Cloud 201: Defining, Using and Securing the Next Generation

Extract from article by Zach Warren

On Securing the Cloud

“We still see that with IT security and legal compliance, even as far as it’s come in the past couple years, when it comes to migration and planning out the cloud, legal is coming in late,” [Rachi] Messing said. Many attorneys don’t realize that a move to the cloud gives them “an opportunity to re-evaluate the policies and procedures they have in place. … Generally, there is a huge disconnect there, and we see the need for education.”

[Doug] Austin noted that “whether you’re a public or a private cloud provider, there are certain things you want to look for.” These include ISO 27001 and other security certifications, multifactor authentication, and industry-specific guidelines such as Health Insurance Portability and Accountability Act for health care. He also suggested perusing EDRM’s security audit questionnaire as an additional guideline. These, taken in tandem, can help spur the IT/legal conversation.

[Kelly] Twigger also suggested a checklist of what needs to get done. “The thing that I find with most of my clients, if there is a good liaison relationship between IT and legal, those issues get addressed,” she explained. She added that “a lot of those [issues] will depend on the clients you have, the locations you are, if there is data overseas.”

And finally, [Ari] Kaplan warned not to forget to not only vet third parties, but also the outside companies and individuals that those third parties work with. He said these so-called “fourth parties” are the biggest security issue facing legal organizations today.

“From a practical standpoint, are you doing enough due diligence? Nobody is making the step of asking that additional question,” Kaplan said. “Whether it’s legal or IT, right now that distinction is blurred.”