Cloud Computing Security (for Alternative Law Firms and Others)
CLE 
Yaacov P. Silberman · October 19, 2011
In my first two blogs on the subject of cloud computing for lawyers, we learned the basics of cloud computing and how it’s being used by lawyers. We also briefly explored the principal ethical implications for lawyers who use such virtual law technologies in their practice. Lawyers practicing in alternative law firm models are increasingly relying on such technologies as a way to stay connected to their fellow lawyers and to their clients, and also as a way to to keep down operating costs.
How should operators of alternative law firms evaluate the myriad cloud offerings available to lawyers?
When evaluating vendors of cloud computing services, law firms need to examine two major components: security and privacy. Security is a broad category and encompasses both physical security and application security.
Physical Security
Physical security refers to aspects of the physical location where a company’s data is stored. A data storage facility belonging to a cloud vendor contains storage racks, servers, hard drives, power generators, etc. When examining a vendor’s physical security, we must ask questions such as:
- Is the facility in a geologically secure area, or one prone to earthquakes or other natural disasters?
- In how many different locations will my data be stored? This is referred to as “redundancy” and is one of the most important types of protection for your data. Important data should be stored in at least two separate physical locations.
- Who can access the storage facility and how does the vendor limit access to unauthorized persons? What sort of alarm system, guards, monitoring, etc. exist at the facility?
- What sort of backup power does the data facility have?
This is only a sample of the questions you should ask. The best way to get answers to these questions is by asking the vendor. Many of these issues might be addressed on the vendor’s website, but you can also ask the company’s representatives if questions remain.
There are also independent certification bodies that evaluate a vendor’s security practices. The most well-recognized certification that examines physical security is SAS 70. 
SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants. (The current standard is now called Service Organization Control Reports). The SAS 70 mark represents that a service organization has been through an in-depth audit of their control activities, security processes, and other measures they’ve taken to safeguard their customers’ data. You can always request the actual report from the cloud computing vendor.
Application Security
Application security refers to the security measures that are built into a particular application (or program) to guard against threats, attacks and vulnerabilities.
Data encryption is one of the most important aspects of application security and is also one of the most common. Encryption (referred to as Transport Layer Security or TLS) allows applications to communicate across a network in a way designed to prevent eavesdropping and tampering. In very simplified terms, a person’s computer and the website the person is using will exchange a private encryption code, and all data communicated between the computer and the website is scrambled using that code. In the event someone were to intercept the data, the interceptor would only see garbled incomprehensible code.
In addition to data encryption, an application should have other security measures built in. For instance, the application could require that passwords contain a minimum number of letters, numbers and special characters or require that users reset their passwords at regular intervals. The application might also “lock out” users if they repeatedly and unsuccessfully try to log in to the application.
The principal certification that addresses application security is McAfee Secure seal. 
This mark means that the site is tested daily for potential breaches, viruses, intrusions by malware, and more.
It’s also useful examine who the service provider’s customers are and how those customers are using the service. It’s far from a guarantee, but if a company counts among its clients 98% of Fortune 500 companies, that can be an indication that the cloud service provider is trusted in the industry.
In my next blog post, we will examine how to evalute a cloud computing vendor’s privacy practices and terms of use.
