
Cloud Computing Security: More Opportunity, Less Threat

By David Hansen
May 01, 2016

If you follow the legal technology headlines you might have noticed that we've come full circle on cloud security. Rewind seven or so years, and mainstream cloud computing adoption was being thwarted by grave concerns about data security, data governance and data access. As the cloud became more pervasive in many industries globally, the legal market took note and, slowly but surely, more law firms went to the cloud. Thanks to persistent market education and the realization that cloud benefits (flexibility, cost savings, mobility/accessibility and resource savings) outweighed potential security issues, the legal cloud gained momentum. As security concerns became more pronounced and difficult to address effectively in-house, law firm CIOs and information governance leaders realized that reputable cloud providers were much better positioned to tackle security.

Fast forward to 2016. Security is still a major concern. The 2015 ILTA/InsideLegal Technology Purchasing Survey cited security as the top challenge facing legal IT leaders, including concerns about providing a secure environment for information and file sharing in the cloud. Law firm clients are now demanding their outside counsel complete regular security audits, with global firms routinely being audited in the double digits. Protecting a firm's IP and work product is increasingly important to corporate clients, especially in regulated industries.

One huge realization for law firms is that with a very well-built cloud computing model, security can be much more ironclad than they can afford to implement in-house. Compliance and security, far from driving people away from the cloud, are moving them into it because the defenses, encryption technologies and security certifications maintained by cloud providers far exceed what most firms are capable of installing and maintaining on-premise or in a hosted model.

Cloud(y) Standards

So the $64,000 question remains: Can we develop cloud security best practices for legal professionals, including the initiation of standards, that will give the legal profession certainty as to the specific steps taken by technology vendors in keeping their data and their clients' data private and secure?

Such a cloud security baseline is exactly what the Legal Cloud Computing Association (LCCA), a consortium of the leading legal cloud computing providers, is aiming for. The LCCA's recently published cloud security standards doctrine addresses a range of issues related to law firms using cloud computing services, including:

  • Geographic data location, data redundancy and disclosure requirements;
  • Encryption and data integrity best practices;
  • Data loss prevention measures and data retention policies;
  • End user authentication and access controls; and
  • Terms of service and privacy policies.

So do the cloud standards proposed by the LCCA go far enough? What about law firm clients and their security requirements?

As hackers and others with malicious intent evolve and innovate in order to gain access to confidential data, more than ever it's the responsibility of vendors and firms to stay ahead of these threats. Many clients demand it. Plus, security audits are increasingly forcing law firms to prove their compliance and security “readiness.”

So how can legal cloud computing vendors convert these security-related threats into future opportunities for their clients? Since security and compliance are not a static destination but rather an evolving improvement continuum, it is imperative that cloud applications improve through periodic releases and that their accompanying security and compliance measures keep pace with the software and delivery model. The end result is not just providing software-as-a-service, but also “security-as-a-service” that addresses firms' and firm clients' security challenges and requirements.

This is a service model more law firms are taking advantage of because they understand cloud companies can be better equipped to interpret, comply with, and even exceed global security standards, including cryptography implementation, flexible storage options for data sovereignty and information governance, and fully integrated compliance with national and international security requirements.

Encryption Is Key

If you look at the legal industry in general, you can probably count on one hand the number of mission-critical applications (document management, OCR, docket management, etc.) which actually encrypt the data held by the firm. This represents a serious security weakness. If banks can be hacked, law firms can be hacked. And if defense intelligence agencies can have insider breaches, so can law firms; and of course, it has already happened. So what can cloud vendors do to help law firms deal with these risks? One suggestion is for vendors to work closely with internal and client technology and IT security teams to not only strengthen perimeter defenses to the utmost level, but also implement and maintain best-practice internal security controls.

As part of this process, firms should be encouraged to implement solutions to ensure all types of data (documents, e-mails and so on) are encrypted at rest and in transit. At-rest encryption should be applied by the applications, to avoid hardware-based encryption weaknesses, and should use industry-recognized encryption, such as Advanced Encryption Standard (AES) 256 cryptography. Encryption can be further strengthened by using strategies such as a unique encryption key for each data file, separate master encryption keys that encrypt the individual document encryption keys, and separate, firm-controlled encryption keys that can be applied to documents or matters. Each layer of encryption increases the overall security of the service by orders of magnitude, but it also greatly increases the complexity of the systems. Firms can shift this technical burden to the cloud service providers, gaining all of the security benefits without having to assume the implementation and ongoing maintenance costs and responsibilities of the underlying technologies.
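The key hierarchy described above (a unique key per document, a provider master key that wraps each document key, and a firm-controlled key layered on top) is commonly called envelope encryption. The following Go program is an added illustration written for this article; it is not code from the article, from NetDocuments, or from any named vendor. It uses AES-256-GCM from Go's standard library, generates all keys randomly at run time (constructed test values, not real key material), and goes slightly beyond the text by binding every ciphertext to its document ID as authenticated additional data, so a wrapped key copied onto another document's record is rejected. Function names such as EncryptDocument and DecryptDocument are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

// NewKey returns a fresh random 32-byte AES-256 key. In a real service the
// provider master key and the firm key would live in an HSM or KMS; here
// they are constructed in memory for the demonstration.
func NewKey() ([]byte, error) {
	k := make([]byte, keyLen)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// sealAESGCM returns nonce||ciphertext||tag, with aad authenticated but not encrypted.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a fresh nonce per seal is mandatory for GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; any change to ciphertext, nonce or aad fails authentication.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptedDoc is the record the provider stores. The plaintext DEK is never
// persisted: only the document body sealed under the DEK, and the DEK sealed
// first under the provider master key and then under the firm key.
type EncryptedDoc struct {
	DocID      string
	Body       []byte
	WrappedDEK []byte
}

// EncryptDocument builds the three-layer envelope for one document.
func EncryptDocument(docID string, plaintext, providerMasterKey, firmKey []byte) (*EncryptedDoc, error) {
	dek, err := NewKey() // layer 0: unique data-encryption key for this document
	if err != nil {
		return nil, err
	}
	aad := []byte(docID) // ties every layer to this document's identity
	body, err := sealAESGCM(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAESGCM(providerMasterKey, dek, aad) // layer 1: provider master key
	if err != nil {
		return nil, err
	}
	wrapped, err = sealAESGCM(firmKey, wrapped, aad) // layer 2: firm-controlled key
	if err != nil {
		return nil, err
	}
	return &EncryptedDoc{DocID: docID, Body: body, WrappedDEK: wrapped}, nil
}

// DecryptDocument peels the layers in reverse. Without the firm key the
// provider cannot reach the DEK, which is what gives the firm a kill switch.
func DecryptDocument(doc *EncryptedDoc, providerMasterKey, firmKey []byte) ([]byte, error) {
	aad := []byte(doc.DocID)
	inner, err := openAESGCM(firmKey, doc.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("firm key unwrap failed: %w", err)
	}
	dek, err := openAESGCM(providerMasterKey, inner, aad)
	if err != nil {
		return nil, fmt.Errorf("master key unwrap failed: %w", err)
	}
	return openAESGCM(dek, doc.Body, aad)
}

func main() {
	master, _ := NewKey()
	firm, _ := NewKey()
	doc, _ := EncryptDocument("matter-42/brief.docx", []byte("privileged draft"), master, firm)
	pt, err := DecryptDocument(doc, master, firm)
	fmt.Printf("roundtrip: %q, err=%v\n", pt, err)
	_, err = DecryptDocument(doc, master, make([]byte, keyLen)) // firm key withheld
	fmt.Println("without firm key:", err)
}
```

The design point to notice is that rotating the provider master key or the firm key only requires re-wrapping the small WrappedDEK records, never re-encrypting the document bodies, which is what makes per-document keys affordable at scale.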

Encryption should also be applied to all inbound and outbound data transmissions and should follow industry standards, such as HTTPS with the most recent TLS protocol versions. The combination of encrypted data transmissions with multilayered encryption at rest means firms can meet current security requirements as well as upcoming regulations, such as the new European Data Protection Act, IP/12/46, which is scheduled to be adopted later this year.

Certification Soup and Salad

So how can a firm know if its cloud service provider is offering a service that meets security requirements? Currently there are several national and international certifications which specifically evaluate and certify security implementations. Two of the most widely recognized are SOC 2 audits and ISO 27001 certification.

SAS No. 70 to SSAE No. 16

For nearly 18 years, Statement on Auditing Standards, (SAS) No. 70, Service Organizations, was the authoritative guidance followed by service organizations in the United States to disclose their control activities and processes to customers in a uniform reporting format. In 2011, Statement on Standards for Attestation Engagements (SSAE) No. 16 took effect and replaced SAS 70 as the authoritative guidance for performing a service auditor's examination. SSAE No. 16 establishes the requirements and guidelines for examining and reporting on a service organization's description of its system and its controls which are relevant to financial reporting.

Service Organization Controls (SOC)

An examination of a service organization's description of its system and its controls for the security, availability, or processing integrity of that system, or the confidentiality or privacy of the information it processes, is known as a SOC 2 engagement. A SOC 2 engagement follows AT Section 101 and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2), using the Trust Services Criteria. Service providers may undergo a Type 1 SOC 2 audit, which is a “snapshot” of which controls have been implemented, or a Type 2 SOC 2 audit, which evaluates the effectiveness of the security controls over a defined period of time. In addition to these standards, a consortium of global banks is currently developing an additional set of controls to complement a SOC 2 audit (SOC 2+ controls) to provide an even deeper analysis of the security architecture implemented by a service provider.

ISO 27001

ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it describes how to manage information security in a company using an information security management system (ISMS). An ISO 27001 certification means a company has been independently audited against the ISO 27001 requirements and controls and, within the scope of the audit, is in compliance with the international standard.

In addition to these two benchmark security standards, some U.S. government agencies, such as the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST), have put in place rules and standards which covered entities are required to follow. However, there is no official certification process for companies to become “certified” against these standards.

Conclusion

To summarize, law firms can ensure they are implementing security best practices by selecting technology partners which have a “security and compliance first” culture when developing and innovating their cloud applications. Firms can measure and validate a vendor's security status by carefully evaluating the vendor's security audits and certifications. While security may be a key firm challenge, by partnering with a cloud provider with demonstrated security credentials that makes security a top priority, firms can leverage security as a competitive advantage when vying for client work.


David Hansen is Director of Compliance for NetDocuments and a certified public accountant. Prior to joining NetDocuments, David served in executive positions in IT, Finance, Human Resources, Operations, and Marketing for private, not-for-profit, and higher education organizations. He can be reached at [email protected].
