Raining on the Cloud Parade
Every cloud has its silver lining but it is sometimes a little difficult to get it to the mint.
The law technology pundits are all about “the cloud” these days and it seems as though they never miss an opportunity to promote using “the cloud” to better your practice. I’m actually a fan of both “the cloud” and “Software as a Service”. I think both do offer real, practical and tangible benefits for solo and small firm practitioners. But when people tout the benefits and ignore the pitfalls, they aren’t doing you any favors. To make the best of technology you should understand its limits and, more importantly–the ways it can fail, so you can be prepared to mitigate those potential issues.
So what is the problem with “the cloud”? The two biggest “gotchas” lurking out there are data failure and security. There’s some overlap in these categories as well. Sometimes a failure of security can lead to a failure of data. But broadly speaking, those are the limitations.
Let’s talk about data failure. The most common way that people lose data is through failed disks. That’s why pundits typically say that cloud computing is more reliable than your local machine or data storage, because your data is always sitting safe in the cloud, where it’s reliably accessible and your data is professionally managed. But that attitude ignores the real possibilities of failure.
Just because your data is in the cloud, it doesn’t mean you will always be able to get to it. Network wide outages on the Internet are not common, but they happen. And more often than the entire Internet going down is the reality of your local ISP, the one that connects your office or home to the Internet, having an issue. Local and regional ISPs go down with alarming frequency. So how do you get to that data that’s in the cloud if your Internet connection is down? Do you pack up and go to snarf some public wi-fi, potentially exposing confidential data? Or do you move to your mobile device and suffer from slower download speeds? Or do you rely on a local backup?
Having local copies of your data can allow you to keep working, even if your cloud should somehow be unavailable. Speaking of backups, as I’ve mentioned this before, you should have a backup plan that doesn’t rely on your cloud provider. Why? Even the biggest, expertly-managed clouds fail. And when they do, it’s your responsibility to be able to get to your data.
Amazon runs one of the largest cloud computing platforms in use today: Amazon Web Services (AWS). AWS spawned from Amazon’s own data needs, but now offers cloud server and storage solutions to businesses directly and indirectly due to the number of startups that use Amazon’s AWS services. In early 2011, a massive outage on AWS took out some very high-profile sites, like Quora, Reddit, FourSquare and Everyblock, to name a few. While the outages were caused by failures at AWS, as Everyblock points out in Lessons From a Cloud Failure: It’s Not Amazon, It’s You, the ultimate responsibility for keeping your own business running is you. So what are your contingency plans if your cloud provider fails? How do you fall back to your own locally backed up data? What software do you use as a backup? And what procedures do you have in place to make it happen with as little impact to your firm and your clients as possible?
Recently, Baxter, Baker, Sidle, Conn & Jones had an issue with a lost hard drive. The ABA Journal post prompted cloud advocates to respond that if the firm had been using the cloud, this never would have happened. That may well be, but it misses the point on several levels.
First, as the article notes, the drive that was lost was a backup drive that was being taken off-site for safe keeping. Now, perhaps they should review who takes care of off-site backups and how transportation is managed, but the reality is that off-site and local backups are a good idea. You can use the cloud for off-site backups. Many companies do. But the issue here isn’t that “using the cloud” would have saved the data. Clouds can be compromised, too. (More on that later). The real issue here is: how was the data stored. Be it on a local, portable drive, or in the cloud, the data should be encrypted. If the drive in question was encrypted (which it appears to have been) then the data on it is every bit as safe as it is in the cloud (maybe more so). I wouldn’t want to have to send that letter out to clients alerting them to the data loss because of a lost hard drive anymore than I would want to send out a letter saying our cloud service had been compromised. They are really the same thing to a client looking at a breach of confidentiality.
So why do some people assume the cloud is so much safer than an encrypted hard-drive? Well, it can’t be left on a train, for one. But the security of your cloud data isn’t as secure as the bullet point in your service providers sales pitch might lead you to believe.
Yes, all of the major cloud storage providers (Dropbox, SugarSync, etc.) encrypt your data in the cloud. The same is true of software providers like Rocket Matter or Clio. But what about your password to access it? That’s usually the weak link in the chain. And that’s one way cloud data gets compromised. Oh, but you use a strong password?Maybe so. But how many employees have access to the cloud data? How strong are their passwords?
Getting hacked in the cloud can be a nightmare. Recently, James Fallows recounted the story of when his wife’s Google Mail account was compromised in Hacked! Take some time to read the article and see what a nightmare it could be to regain control of your account, to say nothing of the nightmare of trying to recover the data that may be lost. Do you use Google for your e-mail? What about Google Voice? Or Google Apps? How would you recover the account and the data if your cloud services or accounts were compromised?
The best way to plan for these kinds of disasters, of course, is to do everything you can to avoid them in the first place. Start with your passwords. Passwords don’t get a lot of thought, for the most part, even though they are the lock on the door to your data. No password is 100% secure. You need to know that and accept it. But there are some steps you can take to make your passwords more secure than others.
For starters, make sure you use a strong password. You’ll be somewhat restricted by the password requirements of your service provider, but the longer the password, the better. And it doesn’t have to be hard to memorize to be effective.
Second, don’t have a single password. I have around a half-dozen passwords that I use for various services. Some, for public websites that require registration (e.g. The New York Times, etc.) aren’t as strong as the ones used for financial services. I also advocate using a password manager, such as 1Password or KeePass to keep my passwords in an encrypted vault, rather than writing them down someplace in order to remember them.
Finally, with some services, notably Google, you can use a process called two-step authentication. This requires an app you can run on your iPhone or Android device. When you log into Google, you launch the app and are given a key to enter in addition to your password. It seems like an inconvenience to go through this just to check your e-mail, but again, go read Hacked! If that doesn’t convince you the added security is worth the inconvenience, nothing will.
You can take things another step further with regards to cloud stored data: encrypt your own files. If you use Dropbox or another service to shuffle client files around, encrypt the files yourself as an added layer of protection. That way, should your password ever be compromised, the files themselves (encrypted with a different password!) would still be protected.
No security measures, no matter how diligent, can ever be 100%. But you can still plan for the worst, by protecting your data with backups, strong passwords and encryption. If you follow those guidelines and you do get compromised, you’ll still be in the embarrassing position of having to disclose the compromise to your clients. However, if you’ve planned for disaster and executed those plans, instead of apologizing for a major failure of confidentiality and confidence, you’ll be able to demonstrate the steps you took to ensure that the client’s data is most likely still secure, and that your work on their matters has barely skipped a beat. That would be using “the Cloud” responsibly.