Cloud Security Considerations:
A Best Practice guide for UK Law Firms
Cloud computing, or “Cloud” as it is becoming known, is a new choice of IT platform for lawyers in the UK and, indeed, around the world, with firms moving their IT processing and data to servers which are located outwith their own law offices. For many of these law firms, Cloud has been an appropriate choice because it is a flexible and affordable alternative to traditional or ‘on premise’ server and desktop-based platforms.
Despite these benefits and the continued growth of cloud computing in both the business and legal worlds, there are still concerns that the adoption of cloud technology by law firms in the UK may bring with it security, confidentiality and data protection issues. These concerns are indeed justified if cloud computing is not implemented under expert IT guidance, particularly where the firm has no in-house IT support. Nevertheless, when addressed properly, these concerns can be alleviated.
This White Paper, “Cloud Security Considerations: A Best Practice guide for UK Law Firms”, sets out to stimulate discussion about the key issues and provide practical guidelines to help law firms in the UK settle on a solid position for their cloud computing model.
Does your law firm have and implement a defined security policy?
From a security perspective, all of the firm’s data should be secured from any threats of unauthorised access in every way possible. For this purpose, great attention should be given to passwords, as your firm’s network, whether this is held physically on premise or virtually in the Cloud, is only as secure as the weakest password.
It is recommended that firms ensure that staff use strong passwords, with separate passwords used for access to the firm’s network and for access to the legal practice management software itself. This can be enforced by switching on a strong password policy in Windows. A strong password is at least 8 characters in length and should include letters, numbers and other symbols (!"£$%^&*;:), with a mix of upper and lower case letters. Furthermore, it is recommended that a policy of changing passwords should be implemented on a regular cycle of no more than 60 days. This can also be implemented by Windows policy. Certainly, passwords should not be shared or written down, and particularly not left in the vicinity of the computer.
Additionally, high risk behaviours such as downloading unauthorised applications and documents, browsing potentially dangerous websites, using an unauthorised email service, responding to phishing e-mails with confidential information or transferring confidential information onto a USB memory stick or other storage device should be monitored and avoided. All anti-virus & malware protection products should be updated daily on all machines in the office. These are included in Windows nowadays and you can purchase others, so switch them on and configure them to automatically update themselves and scan your computer every day. If such regular security updates are not installed as soon as they become available, the firm’s and clients’ data may be vulnerable to security breaches.
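The Windows password policy recommended above can be checked on a machine by exporting its security policy with `secedit /export /cfg policy.inf /areas SECURITYPOLICY` and comparing the result against the paper's figures. The script below is an added example, not part of the original paper; the sample export is constructed, and treating a maximum age below 1 as "never expires" is an assumption of this example.

```python
import configparser

# Thresholds from the paper: at least 8 characters, complexity on, change within 60 days.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60

# Constructed sample export for illustration; not taken from a real machine.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
"""

def read_system_access(text):
    """Return the numeric [System Access] settings of a secedit export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(text.lstrip("\ufeff"))  # exports may start with a BOM
    if not parser.has_section("System Access"):
        raise ValueError("export has no [System Access] section")
    return {k: int(v) for k, v in parser.items("System Access")
            if v.lstrip("-").isdigit()}

def audit(text):
    """List where the exported policy falls short of the paper's recommendations."""
    s = read_system_access(text)
    findings = []
    length = s.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"minimum length {length} is below {MIN_LENGTH}")
    if s.get("PasswordComplexity", 0) != 1:
        findings.append("complexity requirement is switched off")
    age = s.get("MaximumPasswordAge", -1)
    if age < 1:  # values below 1 are treated here as 'never expires'
        findings.append("passwords never expire")
    elif age > MAX_AGE_DAYS:
        findings.append(f"maximum age {age} days exceeds {MAX_AGE_DAYS}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FAIL:", finding)
```

On a real machine the exported file is normally UTF-16, so open it with `encoding="utf-16"` before passing its text to `audit`.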
Where is your client data held? (Within the UK? or at least in the EU?)
Security in the Cloud should be approached and treated in the same way as security in a physical shared environment. If a law firm utilises cloud computing, its data and its client data will not be located within servers in its own law offices. It is therefore vital to know where that data is being held.
The UK enacted the Data Protection Act 1998 following the EU’s Data Protection Directive of 1995, which in very broad summary requires all EU Member States to protect people's fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data. It also directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself, such as a Cloud provider, can guarantee that the recipient will comply with the data protection rules.
Even if personal data is transferred to such a country with an adequate data protection regime, appropriate terms should be provided for in the Service Level Agreement (“SLA”), and it is imperative that a law firm makes clients aware and seeks clients’ consent to such transfer prior to it occurring. Further, if the data is held elsewhere, a different governing law or jurisdiction may become active, demanding additional legal consideration, not solely in the governing law and jurisdiction clauses of the SLA. Further, electronic discovery, which involves having client data available for any potential legal proceedings, may become more complicated.
This distinction becomes potentially blurred where public Clouds, such as those provided by Yahoo, Google or Amazon, are used. Public Clouds are offered globally to all sorts of individuals and organisations and have servers located throughout the world. With public Clouds there is a real risk of client data leaving the EU. It is therefore essential that your provider of Cloud services is willing and able to provide transparency to allow you to make correct decisions.
For these reasons it is best practice for law firms in the UK to check that their Cloud computing provider is storing their data within the UK or, at the very least, solely within the EU.
How safe is your physical data?
It is important to research and select a Cloud provider carefully. In addition to checking that your data is being held within the EU, it is also fundamental to examine how resilient your Cloud provider’s data centre actually is.
You need to be confident that your Cloud provider has implemented all security provision practically possible to ensure that your data is safe. This includes physical provisions such as a secure facility that is manned and monitored 24/7/365 with strict physical access controls to their data centre. The data centre should be resilient, with fire suppression, environment monitoring, platform monitoring, backup power supplies or generator, dual independent network path, dual independent Internet connection and two of everything to ensure that there is no single point of failure within the system.
Of particular comfort will be a backup data centre. Whether your Cloud provider has a backup data centre in the event of a total catastrophe occurring to the main data centre, and how quickly it would be available with your applications in a usable state, are questions that help identify the quality of Cloud providers.
How secure is your data over the Internet?
A common misconception about Cloud services is that anyone should be able to log into a law firm’s Cloud system and thus be able to access all client data from anywhere, provided that they have a username and password. Three key features of best practice should be implemented to prevent this from happening:-
First, this can be achieved through the implementation of a private infrastructure, as opposed to a public cloud service. Through this private infrastructure, authorised PCs should only be able to access the Cloud with a unique token, which is a small piece of encryption software installed on a user’s PC. This token is required in addition to a correct username and password (see below). This should be contrasted with an entirely public Cloud service, which is the standard web access solution, where users have no control as to how this is delivered, monitored and to some extent accessed. Private infrastructure, on the other hand, is effectively your own firm’s network, but extended to encompass a Cloud solution, which grants privacy, security and full control as to how it is accessed. This network should be encrypted for additional protection, which is why each PC requires a token. The token is a decrypting key that unscrambles the data so that it can be viewed on screen correctly;
Second, the Cloud service should only be available via a secure and strong username and password that is separate from those used to access the computer. As discussed previously, this password should be changed periodically and on a recurring cycle; and
Third, the legal practice management software or other applications accessible via the Cloud should also only be available via a separate secure and strong username and password, which, as discussed above, should be changed periodically, on a recurring cycle and independent of the operating software or connection passwords.
In respect of encryption, it is also good practice for the Cloud provider to have an encryption key, such as an SSL encryption certificate, and to use this for all connectivity and data traffic. With SSL, all traffic between two points on the Internet is encrypted using a secure and sophisticated algorithm. One end encrypts; the other end decrypts. It is almost impossible to decipher the encrypted data without knowing the encryption key itself. Thus, in the very unlikely event of a breach, sound encryption practices will ensure that confidential data remains confidential.
What happens if your laptop is lost or stolen?
Imagine the worst case scenario, where your laptop, which has access to your law firm’s private infrastructure, is lost or stolen. One of the most significant questions that follows is: will the person who finds or steals your laptop be able to access the Cloud and, thus, your firm’s client data? For the reasons above, the answer should be no, provided that the person who finds or steals the laptop does not know and cannot find out three different usernames and passwords:- those required to access the laptop in the first place, those to access the Cloud and those to access the legal practice management software within the Cloud. In addition, you should report the loss of your laptop to the Cloud provider as soon as possible; they will disable the token, thus rendering access impossible.
Is your data always available?
It is important to have a realistic view of SLAs and to contract with a provider who guarantees response times. It is not uncommon for providers to offer a financially backed SLA, which means they will refund you a portion of a fee for the times when your system is unavailable. Whilst this may provide a level of reassurance, it is more pragmatic to choose a provider who will guarantee to have your system rebuilt, restored and available within a reasonable period of time, for example within 2 to 4 hours of a failure. You should also find out the times at which your Cloud provider attends to general maintenance and software updates on your Cloud. Preferably, these should be outside of your normal working hours.
For comparison purposes it is worth questioning how quickly you could restore your current on premise systems if such an event happened at your own offices. Business continuity and disaster recovery are very real concerns that only become apparent when a catastrophic failure occurs. You must have your contingency plans ready, tested and workable.
Is your Cloud management system technically well designed?
When utilising Cloud services, it is best practice to have your systems secured behind a firewall. Firewalls protect against both internal and external attacks being able to gain unauthorised access to the network and to your data, and are commonly hardware devices and/or software based. It is recommended that your system is secured behind a hardware and software firewall.
Connection to your Cloud provider is usually through a browser or remote connectivity tool. You should ensure that, whichever connection method is used, it uses a secure and up-to-date authentication method and that the operating system on your device takes regular updates. Having the latest service packs and hotfixes applied is essential to ensure that vulnerabilities are minimised.
You should always question your Cloud provider’s hosted environment, ensuring it is based on an industry standard, secure and protected architecture. Industry standard secure architectures will commonly use “domain controllers” to apply security policies; they will also ensure that all data is segregated and that it is not possible for one firm’s data to cross over into another firm’s segment in a shared “virtual” network environment. This protocol is normally executed by defining separate “organisational units” for each firm and for each individual user within the units. Security policies are then applied to the firms’ databases, document repositories and all shared resources and to any other individual element of data pertaining to a firm to ensure absolute segregation.
Cloud computing is the way forward for law firms and lawyers: it is tested, proven and is here to stay.
For many firms, Cloud computing offers a range of benefits. It’s very quick to implement and as such is an affordable and secure alternative to traditional server or desktop-based software platforms. It offers great mobility for access from different locations and has the flexibility to adjust the number of users both up and down in order to help firms grow and contract in turbulent times.
However, with those benefits come security and ethical concerns which must be taken seriously. Cloud providers must be transparent and responsive in meeting such security concerns.
If implemented with thought and care, as Richard Susskind has noted, it is probable that a first-rate Cloud provider, chosen wisely, will be able to offer better security than many law firms can provide for themselves.
Finally, nothing beats experience. Cloud providers that have experience in delivering services to law firms will have encountered many of the questions raised in this paper before and will therefore have answers that are reassuring with policies and procedures that are secured in place.