This article is one half of a two-part series on cloud security and Keeping Your Law Firm Safe in the Cloud. Read more about your law firm’s security in the cloud in the accompanying post, Keeping Your Law Firm Safe in the Cloud: Internal Factors.
Cloud-based storage comes with numerous benefits. You and your team can access information from anywhere, on any device, and you know that millions of dollars have been invested in streamlining and securing this self-maintained system.
Moreover, cloud storage is frequently based on a software as a service (SaaS) model, which means the product’s service is included as part of your subscription.
Yet cloud technologies are constantly evolving—and as a lawyer, it’s your responsibility to keep your clients’ information safe. Below, we’ll review security topics to discuss with the vendor you choose to store your firm’s information.
Data location
Even though the term “cloud” is used to describe stored data that you can access from anywhere, that data is still stored in a physical location on storage servers and data arrays. It’s important to know where that storage is—and particularly whether or not it’s in the United States.
Where your data is stored determines the security and privacy laws it’s subject to.
Encryption
Encrypted information is presented in a code that can only be unscrambled with the proper passcode. This prevents data from being read by anyone without that passcode, and it’s a key part of what makes cloud storage secure. Verify that your cloud vendor uses at least 256-bit encryption.
Law firms will also want to ensure their data is encrypted in transit, meaning when it’s being sent or accessed, and at rest, i.e., when it’s sitting there on the storage server. A provider that isn’t encrypting your data in both situations is leaving it vulnerable to being read by someone it’s not intended for.
Data back-up and redundancy
Ask your provider how often your data is being backed up. If something happens—say, your firm becomes a victim of ransomware or data gets deleted—the frequency of back-ups will determine how much data has been lost.
Likewise, you’ll want to know if there’s data redundancy, meaning if more than one copy of the information is being stored. If the provider stores two copies of your data in the same place, that doesn’t count as redundancy.
Data retrieval and ownership
It’s always a good idea to discuss with your provider what will happen if you cancel the contract. Ask what the data retrieval process looks like, and as always, check in on encryption and security.
Review who owns the data, too. In the event of a subpoena or a cloud vendor going out of business, you want to know what will happen with your data.
SOC1 and SOC2 certification
Service Organization Control (SOC) refers to auditing procedures that make sure your cloud service is handling your data in a way that protects your privacy. SOC1 covers the provider’s internal controls, and SOC2 audits address its overall security measures.
SOC1 and SOC2 compliance is increasingly becoming the standard for SaaS companies.
Security controls
Earlier in this blog, we mentioned that encrypted data can be unscrambled with the proper passcode—and this is where security controls enter into the conversation.
Multi-factor authentication (MFA) means that in addition to a password, the identity of the person trying to access the data will be checked in another way, too. It’s a highly recommended security measure, but even with MFA, there are different levels of security.
Sending an email to check identity is the lowest MFA security method, followed by text message verification. For better security, you can use an authenticator app, which generates time-sensitive numerical codes, or a hardware authenticator, which involves using a specific physical device.
Some level of MFA is strongly recommended for cloud storage access. It can also be a good idea to check in on user permissions, which can give other team members access to specific pieces of information. User permissions also let you determine their level of access—if they can only read the information or if they can read and edit it.
Ask questions
Cloud storage services are an increasingly common and necessary part of today’s professional world. They can offer robust security, but it’s important to ask questions so that you know what to expect should problems arise.
Having a conversation with your vendor can go a long way toward helping your firm find the right cloud-based services, including a cloud-based practice management solution that works for you.
To learn more, watch the complete on-demand webinar, Keeping Your Law Firm Safe in the Cloud (31:46).