Cloud security – pay attention to your data with Ascertus
For many years, one of the biggest objections to cloud adoption was security risk. Today the major providers run platform security at a level few firms could match on their own, so this is no longer a barrier to adoption in itself. It does not, however, remove the firm's own share of the responsibility.
Securing the cloud
This said, I recently read an interesting quote – cloud architecture is no fine wine when it comes to security. It got me thinking – it’s true, unlike fine wine, in the context of security, cloud architecture that is already deployed doesn’t get better with age. To the contrary, the cloud provides a wide attack surface, and with rapidly advancing technology and cyber criminals continually evolving their attack methods, security measures have to be constantly enhanced for them to remain effective.
At the technology and platform level, there is no doubt that the cloud providers (Microsoft, Google, Amazon) are investing in security to an extent that no single business could match if it tried to do the same on-premises. But cloud adoption still requires you to pay continuous attention to security. Being in the cloud does not, by itself, secure your firm's data: the provider secures the platform, and your firm remains responsible for how its applications, identities and data are configured and used.
If you have moved your firm’s business applications to the cloud, here are some things to think about:
Are your business applications cloud native?
There’s a world of difference between traditional applications (often referred to as “monoliths”) that have been “retro-fitted” with cloud technology versus those that are cloud native – i.e., built with cloud technology from the ground up. Without going into the technicalities, cloud native applications offer modern UX and CX, are easy to enhance with new features and functionality, can be scaled up quickly, and due to their very nature, can be integrated with other third-party solutions to help create seamless, digital work environments based on the needs of your firm.
The nature of your cloud application has a bearing on your security risk. If you are in the cloud on a traditional application that has been retro-fitted for the environment rather than built for it, you may not get the benefit of security models such as Zero Trust (no user, device or network location is trusted by default; every request is authenticated and authorised, and no single person can change a system in a way that affects its security) or Zero Touch (an operating model in which no one at the vendor, not even its IT administrators, can access customer data).
Do you have multifactor authentication active for your cloud applications?
Yes, I know: your users will likely tell you that multifactor authentication gets in the way of their work. But given how capable and well-resourced cyber criminals are, this measure must be in place to help prevent credential-based breaches. Likewise, check that encryption in transit and at rest is standard, not an optional extra.
Where exactly is your data?
Just because your cloud vendor has an in-region datacentre where it says your data is domiciled doesn't mean that your firm's data always remains in that region. If you have a cloud solution covering multiple jurisdictions, there are multiple datacentres where your data could reside. To comply with client requirements and the numerous country-specific data protection laws, you may need to ensure that some functions of the cloud solution only perform their processing in designated datacentres. If the data leaves a jurisdiction even for a fraction of the time, it could result in non-compliance, so ask the vendor to state in writing where data is stored, replicated and processed for each function you use.
Do users have secure access to the data they need?
Especially in a hybrid world, it's important that users have access to the data they need to do their jobs efficiently. Cloud technology enables this well: today people can work from anywhere, from any device and at any time. That same ease of access is a substantial security risk, so it's essential that your firm configures its business-critical systems so that information is only ever available to employees on a need-to-know basis. For example, in your document management system, users should be able to apply security policy to each and every document, to a granular level, with a click of the mouse. To illustrate, a lawyer could apply security to a document such that individual A would not be able even to view it, while individual B could both view and edit it because of their close involvement in the matter.
Likewise, your cloud business systems should have capabilities activated so that your IT administrators are alerted to untoward activity. If hundreds of documents are suddenly being downloaded by an employee for whom that is uncharacteristic, it may well be a compromised account or an insider at work. In that case your IT department can immediately suspend the account or session and isolate the affected systems to mitigate or avert a disaster.
These kinds of capabilities embed security without creating unnecessary constraints in employees' day-to-day workflows.
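The alerting described above (an employee downloading far more documents than is normal for them) is easy to reason about but worth seeing as concrete detection logic. The following is an added example written for this page, not code from Ascertus or from any document management product. It assumes a hypothetical audit log format of one line per event, "timestamp user action document-id", and builds a constructed sample log in which one user's download count jumps from a few per day to over a hundred. Each user's day is compared with their own prior days, with an absolute floor so that a low-volume user is not flagged for normal variation, and a user with no history is judged on the absolute floor alone.

```python
"""Flag uncharacteristic bulk document downloads from audit log lines.

Added example; the log format, field names and thresholds are assumed
(hypothetical), not taken from any real product.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

ABS_FLOOR = 50          # never alert below this many downloads in one day
MIN_BASELINE_DAYS = 3   # history needed before the per-user statistical test applies
SIGMA_MULTIPLIER = 3.0  # alert when a day exceeds mean + k * stdev of prior days


def build_sample_log():
    """Constructed audit log: '<YYYY-MM-DD>T<HH:MM:SS>Z <user> download <doc id>'."""
    lines = []
    start = date(2024, 3, 4)
    n = 0
    # Five ordinary days: alice downloads 3 documents a day, bob 4.
    for offset in range(5):
        day = start + timedelta(days=offset)
        for user, per_day in (("alice", 3), ("bob", 4)):
            for i in range(per_day):
                n += 1
                lines.append(f"{day.isoformat()}T09:{i:02d}:00Z {user} download DOC-{n:04d}")
    # Sixth day: alice pulls 120 documents, bob is normal, carol (no history) pulls 8.
    day = start + timedelta(days=5)
    for i in range(120):
        n += 1
        lines.append(f"{day.isoformat()}T10:{i % 60:02d}:{i // 60:02d}Z alice download DOC-{n:04d}")
    for i in range(4):
        n += 1
        lines.append(f"{day.isoformat()}T11:{i:02d}:00Z bob download DOC-{n:04d}")
    for i in range(8):
        n += 1
        lines.append(f"{day.isoformat()}T12:{i:02d}:00Z carol download DOC-{n:04d}")
    return lines


def parse_line(line):
    """Split one log line into (day, user, action, document id)."""
    timestamp, user, action, doc = line.split()
    return date.fromisoformat(timestamp[:10]), user, action, doc


def daily_download_counts(lines):
    """Return {user: {day: number of downloads}} for download events only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, user, action, _ = parse_line(line)
        if action == "download":
            counts[user][day] += 1
    return counts


def find_bulk_download_alerts(lines):
    """Return (user, day, count, reason) for days that look like bulk exfiltration.

    A day is compared only with that user's earlier days, so a one-off
    busy day in the past does not excuse a later spike.
    """
    alerts = []
    for user, per_day in daily_download_counts(lines).items():
        days = sorted(per_day)
        for idx, day in enumerate(days):
            count = per_day[day]
            if count < ABS_FLOOR:
                continue  # below the floor, never worth an alert on its own
            history = [per_day[d] for d in days[:idx]]
            if len(history) < MIN_BASELINE_DAYS:
                # Cold start: no usable baseline, so the absolute floor decides.
                reason = f"{count} downloads with no baseline; exceeds floor of {ABS_FLOOR}"
            else:
                threshold = mean(history) + SIGMA_MULTIPLIER * pstdev(history)
                if count <= threshold:
                    continue
                reason = f"{count} downloads vs baseline mean {mean(history):.1f} (threshold {threshold:.1f})"
            alerts.append((user, day.isoformat(), count, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_download_alerts(build_sample_log()):
        print("ALERT", *alert)
```

In practice the counts would come from the document management system's audit export and the alert would feed a SIEM or an automated account-suspension step. The per-user baseline matters: a threshold set firm-wide is either too loose for a paralegal who downloads two documents a week or too tight for a team that routinely bulk-exports disclosure bundles.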
Do you know how your cybersecurity insurance will play out in the unfortunate event of a breach?
Law firms are ripe targets for cyber criminals because of the highly sensitive nature of the information they hold. Taking out cybersecurity insurance is a no-brainer today. However, make sure that your insurance will indeed provide the protection your firm would need if the worst were to happen. Policies often carry exclusions and limitations that firms discover, to their horror, only at the time of an attack. For instance, many policies exclude attacks attributed to state-sponsored actors.
So, when you take insurance, make sure you have an in-depth understanding of exactly how the policy will play out, should a security breach take place.
Have you considered security, GDPR compliance and certifications?
Certifications help embed best practice for data and cybersecurity in the firm, making the processes business as usual. Think about certifying to Cyber Essentials, a government-backed scheme run in association with the National Cyber Security Centre (NCSC) that focuses on five technical controls designed to guard against the most common internet-based threats.
Similarly, UKAS-accredited certification bodies can issue UK GDPR certification against ICO-approved certification scheme criteria; the first such scheme for Legal Services is due to be approved by the ICO imminently. ISO 27001 certification is a good goal too.
It's worth noting that most cybersecurity insurers demand evidence that strong security measures are in place before cover is granted, and the certifications above are a recognised way of providing that evidence. They can also help reduce your premiums, and over time the saving can be significant.
No organisation today can afford to become complacent about security, and this is even more so in a cloud-based, hybrid working environment. The tools, tactics and strategies that cyber criminals use are continuously advancing; after all, criminal activity is their day job. You must continually test, re-test and fine-tune your security measures and processes so that, ideally, breaches are pre-empted and, if disaster strikes, the impact is minimal. When it comes to security in the cloud, you must always be on your "A" game.