Divining the future is tricky business. But as several trends start to coalesce around cloud, it becomes easier to look ahead and see where the cloud is headed and what that direction means for law firms.
Increasingly, 2021 appears poised to be the year that “zero touch” becomes a non-negotiable requirement for any cloud vendor operating in the legal space. Given how foundational the cloud has become within law firms and corporate legal departments in recent years, and the fact that these clouds routinely handle large volumes of sensitive and privileged data, this shift towards zero touch is the logical next step in cloud architecture and cloud security.
Zero Trust is Just the Start, Not the Finish
To understand why organizations and the industry are moving in the direction of a zero touch future, it’s helpful here to back up and look at developments like “zero trust” that came beforehand, setting the stage for this current moment. Zero trust started to make greater inroads in the legal industry in 2020, exposing the fallacy that a cloud environment from one vendor is the same as any other cloud environment.
Fact is, not all clouds are created equal: one built on the zero trust security framework is essential to providing the highest level of protection for critical assets.
The zero trust security framework challenges the idea of trust in any form, whether that’s trust of networks, trust between host and applications, or even trust of super users or administrators. Boiled down to its essence, zero trust says that the best way to secure a network is to assume absolutely no level of trust.
Here, however, is where we come to another “not all clouds are created equal” moment. A zero trust framework is only as good as the number of people who have hands-on access to sensitive data.
In other words, zero trust only works if zero touch is at the center of it.
Preventing Vulnerabilities Through Automation
So, what is zero touch? This approach centers around ensuring that nobody – not even the small number of trusted resources that most cloud vendors typically allow for – is provided with access to the customer data.
As long as there is a human with access to the servers where services are running and customer data is located, there will be potential for security issues. Possible exposure or exploitation of the data can occur in a multitude of ways when this human access exists: It can occur knowingly via an insider threat or some other bad actor, or it can occur unknowingly through a perfectly innocent mistake (for example, an administrator who accidentally leaves a setting unsecured or clicks on something they shouldn’t).
Utilizing AI, machine learning and new forms of automation helps remove the human from the equation so that there is no way to access sensitive customer data, creating a “hands free” zero touch environment.
For instance, if a customer of a typical cloud provider wanted that vendor to gather some information on their data, that cloud provider would have one of their trusted individuals access the servers and manually type on a keyboard to run queries against the customer data.
This is a low-risk scenario, but it bears repeating: As long as a human is physically involved, risk is introduced.
In a zero touch approach, by contrast, the vendor doesn’t have hands-on access to the data. When presented with an information request from a customer, the engineering team would have to write an app that would then be pushed into the production environment to collect the information from the servers in a secure way. There would be no human, hands-on involvement with the data.
A similarly hands-off approach would apply to more common scenarios, like server patching or routine server maintenance. No one person or account should be able to solely execute a change to the system that can affect the security of the system – and automating out human vulnerabilities and moving towards zero touch is a way to make that a reality.
Look Ahead to Zero Touch
Cloud adoption within legal organizations continues to gain momentum for the slew of benefits that cloud delivers, which only makes the underlying security of the cloud even more important. Zero touch points the way forward, and increasingly savvy legal customers in 2021 will look to ensure that any cloud vendors they do business with have made zero touch a foundational aspect of their approach to securing the sensitive data that has been entrusted to them.