Is cloud computing really less secure than the status quo?

Posted on November 16, 2009. Filed under: Cloud computing, Practice Management, The times they are a'changin', Uncategorized |

Drlogo11This week’s Daily Record column is entitled “Is cloud computing really less secure than the status quo?”

A pdf of the article can be found here and my past Daily Record articles can be accessed here.

*****

Is cloud computing really less secure than the status quo?Cloud computing, defined at Webopedia.com as the “sharing [of] computing resources rather than having local servers or personal devices to handle applications,” is a buzzword that has many lawyers up in arms.

For an even better description of cloud computing, watch this Common Craft video online at http://www.commoncraft.com/cloud-computing-video.

Examples of cloud computing used by many lawyers and their clients on a regular basis include Gmail and other Web-based e-mail services. Many platforms and services available to attorneys for use in their law practice that are cloud computing-based include practice management and document management software.

Cloud computing critics decry the trend of using cloud computing services in law practices. One of the main criticisms is that cloud computing may result in the loss or disclosure of confidential client data. Such concerns certainly are valid, and most certainly there are a number of issues that need to be addressed.

I would argue the security risks posed by cloud computing platforms are far less than the systems currently in place in most U.S. law offices. If the majority of law offices began using cloud computing services in their practice, client data would be far more secure than it is now.

Despite coverage in the mainstream media suggesting otherwise, the vast majority of lawyers are solo practitioners.  According to a 2006 report issued by the New York State Commission to Examine Solo and Small Firm Practice, more than 83 percent of New York attorneys are solo practitioners; 14.7 percent work in offices of between two and nine attorneys, and only 1.8 percent of attorneys work in large firms with 10 or more attorneys (See http://www.nycourts.gov/ip/solosmallfirmpractice/index.shtml.)

In other words, nearly 95 percent of New York lawyers work in very small law offices. The vast majority of those small firms don’t have IT support on staff, and most lawyers in those firms don’t know the first thing about computers.

Undoubtedly those attorneys continue to use systems and software from the late 1990s —at least, that’s the case in many law offices I’ve visited. Their anti-virus software is antiquated and their practice management software, if they even have it, has never been updated because most attorneys are too busy practicing law to bother with that “computer stuff.” Many don’t understand the importance of updating software and the security issues created when security patches are not installed.

For the vast majority lawyers, as long as their computers are basically functional, it’s business as usual because, as we all know, if it ain’t broke, don’t fix it.

I would argue these law offices —like the vast majority throughout the country —are walking security hazards. Anyone with minimal computer skills and a passing interest in hacking into a law office’s computer system could do so in a heartbeat.

Cloud computing providers are newcomers to the legal software market. Their products aren’t perfect, but they are responding quickly to concerns raised regarding security and other issues. The cloud computing providers that offer software services host the software and data at extremely secure facilities with high levels of bank-grade encryption and update their programs automatically. The attorneys using the services no longer need to worry about these issues and are, in my opinion, in far better shape security-wise than they were before they began using cloud computing services.

Discounting the technologies by using scare tactics and rhetoric is short-sighted and harms the profession in the long run. Cloud computing technology providers are receptive to feedback and continuously adapt their products to meet critics’ legitimate concerns. While the technologies may not be perfect, they are improving rapidly and are a much better alternative to the current computing status quo at most law offices.

Advertisements

5 Responses to “Is cloud computing really less secure than the status quo?”

RSS Feed for Practicing Law in the 21st Century-A Law & Technology Blog Comments RSS Feed

The other comparison you should look at is cloud computing versus the lost laptop. I see many more discussion of security breaches from the lost laptop than I do for a breach of network security.

Having worked in several small law practices in my pre-virtual life, I agree wholeheartedly. I was shocked that the security measures in these offices were far less than those that I used on my personal computer at home. The computer equipment was horribly out-dated and only a handful of us bothered to do security updates for software and operating systems.
And that doesn’t even mention the open files left on desks and easily overheard phone conversations as clients, delivery people, realtors, etc. came and went.
Cloud computing would have increased the security of these firms drastically rather than put them at risk.
Excellent post!

I think it is more about control rather than security. People somehow feel more secure if their data is sitting on a computer under their desk, rather than at a properly secured data center in the cloud. The large firms that do employ encryption for securing in-house databases, rarely properly secure backups of those databases. The justification for not encrypting the backups is that it makes the recovery process easy. Go figure!

Note: Apart from some niche Cloud Storage providers, most Cloud Computing vendors don’t employ encryption for Data At Rest. Encrypting data at rest requires huge amount of computing power. But they employ other mechanisms, e.g. physical controls and data sharding to ensure that data is not recoverable from a improperly discarded media.

I always say that the biggest risk of improper disclosure comes from Herbie in the file room. Anybody who really wants your information has only to convince Herbie to find it and give it to you. Since Herbie was most likely not vetted for security purposes a kind word and a great lunch may be the price of admission to your files.

I have tried to find something on the treatment of cloud computing applications under the new Rules of Professional Conduct (Part 1200), without success. Rule 1.6 (c) states that “a lawyer shall exercise reasonable care to prevent the lawyer’s employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidential information of a client.” Existing Bar Association ethical opinions hold that e-mail does not require the use of encryption, but as far as I (and Westlaw) know, no court has ruled on cloud computing. Logically, cloud computing should not be differnt from e-mail, but as in many things technological, we seem to be in uncharted legal territory.

For a non-legal perspective on these issues, the most recent issue of technology review featured a cover story entitled “Is the Cloud Safe? It Had Better Be- We All Work There.”


Comments are closed.

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: