3 Tips for Understanding Your Risk Profile in the Age of the Cloud
The growth of cloud computing has raised expectations for how available law firms should be to their clients, but firms looking to move to the cloud should not do so without a sound strategy to get there. First, ask why you want to leverage the cloud. The answer to this question will point your firm toward key objectives to accomplish during and after the move.
For those already using the cloud for hosting, data storage, applications or email, understand that your data is far more dispersed than it used to be. Many firms don’t truly comprehend the extent to which the cloud can present security risks, and that can leave them vulnerable to breaches or downtime. To fortify your IT stance in the cloud, assess these key risk areas.
1. KNOW WHO HAS ACCESS
Having any amount of data in the cloud means that you are using a third party. Any software as a service (SaaS) application your firm is using accesses the cloud, too. It’s important to know what a vendor’s IT stance is and how they intend to handle your data and mitigate security threats.
With the rollout of GDPR data guidelines in the European Union, knowing who has access to your data is more important than ever. Firms with clients under regulatory requirements must also meet strict standards of data control. Who can share information, and how is it shared? If there’s a breach or disruption, who has access to recover your IT systems? All unwarranted avenues of data sharing should be closed because they represent vulnerabilities. Better safe than sorry: the far-reaching effects of data loss and exposure are now similar to those of other disasters.
2. KNOW WHO CAN MAKE CHANGES
Who owns which responsibilities and capabilities? Understand whether your cloud provider will be able to make changes to your cloud environment on your behalf, such as adding security controls, making firewall updates or executing a recovery plan. Even though changes should only occur with your permission, this can still be a sensitive area to delineate.
The best way to draw the line of responsibility is to test, not just your cloud environment but also all third-party applications. This gives your firm and third parties the chance to coordinate a range of scenarios and know with complete certainty how things will pan out. It’s also crucial to see your third party’s testing results. If they go down, you probably will too.