We are in the midst of a pair of revolutions that already have changed the face of how both individuals and businesses use technology. Mobile technologies such as smartphones and tablets change the way we access and interact with data, while cloud computing is in the process of changing the way we store and process information. While independent, these new paradigms complement each other, and the successes in one drive development and innovation in the other.
These technologies have the potential for providing great gains in efficiencies and responsiveness to legal professionals, but they can add significant risks if not implemented with appropriate planning and forethought. In this article I'll share some critical points to consider to keep your mobile devices and cloud deployments safe and secure.
While I'm sure that everyone has a clear picture what mobile devices are, there is significant confusion about just what exactly the "cloud" is. "Cloud" is a marketing term that encompasses a wide variety of techniques, methodologies, and service delivery models about which nobody agrees. The two main commonalities that most cloud services have are a "pay as you use" model and "hosting," a term often used in earlier times for not owning or controlling the hardware that the data is stored and processed on.
Many services that the legal industry uses are available today via cloud providers: e-mail, spam-filtering, backup, file storage, document management, customer relationship management, timekeeping, and even complete server environments. These are just a few of the things that can be outsourced to cloud providers. Today, it's possible to start and run a law office without purchasing a single piece of software or hardware beyond a desktop PC.
When selecting a cloud provider, you need to ask careful questions about how they will store and secure your data, and what their internal controls look like. Any service handling your sensitive information needs to be vetted. Many cloud services are built to handle consumer data, with no true security safeguards, no ability to audit, and no redundancy or backups. Many providers advertise that they've completed SAS 70 audits. A SAS 70 audit shows that a provider has defined a set of internal controls, follows them, and has had the effectiveness of those controls assessed by an outside auditor. When assessing outsourced providers, I consider a successful SAS 70 audit the minimum baseline for evaluating the security capabilities of a cloud provider.
The second factor to keep in mind is whether or not you can extract, export, or download all of your data from the service. For some applications, like file storage or backup, this isn't a huge problem or concern. However, for more specific applications, like time or document management, gaining possession of your data may be a Sisyphean task. Ensure that any agreement includes clear provisions for defining your right to extract your own data, in a format that is compatible with other industry applications.
One of the biggest benefits of adopting cloud solutions is that they are designed around being accessed remotely over the Internet. Due to that design, it is usually equally easy to access these services from a fixed office location, from home, or even from the road. In many cases, laptop computers are falling out of favor and are being replaced by tablets and smartphones. While these mobile devices bring immense gains in portability, they add new risks that need to be addressed.
Due to the size of today's mobile devices, they're easy to leave behind accidentally, and they are attractive targets for thieves looking to make a quick buck. To combat this, we need to ensure that only the legitimate user of the device can access it without special tools, that we can track the physical location of the device, and that we can remotely destroy any sensitive data on the device.
Requiring the use of a passcode or password on the device is an important first step. Some devices can be configured to automatically wipe themselves if an incorrect password is attempted several times in a row. If you are dealing with sensitive information that may be present in your e-mail, this really is the absolute minimum step that you should have in place.
Enable the device's native tracking technology, so if you lose the device, you can determine a rough location. Bear in mind that this functionality depends on both GPS and data connections, and varies in accuracy. The utility of this function should be weighed against the risk of an attacker subverting this function to track the location of the device's owner.
Have a policy in place regarding when to remotely wipe a missing device. Depending on risk level, this could range from a multi-day waiting period to a requirement that devices be wiped immediately after being found missing. Each type of mobile device has its own mechanism for performing remote wipes, and most devices that can integrate with Microsoft's Exchange e-mail server can be wiped via that software.
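The passcode, failed-attempt wipe and remote-wipe controls described in the two preceding points can all be enforced centrally when devices synchronize with Microsoft Exchange. The following PowerShell is an added example written for this article, not code from the original page or from Microsoft; it uses the Exchange Management Shell cmdlets for mobile device mailbox policies (the older Exchange 2010 equivalents carry "ActiveSync" in their names instead of "MobileDevice"). The policy name, the mailbox, and the device identity shown are constructed placeholders.

```powershell
# Added example (not from the original article): enforce the device controls
# the article recommends through an Exchange mobile device mailbox policy.
# Policy name, mailbox and device identity below are placeholders.

# 1. Require a passcode, lock the device after inactivity, and wipe it after
#    repeated wrong passcodes. Devices that cannot enforce the policy are
#    refused rather than silently allowed to sync.
New-MobileDeviceMailboxPolicy -Name "Firm Mobile Baseline" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 8 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Apply the policy to a user's mailbox (placeholder address).
Set-CASMailbox -Identity "attorney@firm.example" `
    -ActiveSyncMailboxPolicy "Firm Mobile Baseline"

# 3. When a device is reported missing: list the devices tied to the mailbox,
#    then issue the remote wipe for the one that was lost. The wipe command
#    is queued and executes the next time the device contacts the server,
#    which is why the article's "how long to wait" policy matters.
Get-MobileDevice -Mailbox "attorney@firm.example" |
    Select-Object FriendlyName, DeviceType, DeviceId, Identity

# Placeholder identity copied from the listing above.
Clear-MobileDevice -Identity "attorney/ExchangeActiveSyncDevices/iPad§PLACEHOLDERID" `
    -NotificationEmailAddresses "it-security@firm.example" `
    -Confirm:$false

# 4. Confirm the wipe was requested, sent, and acknowledged by the device.
Get-MobileDeviceStatistics -Mailbox "attorney@firm.example" |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, `
                  DeviceWipeSentTime, DeviceWipeAckTime
```

The important operational point is step 3: a remote wipe only takes effect when the device next checks in, so a thief who immediately disables the data connection may never receive it. That is what makes the local failed-attempt wipe in step 1 the essential backstop.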
Think about your backup strategy: Most mobile devices have a means to wirelessly back up data to a cloud service, as well as local backups to a computer via a connector cable. Make sure that these backups are complete, and are encrypted to prevent outside parties from accessing the contents.
Be careful what apps you install. Mobile devices are the next big thing for malicious software authors. Recently, malicious software has been found in the wild for ALL major smartphone and tablet operating systems.
Set up a Virtual Private Network (VPN) to protect communications from the device to your office network against eavesdropping. Any time you access the Internet via a guest wireless network, such as those found at hotels and coffee shops nationwide, you open up the possibility that your communications can be intercepted.
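As an added illustration of the VPN point, not code from the original article, the following PowerShell creates an office VPN profile on a Windows tablet or laptop using the built-in VpnClient cmdlets. The server name is a placeholder. It shows a weak profile beside a hardened one, because the protocol and authentication choices are what decide whether a hotel-Wi-Fi eavesdropper can read or hijack the tunnel.

```powershell
# Added example (not from the original article). Server name is a placeholder.
# Weak profile: PPTP with password-only authentication and optional encryption.
# PPTP's MS-CHAPv2 authentication is known to be breakable, and "Optional"
# encryption lets the tunnel come up unencrypted. Shown only for contrast.
# Add-VpnConnection -Name "Office (weak)" -ServerAddress "vpn.firm.example" `
#     -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Optional

# Hardened profile: IKEv2, client certificate authentication, encryption
# mandatory, no cached credentials, and all traffic forced through the tunnel
# (split tunneling left off) so nothing leaks onto the guest network directly.
Add-VpnConnection -Name "Office" `
    -ServerAddress "vpn.firm.example" `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -RememberCredential $false `
    -Force

# Verify the profile before handing the device to a user.
Get-VpnConnection -Name "Office" |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, `
                  EncryptionLevel, SplitTunneling, RememberCredential
```

Whatever platform the device runs, the same checks apply: a modern tunnel protocol (IKEv2 or equivalent), certificate rather than password-only authentication, encryption that cannot be negotiated away, and a full tunnel so the guest network sees only encrypted traffic to your VPN gateway.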
As a final security measure, it may be worth developing a virtual desktop solution that is accessible from mobile devices. In this type of setup, the mobile device will securely connect to a system at your office. No sensitive data is ever stored on the mobile device, and you gain the benefit of having a consistent user experience.
The confidentiality, integrity, and availability of sensitive client and firm data are of paramount importance, but with proper risk mitigation, both mobile devices and cloud services can safely enhance the IT capabilities of your firm. A little due diligence and some common sense are all it takes.