What security must my cloud storage have?

Bar associations recommend that attorneys evaluate the security of cloud storage in the same way they evaluate the security of their paper files by taking reasonable steps needed to safeguard confidential information stored on the cloud. The following are some of the factors attorneys should consider when determining whether a cloud storage service is secure enough to store confidential client information^[1][2]:

1. Where are the company’s servers located? If the server is located in a country with looser privacy laws, your confidential data may not be as secure.^[3]
2. What physical security does the company have where it’s servers are located? The company should keep its servers in a building that has strong physical locks and restricts physical access to the servers only to technicians.^[4] This ensures that a thief cannot get into the server room and download your data onto a portable hard drive.
3. Does the company do penetration testing?^[2] The company should consistently test for and identify vulnerabilities that hackers can exploit to access the server and then fix those problems.
4. Does the company have backup servers in a different physical location than the main servers? If the company stores your data on one server only, then if anything happens to that server your service will be interrupted. If the company has backup servers in a different physical location than the main server, they will be able to ensure continuous access to your files even if a disaster or equipment failure makes the main server inaccessible.^[4]
5. Is the data encrypted on the server? If someone does gain access to the server, you want to make sure that they are not able to read the data you have stored on it.^[5]  If the data is encrypted with a strong key, then your data would be unintelligible unless the thief managed to get a hold of your encryption key.^[4] Only 9.4% of cloud providers encrypt data at rest on the server so you will need to verify that your cloud provider does so.^[6]
6. Is the data encrypted in transit? When you upload files to the company’s server the  information is visible to third parties unless it is encrypted during the upload process.  You should double check with the specific cloud storage company.^[7]
7. Does the company have a policy about destruction of data once you have removed it and closed your account? If you change cloud storage providers it is important to make sure that your data is completely removed and erased from the old company’s server.^[8]
8. Does the company’s agreement/terms and conditions address the ownership of the data?^[3] Your client’s data belongs to them. If the cloud storage company says that the stored data becomes the cloud storage company’s then your clients lose its rights to it, which is a violation of confidentiality among other things.
9. Does the company’s agreement/terms and conditions address the cloud storage provider’s ability to access your data stored on their servers? You want your client’s confidential data to remain confidential, so your the storage provider should not have the ability to access or decrypt your stored files. Consider using a zero-knowledge cloud storage^[9]
10. Does the company’s agreement/terms and conditions require them to notify you before the company goes out of business so that you can get your data off of the server before they shut down? If the company goes out of business without notifying you, you could lose access to all of your files and your client’s confidential data would remain on the company’s server after the company shuts down.^[10]
11. Is the company a reputable one with sufficient resources to stay in business? If the company doesn’t have sufficient resources to stay in business, it increases the risk that the company could go out of business without notifying you.^[11]
12. Does the service have sufficient log in security measures?^[12] You don’t want a hacker to brute force their way into your cloud storage – use a computer program to guess at your username and password until it finds the correct combination. You also don’t want a hacker to use the password reset to gain access to your cloud storage account. So you want to find a company that uses two-factor authentication and has a robust password reset process.
13. Does the company have procedures to comply with a litigation hold? Electronic records need to be preserved during discovery in the same manner that you would preserve paper records. This means that you have to identify records which cannot be modified and make sure they are sufficiently protected. Your cloud storage company should have a method for you to deal with this.^[13]
14. Does the cloud storage have audit logging features? It is important for you to see who has accessed your cloud storage system and if they made any changes to your files.

If a law firm takes the proper care selecting a reputable cloud storage company with sufficient security and uses appropriate log on security (including two-factor authentication), then the firm may store confidential client data in the cloud.

References

1. Cloud Computing Ethics
2. Attorney Confidentiality, Cyber Security and the Cloud
3. Major Risks with Cloud Storage
4. Selecting Online Storage Provider
5. Office 365 Encryption
6. Cloud Providers Data Encryption
7. End to End Data Encryption
8. Cloud Data Destruction
9. Zero Knowledge in Cloud
10. Cloud Provider Goes Out of Business
11. Choosing a Cloud Provider
12. Password Security Guide
13. MS Exchange Policy and Compliance