This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.

Employees are increasingly using the cloud to access their personal email, documents, music and other data from anywhere at any time. They expect their employers' digital data will be similarly accessible. Beyond user experience, cost and complexity provide compelling reasons for moving your law firm's technology operations to cloud providers. This article discusses what to look for in a cloud service provider and other issues that will help determine if moving to the cloud is the right move for your firm.


Challenges for SMBs

The growth of technology has created many challenges for small- to medium-size businesses (SMBs), including law firms: continually upgrading hardware, staying abreast of the latest in security developments and hiring multiple staff members with different skills.

First, SMBs typically purchase server hardware with the expectation it will last for years. A year or two later, they discover they need to double the capacity of that system in order to meet technology needs. These costs are often not budgeted.

Additionally, security has moved from a simple firewall and anti-virus software to very expensive, hard-to-manage security systems, including log review and correlation (SIEM) systems, next-generation firewalls, host intrusion detection systems and sandboxing of all incoming files. Your IT department can no longer consist of one person wearing many hats, including maintaining infrastructure, ensuring data security and providing end-user support. To reduce this complexity and its associated costs, many firms are moving to the cloud.


Kinds of Cloud

Cloud services can be broken down into three major categories: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).

Software As a Service

SaaS requires the least amount of technical knowledge and, as a result, allows for the least amount of IT administrative control. In the SaaS model, a cloud provider is responsible for everything from the hardware to the application. These types of services are all run primarily from a Web browser and require nothing to be downloaded or installed on the client's workstation. Examples of SaaS solutions include Dropbox, Salesforce, GoToMeeting and Office 365.

Platform As a Service

PaaS allows for more control but requires more technical knowledge than SaaS solutions. PaaS cloud solutions take care of the hardware and the operating system, allowing the user to focus on the applications. This is an ideal solution for application developers, who don't need knowledge of the underlying OS or hardware. Examples of PaaS solutions are Force.com, Apache Stratos and OpenShift.

Infrastructure As a Service

IaaS requires the greatest amount of technical knowledge and grants administrators the most control. IaaS cloud providers are responsible for the underlying hardware and infrastructure, which they expose as a host of virtual devices, including firewalls, networks, virtual servers and workstations. The company is responsible for managing the OS and the applications. This is the most flexible cloud-computing model and is highly scalable. Examples of IaaS are Amazon AWS, Microsoft Azure and Google Compute Engine.


Security Considerations

Security considerations are still paramount when migrating to a cloud solution. Maintaining good security and operational practices is a critical and nonnegotiable factor. In fact, these policies, standards and procedures are more important than ever to ensure that you are appropriately protecting your cloud implementation. Since cloud solutions are Internet accessible, if they are not appropriately secured, malicious actors can sometimes get in more easily than if the equipment is on your own premises.

Vendor Risk Management Plan and Business Continuity Plan

When an IT service provider proposes that you use a cloud system implemented by that vendor, it's critical you also implement a vendor risk management plan (VRMP) so you can make sure your managed service provider is following appropriate security procedures to protect your data. A VRMP will also let you assess whether the cloud solution you are considering is appropriately secure as well. And, finally, it is important you have a business continuity plan in place so your employees and your managed service provider know what to do if your cloud system fails, suffers a hacking attack or has otherwise been rendered unavailable.


Making the Move

Moving to the cloud by yourself is not a simple process, and any organization should carefully consider the pros and cons of such a shift. Determining if moving to the cloud is right for your organization can be broken down into several steps:

  1. Clearly define the problem that you are trying to resolve. Are you facing heavy infrastructure and maintenance costs associated with running a proper data center? Are there business continuity issues that need to be addressed, such as utilizing multiple locations to protect against specific regional natural disasters like earthquakes? Are there certain controls or customizations the organization currently has that may not be feasible in a cloud-based solution? All these questions need to be answered to ensure the cloud solution you choose is appropriate.
  2. Determine if your organization must adhere to specific compliance requirements, standards or regulations. These could range from the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) standards to the new California Consumer Privacy Act (CCPA) and many other statutes. While a number of these compliance regulations have overlapping requirements, not adhering to specific ones can result in hefty fines. Don't forget to ensure protections are in place for personally identifiable information, if it is present on your network — and it likely is.
  3. Ensure your IT provider understands its technical capabilities and what it's willing to manage. Ensure managed service providers and cloud service providers have clear delineations on management responsibility. Some solutions only require users to understand how to employ a specific web application while the cloud provider supports the balance of the platform. Other solutions may provide virtual infrastructure, meaning someone besides the cloud provider must be able to support all aspects of the OS and applications.
  4. The organization must understand the total costs involved in moving to the cloud so it can budget accordingly. If your IT provider is setting this up for you, ask for a total cost of ownership for the cloud operations to make an effective decision. Charges can add up, so understanding the costs upfront will allow for proper budgeting. Many organizations have dived headfirst into the cloud only to realize the services exceeded their initial cost assumptions.

Cloud Service Providers

Migrating IT services to a cloud service provider (CSP) benefits law firms by reducing the physical footprint of technology infrastructure in their offices while providing built-in redundancy, easy scalability, better physical security and access to advanced security features. Ultimately, this all results in lower IT capital expenditures.

When utilizing a CSP, firms no longer need to find additional space to house servers or ensure sufficient power and cooling for these systems. A CSP can offer almost unlimited room for growth. Additionally, a proper data center must have redundancies to ensure that no single failure results in lost data or downtime. A well-run CSP already has redundancies, ranging from power and cooling to storage and security, built in. Further, most major CSPs have multiple data centers around the globe, allowing for regional diversity at the push of a button to prevent downtime and lost data in the event a natural or manmade disaster takes one data center offline.

Many organizations need to expand and reduce their IT resources as needed, such as during peak- and slow-use times. Because new hardware requires a large initial investment and then ongoing operational costs to maintain, SMBs simply cannot always scale on their own. CSPs allow organizations to rapidly spin up and turn off IT resources based on demand. They offer a “pay as you go” (or “pay as you grow”) model, so organizations only pay for what they use.

Data centers must be physically secured to prevent unauthorized physical access. Well-run CSPs have dedicated facilities to house all physical servers and supporting equipment and typically go to great lengths to ensure no unauthorized access is allowed. Some CSP data centers can be compared to a military installation with multiple checkpoints and armed security.

Building a proper data center can be an expensive endeavor that requires a lot of upfront capital expenditures. Technology is also still advancing at a rapid pace, so ensuring that your data center is utilizing the latest options means maintaining a relatively rapid and expensive refresh rate. CSPs make this easier because you rent your equipment and can easily replace it. Additionally, with virtualization technologies, you can easily move your devices from old hardware to new hardware.

Shared Responsibilities

Cloud service providers are utilized by a wide variety of clients from many different sectors, including government, health care and financial services. As a result, CSPs must adhere to specific security and compliance standards issued by regulatory organizations for all these fields. However, firms need to understand that not all security, compliance standards and regulatory responsibilities are passed on to the CSP. When a company engages a CSP to assist with satisfying these security and regulatory requirements, it must understand what the cloud provider is responsible for and what the firm will still be responsible for.

On the other hand, because of the requirement to have security elements in place, CSPs like AWS and Azure allow you to implement tools which evaluate your organization's configurations to create a gap analysis showing where you need to address vulnerabilities. These tools are based on industry best practices and are usually referenced by compliance standards and regulatory organizations.

Both AWS and Azure have security tools that can be leveraged to assist in providing law firms the next level of protection. Most of these tools would be extremely costly if purchased separately. By taking advantage of a CSP, the cost of entry becomes significantly more affordable. Some of the services businesses should consider include:

  • Security Information and Event Management (SIEM). SIEM allows for event log correlation for multiple sources to assist in quickly identifying potential threats.
  • Web Application Firewall (WAF). A WAF is a purpose-built appliance designed to protect web servers from attacks carried in Web-based traffic. While the lines have become blurry between next-generation firewalls and WAFs, a WAF can be utilized to block attacks such as SQL injection, cross-site scripting and file inclusion, as well as attempts to exploit other security misconfigurations.
  • Hardware Security Modules (HSMs). HSMs are dedicated security devices designed to safeguard and manage keys for strong encryption.
  • Automated Security Assessments. CSPs can automatically run specific security assessments against cloud resources that will identify gaps and weaknesses in an organization's configuration to help plug any vulnerabilities.

Conclusion

Cloud service providers can remove many of the day-to-day burdens of maintaining IT infrastructure in law firms and allow them to concentrate on their core business functions. Law firms in the cloud can scale IT infrastructure to meet their current demands, giving firms many of the benefits of IT in larger organizations without the costs associated with maintaining technology or hiring expensive experts.

 *****

Michael Smith is a security architect at Citadel Information Group. He has over 20 years' experience in managing information technology and information security. With experience in corporate, nonprofit and classified networks, Michael has extensive experience across numerous technologies and how to secure them. Michael holds a Bachelor of Science in Information Technology from Arizona State University. He can be reached at [email protected].

Mike Paul is the chief technology officer at Innovative Computing Systems and has over 15 years of experience in the legal field. In his current role, along with evaluating new technologies and designing various systems around providing these solutions to the legal community, he also provides the glue for the internal technology Innovative uses. Paul holds a bachelor's degree from Northern Arizona University. He can be reached at [email protected].