By: iDiscovery Solutions on 11/2/2020
Law firms have historically not been on the leading edge of information technology, but the pandemic and changes in how we work have impacted every organization. Law firms have not been immune. The need for remote work capabilities has driven many firms to evaluate how they do what they do and the technology that supports those processes.
While many in the IT world have recognized that migrating their applications and data to the cloud can improve, not compromise, security, many law firms are reluctant to store sensitive data on servers they do not own and cannot physically see.
While there are certainly risks associated with cloud computing, the reality is that properly implemented cloud solutions are typically safer, and can be much safer, than housing sensitive data on your own systems on your own network. If you think about it, who do you think spends more on security – your law firm or Amazon, for example? Whose data center would be easier to get into, yours or Microsoft’s?
A holistic view of cybersecurity means that you contemplate the cybersecurity CIA triad, which is Confidentiality, Integrity and Availability. Most people think only of the confidentiality dimension, but cloud computing allows firms to dramatically reduce the risk of an availability issue. Once your applications and data are in the cloud, it becomes a very easy and inexpensive exercise to create redundancy that protects you from the loss of access or loss of power to a single facility.
While there are many dimensions to cloud security, there are a few considerations that are critical, especially for law firms. First, if you are using any sort of cloud computing resource, you are moving your data over the internet. It is therefore vitally important that your firm implements and requires strong encryption to protect your data. In practice, this means encrypting data before it is sent and encrypting all data at rest in your cloud environment.
Second, identity and access management is another vital tool to restrict access to data on computers that are visible on the internet. IAM, as it is called, involves identity verification through multi-factor authentication combined with access controls based on user identity.
Multi-factor authentication (“MFA”) simply means that you must have multiple different ways of proving that you are who you claim to be. Historically, we used single-factor authentication based on something you know – a username and password. With MFA, we combine something you know with something you have, such as a token that generates numbers or a code that is generated on your smartphone.
Access management requires that you specifically identify who is allowed to access your systems and, once they are in, what information they can access and what they can do to and with your data. The best practice here is not to try to manage each individual user, but rather to create clearly defined groups and add users to those groups. You can do the same thing with case teams and matters, so that only the case team can access specific matters or groups of matters.
Overall, it is important to remember that a cloud environment is no more vulnerable to threats than your own data center. In fact, given the resources that most cloud providers have, they are likely to have better system uptime, better security policies and, likely, advanced security tools that most law firms cannot afford.
iDiscovery Solutions is a strategic consulting, technology, and expert services firm – providing customized eDiscovery solutions from digital forensics to expert testimony for law firms and corporations across the United States and Europe.