by Bill Lederer on August 17, 2017
This post was originally published by Law Journal Newsletters. We thought it provided useful insights about e-discovery security in the cloud.
A common discussion point these days involves the cloud as the end-all, be-all solution for hosting data or running applications. It certainly offers a lot of conveniences. You can easily find excellent file sharing, long-term storage, and subscription-based services. Plus, many of your favorite retail options—from bookstores to shoe shops to quick deliveries of your favorite meal—are based in the cloud.
Now for a really wild thought: why not make the cloud a key component of your legal practice? For e-discovery experts, with their massive data workflows, it’s a daunting possibility.
There are a number of reasonable questions to ask about such a move. What advantage does the cloud provide exactly? How can you tell if it is working, particularly when you can’t walk over and see the blinking lights on the server rack? How can you be sure that the server holding your data is in the proper jurisdiction and follows all applicable laws, rules, and regulations? Or that your data will stay secure?
These questions are particularly important for sensitive e-discovery data. When you have a complex case with tens of millions of documents that need to be accessed, reviewed, and preserved, you need to be sure it’s secure and accessible.
The cloud might seem like “someone else’s servers,” but major vendors are sensitive to the business need for security, availability, and confidentiality. Many public services host credit card data, health information, other forms of personal information, and confidential proprietary information. With sensitive, high-value data like that, cloud providers are keenly aware they need to get security right.
On balance, cloud providers are so good at what they do, that it is starting to look like it’s time to supplement on-premises e-discovery with e-discovery in the cloud.
What Advantages Does the Cloud Provide?
Public utility clouds are built around providing users with high availability of key resources. That means that network, storage, and CPU power are built to be redundant so you won’t have to worry about hardware failure. Cloud providers expect hard drives to fail regularly; to handle this they copy your data across many disks. Additionally, they provide SSD devices in addition to spinning disks for low-latency, high-throughput applications—that means you can store more information and retrieve it faster.
Another plus is that the cloud is global. Want more insurance? You can leverage a cloud provider’s platform to ensure a copy of your data is made in separate data centers for complete disaster recovery. This offers redundancy so that if one data center goes down or is inaccessible, your data and service is still available on the Internet.
As data volumes grow, so too does your server infrastructure. Switching to a cloud provider does away with maintenance of a growing data center. With distributed storage mechanisms that can automatically grow, you won’t have to worry about procuring additional capacity and rebalancing your data. Not having to worry about hard disk failure, running out of disk space, or a catastrophic event in the place where you keep your data are compelling reasons for storing your data in the cloud.
The underlying capabilities of major cloud vendors give you a platform that you can build on, with many services that enable you to offer security to the users of your data that you put into the cloud. Examples include robust authentication systems, such as two-factor authentication, and integration with other cloud-based products, such as email, which is a critical connection for e-discovery. These integrations provide a streamlined workflow where data is secured throughout the process.
How Secure Is the Cloud?
Security might be the best argument for moving your practice and your data to the cloud. If you have tiptop network administration skills—as many e-discovery service providers do—you may be OK storing data in your own environment. Still, the harsh fact is that there are too many vulnerabilities to manage, and even the smallest miss in securing your environment will lead to unauthorized access. The hacker mentality is about bypassing in-place protections.
Utility cloud providers know that this is the cornerstone of their business. They invest heavily in securing their infrastructure and platform services—the places where customer data lives—and they hire the world’s best security experts to do it. For example, Microsoft employs a “red team,” an internal hacking team, which looks for even the smallest vulnerability to exposure on platforms like Office365. They also have a “blue team,” the security responder, which detects and mitigates threats in real time. They have a sophisticated worldwide detection mechanism to alert on malware campaigns in real time.
These cloud providers also commit to meeting the certification needs of customers—many having met certifications such as SOC 2, FedRAMP, ISO 27001, HIPPA, and PCI to name a few. A good example of a certification is ISO 27001. This is a standard that covers what is called ISMS: Information Security Management Systems. This system enumerates the risks to the integrity of the system and details controls that address each of these risks. ISO 27001 isn’t a one-time checkpoint. After certification the first time, certified organizations must improve their controls year after year. With how fast technology has changed the legal industry in the past few years, it should be a comfort to know cloud providers will keep moving along with you.
In the same way providers can heavily invest in software security, they can focus on physical security as well. Physically securing data centers requires careful planning and investment. First, there is the authentication to physical entry. You want to pre-register anyone who would have access to your data center. Photo ID check is a must, and perhaps you have a fingerprint or retinal scanner to verify identity. Once you are who you say you are and are cleared to enter, a good data center will have a phone booth-sized entry gate that opens only one side at a time. Advanced centers will have a scale to be sure that it is only one person at a time entering. On top of that, a keycard is required to enter various zones of the center. In highly secure data centers, the card is actually shredded in a blender so that it cannot be misused. Setting all that up is time-consuming, expensive, and technical; wouldn’t you rather focus on clients and cases instead?
What About Server Jurisdiction?
Data has gone global, and e-discovery is a fact of life for legal professionals around the world. As e-discovery gets more complex, it will become harder to keep up with rules and regulations. Consider the case of localized regulations. European e-discovery and e-disclosure practitioners have restraints on where data resides; cloud providers have worldwide locations that suit this requirement, and their compliance is suited to the local market.
Because these issues are only becoming more complicated—take the huge e-discovery implications of Brexit, for example—it will be a boon to distribute data instead of working with servers in now-uncoupled jurisdictions.
Now or Never? Not Quite.
The cloud can speed up e-discovery and help cut costs. With infrastructure, volume, and storage all handled by a provider, you can focus on the work. That means that the lead-time to standing up an e-discovery solution in the cloud is significantly faster.
If you were to build a data center from scratch, how long would it take to order the servers, provision the physical space, install and provision the servers, and spin up the networks? If you do this in the cloud, it would seem like a heartbeat. No cord to trip over, no plug to pull out, no VESD (Very Early Smoke Detection) to deploy and debug. Just dial up your favorite cloud provider and you’re there in no time. And it is likely you will more easily secure your cloud presence, and be ready to provide your users with top-notch CIA (Confidentiality, Integrity, Availability) for the data stored there.
It’s a scary switch to completely change the way you do business. A hybrid approach combining on-premises and cloud options may be the best for your business. Many providers will continue to support on-premises delivery, and e-discovery technology companies will continue to grow with them. Some will consider the hybrid solution, which combines both cloud and on-premises data centers, into a responsive, integrated ecosystem of data, taking away the fear or risk of doing things just one way or the other. Others, however, are making the leap to the cloud, where speed and security will become the cornerstones of litigation strategy.
No matter how you choose to deploy, it is clear that a mature cloud services marketplace opens up a whole new level of possibility in legal technology.
Perry Marchant was vice president of engineering at Relativity, where he guided the design and functionality of the company’s e-discovery platform. Before joining Relativity, he helped develop industry-leading security solutions for Symantec and McAfee.
Bill Lederer was chief security officer at Relativity, leading a team dedicated to maintaining secure environments for customers and employees.