Cloud v. On-Premise Security

Pop quiz! Of the following attacks, which of them breached cloud systems and which of them successfully accessed on-premise systems?

  • NSA Snowden leaks
  • JP Morgan Chase breach
  • Home Depot breach
  • Jennifer Lawrence iCloud photos
  • Target breach
  • North Korean SONY attacks

Answer: the only attack on that list to hit a cloud system was the compromise of Jennifer Lawrence's photos on Apple's iCloud, and the intruders got in through weak user passwords and guessable security questions at the account holder's end, not through sophisticated hacking or a flaw in iCloud itself. Every other item was a breach of on-premise corporate systems guarded by IT departments.

The conversation about on-site versus cloud security may have flipped. It is time to reexamine where the real risks lie, and legal professionals deserve serious dialog and educational content about the realities of today's threat landscape.

Some legal technology consultants maintain that lawyers need to take extra precautions when moving data to the cloud. This made sense in the early days of legal cloud computing, when it was prudent for IT consultants to cast a wary eye at storing data in an offsite location. Many legal technology consultants have since embraced the cloud, understanding its benefits for both productivity and security. Furthermore, many state bar association ethics opinions have come down in favor of cloud usage by informed lawyers.

However, some legal IT departments continue to insist that on-site technology is safer than cloud technology, an assertion that is very much open to debate. We live in a highly connected world where computer systems, cloud or not, are reachable over networks, and every networked system is at risk.

It can be reasonably argued that in 2015 cloud providers have the upper hand when it comes to providing secure storage for your critical information. Securing customer data is their core business. Law firms, especially smaller ones, are not in the business of becoming security experts, and cannot reasonably afford the measures needed to guard their systems in an age of cyber warfare.

If you’re wondering what your law firm would need to have security on-par with a leading cloud provider, ask yourself the following:

  • Does your local office have biometrically protected server access that requires a hand-scan to go near the server?
  • Are there security cameras monitoring your equipment 24/7?
  • Are you paying someone every night to probe your systems for vulnerabilities?
  • Do you or your IT staff reliably and consistently apply critical security patches to your servers, before the exploited vulnerabilities make headlines on CNN?
  • In terms of disaster recovery, what happens if your office is inaccessible for some reason?
  • Does your law firm have three different electric utilities supplying it, and do you have two weeks of generator capacity to run your firm if you lose power?
  • Are your backups running continuously, and are they replicated to a second geographic region?

I ask these questions to make a point: lawyers need real, honest dialog about the pros and cons of on-premise versus cloud systems. The truth of the matter is this: no system is 100% bulletproof. Even the most hardened system can be undermined by the simple, duplicitous act of a disgruntled employee. Cloud computing, when done correctly by the right provider, has its security advantages. On-premise systems, when run correctly with the right IT staff, are also reasonably secure and safe for confidential client information.

Lawyers are due an unbiased discussion of their security risks with both on-premise and cloud systems. Their livelihoods and our collective faith in confidentiality depend on it.

About Larry Port

Larry Port, Rocket Matter founder and CEO, is a speaker and award-winning writer at the crossroads of the legal profession, cutting-edge technology, and law firm marketing. Larry speaks to an international audience on technology, productivity, and the business of law and was recently recognized by Fastcase as one of the 50 top innovators in the field of law. He is the author of two books, The Law Firm of Tomorrow and Legal Productivity, and also writes extensively for legal publications, including Legal Management, Law Technology News, Law Practice Today, ILTA’s Peer to Peer, FindLaw, Chicago Lawyer, and Legal Productivity. He frequently discusses design, efficiency, and quality techniques that lawyers can leverage. He has worked with his client law firms to help them plan their online presence and is aware of what truly works online.


  • Ben W

    Let’s start with the fact that the author probably meant to compare “on premises” as opposed to “on premise,” which means something different entirely. Next, perhaps an open disclaimer at the outset that this piece was written by a vendor who sells a hosted (i.e. cloud) platform would probably put it into context for many.

    The issue isn’t comparing on premises security to hosted security; the issue is access – be it physical or electronic. Edward Snowden would have had the same access to data regardless of where it sat; there was never any suggestion that he walked into the records vault and physically removed documents – he had access, electronically, that enabled him to take data whether it was located on premises where he sat or in the cloud (wherever that is for the NSA).

    In fact, I would challenge the author of this piece to provide proof that each of the security breaches he points to would have been any different had the data been stored off-site. The biggest threat to security is people. Social engineering is the simplest. You don’t need to be Tom Cruise and lower yourself on a wire into the NSA vault to steal data – all you need is to get someone’s credentials or to plant malware (think keylogger) onto someone’s computer and you’re in.

    Articles such as this only serve to confuse people or give them a false sense of security. Rather than pumping people full of misinformation in an effort to get them to buy into your subscription software, how about offering some constructive feedback on training their personnel to avoid being taken advantage of via social engineering.

    • TechLawGuru

      Excellent points. In terms of a lawyer’s ethical duties, one of the key obligations is to protect the confidentiality of the client’s information. Few cloud vendors have adequate encryption and/or confidentiality provisions in their Terms of Service. Does the vendor’s service agreement affirmatively impose a confidentiality, non-disclosure, and non-use obligation on the vendor? Does the cloud provider provide for encryption of data using a private encryption key held only by the law firm?

      This article also raises several points that are not terribly relevant to the “internal” vs “external/cloud” data storage question. For example, our firm does not have two weeks of generator capacity, and having such capacity would be pointless. If our office was without power for two weeks, what is the likelihood that our attorneys would have power at their homes to be able to remotely connect to a cloud service provider? (And how many people can afford to have two weeks of generator capacity for their homes?)

      I am much more concerned about storing client data offsite with unknown third party employees having access to the data than I am about interruptions due to loss of electrical power. As the recent Germanwings incident reaffirms, people are a huge security risk. When it comes down to it, I trust our law firm’s employees more than I trust the employees of cloud service providers.
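
The commenter's last question above, whether data can be encrypted under a key held only by the law firm, has a concrete shape: encrypt each document on the firm's side before upload, so the provider and its employees only ever hold ciphertext. The following is an added example written for this page, not code from the post, from Rocket Matter, or from either commenter. It uses Go's standard-library AES-256-GCM; the CloudStore type, the document identifier bound as associated data, and the sample memo text are constructed for illustration and assume nothing about any real provider's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewFirmKey generates a 256-bit AES key. In practice this key lives in the
// firm's own key store (an HSM, a password-manager vault, an offline backup)
// and is never sent to the provider.
func NewFirmKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealDocument encrypts a document with AES-256-GCM before it leaves the firm.
// docID is bound as associated data, so a blob filed under one matter cannot be
// silently substituted for another. Output layout: nonce || ciphertext || tag.
func SealDocument(key, plaintext, docID []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, docID)...), nil
}

// OpenDocument decrypts a blob fetched back from the provider. It fails if the
// key is wrong, the blob was modified, or it was filed under a different docID.
func OpenDocument(key, blob, docID []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], docID)
}

// CloudStore is a constructed stand-in for the provider: an opaque blob store
// whose operators can read every byte they hold.
type CloudStore map[string][]byte

func (s CloudStore) Put(id string, blob []byte) { s[id] = blob }
func (s CloudStore) Get(id string) []byte      { return s[id] }

// ProviderSeesPlaintext is the check a skeptical partner would ask for:
// does the provider's copy contain the document text anywhere?
func ProviderSeesPlaintext(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key, err := NewFirmKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; any real matter would use real content.
	docID := []byte("matter-2015-0042/settlement-memo.txt")
	memo := []byte("PRIVILEGED AND CONFIDENTIAL: settlement authority up to $250,000")

	blob, err := SealDocument(key, memo, docID)
	if err != nil {
		panic(err)
	}
	cloud := CloudStore{}
	cloud.Put(string(docID), blob)

	fmt.Printf("provider can read memo: %v\n", ProviderSeesPlaintext(cloud.Get(string(docID)), memo))

	back, err := OpenDocument(key, cloud.Get(string(docID)), docID)
	fmt.Printf("firm decrypts with its key: %q (err=%v)\n", back, err)

	// Without the firm's key, the provider (or anyone who compromises it) gets an error, not a document.
	strangerKey, _ := NewFirmKey()
	_, err = OpenDocument(strangerKey, blob, docID)
	fmt.Printf("provider decrypts without key: err=%v\n", err)
}
```

Two caveats follow from the design. The key becomes the firm's single point of failure: lose it and the provider's geo-redundant backups are unreadable, so key backup and rotation are now the firm's job, not the vendor's. And the commenters' other threat is untouched: a keylogger or phished credential on the lawyer's own machine sees the plaintext and the key before any of this runs, which is exactly the access problem Ben W describes.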

  • Shawn Miller

    Great thoughts! To share confidential files securely, the first thing is to avoid storing them on an external server. Instead, use Binfer, which will transfer files directly between sender and receiver without uploading online. See secure file sharing for legal.