For those already using cloud for hosting, data storage, applications or email, understand that your data is dispersed a lot more than it used to be. Many firms don’t truly comprehend the extent to which the cloud can present security risks — and that can leave them vulnerable to breaches or downtime. To fortify your IT stance in the cloud, assess these key risk areas.
1. KNOW WHO HAS ACCESS
Having any amount of data in the cloud means that you are using a third party. Any software as a service (SaaS) application your firm is using accesses the cloud, too. It’s important to know what a vendor’s IT stance is and how they intend to handle your data and mitigate security threats.
With the rollout of GDPR data guidelines in the European Union, knowing who has access to your data is more important than ever. Firms with clients under regulatory requirements must also meet strict standards of data control. Who can share information, and how is it shared? If there’s a breach or disruption, who has access to recover your IT systems? All unwarranted avenues of data sharing should be closed because they represent vulnerabilities. Better safe than sorry — the resounding effects of data loss and exposure are similar to other disasters now.
2. KNOW WHO CAN MAKE CHANGES
Who owns what responsibilities and capabilities? You want to understand if your cloud provider will or will not be able to make changes to your cloud environment on your behalf, such as adding security controls, making firewall updates or executing a recovery plan. Even though changes should only occur with your permission, this can still be a sensitive area to delineate.
The best way to draw the line of responsibility is to do testing, not just on your cloud environment but also on all third-party applications. This gives your firm and third parties the chance to coordinate a range of scenarios and know with complete certainty how things will pan out. It’s also crucial to see your third party’s testing results. If they go down, you probably will too.
3. KNOW WHAT DATA IS KEPT WHERE
Data is much more dispersed in the cloud by nature of its availability benefits. On-premises environments may look different from a private cloud; likewise, a hosted cloud in a SaaS provider’s data center has its own set of risks. For this reason, it’s important to note who can retain data from your firm and in what circumstances. Lay it out in your contract with the cloud provider. Make sure that they can’t limit your use of your data if there’s a dispute and that you know what will happen if they go out of business.
It’s also important to know where your data is stored and how many of your SaaS-based applications are storing data in the same place. For example, you firm may be using a dozen or more different SaaS applications. If all these applications store their data in the same cloud data center, what happens when that cloud vendor has an issue? You don’t lose access to just one application; you lose access to dozens.
PREPARING FOR THE CLOUD JOURNEY
There will always be shared responsibilities around data handling and processing, no matter the technology setup. So it's important for firms to be clear on who within the firm is responsible for what, what vendors are responsible for and what shared responsibilities exist between the firm and third parties. Even firms that manage the cloud in their own data centers encounter risks. Any cloud usage involves shared responsibilities and security gaps.
Yet, despite the downsides of the cloud, it still tends to be more secure than most physical infrastructure in use at law firms. Why? Law firms are under intense scrutiny and possess a lot of sensitive data, which often contributes to an overburdened and underfunded IT team. As a result, law firms are often a dream target for cybercriminals.
Therefore, most law firms are moving to the cloud in some form; some are even offloading data center management entirely. The cloud is usually better positioned to deal with new security threats: The crux of a cloud provider’s business model is to deliver a secure environment for crucial assets, so experts are constantly in the cloud and have resources to continually monitor, test and shore up a good security position.
