Security in the Cloud

WHITE PAPER

Cloud Security Considerations:

A Best Practice guide for UK Law Firms


2 March 2011

Executive Summary

Cloud computing, or “Cloud” as it is becoming known, is a new choice of IT platform for lawyers in the UK and, indeed, around the world, with firms moving their IT processing and data to servers located outwith their own law offices. For many of these law firms, Cloud has been an appropriate choice because it is a flexible and affordable alternative to traditional or ‘on premise’ server and desktop-based platforms.

Despite these benefits and the continued growth of cloud computing in both the business and legal worlds, there are still concerns that the adoption of cloud technology by law firms in the UK may bring with it security, confidentiality and data protection issues. These concerns are justified if cloud computing is implemented without expert IT guidance, particularly where the firm has no in-house IT support. Nevertheless, when addressed properly, these concerns can be alleviated.

This White Paper, “Cloud Security Considerations: A Best Practice guide for UK Law Firms”, sets out to stimulate discussion about the key issues and provide practical guidelines to help law firms in the UK settle on a solid position for their cloud computing model.

Does your law firm have and implement a defined security policy?

From a security perspective, all of the firm’s data should be secured from any threats of unauthorised access in every way possible. For this purpose, great attention should be given to passwords, as your firm’s network, whether this is held physically on premise or virtually in the Cloud, is only as secure as the weakest password.

It is recommended that firms ensure that staff use strong passwords, with separate passwords for access to the firm’s network and for access to the legal practice management software itself. This can be enforced by switching on a strong password policy in Windows. A strong password is at least 8 characters in length and should include letters, numbers and other symbols (!”£$%^&*;:) with a mix of upper and lower case letters. Furthermore, it is recommended that passwords be changed on a regular cycle of no more than 60 days; this can also be enforced by Windows policy. Passwords should never be shared or written down, and particularly not left in the vicinity of the computer.
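The following is an added example, not part of the white paper, showing how the policy above (8 characters minimum, complexity, rotation within 60 days) is applied and then audited on a Windows domain with the ActiveDirectory PowerShell module. The domain name, password history depth and lockout values are assumptions chosen for illustration.

```powershell
# Added example (not from the white paper): apply and audit the password
# policy described above on a Windows domain. Domain name is a placeholder.
Import-Module ActiveDirectory
$Domain = 'lawfirm.example'   # placeholder; substitute your own AD domain name

# Enforce the paper's policy: 8+ characters, complexity on, rotate within 60 days.
# Note: the built-in Windows complexity rule requires three of the four classes
# (upper, lower, digit, symbol) and rejects passwords containing the account name.
# History depth and lockout values are assumed, not taken from the paper.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 12 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Read the effective policy back to confirm the change actually took effect.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount

# Audit: enabled accounts whose password is older than 60 days, has never been
# set, or is flagged "never expires". These are the accounts the 60-day cycle
# is not actually protecting and the first thing to fix after enabling the policy.
$Cutoff = (Get-Date).AddDays(-60)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.PasswordNeverExpires -or
        -not $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $Cutoff
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet

# On a standalone (non-domain) PC the equivalent local policy is set with:
#   net accounts /minpwlen:8 /maxpwage:60 /uniquepw:12
```

Run the audit again after the first rotation cycle; an empty result means every enabled account is inside the 60-day window.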

Additionally, high risk behaviours such as downloading unauthorised applications and documents, browsing potentially dangerous websites, using an unauthorised email service, responding to phishing e-mails with confidential information or transferring confidential information onto a USB memory stick or other storage device should be monitored and avoided. All anti-virus and malware protection products should be updated daily on all machines in the office. Such protection is included in Windows nowadays and other products can be purchased, so switch it on and configure it to update itself automatically and scan your computer every day. If security updates are not installed as soon as they become available, the firm’s and clients’ data may be vulnerable to security breaches.

Where is your client data held? (Within the UK? or at least in the EU?)

Security in the Cloud should be approached and treated in the same way as security in a physical shared environment. If a law firm utilises cloud computing, its data and its client data will not be located within servers in its own law offices. It is therefore vital to know where that data is being held.

The UK enacted the Data Protection Act 1998 following the EU’s Data Protection Directive of 1995, which in very broad summary requires all EU Member States to protect people's fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data. It also directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself, such as a Cloud provider, can guarantee that the recipient will comply with the data protection rules.

Even if personal data is transferred to such a country with an adequate data protection regime, appropriate terms should be provided for in the Service Level Agreement (“SLA”), and it is imperative that a law firm makes clients aware of and seeks clients’ consent to such transfer before it occurs. Further, if the data is held elsewhere, a different governing law or jurisdiction may apply, demanding additional legal consideration beyond the governing law and jurisdiction clauses of the SLA. In addition, electronic discovery, which involves having client data available for any potential legal proceedings, may become more complicated.

This distinction becomes potentially blurred where public Clouds, such as those provided by Yahoo, Google or Amazon, are used. Public Clouds are offered globally to all sorts of individuals and organisations and have servers located throughout the world. With public Clouds there is a real risk of client data leaving the EU. It is therefore essential that your provider of Cloud services is willing and able to provide transparency to allow you to make correct decisions.

For these reasons it is best practice for law firms in the UK to check that their Cloud computing provider is storing their data within the UK or, at the very least, solely within the EU.

How safe is your physical data?

It is important to research and select a Cloud provider carefully. In addition to checking that your data is being held within the EU, it is also fundamental to examine how resilient your Cloud provider’s data centre actually is.

You need to be confident that your Cloud provider has implemented all security provision practically possible to ensure that your data is safe. This includes physical provisions such as a secure facility that is manned and monitored 24/7/365 with strict physical access controls to their data centre. The data centre should be resilient, with fire suppression, environment monitoring, platform monitoring, backup power supplies or generator, dual independent network path, dual independent Internet connection and two of everything to ensure that there is no single point of failure within the system.

A backup data centre provides particular comfort. Whether your Cloud provider has a backup data centre in the event of a total catastrophe at the main data centre, and how quickly it can be brought online with your applications in a usable state, is a question that helps identify the quality of a Cloud provider.

How secure is your data over the Internet?

A common misconception of Cloud services is that anyone should be able to log into a law firm’s Cloud system and, thus be able to access all client data from anywhere, provided that they have a username and password. Three key features of best practice should be implemented to prevent this from happening:-

First, this can be achieved through the implementation of a private infrastructure, as opposed to a public cloud service. Through this private infrastructure, authorised PCs should only be able to access the Cloud with a unique token, which is a small piece of encryption software installed on a user’s PC. This token is required in addition to a correct username and password (see below). This should be contrasted with an entirely public Cloud service, which is the standard web access solution, where users have no control as to how this is delivered, monitored and to some extent accessed. Private infrastructure, on the other hand, is effectively your own firm’s network, but extended to encompass a Cloud solution, which grants privacy, security and full control as to how it is accessed. This network should be encrypted for additional protection, which is why each PC requires a token. The token is a decrypting key that unscrambles the data so that it can be viewed on screen correctly;

Second, the Cloud service should only be available via a secure and strong username and password that is separate from those used to access the computer. As discussed previously, this password should be changed periodically and on a recurring cycle; and

Third, the legal practice management software or other applications accessible via the Cloud should also only be available via a separate secure and strong username and password, which, as discussed above, should be changed periodically, on a recurring cycle and independent of the operating software or connection passwords.

In respect of encryption, it is also good practice for the Cloud provider to have an encryption key, such as an SSL encryption certificate, and to use this for all connectivity and data traffic. With SSL, all traffic between two points on the Internet is encrypted using a secure and sophisticated algorithm: one end encrypts, the other end decrypts. It is almost impossible to decipher the encrypted data without knowing the encryption key itself. Thus, in the very unlikely event of a breach, sound encryption practices will ensure that confidential data remains confidential.

What happens if your laptop is lost or stolen?

Imagine the worst case scenario, where your laptop, which has access to your law firm’s private infrastructure, is lost or stolen. One of the most significant questions that follows is: will the person who finds or steals your laptop be able to access the Cloud and, thus, your firm’s client data? For the reasons above, the answer should be no, provided that the person who finds or steals the laptop neither knows nor can find out three different usernames and passwords:- those required to access the laptop in the first place, those to access the Cloud and those to access the legal practice management software within the Cloud. In addition, you should report the loss of your laptop to the Cloud provider as soon as possible; they will disable the token, thus rendering access impossible.

Is your data always available?

It is important to have a realistic view of SLAs and to contract with a provider who guarantees response times. It is not uncommon for providers to offer a financially backed SLA, which means they will refund you a portion of a fee for the times when your system is unavailable. Whilst this may provide a level of reassurance, it is more pragmatic to choose a provider who will guarantee to have your system rebuilt, restored and available within a reasonable period of time, such as, for example, 2 to 4 hours of a failure. You should also find out the times at which your Cloud provider attends to general maintenance and software updates on your Cloud. Preferably, these should be outside of your normal working hours.

For comparison purposes it is worth questioning how quickly you could restore your current on premise systems if such an event happened at your own offices. Business continuity and disaster recovery are very real threats that only become apparent when a catastrophic failure occurs. You must have your contingency plans ready, tested and workable.

Is your Cloud management system technically well designed?

When utilising Cloud services, it is best practice to have your systems secured behind a firewall. Firewalls, which are commonly hardware devices and/or software based, protect against both internal and external attacks gaining unauthorised access to the network and to your data. It is recommended that your system is secured behind both a hardware and a software firewall.

Connection to your Cloud provider is usually through a browser or remote connectivity tool. Whichever connection method is used, you should ensure that it uses a secure and up to date authentication method and that the operating system on your device receives regular updates. Having the latest service packs and hotfixes applied is essential to ensure that vulnerabilities are minimised.

You should always question your Cloud provider’s hosted environment, ensuring it is based on an industry standard, secure and protected architecture. Industry standard secure architectures will commonly use “domain controllers” to apply security policies; they will also ensure that all data is segregated and that it is not possible for one firm’s data to cross over into another firm’s segment in a shared “virtual” network environment. This segregation is normally implemented by defining separate “organisational units” for each firm and for each individual user within the units. Security policies are then applied to the firms’ databases, document repositories and all shared resources and to any other individual element of data pertaining to a firm to ensure absolute segregation.
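As an added illustration (not code from the white paper, LawWare or any hosting provider) of the per-firm segregation just described, the script below creates a firm's organisational unit and security group on a shared Windows platform, resets the NTFS permissions on that firm's document repository so only its own group and the platform administrators can reach it, and then performs the check a tenant should ask for: that no other identity has access. The domain name, OU path and repository root are assumed placeholders.

```powershell
# Added example (not from the white paper or any provider): per-firm
# segregation on a shared Windows hosting platform. Domain, parent OU and
# repository root are placeholders.
Import-Module ActiveDirectory
$NetBios  = 'LAWCLOUD'                          # placeholder NetBIOS domain name
$FirmsOU  = 'OU=Firms,DC=lawcloud,DC=example'   # placeholder parent OU
$RepoRoot = 'D:\Repositories'                   # placeholder document store root

function New-FirmTenant {
    param([Parameter(Mandatory)][string]$Firm)

    # 1. A dedicated OU so that group policy can be scoped to this firm alone.
    New-ADOrganizationalUnit -Name $Firm -Path $FirmsOU -ProtectedFromAccidentalDeletion $true
    $FirmOU = "OU=$Firm,$FirmsOU"

    # 2. A security group that every user of the firm is placed in.
    New-ADGroup -Name "${Firm}-Users" -GroupScope Global -GroupCategory Security -Path $FirmOU

    # 3. The firm's repository, with inheritance broken so that no permission
    #    granted higher up (e.g. Domain Users on the root) leaks into it.
    $Path = Join-Path $RepoRoot $Firm
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $Acl = Get-Acl -Path $Path
    $Acl.SetAccessRuleProtection($true, $false)   # protect, and discard inherited rules
    foreach ($Rule in @(
        @('NT AUTHORITY\SYSTEM',       'FullControl'),
        @('BUILTIN\Administrators',    'FullControl'),
        @("$NetBios\${Firm}-Users",    'Modify')
    )) {
        $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Rule[0], $Rule[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $Acl
}

# Returns every ACL entry on the firm's repository that belongs to an identity
# other than SYSTEM, the platform administrators or the firm's own group.
# Any entry returned is a cross-tenant exposure; an empty result is what a
# properly segregated tenant looks like.
function Test-FirmSegregation {
    param([Parameter(Mandatory)][string]$Firm)
    $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$NetBios\${Firm}-Users")
    (Get-Acl -Path (Join-Path $RepoRoot $Firm)).Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value }
}

New-FirmTenant -Firm 'SmithAndCo'        # constructed firm name
Test-FirmSegregation -Firm 'SmithAndCo'
```

The new group must have replicated to the domain controller the file server uses before the access rule can resolve its name; on a busy domain, add a short wait or retry between steps 2 and 3.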

Conclusions

Cloud computing is the way forward for law firms and lawyers: it is tested, proven and is here to stay.

For many firms, Cloud computing offers a range of benefits. It’s very quick to implement and as such is an affordable and secure alternative to traditional server or desktop-based software platforms. It offers great mobility for access from different locations and has the flexibility to adjust the number of users both up and down in order to help firms grow and contract in turbulent times.

However, with those benefits come security and ethical concerns which must be taken seriously. Cloud providers must be transparent and responsive in meeting such security concerns.

If implemented with thought and care, as Richard Susskind has noted, it is probable that a first-rate Cloud provider, chosen wisely, will be able to offer better security than many law firms can provide for themselves.

Finally, nothing beats experience. Cloud providers that have experience in delivering services to law firms will have encountered many of the questions raised in this paper before and will therefore have answers that are reassuring with policies and procedures that are secured in place.

Authored by


LawWare Ltd


A business partner case study:-

LawWare has grown by 20% since working with hosted infrastructure expert Rise...


13 June 2011

An opportunity for growth

Based in Edinburgh, LawWare is a leading developer of software for the legal profession. The company provides practice-management software for more than 20% of law firms in Scotland. Warren Wander, Managing Director at LawWare, says: “I started LawWare to produce software for law firms; a simple premise, but one that continues to serve us well 15 years later.”


In March 2010, however, LawWare recognised that many small law firms lacked the IT infrastructure to support the latest systems. These firms often found the upfront costs of new IT prohibitive – an issue exacerbated by the recent economic climate. LawWare identified an opportunity to give these firms the infrastructure and systems they needed at a price they could afford. The company knew the legal community was familiar with cloud technology and saw a hosted system as a way to grow its business.


Wander’s vision was LawCloud – an enterprise-level hosted version of the LawWare suite, which also includes Microsoft Office. But before he could realise his vision, he needed to find a hosting partner he could trust. He was looking for an organisation that would give him the security and resilience his clients needed.

Finding a trusted partner

After extensive research, Wander came across Rise, an expert in hosted IT infrastructure. He was immediately impressed. “I went through a rigorous process to select a partner,” says Wander. “However, once I started talking to the people at Rise, I found their expertise, friendliness and willingness to help to be a really good match for my business.”


Rise’s Data Center on Demand offered LawWare the opportunity to run a virtual data centre that would give customers a resilient platform and 24/7 support. In addition, Wander liked Rise’s innovative approach. For example, he found that he could increase server capacity simply by using a slider in the control panel screen. Most importantly, however, Rise offered LawWare a true partnership – one that would help improve business, not just infrastructure.


LawWare became a Rise partner and started working with a trial server nine months before the launch of LawCloud. The company optimised its system to run as a hosted service and interest in LawCloud grew quickly. Before it officially launched the service, LawWare had 25 firms up and running on LawCloud.

 

LawWare grows by 20% with competitive hosted service

Since launching LawCloud, LawWare has grown by 20%. As Wander expected, the hosted service taps into the needs of law firms for a flexible, low-cost system. Moreover, because LawCloud accommodates the requirements of the Scottish and English legal systems, LawWare is set to expand into the rest of the UK during 2011. “In the current economic climate, it’s very hard to get credit,” says Wander. “Consequently, customers find our low monthly cost an attractive alternative to the high upfront cost of servers and software licences.” Thanks to its partnership with Rise, LawWare is now stronger and competes with much larger businesses. Wander says: “Rise has really helped us level the playing field with our competitors. We expect to double our online users from 60 to 120 in a matter of months.”

Customers gain peace of mind from secure systems

LawWare knows how important it is for law firms to protect confidential information. It also knows that by offering customers a secure platform with a robust disaster recovery plan, it’s more likely to retain customers and win new business. “Law firms appreciate the peace of mind they get from LawCloud,” says Wander. “Legal professionals can sleep at night because they know that their confidential information is backed up and protected with a level of security that is often out of reach for smaller organisations.” In addition, many UK legal firms need to store their data in the UK, so that it falls under the UK’s data protection laws. LawWare meets this need because Rise’s data centres are located in the UK. “With Rise as our partner, we can be confident that we give our customers peace of mind,” says Wander.

Company enhances relationships with customers

LawWare has enhanced relationships with its customers by simplifying their IT. Customers don’t need to plan and budget for infrastructure and upgrades because their monthly payments cover everything. “We’re closer to our customers now,” says Wander. “In the past, a separate hardware supplier would have been involved, but now customers have a single point of contact. It makes things simpler for them and means we can resolve issues faster.”

As a result, LawWare frequently exceeds its customers’ expectations. “Working with Rise has changed us as a business,” says Wander. “It has brought us a new lease of life and made us more agile and responsive.”


For instance, when a lawyer phoned one Friday to say he was starting a business on the following Monday, LawWare set him up on LawCloud in just a few hours. This flexibility is a hallmark of LawCloud. Users can access it from anywhere they have an Internet connection.

To learn more about how LawWare and LawCloud can benefit your business, visit www.lawware.co.uk or www.lawcloud.co.uk.

To learn more about how Rise’s Partnership as a Service approach can help your business grow, visit http://uk.rise.co/cloud/
