9/14/12

The Inevitable Cloud



Several months ago I was asked by a partner to review the privacy policies and terms of service for a number of consumer cloud storage providers and to rank them according to how well they met his requirements based on firm policies, ABA missives, and a handful of other relevant opinions about client confidentiality and the cloud.  Long story short, they all failed miserably.  None of them came close to meeting the “requirements”.  

The partner was hoping to be able to tell his fellow attorneys that the firm doesn’t approve of consumer cloud storage for client-related information; however, if you are going to use a consumer solution for “personal information”, we recommend provider X.  My pessimistic report made even that a difficult statement.  Still hoping to salvage something from this conversation, he asked a follow-up question. 

“Do any of these services provide anything close to the level of security we have in email?”

Had I sipped my coffee a second earlier I surely would have showered my office with stale joe.

“Excuse me”, I said, “Could you ask that again?”

“Attorneys send client confidential information all the time via email, so do any of these services come close to meeting the standards for email security?”

That’s what I thought he meant.  I broke the news to him slowly, explaining it this way. “I wouldn't put anything in consumer cloud storage that I wouldn’t leave in a file folder on the front seat of my locked car.  But, I wouldn't put anything in an email that I wouldn’t write on the back of a postcard and hand to a stranger on the street to mail for me.  The least secure of these consumer cloud storage solutions is many, many times more secure than a standard unencrypted email.  In fact, some of them have much better security protocols than your average law firm.”

The partner was flummoxed.  “Then what’s the big deal about this cloud thing?”

I was reminded of this incident when I attended the ILTA conference a couple of weeks ago.  In the vendor hall I saw a lot of vendors pushing their cloud-based SaaS solutions and a lot of firms saying, "Sorry, we have to host all of our own data."  Typically the vendor went on to explain the value of allowing them to host the data. The product is constantly monitored, backed up, and securely encrypted in transit and at rest.  The product and mobile apps are updated multiple times a day. They simply can't provide such a high level of service if you insist on hosting the product behind your firewall.  

These conversations went back and forth for a long while.  I never once heard a cloud vendor acquiesce and say, "Well, OK. We'll let you host it yourself."   Chances are good that if you host their service, you will have a less than ideal experience.  And if you have a less than ideal experience, they will have to spend a lot of time and money to make you happy, which will eat into their profits.  They would rather not have you as a customer at all than have you be a less-than-completely-satisfied customer.  It seems some vendors have learned a lesson that many law firms have not: not all revenue is profitable. 

Taken together, I think these incidents are representative of a larger paradigm shift. Traditional IT services, even the big traditional legal software vendors, are moving to the cloud.  Attorneys will eventually figure out how to work with the cloud and still meet their ethical obligations, or they will just get used to the risks and ignore them like they have with email in the last 20 years.  The ABA will eventually make some coherent and unambiguous statements about the acceptable use of cloud services. And all of these will come together at the same time that firms begin to realize the economic benefits of not supporting an entire service infrastructure in-house.

Once that happens law firms will look back on all of the sturm und drang surrounding the Cloud, Software as a Service, and the Consumerization of IT, and they'll wonder what all the fuss was about.  They'll probably also wonder what all those nice people who used to run their network are doing now.


3 comments:

Andy Wilson said...

Excellent email analogy Ryan. Hope you don't mind, but I'm going to be using it, often. Considering we offer 100% eDiscovery in the cloud we hear a lot of the same.

But these same people don't seem to care too much when their lit support analyst or paralegal ships customer evidence off in an "unlocked" cardboard box to a local copy shop or eDiscovery vendor that may or may not have adequate security protocols in place for locking doors.

Similar to your email analogy they will figure it out sooner or later and realize they are better off.

Moira Vasquez said...

Hello. This is a great article. Last year at an IAPP conference (a group of serious data privacy professionals and lawyers interested in protecting data), in technology forecast sessions, many presenters felt cloud providers of the next generation will understand that data security and compliance are market differentiators. I believe that is true and we see a number of these emerging now. A Google search will find providers that have achieved HIPAA compliance for a scope of services (e.g. the hosting portion of their services) or an SSAE-16 SOC 3 audit with minimum deficiencies.

I do believe that law firms will have cultural and economic difficulty applying the level of rigor passing an SSAE-16 SOC 3 audit requires at a fast pace. If they do achieve this pace, they may find it financially unfeasible to sustain over time. This is where cloud providers have a big advantage to help.

Ryan McClead said...

Adam Carlson at C&W Security Blawg has a terrific article following up on this post from a security perspective.
Check it out here: http://www.securityblawg.com/2012/09/what-cloud-security-fuss-should-be-about.html


© 2014, All Rights Reserved.