Published on March 3rd, 2021
3 questions you need to ask your cloud vendors
One of the biggest concerns for any law firm making the move to the cloud is security. For lawyers and firm leaders, the idea that confidential client data resides outside the firm’s local network can seem risky. Even IT professionals who understand the benefits of cloud solutions have questions about encryption, data centers, and firewalls. Here are three of the most important things to know about cloud security, and the key questions to ask your vendors.
Is my data stored in a multi-tenant or single-tenant environment?
There are hundreds of cloud services available today, from simple document storage (think Dropbox) to comprehensive legal workflow platforms like HighQ. One key differentiator among these services is how data is stored. For most consumer-grade cloud offerings, your data is stored on the same servers as everyone else’s. While your data is locked behind a password, it lives right next to data that isn’t yours. This is called a multi-tenant or public cloud. Typically, this means lower costs for customers and less complicated infrastructure for providers to manage. Public clouds are often owned by one company (e.g. Amazon) and rented out for vendors to use.
However, public clouds can present some security risks. First, you have no way of knowing where your data is stored. Are your files in your country? Your continent? Natural disasters, connectivity failures, or simply distance can cause serious issues in accessing and ensuring the security of your data. Likewise, public clouds can make it easier for a hacker to access data across clients. For instance, if another user’s account is breached, your data may be at risk simply because it’s stored on the same server.
In contrast, private cloud solutions offer all the benefits of the public cloud – anywhere access, no upgrades, easy signup – without these security risks. Private clouds use a single-tenant model, which is exactly what it sounds like: each client has its own dedicated storage instance, separate from all others. This eliminates the risk of a security breach caused by a different client. And since private clouds are more involved to deploy, vendors own their servers and often have data centers located in your country or region, granting faster speeds and better security.
What are your information security standards, and are you ISO certified?
Every enterprise cloud vendor will claim to have world-class security standards. Anyone outside your IT department will have a difficult time knowing whether this is true. But one easy way to tell if a vendor is serious about information security is to ask about their ISO (International Organization for Standardization) certification. The ISO created standards to ensure security across industries. The most common ISO certification for information security is ISO 27001.
Achieving ISO certification requires that organizations:
Are regularly and systematically evaluated on their security risks.
Implement comprehensive information security controls to the satisfaction of the ISO.
Adopt an approved management process to ensure ongoing compliance.
Alongside robust security infrastructure, rigorous security standards are crucial to ensuring the safety of your data.
How do you test your platform’s security?
The best cloud vendors know they need to test the security of their offerings. Most conduct regular internal audits, but the best way to find out if your security measures are up to snuff is to have a third party try to break in. Often called penetration tests, these simulated cyber attacks are conducted by external security experts.
But these tests are not simply pass/fail. Savvy cloud vendors use penetration tests to uncover several useful pieces of information. These fall into two broad categories – infrastructure vulnerabilities and human vulnerabilities.
Several key infrastructure questions should be answered by a penetration test:
Are the public-facing security measures sufficiently reducing risk to keep bad actors out?
Are there any device-level security vulnerabilities if a hacker gets past a firewall?
Are the vendor’s security policies effective – can doing things “by the book” create vulnerabilities?
Human vulnerabilities often fall under the banner of employee security awareness. We’ve all heard of things like phishing and social engineering – scams that attempt to trick people into divulging passwords or other information that can be used to access a secure system. Penetration tests can reveal weaknesses in training and identify employees who need additional reminders.
Finally, if the worst happens and there is a security breach, these tests can reveal how IT and security teams react. Unfortunately, there is no perfect security system, and an effective response to security incidents can be the difference between a problem and a catastrophe.
Knowledge is power
While an IT professional will always be your best asset in evaluating a cloud vendor, it helps to have a basic understanding of the kinds of security issues at stake. Top-tier cloud vendors should be able to answer (and provide documentation for) these kinds of questions easily.
Armed with this knowledge, you can make more informed decisions about the role cloud plays in your firm’s technology roadmap and see the benefits of the cloud for yourself.