Previously:
The Sad State Of Law Office Software
I’m going to work up to specific products, but let’s start with the concept of storing valuable, confidential data in the cloud, on servers run by some big company.
As a lawyer in a small firm, think of the scariest example you can imagine – say, your highly sensitive letter to a client outlining the risks in your litigation strategy, or notes on the phone conversation with a client where she confessed to killing Colonel Mustard in the library with a candlestick. Save the file as a Word document on the server in the file room. Now imagine saving it instead in the air on a server run by Microsoft or some other faceless corporation. What are your concerns?
More and more lawyers are realizing that their instinctive fear of storing files offsite does not reflect any real increased security or confidentiality risk.
There is a debate under way about the level of security required from companies offering hosted services, whether storing files offsite raises any new ethical obligations or requires any additional disclosures to clients, and where liability will lie in the event of breaches. There will be close scrutiny of threatened or real attacks by hackers, like the Chinese attacks early this year. You’ll see lots of articles about the pros and cons of “software as a service” (known as SaaS in the biz), and cloud computing.
Those are all healthy conversations, but let me tell you how it looks to me: The best of the hosted services already meet any and all realistic requirements to make them comparable to or safer than local storage of files in a computer down the hall. Microsoft has 40 million subscribers, mostly in large companies, using Microsoft Online Services for mail and online file storage and collaboration. Most Fortune 500 companies make use of hosted services from Salesforce.com. The hard work has been done to harden the security of careful hosted service providers.
Here’s an article that criticizes the move to the cloud and makes a pitch for a turnkey setup of an HP server running Time Matters down the hall.
The focus on ‘cloud computing’ using third party services is all wrong. Your clients trust you with their confidential data. Rather than take this private data and store it ‘somewhere out there’, shouldn’t your clients know that you are managing and controlling their data 1.) within your own office, 2.) under your full control and 3.) as their lawyer have provided each client secure ‘private cloud’ type access when appropriate. In other words you should be providing private clouds for your clients.
Well, maybe.
Let’s look at a few considerations about the security and cost of having your files stored in a server down the hall.
- The primary security risk to your data is the one that no one thinks of: if someone steals your server, your data is compromised. For all intents and purposes, nothing can be hidden from someone who has physical possession of your computer. (There are methods to encrypt data that are virtually never used in small businesses or small law firms.) You lock your door when you leave. Is that better security than Microsoft has for its servers?
- Most small businesses have set up some method of remote access to their files. Small Business Server facilitates logging into office workstations remotely through a portal on the server. LogMeIn and GoToMyPC provide free or inexpensive remote access to workstations or servers. The pitch above proposes a “private cloud” for clients, meaning remote access to a portal on the server by clients. Do you trust the security of those products more than the security maintained by, say, Salesforce.com? I think all those options are sufficiently secure for a small firm – but that’s my point. Your data is at risk from remote attacks against the computers inside your office, exactly like you fear it is at risk on a hosted provider’s computer.
- Your server has an Internet connection and some level of firewall preventing hackers from getting to it. Maybe that’s a business-class SonicWall firewall appliance, but in a lot of businesses it’s a Linksys router from the shelves of Best Buy. Now that you think about it, that’s not likely to be as secure as the firewall that Google has at its data center, is it?
- The remote access to your server or your desktop computer is controlled by a login name and a password. That’s exactly the same as the access to the servers run by hosted services. Do you have a strong password? If you have a weak password for remote access to your computer – well, you forfeit any right to claim to be concerned about the security of hosted services.
- The security of your server and your business programs can only be maintained if security updates are installed promptly and correctly. I just spent too many hours installing Time Matters 10 Service Release 3 (now with new improved hotfix!). It installed smoothly on the server and three workstations. It blew up badly on three other computers, requiring reinstallation and tweaking and twiddling. The advantage of hosted services is that updates and backups are someone else’s problem. If you have a good provider, those things will be done invisibly.
The traditional fear of hosted services for small firms is being cut off from getting work done if the Internet connection goes down. That’s a legitimate fear; there’s no cost effective way for a small firm to maintain a backup Internet connection. The DSL line is already crucial to running the business and it would be an even bigger crisis to have the line go down if the firm’s data was offsite. There are ways to mitigate that (some services have an offline component, for example), but the reality is that Internet connections have become very stable in most offices. The equipment inside the office can fail – a switch goes bad, a router dies – but that would just as likely cut off the onsite server from the workstations.
If your data is hosted, the Internet connection might go down; if your data is onsite, your server might crash. That’s not quite 50-50 in my experience; I think I’ve dealt with server crashes more often than extended Internet outages. And the server crash is more likely to result in a longer, more difficult, and more expensive outage.
I’m not trying to argue that hosted services are clearly the right answer. Instead, I want you to keep some perspective when you think about your own misgivings. The new cloud services have some interesting advantages and you may want to consider them sooner rather than later.
Next: the demo that got me interested in all this.
I hear you on all the technical points. But what worries me is the kind of “voluntary disclosure” in the name of “national security” that has lead to rampant data mining by our own government through private companies like the telcos. Back in the early GWB War on Terror, the phone companies /completely/ rolled over for the feds. Google and Microsoft might have the best firewalls in the universe, but what if President Cheney convinces their legal staff that my client is a potential terrorist threat? I simply don’t see those companies going to the barricades for the Fourth Amendment – quite the opposite.