Division B: Cloud Computing - Advice for the profession
Cloud systems may provide an alternative means of storing and processing data.
Depending on whom you talk to, "Cloud computing" may be simply the latest IT buzz word or a dynamic infrastructure used by many organisations. Cloud computing providers claim that they can offer law firms a low-cost alternative to storing and processing data and software on their own computer or local server. Instead, data and software is stored and processed remotely in the cloud provider's data centre, accessed as a service by using the internet.
One of the main benefits of cloud computing is that it is paid for on a service basis which avoids high initial investment and ongoing upgrade fees associated with software licensing. Other benefits cloud providers claim to offer include increased flexibility for the user, the availability of support and maintenance, the ability to respond more quickly to changing IT demands and simplification of IT systems.
Like all IT developments, cloud systems present a new set of risks and concerns. This advice note is intended to highlight important cloud computing issues to help you decide if a cloud system is right for you and your firm.
I. Understanding the Risks and Benefits
When moving to a cloud based system you should start by considering what you plan to use your cloud system for. If you plan to use it to provide a service or to store confidential client information you should consider how critical that service is to your business and the importance of access to, and security of, your client information given your duties to your clients and to regulators.
For comparison, the risks and benefits of moving to a cloud system should be analysed against your current IT arrangements.
These considerations should determine how stringent your Service Level Agreement (SLA) and your diligence should be. A low risk service with no confidential data needs less diligence than a service which hosts your practice management system and documents.
II. The Service Level Agreement
The SLA will define your relationship with your cloud provider and will cover:
- the services your provider will deliver and a definition of each service;
- the method of determining whether the services are being properly provided;
- the rights and responsibilities of both parties;
- remedies available if either party fails to meet the terms of the SLA; and
- details of how the SLA will change over time.
A provider's standard SLA deserves close scrutiny because it will typically be written in the provider's favour. You should check the process and notice requirements for variation of contract terms, in particular with regards to change of ownership of your cloud provider.
At the outset you should establish which services are included in the subscription and what will incur further cost. Supplementary charges vary considerably among providers for system availability guarantees, premium support and maintenance and extra users and storage.
Particular areas of the SLA to look out for are as follows:
(a) System availability
Cloud providers will generally state that "uptime" (the time the system is operating) will be 99.5% or over. Care should be taken in understanding how this percentage is calculated because it will allow for service outages where your data will not be available. For example, if a provider specifies an outage of 30 minutes, and the service is not functional for 29 minutes, uptime will be 100 percent. You should check whether these outages will be announced in advance and whether they will occur outside of your normal working hours.
The definition of "up" is also important. Your cloud system may be "up" according to your SLA if a number of features are unresponsive provided that core systems are available.
You should ask your provider for evidence of their history of downtime and the measures that have been taken to prevent similar incidents in future. You may also wish to contact reference customers of the cloud provider.
Your disaster recovery plan should also address other factors which could cause you to lose access to your system such as failure of your internet connection or a power cut. As part of disaster recovery planning, you should regularly test and consider doubling up on key resources, such as your internet service, so that there is no single point of failure.
(b) Support and maintenance
The SLA should detail the support and maintenance included in your subscription. Support services often incur an additional charge based on a percentage of the subscription fee. Alternatively, basic support may be included in your package with premium support available at an extra cost.
Particular attention should be given to helpdesk opening hours, response times and procedure. The initial helpdesk response may simply log the problem with a further call back to provide substantive support rather than providing answers and support on first contact.
Like most modern IT systems, cloud arrangements depend on continuous availability of the internet. Furthermore, your IT equipment will need to be of a certain technical specification in order for you to access the cloud service. You should enquire whether your provider will offer advice on, and support with checking, the necessary equipment and internet connection required for optimum cloud system performance. Your provider may also advise on contingency plans for internet outages.
(c) Change in business requirements
Be mindful of your business plan when you place your initial order for your cloud service: are you intending to expand your business? Think further than your short term requirements. In some cases there may be little difference in cost.
Any professional cloud supplier should ask about any plans for expansion to enable them to design the best fit for your business - not just for the short term but also for the medium term and long term.
When specifying your requirements for your cloud services, always ask for the prices in the event that you require to add more applications, services, users and storage to ensure that these will not be disproportionate to what you will be initially paying nor obstructive to expansion.
Always ask if there will be any other additional costs for increasing your services such as costs for configuration, project management, implementation and support.
Equally you will want to know whether there will be charges or notice periods for decreasing your service requirements.
One of the benefits of cloud computing is that ongoing upgrade fees associated with software licensing can often be avoided, depending upon the level of service being offered by the cloud provider. You may still however require appropriate software licences for products used within the cloud. To the extent that the cloud provider is providing software necessary you should ensure that it is the provider's responsibility to arrange and manage any requisite software licences together with the payment of any associated fees.
(e) Responsibility for Security
In using a cloud computing system you will cede control to your provider on a number of issues which could potentially affect the security of your data. The SLA will generally state that the provider is not solely responsible for the security of your data. The SLA should contain a clear explanation of both the provider's obligations and your obligations in relation to security.
It is therefore important that you understand the measures you can take to protect the security of your data. This will include requiring your staff to use strong passwords. You should request your provider to adjust password settings so the use of strong passwords by staff is mandatory, there is an automated routine for passwords to be updated and the strength of user passwords is audited.
Additionally, two-factor authentication can help reduce the impact of human security weaknesses (such as writing the password down and keeping it near the computer). With two-factor authentication, a password ("something you know") is coupled with a second authentication mechanism such as a smart card or device that generates a single-use PIN ("something you have").
Your cloud provider may also issue guidance on the use of appropriate passwords and ideally offer regular staff training on security, passwords, and other cloud issues.
You should look for a clear explanation of your remedies in the event of unscheduled downtime. The provider may seek to limit your remedies to service level credits. These credits are unlikely to compensate for failure of your system so, where possible, try to re-formulate remedies so you are satisfied that they are commensurate with damage that might be sustained to your business. You should also pay particular attention to your provider's rights and obligations with regards to notification for breaches in security.
Be aware that you will need to review your insurance cover to ensure it includes business disruption cause by cloud system failure.
(g) Location of data centre and legal requests for data
Instead of your data being stored within servers in your own office, it will be located at the cloud provider's data centre. It may be possible to specify that your data be stored in data centres within a certain jurisdiction. With most providers, however, the location of your data cannot be guaranteed: it could be anywhere in the world at any given time.
Given that the Data Protection Act 1998 prohibits the transfer of personal data to countries outside the EEA that do not offer adequate data protection, it is recommended that you require your cloud computing provider to store your data within the EEA. This is because data centres which are located in "high risk" countries could be subject to local rules enforcing disclosure to national authorities without your knowledge.
Check your provider's terms and conditions with regard to your right to be notified of legal requests for your data and be aware of local access rights of the jurisdiction that your provider's data centre(s) are in.
Bear in mind that a solicitor has a responsibility to provide certain data to the Law Society and Scottish Legal Complaints Commission on request, and failure to do so could itself be a conduct issue. You may also be required to provide data under other legal requests for example under subject access requests, repossession requests or requests by HMRC, lenders under panel appointment arrangements or law enforcers.
Your SLA should therefore provide for the return of your data, in a readable and understandable form, on demand even if your firm is in breach of the terms of your SLA or is in a dispute with your provider.
III. CLOUD PROVIDER
Cloud computing involves moving your data and your client's data into the possession of your provider and its data centre. This raises a number of issues regarding data storage, treatment and control. The provisions dealing with these issues in your SLA will depend on whether your data is stored on a private cloud (where servers are designated your organisation) or a public cloud (where servers are shared by multiple organisations).
(h) Ownership of data stored with your cloud provider
It is important that your cloud provider gives assurance that the information will be treated as confidential and not used or disclosed to third parties. You should retain full ownership, in terms of intellectual property, in relation to the data that it is stored on your provider's system. You should have an explicit right to get your data back on demand.
You will also want to know your provider's policies and procedures on data deletion on termination of your relationship.
(i) Security of Data Centre
In addition to ascertaining the location of your data, it is fundamental that your contract with your provider contains appropriate assurances as to the technical specifications and security of the data centre storing your data. The data centre should:
- be in a safe facility with security monitoring;
- have strictly controlled access to personnel that have been security vetted;
- have an effective fire detection and fire suppression system;
- have air conditioning to prevent equipment overheating;
- have backup generators to sustain long power outages; and
- have a backup of everything so there is no single point of failure.
Furthermore, your cloud provider should undertake to audit the facilities of its data centre at least annually.
(j) Back up
You should carefully examine the SLA for the frequency the cloud provider will back up your data to a separate site. You should be aware of any period of time where your data will not be backed up and will therefore be lost should the cloud system fail.
Your provider may recommend independent backup of data stored in their cloud. This will negate some of the cost benefits associated with cloud computing so it may be preferable for data to be periodically returned to you on disk. If you do hold a backup locally, you should check regularly that it is working correctly by creating a test file, deleting it and restoring it from your backup.
(k) Portability of data
You should ensure that your provider offers a practical method of moving your data back to your premises or to another provider on demand. There should be a clear procedure that guarantees that your data will be returned timeously in a usable format. This process should be tested with a dummy set of data on a regular basis as part of your ongoing disaster recovery planning.
Data should be portable even in the event of a failure of your cloud provider or their data centre to ensure minimal disruption to your business. A possible safeguard is to obtain the software object code and to require your provider to place a copy of the software source code with a recognised third party escrow provider. This will allow another cloud provider to assist with data recovery and reuse.
Alternatively, you could regularly back up the data held in the cloud and store it locally. This will have technical and cost implications but would reduce the risk of being denied access to your data and would make the transfer to another supplier more straightforward.
(l) Audit and Independent Certification
You should ascertain your provider's willingness to be subjected to audits by independent security certification authorities. Indeed, some providers advertise certification summaries on their data quality and data security.
A number of industry self-certification schemes exist but it is not yet clear which represent a true "gold standard" so they should be treated with appropriate care when selecting cloud providers who use them to credential their services.
It is recommended best practice that the cloud provider complies with:
- ISO 9001 (quality management) standard;
- ISO 27001:2005 (security management) standard;
- ISAE3402 (assurance reporting) standard;
- BS 27999 (business continuity management) standard; and
- the requirements of a Tier 3 data centre set out in the Telecommunications Industry Association's TIA 942 standard
Is cloud computing right for your firm?
Cloud computing provides another option to traditional IT services and comes with many significant benefits. It also presents its own set of risks and challenges.
The risks and challenges associated with cloud computing can be addressed by making sure you are well informed before purchasing a cloud computing solution. Indeed, many of the risks are not new to cloud computing and a comparative analysis should be made with storing data electronically on premises.
If you decide to move to a cloud based system, keep in mind that you will have to make appropriate changes to your terms of business.