
3 Reasons Why the Cloud is More Secure than Your Server


The days of VPN, desktop practice management software and ftp file sharing have given way to online applications like Google Apps, Dropbox and online practice management solutions. Fast, cost-effective, and easy-to-use, law firms of all sizes are moving to cloud-based systems to run their operations.

How secure is a cloud-based system though?

Learn about:

- Risks of servers and why securing data in the cloud is a better option
- Procedures every law firm can use to make cloud data storage highly effective
- How cloud applications can help firms meet strict statutory requirements

Published in: Law, Technology

  1. 3 Reasons Why the Cloud is More Secure than Your Server Joshua Lenon – Lawyer-in-Residence @joshualenon Doug Edmunds – Asst. Dean for Information Technology @unclawinfotech
  2. Agenda • Cloud Overview (5 minutes) • 3 Reasons the Cloud is More Secure – Economies of Scale (5 minutes) – Cybersecurity Framework (10 minutes) • Framework vs. Confidentiality Duties – Lightning Advancement (10 minutes) • Guest: Doug Edmunds (20 minutes) • Takeaways (5 minutes) • Questions (5 minutes)
  3. Instructors Joshua Lenon • Lawyer, admitted in New York • Lawyer-in-Residence for Clio Doug Edmunds • Assistant Dean for Information Technology at University of North Carolina at Chapel Hill - School of Law
  4. CLOUD OVERVIEW
  5. NIST Cloud Definition “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” Source: NIST Definition of Cloud Computing; Special Publication 800-145
  6. Cloud Defined
  7. Cloud Defined
  8. 3 REASONS THE CLOUD IS MORE SECURE
  9. ECONOMIES OF SCALE
  10. Cloud Economies • Dedicated Security Team • Greater Investment in Security Infrastructure • Fault Tolerance and Reliability • Greater Resiliency • Hypervisor Protection Against Network Attacks • Simplification of Compliance Analysis • Data Held by Unbiased Party • Low-Cost Disaster Recovery and Data Storage Solutions • On-Demand Security Controls • Real-Time Detection of System Tampering • Rapid Re-Constitution of Services Source: Cloud.CIO.gov
  11. Law Firms Current Security • 47% have no documented disaster recovery plan • Only 39% have intrusion detection system • Only 36% have intrusion prevention system • 32% never have outside security assessments performed • Only 14% have server logs • 2% have ISO 27001 certification Source: 2013 ILTA Tech Survey
  12. Federal Labor Relations Authority (FLRA) Case Management System • 88% reduction in total cost of ownership over a five-year period • Eliminated up-front licensing cost of $273,000 • Reduced annual maintenance from $77,000 to $16,800 • Eliminated all hardware acquisition costs • Secure access from any Internet connection • Ability to operate and access case information from any location in the world, supporting the virtual enterprise Source: Cloud.CIO.gov
  13. CYBER-SECURITY FRAMEWORK
  14. Cybersecurity Framework • “Framework for Improving Critical Infrastructure Cybersecurity” • Published by NIST in February 2014 • Provides Core, Tiers and Profiles
  15. Cybersecurity Framework: Cores Source: NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” 02/14/2014
  16. Cybersecurity Framework: Tiers • 4 Tiers: – Tier 1: Partial – Tier 2: Risk Informed – Tier 3: Repeatable – Tier 4: Adaptive “Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”
  17. Cybersecurity Framework: Tiers • Tier 3: Repeatable – Formal risk management policies with reviews – Organization-wide approach with training – Collaborates with outside partners on risk management • Tier 4: Adaptive – Adapts security based on lessons & predictions – Security is part of corporate culture with continuous improvement – Actively shares information with partners
  18. Cybersecurity Framework: Profiles • Current: security outcomes being achieved • Target: outcomes needed to meet goals • Compare Current and Target Profiles to identify gaps in security processes
  19. CYBERSECURITY FRAMEWORK VS. CONFIDENTIALITY DUTIES
  20. Model Rules of Professional Conduct • Rule 1.1 – Competency – “lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…” • Rule 1.6 – Confidentiality – “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…”
  21. Model Rules of Professional Conduct • Rule 5.3 - Responsibilities Regarding Nonlawyer Assistant – “person's [nonlawyer] conduct is compatible with the professional obligations of the lawyer…”
  22. Cloud Computing Ethics Opinions Source: American Bar Association
  23. Framework vs. Ethics Opinions Framework helps map, measure, & migrate cost benefit analysis
  24. Cybersecurity Framework: Tiers • Tier 3: Repeatable – Formal risk management policies with reviews – Organization-wide approach with training – Collaborates with outside partners on risk management • Tier 4: Adaptive – Adapts security based on lessons & predictions – Security is part of corporate culture with continuous improvement – Actively shares information with partners
  25. Framework vs. Ethics Opinions Opinions fail to discuss regulatory requirements.
  26. Framework vs. Ethics Opinions Cloud services allow easier regulatory compliance
  27. LIGHTNING ADVANCEMENTS
  28. 28% of solo and small firms have no process for updating their computers. Source: 2013 ILTA Tech Survey
  29. Lightning Advancements • Cloud Services move at the speed of the internet. • Real-time monitoring and upgrades keep your Software-as-a-Service on the cutting edge.
  30. Heartbleed
  31. “When weaknesses are discovered in cryptographic systems, the system will not necessarily become suddenly insecure.” Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’
  32. “Such discoveries impel migration to more secure techniques, rather than signifying that everything encrypted with that system is immediately insecure.” Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’
  33. GUEST: DOUG EDMUNDS
  34. Carolina Law - Background • Part of UNC-Chapel Hill, nation’s oldest degree-granting public university • Law school founded 1845 • Charter member of ABA – 1920 • Approx. 740 students; 63 tenure track faculty; 35+ adjuncts • 6 clinics with 70-80 students per year
  35. Clinical Program - Challenges • Aging hardware • Bad software support • Short staffing • Limited funding • Campus security policies • Skepticism of university counsel Photo source: http://tinyurl.com/lk5hy4u
  36. Old Model vs. New Model Time Matters - Local • Poor support for Macs • Software upgrades difficult • No redundancy – single server in place • Vendor difficult to reach • Students frustrated, faculty jaded Clio - Cloud • Operating system agnostic • Software upgrades totally transparent • Geolocation of data centers and fully redundant • Excellent vendor support and self-help resources • Students and faculty love it
  37. Security Local Solution • Security = just one thing your organization does • Cobbled together, piecemeal • Few if any guarantees • Knowledge deficient • No formal access controls Cloud Solution • Data center’s rep & business depend on it • Multi-layered, robust • Guarantees in Service Level Agreement • Expertise • Monitored, controlled environment
  38. Policies & Procedures • Rule #1 - Cloud adoption should not be based solely on convenience • Rule #2 – Implement consistent metadata/tagging standards • Rule #3 - Leverage version control • Rule #4 - Require security awareness training • Rule #5 – Prohibit “rogue agents”
  39. Mobility & Agility • True anytime, anywhere access • Security is “baked in” rather than “bolted on” • Accessible across platforms/devices • No downtime due to server outages Photo source: http://tinyurl.com/l7wgd45
  40. TAKEAWAYS
  41. Takeaways • Cloud computing economies of scale provide security and service that cannot be matched by individual installations • Organizations large and small are shifting to cloud-based services for increased savings • Robust frameworks for measuring and mitigating risks are being developed for cloud services • Cloud services are best suited for cutting edge implementations
  42. Action Items • Read state ethics opinions on technology • Commit to a cybersecurity review. – Document • Cores • Tiers for Firm and Vendors • Current vs. Target Profiles • Download the Cybersecurity Framework Core Exercise on GoClio.com/Blog
  43. ClioWeb Planning to move to the Cloud now? Try Clio for free & get 25% off your first 6 months
  44. QUESTIONS
  45. Thank You Doug Edmunds edmunds@unc.edu @unclawinfotech linkedin.com/in/dougedmunds Joshua Lenon joshua@goclio.com @JoshuaLenon linkedin.com/in/joshualenon
