Cloud Computing - Advice for the profession
Cloud systems may provide an alternative means of storing and
processing data.
Depending on whom you talk to, "Cloud computing" may be simply
the latest IT buzz word or a dynamic infrastructure used by many
organisations. Cloud computing providers claim that they can offer
law firms a low-cost alternative to storing and processing data and
software on their own computer or local server. Instead, data
and software is stored and processed remotely in the cloud
provider's data centre, accessed as a service by using the
internet.
One of the main benefits of cloud computing is that it is paid
for on a service basis which avoids high initial investment and
ongoing upgrade fees associated with software licensing.
Other benefits cloud providers claim to offer include increased
flexibility for the user, the availability of support and
maintenance, the ability to respond more quickly to changing IT
demands and simplification of IT systems.
Like all IT developments, cloud systems present a new set of
risks and concerns. This advice note is intended to highlight
important cloud computing issues to help you decide if a cloud
system is right for you and your firm.
I. Understanding the Risks and Benefits
When moving to a cloud based system you should start by
considering what you plan to use your cloud system for. If
you plan to use it to provide a service or to store confidential
client information you should consider how critical that service is
to your business and the importance of access to, and security of,
your client information given your duties to your clients and to
regulators.
For comparison, the risks and benefits of moving to a cloud
system should be analysed against your current IT arrangements.
These considerations should determine how stringent your Service
Level Agreement (SLA) and your diligence should be. A low
risk service with no confidential data needs less diligence than a
service which hosts your practice management system and
documents.
II. The Service Level Agreement
The SLA will define your relationship with your cloud provider
and will cover:
- the services your provider will deliver and a definition of
each service;
- the method of determining whether the services are being
properly provided;
- the rights and responsibilities of both parties;
- remedies available if either party fails to meet the terms of
the SLA; and
- details of how the SLA will change over time.
A provider's standard SLA deserves close scrutiny because it
will typically be written in the provider's favour. You
should check the process and notice requirements for variation of
contract terms, in particular with regards to change of ownership
of your cloud provider.
At the outset you should establish which services are included
in the subscription and what will incur further cost.
Supplementary charges vary considerably among providers for system
availability guarantees, premium support and maintenance and extra
users and storage.
Particular areas of the SLA to look out for are as follows:
(a) System availability
Cloud providers will generally state that "uptime" (the time the
system is operating) will be 99.5% or over. Care should be
taken in understanding how this percentage is calculated because it
will typically exclude scheduled service outages during which your
data will not be available. For example, if the SLA allows a
scheduled outage window of 30 minutes and the service is not
functional for 29 minutes within that window, the reported uptime
will still be 100 percent. You should check whether these outages
will be announced in advance and whether they will occur outside
of your normal working hours.
The definition of "up" is also important. Your cloud
system may be "up" according to your SLA if a number of features
are unresponsive provided that core systems are available.
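The two points above (scheduled outages excluded from the percentage, and "up" meaning only that core systems respond) decide whether a 99.5% figure reflects what your staff experience. The following is an added illustration, not taken from any provider's SLA; the outage figures, the 30-minute monthly allowance and the 30-day period are constructed, and the two readings of the SLA are assumptions about typical wording:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outage:
    description: str
    minutes: int
    scheduled: bool   # announced in advance as an SLA maintenance window
    core_down: bool   # False: only non-core features were unresponsive


MONTH_MINUTES = 30 * 24 * 60   # constructed 30-day measurement period


def provider_uptime_pct(outages, period_minutes=MONTH_MINUTES,
                        allowance_minutes=30):
    """Uptime as a provider-style SLA counts it (assumed wording): scheduled
    outages inside the monthly allowance are ignored, and so is downtime of
    features the SLA does not treat as 'core'."""
    scheduled = sum(o.minutes for o in outages if o.scheduled and o.core_down)
    unscheduled = sum(o.minutes for o in outages
                      if not o.scheduled and o.core_down)
    # Scheduled time beyond the allowance still counts against the provider.
    down = unscheduled + max(0, scheduled - allowance_minutes)
    return 100.0 * (period_minutes - down) / period_minutes


def experienced_uptime_pct(outages, period_minutes=MONTH_MINUTES):
    """Uptime as staff experience it: every minute they could not work counts."""
    down = sum(o.minutes for o in outages)
    return 100.0 * (period_minutes - down) / period_minutes


def meets_target(pct, target=99.5):
    return pct >= target


# Constructed month of incidents, not figures from any real provider.
SAMPLE_MONTH = [
    Outage("announced maintenance window", 29, scheduled=True, core_down=True),
    Outage("unannounced storage fault", 40, scheduled=False, core_down=True),
    Outage("document search unresponsive", 180, scheduled=False, core_down=False),
]

if __name__ == "__main__":
    p = provider_uptime_pct(SAMPLE_MONTH)
    e = experienced_uptime_pct(SAMPLE_MONTH)
    print(f"SLA-reported uptime: {p:.2f}% (meets 99.5%: {meets_target(p)})")
    print(f"Experienced uptime:  {e:.2f}% (meets 99.5%: {meets_target(e)})")
```

The same month reads as 99.91% under the provider's measure and 99.42% as experienced, so it is the definitions, not the headline percentage, that you need to negotiate.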
You should ask your provider for evidence of their history of
downtime and the measures that have been taken to prevent similar
incidents in future. You may also wish to contact reference
customers of the cloud provider.
Your disaster recovery plan should also address other factors
which could cause you to lose access to your system such as failure
of your internet connection or a power cut. As part of
disaster recovery planning, you should regularly test and consider
doubling up on key resources, such as your internet service, so
that there is no single point of failure.
(b) Support and maintenance
The SLA should detail the support and maintenance included in
your subscription. Support services often incur an additional
charge based on a percentage of the subscription fee.
Alternatively, basic support may be included in your package with
premium support available at an extra cost.
Particular attention should be given to helpdesk opening hours,
response times and procedure. The initial helpdesk response
may simply log the problem with a further call back to provide
substantive support rather than providing answers and support on
first contact.
Like most modern IT systems, cloud arrangements depend on
continuous availability of the internet. Furthermore, your IT
equipment will need to be of a certain technical specification in
order for you to access the cloud service. You should enquire
whether your provider will offer advice on, and support with
checking, the necessary equipment and internet connection required
for optimum cloud system performance. Your provider may also
advise on contingency plans for internet outages.
(c) Change in business requirements
Be mindful of your business plan when you place your initial
order for your cloud service: are you intending to expand your
business? Think further than your short term
requirements. In some cases there may be little difference in
cost.
Any professional cloud supplier should ask about any plans for
expansion to enable them to design the best fit for your business -
not just for the short term but also for the medium term and long
term.
When specifying your requirements for your cloud services,
always ask for the prices in the event that you require to add more
applications, services, users and storage to ensure that these will
not be disproportionate to what you will be initially paying nor
obstructive to expansion.
Always ask if there will be any other additional costs for
increasing your services such as costs for configuration, project
management, implementation and support.
Equally you will want to know whether there will be charges or
notice periods for decreasing your service requirements.
(d) Licences
One of the benefits of cloud computing is that ongoing upgrade
fees associated with software licensing can often be avoided,
depending upon the level of service being offered by the cloud
provider. You may still however require appropriate software
licences for products used within the cloud. To the extent
that the cloud provider is supplying the necessary software, you
should ensure that it is the provider's responsibility to arrange
and manage any requisite software licences together with the
payment of any associated fees.
(e) Responsibility for Security
In using a cloud computing system you will cede control to your
provider on a number of issues which could potentially affect the
security of your data. The SLA will generally state that the
provider is not solely responsible for the security of your data.
The SLA should contain a clear explanation of both the provider's
obligations and your obligations in relation to security.
It is therefore important that you understand the measures you
can take to protect the security of your data. This will
include requiring your staff to use strong passwords. You
should request your provider to adjust password settings so the use
of strong passwords by staff is mandatory, there is an automated
routine for passwords to be updated and the strength of user
passwords is audited.
Additionally, two-factor authentication can help reduce the
impact of human security weaknesses (such as writing the password
down and keeping it near the computer). With two-factor
authentication, a password ("something you know") is
coupled with a second authentication mechanism such as a smart card
or device that generates a single-use PIN ("something you
have").
Your cloud provider may also issue guidance on the use of
appropriate passwords and ideally offer regular staff training on
security, passwords, and other cloud issues.
(f) Remedies
You should look for a clear explanation of your remedies in the
event of unscheduled downtime. The provider may seek to limit
your remedies to service level credits. These credits are
unlikely to compensate for failure of your system so, where
possible, try to re-formulate remedies so you are satisfied that
they are commensurate with damage that might be sustained to your
business. You should also pay particular attention to your
provider's rights and obligations with regards to notification for
breaches in security.
Be aware that you will need to review your insurance cover to
ensure it includes business disruption caused by cloud system
failure.
(g) Location of data centre and legal requests for data
Instead of your data being stored within servers in your own
office, it will be located at the cloud provider's data
centre. It may be possible to specify that your data be
stored in data centres within a certain jurisdiction. With
most providers, however, the location of your data cannot be
guaranteed: it could be anywhere in the world at any given
time.
Given that the Data Protection Act 1998 prohibits the transfer
of personal data to countries outside the EEA that do not offer
adequate data protection, it is recommended that you require your
cloud computing provider to store your data within the EEA.
This is because data centres which are located in
"high risk" countries could be subject to local rules enforcing
disclosure to national authorities without your knowledge.
Check your provider's terms and conditions with regard to your
right to be notified of legal requests for your data and be aware
of local access rights of the jurisdiction that your provider's
data centre(s) are in.
Bear in mind that a solicitor has a responsibility to provide
certain data to the Law Society and Scottish Legal Complaints
Commission on request, and failure to do so could itself be a
conduct issue. You may also be required to provide data
under other legal requests for example under subject access
requests, repossession requests or requests by HMRC, lenders under
panel appointment arrangements or law enforcers.
Your SLA should therefore provide for the return of your data,
in a readable and understandable form, on demand even if your firm
is in breach of the terms of your SLA or is in a dispute with your
provider.
III. Cloud Provider
Cloud computing involves moving your data and your client's data
into the possession of your provider and its data centre.
This raises a number of issues regarding data storage, treatment
and control. The provisions dealing with these issues in your
SLA will depend on whether your data is stored on a private cloud
(where servers are designated for your organisation alone) or a
public cloud (where servers are shared by multiple organisations).
(h) Ownership of data stored with your cloud provider
It is important that your cloud provider gives assurance that
the information will be treated as confidential and not used or
disclosed to third parties. You should retain full ownership,
in terms of intellectual property, of the data that is stored on
your provider's system. You should have an explicit right to get
your data back on demand.
You will also want to know your provider's policies and
procedures on data deletion on termination of your
relationship.
(i) Security of Data Centre
In addition to ascertaining the location of your data, it is
fundamental that your contract with your provider contains
appropriate assurances as to the technical specifications and
security of the data centre storing your data. The data
centre should:
- be in a safe facility with security monitoring;
- have access strictly restricted to personnel who have been
security vetted;
- have an effective fire detection and fire suppression
system;
- have air conditioning to prevent equipment overheating;
- have backup generators to sustain long power outages; and
- have a backup of everything so there is no single point of
failure.
Furthermore, your cloud provider should undertake to audit the
facilities of its data centre at least annually.
(j) Back up
You should carefully examine the SLA for the frequency the cloud
provider will back up your data to a separate site. You
should be aware of any period of time where your data will not be
backed up and will therefore be lost should the cloud system
fail.
Your provider may recommend independent backup of data stored in
their cloud. This will negate some of the cost benefits
associated with cloud computing so it may be preferable for data to
be periodically returned to you on disk. If you do hold a
backup locally, you should check regularly that it is working
correctly by creating a test file, deleting it and restoring it
from your backup.
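The check described above (create a test file, delete it, restore it from the backup) is worth scripting so that it is run on a schedule rather than remembered. The following is an added example, not code from the original note or from any provider; the archive-based backup and restore routines are stand-ins for your firm's real backup job, and the marker file name is an assumption:

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MARKER = "restore-drill.txt"   # assumed name of the test file used for the drill


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def back_up(data_dir: Path, dest_dir: Path) -> Path:
    """Stand-in for the firm's backup job: a compressed archive of data_dir."""
    return Path(shutil.make_archive(str(dest_dir / "backup"), "gztar",
                                    root_dir=data_dir))


def restore(archive: Path, target_dir: Path) -> None:
    """Stand-in for the restore procedure; restores to a separate directory."""
    shutil.unpack_archive(str(archive), str(target_dir))


def restore_drill(data_dir: Path, back_up_fn=back_up, restore_fn=restore) -> bool:
    """Write a marker file, back up, delete the marker, restore elsewhere and
    confirm the restored copy is byte-identical. False means the backup
    cannot be relied on."""
    marker = data_dir / MARKER
    # Unique content per run, so a stale backup from a previous drill fails.
    marker.write_text(f"drill {os.urandom(8).hex()}\n")
    expected = sha256_of(marker)
    with tempfile.TemporaryDirectory() as tmp:
        archive = back_up_fn(data_dir, Path(tmp))
        marker.unlink()                                  # the simulated loss
        restore_dir = Path(tmp) / "restored"
        restore_fn(archive, restore_dir)
        restored = restore_dir / MARKER
        return restored.is_file() and sha256_of(restored) == expected


def stale_back_up(data_dir: Path, dest_dir: Path) -> Path:
    """A broken backup job for comparison: it archives an empty directory,
    which is what a job that silently skipped your files looks like."""
    empty = dest_dir / "empty"
    empty.mkdir()
    return Path(shutil.make_archive(str(dest_dir / "backup"), "gztar",
                                    root_dir=empty))


def drill_in_temp_dir(back_up_fn=back_up) -> bool:
    """Run the drill against a throwaway data directory (constructed input)."""
    with tempfile.TemporaryDirectory() as data:
        return restore_drill(Path(data), back_up_fn)
```

Replace `back_up` and `restore` with calls to your actual backup tooling and keep the hash comparison; a drill that only checks the file exists will not catch a truncated or stale copy.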
(k) Portability of data
You should ensure that your provider offers a practical method
of moving your data back to your premises or to another provider on
demand. There should be a clear procedure that guarantees
that your data will be returned timeously in a usable format.
This process should be tested with a dummy set of data on a regular
basis as part of your ongoing disaster recovery planning.
Data should be portable even in the event of a failure of your
cloud provider or their data centre to ensure minimal disruption to
your business. A possible safeguard is to obtain the software
object code and to require your provider to place a copy of the
software source code with a recognised third party escrow
provider. This will allow another cloud provider to assist
with data recovery and reuse.
Alternatively, you could regularly back up the data held in the
cloud and store it locally. This will have technical and cost
implications but would reduce the risk of being denied access to
your data and would make the transfer to another supplier more
straightforward.
(l) Audit and Independent Certification
You should ascertain your provider's willingness to be subjected
to audits by independent security certification authorities.
Indeed, some providers advertise certification summaries on their
data quality and data security.
A number of industry self-certification schemes exist but it is
not yet clear which represent a true "gold standard" so they should
be treated with appropriate care when selecting cloud providers who
use them to credential their services.
It is recommended best practice that the cloud provider complies
with:
- ISO 9001 (quality management) standard;
- ISO 27001:2005 (security management) standard;
- ISAE3402 (assurance reporting) standard;
- BS 27999 (business continuity management) standard; and
- the requirements of a Tier 3 data centre set out in the
Telecommunications Industry Association's TIA 942 standard.
Is cloud computing right for your firm?
Cloud computing provides another option to traditional IT
services and comes with many significant benefits. It also
presents its own set of risks and challenges.
The risks and challenges associated with cloud computing can be
addressed by making sure you are well informed before purchasing a
cloud computing solution. Indeed, many of the risks are not
new to cloud computing and a comparative analysis should be made
with storing data electronically on premises.
If you decide to move to a cloud based system, keep in mind that
you will have to make appropriate changes to your terms of
business.