-based encryption weaknesses and should use industry recognized encryption, such as Advanced Encryption Standard (AES) 256 cryptography. Encryption can be further strengthened by using strategies such as unique encryption keys for each data file, using separate master encryption keys to encrypt individual document encryption keys, and allowing separate, firm-controlled encryption keys to be applied to documents or matters. Each layer of encryption increases the overall security of the service by orders of magnitude ' but it also greatly increases the complexity of the systems. But firms can shift this technical burden to the cloud service providers, gaining all of the security benefits without having to assume the implementation and ongoing maintenance costs and responsibilities of the underlying technologies.

Encryption should also be applied to all inbound and outbound data transmissions and should follow industry standards, such as https, with the most recent TLS protocols. The combination of encrypted data transmissions with multilayered encryption at rest means firms can meet current security requirements as well as upcoming regulations, such as the new European Data Protection Act, IP/12/46, which is scheduled to be adopted later this year.

Certification Soup and Salad

So how can a firm know if its cloud service provider is offering a service that meets security requirements? Currently there are several national and international certifications which specifically evaluate and certify security implementations. Two of the most widely recognized are SOC 2 audits and ISO 27001 certification.

SAS No. 70 to SSAE No. 16

For nearly 18 years, Statement on Auditing Standards, (SAS) No. 70, Service Organizations, was the authoritative guidance followed by service organizations in the United States to disclose their control activities and processes to customers in a uniform reporting format. In 2011, Statement on Standards for Attestation Engagements (SSAE) No. 16 took effect and replaced SAS 70 as the authoritative guidance for performing a service auditor's examination. SSAE No. 16 establishes the requirements and guidelines for examining and reporting on a service organization's description of its system and its controls which are relevant to financial reporting.

Service Organization Controls (SOC)

An examination of a service organization's description of its system and its controls for security, availability, or processing integrity of its system or the confidentiality or privacy of the information processed by the system is known as a SOC 2 engagement. A SOC 2 engagement follows AT Section 101 and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2), using the Trust Services Criteria. Service providers may undergo a Type 1 SOC 2 audit, which is a “snapshot” look at what controls have been implemented, or a Type 2 SOC 2 audit which evaluates the effectiveness of the security controls over a defined period of time. In addition to these standards, a consortium of global banks is currently developing an additional set of controls to complement a SOC 2 audit (SOC 2+ controls) to provide an even deeper analysis of the security architecture implemented by a service provider.

ISO 27001

ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it describes how to manage information security in a company using an information security management system (ISMS). An ISO 27001 certification means a company has been independently audited against the ISO 27001 requirements and controls and, within the scope of the audit, is in compliance with the international standard.

In addition to these two benchmark security standards, some U.S. government agencies, such as the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST) have put in place rules and standards which covered entities are required to follow. However, there is no official certification process for companies to become “certified” against these standards.

Conclusion

To summarize, law firms can ensure they are implementing security best-practices by selecting technology partners which have a 'security and compliance first' culture when developing and innovating their cloud applications. Firms can measure and validate a vendor's security status by carefully evaluating the vendor's security audits and certifications. While security may be a key firm challenge, by partnering with a cloud provider with demonstrated security credentials to make security a top priority, firms can leverage security as a competitive advantage when vying for client work.

David Hansen is Director of Compliance for NetDocuments and a certified public accountant. Prior to joining NetDocuments, David served in executive positions in IT, Finance, Human Resources, Operations, and Marketing for private, not-for-profit, and higher education organizations. He can be reached at [email protected].