
Cloud Security: a Best Practice guide for UK Law Firms.

Cloud computing, or “Cloud” as it is becoming known, is a new choice of IT platform for lawyers in the UK and, indeed, around the world, with firms moving their IT processing and data to servers located outside their own law offices. For many of these law firms, Cloud has been an appropriate choice because it is a flexible and affordable alternative to traditional or ‘on premise’ server and desktop-based platforms.

Despite these benefits and the continued growth of cloud computing in both the business and legal worlds, there are still concerns that the adoption of cloud technology by law firms in the UK may bring with it security, confidentiality and data protection issues. These concerns are justified if cloud computing is implemented without expert IT guidance, particularly where the firm has no in-house IT support. Nevertheless, when addressed properly, these concerns can be alleviated.

Does your law firm have and implement a defined security policy?

From a security perspective, all of the firm’s data should be secured from any threat of unauthorised access in every way possible. For this purpose, great attention should be given to passwords, as your firm’s network, whether this is held physically on premise or virtually in the Cloud, is only as secure as the weakest password.

It is recommended that firms ensure that staff use strong passwords, with separate passwords used for access to the firm’s network and for access to the legal practice management software itself. This can be enforced by switching on a strong password policy in Windows. A strong password is at least 8 characters in length and should include letters, numbers and other symbols (!"£$%^&*;:) with a mix of upper and lower case letters. Furthermore, it is recommended that a policy of changing passwords should be implemented on a regular cycle of no more than 60 days. This can also be implemented by Windows policy. Certainly, passwords should not be shared or written down, and particularly not left in the vicinity of the computer.

Additionally, high risk behaviours such as downloading unauthorised applications and documents, browsing potentially dangerous websites, using an unauthorised email service, responding to phishing e-mails with confidential information or transferring confidential information onto a USB memory stick or other storage device should be monitored and avoided.

All anti-virus & malware protection products should be updated daily on all machines in the office. These are included in Windows nowadays and you can purchase others, so switch them on and configure them to automatically update themselves and scan your computer every day. If such regular security updates are not installed as soon as they become available, the firm’s and clients’ data may be vulnerable to security breaches.
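As an added example (not part of the original article and not LawCloud’s own tooling), the following PowerShell audits a Windows workstation against the baseline described in the two sections above: the minimum password length, complexity and rotation cycle that Windows policy should enforce, and whether anti-virus protection is on and its signatures are fresh. It assumes Windows 10 or later with Microsoft Defender, an elevated prompt (secedit needs it), and the standard INF key names that `secedit /export` writes; the thresholds are the ones the text gives.

```powershell
# Added example: audit local password policy and Defender status against the guide's
# baseline (8+ characters, complexity on, rotation within 60 days, daily AV updates).
# Assumes Windows 10+/Server with Microsoft Defender and an elevated prompt.
$MinLength    = 8     # from the guide
$MaxAgeDays   = 60    # from the guide
$MaxSigAgeHrs = 24    # "updated daily"

# secedit exports the effective local security policy as an INF-style text file;
# the [System Access] section holds the password settings we care about.
$inf = Join-Path $env:TEMP "secpol-audit.inf"
secedit /export /cfg $inf | Out-Null
$policy = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$findings = @()
if ([int]$policy['MinimumPasswordLength'] -lt $MinLength) {
    $findings += "MinimumPasswordLength is $($policy['MinimumPasswordLength']); guide recommends at least $MinLength"
}
if ([int]$policy['PasswordComplexity'] -ne 1) {
    $findings += "PasswordComplexity is off; enable it to require mixed case, numbers and symbols"
}
# A MaximumPasswordAge of -1 in the export means passwords never expire.
$maxAge = [int]$policy['MaximumPasswordAge']
if ($maxAge -lt 1 -or $maxAge -gt $MaxAgeDays) {
    $findings += "MaximumPasswordAge is $maxAge; guide recommends a cycle of no more than $MaxAgeDays days"
}

# Microsoft Defender: real-time protection on, signatures updated within the last day?
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is disabled" }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSigAgeHrs) {
    $findings += ("Antivirus signatures last updated {0:N0} hours ago; guide expects daily updates" -f $sigAge.TotalHours)
}

if ($findings.Count -eq 0) { "Workstation meets the guide's password and anti-virus baseline." }
else { "Findings:"; $findings | ForEach-Object { " - $_" } }
```

On a domain-joined machine the values reported are those the domain policy has applied, so running this on a few workstations is a quick way to confirm that the policy switched on centrally has actually reached the desks.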

Where is your client data held? (Within the UK? or at least in the EU?)

Security in the Cloud should be approached and treated in the same way as security in a physical shared environment. If a law firm utilises cloud computing, its data and its client data will not be located within servers in its own law offices. It is therefore vital to know where that data is being held.

The UK enacted the Data Protection Act 1998 following the EU’s Data Protection Directive of 1995, which in very broad summary requires all EU Member States to protect people’s fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data. It also directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself, such as a Cloud provider, can guarantee that the recipient will comply with the data protection rules.

Even if personal data is transferred to such a country with an adequate data protection regime, appropriate terms should be provided for in the Service Level Agreement (“SLA”), and it is imperative that a law firm makes clients aware of and seeks clients’ consent to such a transfer before it occurs. Further, if the data is held elsewhere, a different governing law or jurisdiction may apply, demanding additional legal consideration beyond the governing law and jurisdiction clauses of the SLA. Further, electronic discovery, which involves having client data available for any potential legal proceedings, may become more complicated.

This distinction becomes potentially blurred where public Clouds, such as those provided by Yahoo, Google or Amazon, are used. Public Clouds are offered globally to all sorts of individuals and organisations and have servers located throughout the world. With public Clouds there is a real risk of client data leaving the EU. It is therefore essential that your provider of Cloud services is willing and able to provide transparency to allow you to make correct decisions.

For these reasons it is best practice for law firms in the UK to check that their Cloud computing provider is storing their data within the UK or, at the very least, solely within the EU.

How safe is your physical data?

It is important to research and select a Cloud provider carefully. In addition to checking that your data is being held within the EU, it is also fundamental to examine how resilient your Cloud provider’s data centre actually is.

You need to be confident that your Cloud provider has implemented all the security provisions that are practically possible to ensure that your data is safe. This includes physical provisions such as a secure facility that is manned and monitored 24/7/365 with strict physical access controls to their data centre. The data centre should be resilient, with:

  • fire suppression
  • environment monitoring
  • platform monitoring
  • backup power supplies or generator
  • dual independent network path, dual independent Internet connection
  • two of everything to ensure that there is no single point of failure within the system.

Of particular comfort will be a backup data centre. In the event of a total catastrophe at the main data centre, does your Cloud provider have a backup data centre, and how quickly is it available with your applications in a usable state? This question is key when identifying a quality Cloud provider.

How secure is your data over the Internet?

A common misconception of Cloud services is that anyone can log into a law firm’s Cloud system and, thus, access all client data from anywhere, provided that they have a username and password. Three key features of best practice should be implemented to prevent this from happening:

  • Firstly, this can be achieved through the implementation of a private infrastructure, as opposed to a public cloud service. Through this private infrastructure, authorised PCs should only be able to access the Cloud with a unique token, which is a small piece of encryption software installed on a user’s PC. This token is required in addition to a correct username and password (see below). This should be contrasted with an entirely public Cloud service, which is the standard web access solution, where users have no control as to how this is delivered, monitored and to some extent accessed. Private infrastructure, on the other hand, is effectively your own firm’s network, but extended to encompass a Cloud solution, which grants privacy, security and full control as to how it is accessed. This network should be encrypted for additional protection, which is why each PC requires a token. The token is a decrypting key that unscrambles the data so that it can be viewed on screen correctly;
  • Secondly, the Cloud service should only be available via a secure and strong username and password that is separate from those used to access the computer. As discussed previously, this password should be changed periodically and on a recurring cycle; and
  • Thirdly, the legal practice management software or other applications accessible via the Cloud should also only be available via a separate secure and strong username and password, which, as discussed above, should be changed periodically, on a recurring cycle and independent of the operating software or connection passwords.

As far as encryption is concerned, it is also good practice for the Cloud provider to have an encryption key, such as an SSL encryption certificate, and to use this for all connectivity and data traffic. With SSL, all traffic between two points on the Internet is encrypted using a secure and sophisticated algorithm. One end encrypts; the other end decrypts. It is almost impossible to decipher the encrypted data without knowing the encryption key itself. Thus, in the very unlikely event of a breach, sound encryption practices will ensure that confidential data remains confidential.
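As an added example (not from the original article and not LawCloud’s own code), the following PowerShell performs the check a firm can run itself against the paragraph above: it opens an SSL/TLS connection to the provider’s endpoint and reports whether the certificate chains to a trusted root, matches the host name, is still within its validity period, and whether a current protocol version was negotiated. It uses only .NET classes available in Windows PowerShell 5.1; the host name is a placeholder to replace with the provider’s address.

```powershell
# Added example: verify a Cloud provider's endpoint presents a trusted certificate
# and negotiates a modern protocol. Host name below is a placeholder.
param([string]$HostName = "portal.provider.invalid", [int]$Port = 443)

$policyErrors = $null
# The validation callback records any chain or name errors rather than hiding them;
# returning $true lets the handshake finish so the certificate can be inspected.
$callback = { param($sender, $cert, $chain, $errors) $script:policyErrors = $errors; return $true }

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $modern = $ssl.SslProtocol -in 'Tls12', 'Tls13'
    [pscustomobject]@{
        Host             = $HostName
        Protocol         = $ssl.SslProtocol
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        ValidationErrors = $policyErrors          # 'None' is what you want to see
        Acceptable       = ($policyErrors -eq 'None') -and $modern -and ($cert.NotAfter -gt (Get-Date))
    }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

`Acceptable` is false if the certificate is self-signed, issued for a different name, expired, or if the server still negotiates an older protocol; any of those is a question to put to the provider before client data travels over the link.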

What happens if your laptop is lost or stolen?

Imagine the worst case scenario, where your laptop, which has access to your law firm’s private infrastructure, is lost or stolen. One of the most significant questions that follows is: will the person who finds or steals your laptop be able to access the Cloud and, thus, your firm’s client data?

For the reasons above, the answer should be no, provided that the person who finds or steals the laptop does not know or cannot find out three different usernames and passwords: those required to access the laptop in the first place, those to access the Cloud and those to access the legal practice management software within the Cloud. In addition, you should report the loss of your laptop to the Cloud provider as soon as possible; they will disable the token, thus rendering access impossible.

Is your data always available?

It is important to have a realistic view of Service Level Agreements and to contract with a provider who guarantees response times. It is not uncommon for providers to offer a financially backed SLA which means they will refund you a portion of a fee for the times when your system is unavailable. Whilst this may provide a level of reassurance, it is more pragmatic to choose a provider who will guarantee to have your system rebuilt, restored and available within a reasonable period of time, such as, for example, 2 to 4 hours of a failure. You should also find out the times at which your Cloud provider attends to general maintenance and software updates on your Cloud. Preferably, these should be outside of your normal working hours.

For comparison purposes it is worth asking how quickly you could restore your current on premise systems if such an event happened at your own offices. The need for business continuity and disaster recovery is very real, and it only becomes apparent when a catastrophic failure occurs. You must have your contingency plans ready, tested and workable.

Is your Cloud management system technically well designed?

When utilising Cloud services, it is best practice to have your systems secured behind a firewall. Firewalls stop both internal and external attacks from gaining unauthorised access to the network and to your data, and are commonly hardware devices and/or software based. It is recommended that your system is secured behind both a hardware and a software firewall.
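As an added example (not from the original article and not LawCloud’s own tooling), the following PowerShell covers the software half of the recommendation above: it checks that the Windows firewall is enabled on every network profile with inbound connections blocked by default, optionally remediates, and lists the inbound allow rules that remain so they can be reviewed. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated prompt.

```powershell
# Added example: confirm the Windows firewall is on for every profile and blocks
# inbound traffic by default; pass -Fix to correct any profile that is not.
# Assumes the NetSecurity module (Windows 8 / Server 2012+) and an elevated prompt.
param([switch]$Fix)

foreach ($p in Get-NetFirewallProfile -Profile Domain, Private, Public) {
    $problems = @()
    if ($p.Enabled -ne 'True') { $problems += "firewall disabled" }
    if ($p.DefaultInboundAction -ne 'Block') { $problems += "default inbound action is $($p.DefaultInboundAction)" }

    if ($problems.Count -eq 0) {
        "$($p.Name): OK"
        continue
    }
    "$($p.Name): $($problems -join '; ')"
    if ($Fix) {
        Set-NetFirewallProfile -Profile $p.Name -Enabled True -DefaultInboundAction Block
        "$($p.Name): remediated"
    }
}

# With inbound blocked by default, the enabled allow rules are the whole attack surface;
# a hosted-desktop client normally needs very few of them, so review this list.
"Enabled inbound allow rules:"
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Run it without `-Fix` first so that the report can be compared across machines; the hardware firewall in front of the hosted environment is the provider’s responsibility and is not visible from here.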

Connection to your Cloud provider is usually through a browser or a remote connectivity tool. You should ensure that, whichever connection method is used, it relies on a secure and up to date authentication method and that the operating system on your device takes regular updates. Having the latest service packs and hotfixes applied is essential to ensure that vulnerabilities are minimised.

You should always question your Cloud provider’s hosted environment, ensuring it is based on an industry standard, secure and protected architecture. Industry standard secure architectures will commonly use “domain controllers” to apply security policies; they will also ensure that all data is segregated and that it is not possible for one firm’s data to cross over into another firm’s segment in a shared “virtual” network environment. This is normally done by defining separate “organisational units” for each firm and for each individual user within the units. Security policies are then applied to the firms’ databases, document repositories and all shared resources, and to any other individual element of data pertaining to a firm, to ensure absolute segregation.
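As an added example (not from the original article and not LawCloud’s own provisioning code), the following PowerShell shows what the segregation described above looks like on the provider’s side: one organisational unit per firm, a security group inside it, and a document repository whose permissions are cut off from inheritance and granted only to that firm’s group plus the host’s own SYSTEM and Administrators accounts. It assumes the ActiveDirectory module on a domain controller or management host, a placeholder domain `hosting.example` with a parent `OU=Firms`, and a share root `D:\Firms`; the firm name is a constructed value.

```powershell
# Added example: provision per-firm segregation in a shared hosted environment.
# Assumptions: ActiveDirectory module available, domain "hosting.example" (placeholder),
# parent OU "OU=Firms" already exists, repositories live under D:\Firms.
param(
    [Parameter(Mandatory)] [string]$FirmName,                 # e.g. "ExampleFirm" (constructed)
    [string]$FirmsOU   = "OU=Firms,DC=hosting,DC=example",    # placeholder domain
    [string]$ShareRoot = "D:\Firms"
)
Import-Module ActiveDirectory

# One OU per firm confines group policy scope and delegated administration to that firm.
$ou = New-ADOrganizationalUnit -Name $FirmName -Path $FirmsOU `
        -ProtectedFromAccidentalDeletion $true -PassThru
$group = New-ADGroup -Name "$FirmName-Users" -GroupScope Global -GroupCategory Security `
        -Path $ou.DistinguishedName -PassThru

# The firm's document repository: stop inheriting the share root's permissions,
# discard whatever was inherited, then grant only the three identities below.
$repo = Join-Path $ShareRoot $FirmName
New-Item -ItemType Directory -Path $repo -Force | Out-Null
$acl = Get-Acl -Path $repo
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$grants = @(
    @{ Id = $group.SID;                                                         Rights = 'Modify' },      # the firm's own users
    @{ Id = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM';      Rights = 'FullControl' }, # backup and AV agents
    @{ Id = [System.Security.Principal.NTAccount]'BUILTIN\Administrators';   Rights = 'FullControl' }  # the host's operators
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $repo -AclObject $acl

# Verify: nothing but the three identities above should appear, and no entry should be inherited.
(Get-Acl -Path $repo).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize
```

Granting by SID rather than by name avoids a failure when the group has just been created and its name has not yet replicated; the final listing is the evidence a firm can reasonably ask its provider to produce for its own repository.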

Conclusions.

Cloud computing is the way forward for law firms and lawyers: it is tested, proven and is here to stay.

For many firms, Cloud computing offers a range of benefits. It’s very quick to implement and as such is an affordable and secure alternative to traditional server or desktop-based software platforms. It offers great mobility for access from different locations and has the flexibility to adjust the number of users both up and down in order to help firms grow and contract in turbulent times.

However, with those benefits come security and ethical concerns which must be taken seriously. Cloud providers must be transparent and responsive in meeting such security concerns.

If implemented with thought and care, it is probable that a first-rate Cloud provider, chosen wisely, will be able to offer better security than many law firms can provide for themselves.

Finally, nothing beats experience. Cloud providers that have experience in delivering services to law firms will have already encountered many of the questions you have to ask and will therefore have answers that are reassuring with policies and procedures that are secured and in place.

Created for the lawyer who wants to work in a smart and secure environment that is accessible from just about anywhere, LawCloud is an ideal mix of traditional practice meets innovative technology, all of which is operated within a secure, personalised environment.

With LawCloud you have a trusted partner to help you along the way. Through LawCloud’s step-by-step learning programme, one of our training advisors will:

  • Assess your Cloud readiness
  • Develop robust business systems
  • Identify business entry points

LawCloud aims to make your technology journey easy, not leaving you at the first hurdle. Our dedicated team of experts are here for you to provide the most innovative technology and first class customer service.

Join over 350 law firms across the United Kingdom.

Our clients range from small start-up legal practices to multi-partner, multi-site firms.

As the first commercial user of LawWare back in 1998, we have had no hesitation in remaining with the product through its development. We thoroughly recommend it to any firm looking for a practice management system.

Alastair Hart & Co.
Alastair Hart

The helpdesk is exceptionally good. Whatever the query there is always a human being there to help. No leaving messages or being advised to go to a website. The best computer service for solicitors I have ever used!

South Forrest
Irene Yule

The linking of documents and casefiles saves so much time! I have experience of several accounts packages and I like that LawWare is simple to use and easy to learn. Support is quick and effective and staff are helpful and courteous.

Sprang Terras
Fiona Allison

I have worked with a number of Case Management providers over the years but have not come across anything with the attention to detail and thoroughness of LawWare. My colleagues and I have not been disappointed.

Brymer legal Ltd.
Professor Stewart Brymer

I can’t imagine trying to be a law firm in the 21st Century without 21st Century IT systems. Having a ‘single system’ that underpins all the work, whether we are in the office or out, is an integral part of what we are building.

Sneddon Morrison
Eric Lumsden

The level of support is the main benefit of using this system. The system itself, once you have had training, is simple and easy to use. We have a great relationship with LawWare and the ongoing support is second to none.

Linda George Family Law
Sharon Rodger

Significant preparation was required to configure and import the data from our old firm. We had to get all clients onto the new system and then learn how to use it. We just find it very easy to use, much easier than our old system.

Scanlon Ewing
Maureen Ewing

It’s a big help that you can speak to the boss directly. The support team takes a lot of the technological stress away and, as LawWare continues to build relationships and integrations with other suppliers, it makes our life much easier.

Matthew Cohen & Associates Ltd.
Matthew Cohen

Being a busy litigator with a growing firm it is incredibly useful to be able to view my files from any location with some form of internet connection. I am a fan, and want to keep working with LawWare to make a good product great.

Helix Law Limited
Jonathan Waters

The LawWare team bend over backwards to help and I have no hesitation in recommending LawCloud to start-up law firms.

It was the right product at the right time for me.

Moore Law
Tris Moore

The switch to the new LawCloud system, which is still on-going, has gone very well. We found the LawWare team without exception to be very helpful and knowledgeable. All queries are followed up and dealt with promptly.

Cullen Kilshaw
Ross Kilshaw
