A Critical Step in Cybersecurity: Vetting Your Cloud Vendors
It goes without saying: The cloud is now mainstream. Early in Rocket Matter’s history this was not the case, and we worked with bar associations and consumers to educate them on how cloud technology works and what the true risks are.
Now we’ve reached a tipping point. It used to be perceived as more secure to keep all of your data on-premises. But today, what sounds safer to a client: that you secure the data yourself in your office, or that you’re using cloud storage at an Amazon or Rackspace data facility? Unless you’re skilled in cybersecurity or have specialized rooms and security systems in place, storing data on-premises is now actually deemed the less secure option.
The problem is, not all cloud providers are created equal. Some, like Rocket Matter, have stood the test of time and have responsible security protocols. However, this is not the case with all vendors, and it is your responsibility to figure this out. State bars, in their ethics opinions on cloud computing, have issued “reasonable care” guidelines that instruct attorneys to learn about the security practices of their vendors.
In order to give guidance to law firms and bar associations in terms of best security practices for cloud vendors, Rocket Matter, along with other leaders in the legal technology space, formed the Legal Cloud Computing Association and issued a set of security guidelines to help you make decisions. There’s a lot to know, but the biggest items you need to determine are the following:
- You should own your data. The cloud provider should not own it.
- You should be able to get your data out of a cloud system at any time in a usable format.
- Encryption should be used to safeguard client information.
- The cloud provider should be able to spell out their backup policies.
- You need to determine who at the cloud provider has access to see your data and under what circumstances. You must be comfortable with the answer.
- Find out if the company has had a breach before. If so, how did they respond to it?
- What measures does the cloud company take to ensure cybersecurity on an operational level? In other words, aside from the application you’re spending money on, is the organization itself safe? Do they conduct background checks on employees? How do they manage passwords internally?
- Does the application limit attempts to log in to prevent brute force and dictionary attacks?
- Can you use two-factor authentication?
- How does the company handle data destruction? It is important that, when you leave a service, copies of your data are not left lying around.
Many state bar associations publish their own lists of due diligence questions, but the points listed above are the major ones to consider.