Private cloud offerings including SaaS are growing in our industry largely due to the expense in maintaining hardware and security protocols for client data that law firms have traditionally managed. The expanding data volumes and security requirements complicate those efforts. Data breaches continue to occur, and with companies like AT&T getting stuck with $25 million in fines, as happened recently, the need for diligence becomes even more pressing. Although our industry isn’t a hot target compared to large corporate data, our client data is, and clients want to be sure it is secure and protected.
Service Partners and Cloud Security
Cloud usage means many things across industries, and even within our own legal market, but one of the largest concerns is whether those who host sensitive data actually deliver data privacy and security. This article focuses on guidelines to help confirm that data is safe with your third-party providers. It is not intended to be the end-all authoritative word on data privacy and security, but the principles presented here will put you on the right path toward assessing whether or not you can trust the hosting provider you are evaluating.
Sound data privacy and security require a cohesive mix of policies/practices, facilities, technology and people. Weakness at any point is a weakness overall. Privacy and security should be baked into the culture of the providers you are considering, and you should be able to see it and feel it when you visit or talk with them.
The outline below can be a reference guide as you interview partner providers. It can be employed as a list of questions to start a security dialogue that will paint the picture of how a provider operates.
Physical Safeguards: Harden and Secure the Physical Facilities
We will start with the most obvious and arguably easiest point to assess. The physical environment can readily be viewed and evaluated. This is also a great place to begin when interviewing a partner about handling your client data. If you don’t see strong controls here, it is a real red flag. Also keep in mind that many providers don’t manage their own facilities but instead lease space, and sometimes even equipment, from a co-location facility. This is not bad in itself, as there are many very good co-location facilities, but you have to ask yourself whether or not you want another separate entity in the chain that you must vet and monitor.
- General Facilities
  - Does the provider have restricted access controls that limit who can go where within the facility? This is often managed through an electronic cardkey-type system. Find out whether or not the provider uses security groups that define physical access based on need.
  - Does the provider positively identify, log and physically escort visitors in all areas of the facility?
  - Does the facility have an intrusion alarm system? Does it sound an audible alarm as well as being monitored for a law enforcement response?
  - Is there video surveillance monitoring of all points of entry and exit? Are the video surveillance recordings kept for a reasonable period of time?
  - Are physical workspaces conducive to privacy for phone calls and visible work material (e.g., paper, computer monitors)?
  - Does the provider have armed security after hours? This may not be a requirement, but it certainly signals a level of seriousness.
- Data Center Facilities
  - Are the data center facilities located behind a primary layer of physical security?
  - Is multifactor authentication (e.g., biometrics) used for access to the data center facilities, and is the access list highly restricted?
  - Is video surveillance used inside the data center to monitor activity around the servers?
  - Are visitors logged in separately to the data center and escorted at all times?
  - Are there environmental controls and fire detection/suppression conducive to data center operations?
  - Does the data center have an uninterruptible power supply (UPS) and generator backup ensuring the continuous delivery of electrical needs?
Technical Safeguards: Harden the Border and Reduce the Attack Surface
Physical security is certainly the starting point, but generally, the technical elements of any data center will be where data defense is most intricate. Technical safeguards are also the most customizable with flexibility in deployment. There is no “one way” to accomplish your security goals. The elements outlined by the questions below are crucial to success, but your IT team has autonomy in how they want their networks configured.
- Does the provider segregate its corporate network from the client (“production”) network? These two networks should not be the same. There are people in the provider’s corporate network who should never have access to client data. Having this data on the same network puts them one step closer and makes ensuring restricted access more difficult.
- Are the client networks isolated from each other? Many companies demand their own environment with fully segregated network segments and no commingling of data on shared hardware. With today’s levels of logical security, this is not an absolute, but if it is a requirement, ensure your partner provider can accommodate you.
- Is the provider using multitenant environments? This is standard among many of the partner providers. In these cases, make sure logical and application security layers are in place to partition client data; when configured correctly, these layers prevent users from accessing another client’s data. Ask how the provider tests that this partitioning holds.
- Is IP address filtering in place? As an added layer, any access from an unapproved IP address will be rejected. This makes your site inaccessible to unknown sources.
- Is multifactor authentication available? We are all familiar with authentication by username and password. But you may want to consider an additional factor to help ensure users are who they say they are. Today the options are many, including tokens with revolving pass codes, PINs sent to mobile phones or even device profiling, behavioral profiling and second-level identity confirmation.
- Does the provider implement a layered security approach? This is a defense in depth strategy intended to address technical security from several angles (e.g., network, operating system, application, database) that, when combined, form multiple interacting layers of protection which mitigate the risk of successful attacks.
- Are outward- and inward-facing firewalls deployed? Firewalls are often thought of as providing a protective layer against unwanted inbound traffic from the Internet. But what about protection from unwanted access within the provider’s network? Whether it is a pivot from an outside attacker or an inside job, the client network should be shielded from all directions.
- Does the provider have an intrusion detection system/intrusion prevention system? These systems scan for anomalies and suspicious traffic matching signatures of common attacks. They monitor, alert and help stop the bad guys before they get in.
- What data loss prevention technology has it deployed? DLP technology can be extensive and prevent data infiltration and exfiltration from email, the web and even physical devices. Use of this technology should be thoughtful and supported by policies with teeth.
- Does the provider have appropriate encryption policies and practices? All things being equal, data encryption is good. The full extent of the encryption you require may depend on overall risk mitigation, but at the very least encryption should be required for portable media devices, backup media, external storage media and data at all times when in transit.
- What is the provider’s approach to malware protection? Malware is pervasive in today’s computing world, and diligence is needed to stay ahead of it. Be sure your provider can show you evidence that it takes these threats seriously and works to keep its environment free from malware.
- Does the provider have an active patch management program? It seems like new security vulnerabilities pop up every day. Your provider should have a robust process of monitoring for and appropriately patching all systems, servers and software.
Many partner providers choose to purchase off-the-shelf software and deploy it in their environment for client access and use. If that is the case, gaining transparency into the software company’s development practices may be difficult, but it is something in which you should still be interested. If your provider develops its own software, it should be easier for you to gain a level of comfort about its approach. The questions below focus on guidelines and standards and are a great place to start.
- Is there a documented development life cycle? A development life cycle shows the process used for the development and versioning of the software. These documents are important and indicate the discipline in place for the evolution of the platform being used.
- Do the developers use secure software development practices (e.g., OWASP for secure web application development)? There are published principles guiding secure development practices for the various types of software and software environments. Ask what practices developers are trained in and held to.
- Are code reviews performed? Code reviews serve to find and remove vulnerabilities, thereby enhancing software security. These reviews can be automated or performed on a peer-to-peer level.
- Are there access controls around source code and code libraries? Securing source code is an important step in keeping it clean and unadulterated. There should be access controls in place that monitor the checking in and out of code.
- Is application vulnerability testing performed? Applied in the software development process, application vulnerability testing is intended to find weaknesses that can be corrected before the software is released for general use.
Although we’re talking about administrative safeguards last, they actually form the foundation of a privacy and security program. Generally speaking, administrative safeguards are the policies, guidelines, practices and structure within the organization that will deliver the actions needed to ensure data privacy and security. Most data breaches are due to faulty practices or a breakdown in an established procedure. You can have great security on the perimeter, but if you give away a multifunctional printer (MFP), anything that MFP scanned or printed has likely gone with it, because its internal storage retains copies. A full discussion of administrative safeguards is beyond the scope of this article, but here are some key areas you will want to look for in any provider you are considering:
- Does it perform a regular risk analysis? Basically, a risk analysis is a process that sheds light on an organization’s exposure by evaluating the interplay between threats, vulnerabilities and the mitigating controls in place.
- Are the privacy and security policies robust and up to date? This covers a lot of ground. Your provider should have a comprehensive set of information privacy and security policies and guidelines governing overall security approaches and the management of the networks, servers, data and behavior of users.
- Do audits ensure policies and practices are followed? It is not enough to just have policies in place. The very best policy is not much good if nobody complies with it. Your provider should be able to supply you with evidence, through audits (e.g., SOC 2 Type II), that its policies are sound and everyone adheres to them.
- Does your provider perform regular penetration and vulnerability testing? As stated above, new vulnerabilities are discovered almost daily, and regular testing should be performed in deployed environments. Ask about the scope and frequency of this testing. Also ask about remediation actions, since testing does little good if the findings are never remediated.
- Does it adhere to applicable privacy laws and regulations? Depending upon the type of data being hosted by your provider, you need to make sure the privacy laws and regulations involved (e.g., HIPAA) are observed.
- Does it conduct privacy and security training with employees? Many of the largest data breaches have been tracked back to a poor decision or action by a human. This makes employees the weakest link in the security chain. Active awareness and training will help to secure everyone involved.
The information here is a starting point for evaluating partner providers. Without a doubt more questions can be added given the evolving landscape of how data can be compromised, but these areas of focus come from over 27 years of experience in large, complex and scalable eDiscovery and case management involving highly confidential information. This outline is a recommendation for opening a dialogue to help educate everyone in continuing best practices.