By Mark Lanterman
Recently, the CIA awarded a diversified contract for cloud computing, including the housing of top-secret data, to Amazon Web Services, Microsoft, Google, Oracle, and IBM. “Under the C2E contract vehicle,” reports an article at Nextgov, “the companies will compete for specific task orders issued by the CIA on behalf of itself and the 16 other agencies that comprise the intelligence community.”1 This is a huge contract for the companies awarded, and it underscores a movement toward cloud computing even in matters involving the utmost in secrecy. For law firms, the question of whether to use the cloud is especially critical given the unparalleled importance of protecting client confidentiality.
In our digital age, organizations, companies, and firms are constantly creating, gathering, and storing mass amounts of data—data that can be compromised by cybercriminals. Due to the costs associated with managing data, cloud computing has become the norm and will continue to be an important resource.
Cloud computing is essentially an infrastructure that allows for on-demand access to organizational assets, especially data, over the internet, typically through commercial providers via a public cloud. Many organizations use multiple clouds and a layered approach, meaning that they use several public cloud options, or a combination of public and private options. This would describe the CIA’s approach to cloud computing, opting for several service providers to better allow for customization.
Cloud computing is easily adaptable. As organizations grow in number of employees and physical locations, the cloud allows for easy access to data without the need for physical proximity. With a growing number of devices, and an ever-increasing need for data storage and computing abilities, the cloud is a sensible option for its flexibility, cost, and ease of use.
Staying secure
From a security perspective, it is important that organizations consider their risk appetites in migrating data to the cloud. Like any technology, cloud computing is neither perfectly secure nor fail-proof. Consider exactly what service, or type of infrastructure, is being used. Understand how your private, public, or hybrid plan is set up to ensure cloud security. How does the vendor protect your data? What are the practices for data encryption? How are data backups conducted? What are the policies and procedures for reporting a data breach, and how will you be notified? What is the vendor’s history with data breaches and breach response? There are many questions to consider when assessing and selecting a cloud service provider. Apart from the cybersecurity issues, law firms should also review how the vendor responds to subpoenas or other third-party requests.
Not all cloud providers are going to be the right fit for your organization, and it may be more appropriate to use several different options. Deciding to trust a third party with your data requires ample research and abiding management. Data access control policies should be regularly reviewed and updated, and employees should be trained in their individual roles and responsibilities in securely accessing the cloud.
Your data, your responsibility
Ultimately, many organizations and firms find that moving to the cloud is necessary and that cloud service providers are often in a better position to protect data than an organization relying completely on its own resources and abilities. But don’t forget that no matter where your data is being stored and by whom, you are ultimately responsibly for keeping it secure. When constructing your cloud infrastructure, accept the fact that paying more now for increased security is better than paying much more later in the event of a breach.
The cloud is a convenient and efficient tool. It can help simplify data management and for many organizations it’s become a necessity. But balancing the benefits of cloud technology with its risks requires careful research, planning, and management. In the words of the 2019 ABA Tech Report, “If you take only one thing from this… it should be to up your game on cloud security, for your sake and, even more so, for the sake of your clients.”2 Identifying options, researching vendors, and staying apprised of best practices is critical in making the best choice for your organization and your data.
Notes
1 https://www.nextgov.com/it-modernization/2020/11/exclusive-cia-awards-secret-multibillion-dollar-cloud-contract/170227/
2 https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/cloudcomputing2019/
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.