The days of VPN, desktop practice management software and FTP file sharing have given way to online applications like Google Apps, Dropbox and online practice management solutions. Fast, cost-effective, and easy-to-use, law firms of all sizes are moving to cloud-based systems to run their operations.
How secure is a cloud-based system though?
Learn about:
- Risks of servers and why securing data in the cloud is a better option
- Procedures every law firm can use to make cloud data storage highly effective
- How cloud applications can help firms meet strict statutory requirements
3 Reasons Why the Cloud is More Secure than Your Server
1. 3 Reasons Why the Cloud is More Secure than Your Server
Joshua Lenon – Lawyer-in-Residence
@joshualenon
Doug Edmunds – Asst. Dean for Information Technology
@unclawinfotech
2. Agenda
• Cloud Overview (5 minutes)
• 3 Reasons the Cloud is More Secure
– Economies of Scale (5 minutes)
– Cybersecurity Framework (10 minutes)
• Framework vs. Confidentiality Duties
– Lightning Advancement (10 minutes)
• Guest: Doug Edmunds (20 minutes)
• Takeaways (5 minutes)
• Questions (5 minutes)
3. Instructors
Joshua Lenon
• Lawyer, admitted in New York
• Lawyer-in-Residence for Clio
Doug Edmunds
• Assistant Dean for Information Technology at University of North Carolina at Chapel Hill - School of Law
5. NIST Cloud Definition
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
Source: NIST Definition of Cloud Computing; Special Publication 800-145
11. Law Firms' Current Security
• 47% have no documented disaster recovery plan
• Only 39% have an intrusion detection system
• Only 36% have an intrusion prevention system
• 32% never have outside security assessments performed
• Only 14% have server logs
• 2% have ISO 27001 certification
Source: 2013 ILTA Tech Survey
12. Federal Labor Relations Authority (FLRA) Case Management System
• 88% reduction in total cost of ownership over a five year period
• Eliminated up-front licensing cost of $273,000
• Reduced annual maintenance from $77,000 to $16,800
• Eliminated all hardware acquisition costs
• Secure access from any Internet connection
• Ability to operate and access case information from any location in the world, supporting the virtual enterprise
Source: Cloud.CIO.gov
14. Cybersecurity Framework
• “Framework for Improving Critical Infrastructure Cybersecurity”
• Published by NIST in February 2014
• Provides Core, Tiers and Profiles
16. Cybersecurity Framework: Tiers
• 4 Tiers:
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
“Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”
17. Cybersecurity Framework: Tiers
• Tier 3: Repeatable
– Formal risk management policies with reviews
– Organization-wide approach with training
– Collaborates with outside partners on risk management
• Tier 4: Adaptive
– Adapts security based on lessons & predictions
– Security is part of corporate culture with continuous improvement
– Actively shares information with partners
18. Cybersecurity Framework: Profiles
• Current: security outcomes being achieved
• Target: outcomes needed to meet goals
• Compare Current and Target Profiles to identify gaps in security processes
20. Model Rules of Professional Conduct
• Rule 1.1 – Competency
– “lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”
• Rule 1.6 – Confidentiality
– “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…”
21. Model Rules of Professional Conduct
• Rule 5.3 - Responsibilities Regarding Nonlawyer Assistant
– “person's [nonlawyer] conduct is compatible with the professional obligations of the lawyer…”
24. Cybersecurity Framework: Tiers
• Tier 3: Repeatable
– Formal risk management policies with reviews
– Organization-wide approach with training
– Collaborates with outside partners on risk management
• Tier 4: Adaptive
– Adapts security based on lessons & predictions
– Security is part of corporate culture with continuous improvement
– Actively shares information with partners
28. 28% of solo and small firms have no process for updating their computers.
Source: 2013 ILTA Tech Survey
29. Lightning Advancements
• Cloud Services move at the speed of the internet.
• Real-time monitoring and upgrades keep your Software-as-a-Service on the cutting edge.
31. “When weaknesses are discovered in cryptographic systems, the system will not necessarily become suddenly insecure.”
Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’
32. “Such discoveries impel migration to more secure techniques, rather than signifying that everything encrypted with that system is immediately insecure.”
Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’
34. Carolina Law - Background
• Part of UNC-Chapel Hill, nation’s oldest degree-granting public university
• Law school founded 1845
• Charter member of ABA – 1920
• Approx. 740 students; 63 tenure track faculty; 35+ adjuncts
• 6 clinics with 70-80 students per year
35. Clinical Program - Challenges
• Aging hardware
• Bad software support
• Short staffing
• Limited funding
• Campus security policies
• Skepticism of university counsel
Photo source: http://tinyurl.com/lk5hy4u
36. Old Model vs. New Model
Time Matters - Local
• Poor support for Macs
• Software upgrades difficult
• No redundancy – single server in place
• Vendor difficult to reach
• Students frustrated, faculty jaded
Clio - Cloud
• Operating system agnostic
• Software upgrades totally transparent
• Geolocation of data centers and fully redundant
• Excellent vendor support and self-help resources
• Students and faculty love it
37. Security
Local Solution
• Security = just one thing your organization does
• Cobbled together, piecemeal
• Few if any guarantees
• Knowledge deficient
• No formal access controls
Cloud Solution
• Data center’s rep & business depend on it
• Multi-layered, robust
• Guarantees in Service Level Agreement
• Expertise
• Monitored, controlled environment
38. Policies & Procedures
• Rule #1 - Cloud adoption should not be based solely on convenience
• Rule #2 – Implement consistent metadata/tagging standards
• Rule #3 - Leverage version control
• Rule #4 - Require security awareness training
• Rule #5 – Prohibit “rogue agents”
39. Mobility & Agility
• True anytime, anywhere access
• Security is “baked in” rather than “bolted on”
• Accessible across platforms/devices
• No downtime due to server outages
Photo source: http://tinyurl.com/l7wgd45
41. Takeaways
• Cloud computing economies of scale provide security and service that cannot be matched by individual installations
• Organizations large and small are shifting to cloud-based services for increased savings
• Robust frameworks for measuring and mitigating risks are being developed for cloud services
• Cloud services are best suited for cutting edge implementations
42. Action Items
• Read state ethics opinions on technology
• Commit to a cybersecurity review.
– Document
• Cores
• Tiers for Firm and Vendors
• Current vs. Target Profiles
• Download the Cybersecurity Framework Core Exercise on GoClio.com/Blog