Navigating the Fog of Cloud Computing
Cloud computing may raise ethical questions. It also requires technical competence. Are you ready?
Published as: Shannon Brown, Navigating the Fog of Cloud Computing, The Pennsylvania Lawyer 18–22 (Sept./Oct. 2011).
Cloud computing. For some a fog — what is cloud computing? For others, a storm front — an ethics disaster waiting to happen. For still others, puffy white clouds — the new frontier for the profession. Cloud computing may provide benefits but also poses significant challenges for the legal community. The biggest challenge is the growing expectation of technical competence in addition to legal competence.
Recently, the Pennsylvania Bar Association’s Committee on Legal Ethics and Professional Responsibility issued Ethics Informal Opinion 2010-060 (Jan. 11, 2011). The opinion grappled, in part, with cloud computing and concluded “[a]n attorney may ethically allow client confidential material to be stored in ‘the cloud’ … provided the attorney makes reasonable efforts to assure that the material is confidential.”
Thus, in this early analysis, the Pennsylvania Rules of Professional Conduct may conditionally permit the use of cloud computing. But a lawyer must carefully and knowledgeably analyze the technical aspects of cloud computing before using a cloud service to assure compliance with the “reasonable efforts” condition. The technical issues involved with cloud computing are probably more complex than many lawyers realize. Thus, an introduction to cloud computing and overview of some of the technical issues may help lawyers to evaluate the cloud.
Defining Cloud Computing
In a nutshell, public cloud computing describes the sharing of remotely accessible computer resources through the Internet. Essentially, cloud computing distributes costs, systems management and risks by allowing entities with similar needs to share computer resources (sometimes called multitenancy). Each subscriber to the sharing arrangement has a dedicated allocation of disk space or a software application. A subscriber to the cloud computing solution usually accesses the resource with a Web browser and a user account (login). In public cloud computing, a third-party vendor owns or controls the remote hardware, software and facilities, distinguishing public clouds from private clouds used by large enterprises.
The cloud makes access to data possible through mobile computing devices. The days of waiting to get back to the office to check the computer wane. A lawyer and client may expect ready access to e-mail, client files, billing information, research tools and Web resources from any location and from any device.
Introducing Common Cloud Computing Forms
When investigating public cloud computing, four acronyms abound: STaaS, SaaS, PaaS and IaaS. The first two are the most common forms for public cloud computing and are the focus of this article. (PaaS, Platform-as-a-Service, and IaaS, Infrastructure-as-a-Service, are typically enterprise-level forms of cloud computing. Most law firms are unlikely to directly encounter these forms.) Recognize, however, that vendors may combine attributes of various forms to create hybrids.
Storage-as-a-Service (STaaS) includes online backups, data synchronization and file storage (sometimes with collaboration or sharing capabilities). STaaS usually involves (1) disk space, (2) remote access via the Internet and (3) a user account. Online backups, as a complement to local backups, may be a compelling option for law firms. Some lawyers also use online data synchronization to permit access to files from mobile devices. Examples of STaaS are CoreVault, MozyPro, DropBox, JungleDisk and Carbonite. Windows Live SkyDrive, iGoogle, MobileMe and UbuntuONE also offer STaaS-like file storage along with other features.
Lawyers already familiar with cloud computing probably think first of Software-as-a-Service (SaaS). While exact implementations vary, SaaS vendors typically offer (1) a software application hosted remotely (in the cloud), (2) available through the Internet and (3) accessible by a user account. The Web-based software applications deliver functionality similar to traditional software. However, rather than buying software and installing the software on a local computer, the subscriber merely pays for access to the cloud provider’s software application. The SaaS vendor typically takes care of maintenance, systems administration, updates and (possibly) security.
Today, almost all traditional software applications have cloud complements — word processing, case management tools, accounting, billing and client management. Examples of SaaS are SalesForce.com (customer relationship management), Google Apps for Business (office productivity suite), Office 360 (Microsoft Office in-the-cloud), LotusLIVE for Symphony (office productivity suite) and Zoho (office productivity suite). Law-practice-specific SaaS offerings include RocketMatter, Clio, MyCase, FirmManager and RealPractice.
Cloud Computing Issues Specific to Lawyers
Lawyers, as lawyers, face unique issues when evaluating cloud computing. At minimum, use of cloud computing potentially implicates the preamble (Competence, Diligence, Responsibilities to Clients), 1.1 (Competence), 1.6 (Confidentiality), 1.15 (Safekeeping Property), 5.1 (Supervision), and 5.3 (Responsibility Regarding Non-lawyers) of the professional conduct rules. However, lawyers also need to recognize the potential damage to reputation (Pennsylvania might require disclosure of data breaches, 73 P.S. §§ 2301, et seq.) and lurking malpractice issues when using cloud computing. (Think of the implications of a script kiddie hacker posting your client’s, unencrypted confidential data to Twitter).
As the recent ethics opinion suggests, lawyers may use cloud computing as long as the lawyer “makes reasonable efforts” to assure confidentiality. The opinion includes some helpful, general guidance on reasonable actions. But recognize that the rules objectively measure reasonableness (see 1.0(h)). An objective test implies an emerging expectation of technical competence by lawyers and necessity for understanding technology best practices. Thus, while cloud providers extol the ease and simplicity of cloud computing, for lawyers considering cloud computing, the considerations are complex with few easy answers. There are no short-cuts.
Understanding Technology Best Practices
Foremost, lawyers cannot necessarily rely on the generic claims made by cloud computing vendors. Vendors often promote solutions that are available to a wide variety of industries or for personal use (consumer products). Even if a vendor claims law-specific focus, the lawyer must still take a hard look to assure compliance with the Pennsylvania rules.
Best practices include basic familiarity with:
- encryption to limit third party access to cloud data,
- knowing where the cloud data resides, and
- adequate disaster recovery.
Note that the discussion here is not intended as comprehensive. The discussion, rather, focuses on illustrating the complexity and suggesting potential best practices.
By definition, use of the public cloud presumes some degree of access by third parties to the materials stored in the cloud — cloud provider and network providers. Therefore, reasonably maintaining the confidentiality of client data involves the proper application of encryption technologies. The lawyer, however, cannot simply rely on generalized claims by the cloud provider that the data is encrypted. Competently knowing exactly what is encrypted and when and for how long is essential.
What is encryption? Simply put, encryption scrambles data (files) using a mathematical algorithm and an electronic “key.” An encrypted file looks like gibberish so an unauthorized person with access to the file cannot read the encrypted file. Theoretically, only the holder of the key can unscramble the data.
Transmission Encryption vs. Storage Encryption
The cloud involves two types of encryption: transmission encryption (transient) and storage encryption (persistent). Distinguishing the two is important because they have specific roles.
Cloud providers commonly use Secure Sockets Layer (SSL/HTTPS) encryption to secure data traveling through the Internet between the subscriber’s local computer and the remote cloud provider. (Some providers tout SSL as bank-grade security or credit-card-transaction security.) Think of this form of encryption as transient because SSL only protects data while in transit.
In contrast, storage encryption persistently stores the data in an encrypted state. Storage encryption thus protects the data while stored on DVD, hard drive, USB drive or in a backup set. Common storage encryption technologies include AES, 3DES and public-key (PKI) encryption.
Practical Encryption Issues
If using SaaS (online software including Web e-mail), SSL should be used to encrypt all communications between the lawyer and the SaaS provider. Otherwise, the data transmitted from the lawyer’s computer (for example, typing a word processing document) is open to interception. SSL is also important for securing logins to both SaaS and STaaS — otherwise your login information is transmitted in the clear and risks access to all materials in the account. Recent media reports about Firesheep (a readily available interception tool) illustrate the reality of this danger.
More complex issues arise with storage encryption. Control of the encryption key is a fundamental issue. The lawyer should carefully assess who really controls the key before selecting a cloud provider. In many cases, especially with consumer-grade cloud offerings, the cloud provider, not the subscriber/lawyer, holds the key. Remember, the holder of the key potentially has unlimited access to your data. This creates a two-fold problem for the lawyer. First, the lawyer potentially cedes effective control of the data. Second, the provider could lock out the lawyer from the data.
In general, the lawyer should encrypt (ideally using the lawyer’s key) any data before uploading to the STaaS provider. Some lawyer-oriented STaaS providers follow this model, but most STaaS providers do not. An alternate model offers to encrypt data at the STaaS provider’s location using the STaaS provider’s key but with a subscriber’s “passphrase” — a compromise solution. Other STaaS providers, especially generic consumer-grade offerings, only encrypt on their end and then only using their key. A lawyer should seriously consider all the ramifications of this latter model before proceeding — how much do you and should you reasonably trust the provider?
Storage encryption becomes a real challenge with SaaS. Remember with SaaS, the subscriber uses software hosted at the SaaS provider’s data center. That remote software may create word processing, spreadsheet, database or other files saved at the SaaS provider’s site. This raises issues regarding how the data is protected and who holds the keys to the protection. For example, the provider may encrypt the data using the provider’s encryption key resulting in the same problems addressed above.
Thus, a lawyer needs to understand the use of and possible limits of encryption in the cloud. As the discussion implies, trust is a significant factor in cloud computing—especially with SaaS.
Knowing Where the Data Resides
Cloud providers may use multiple data centers across multiple jurisdictions, domestic or foreign. The lawyer should know the general location of any data centers used (for security, cloud providers might resist disclosing specific physical addresses) to minimize jurisdictional issues if a problem arises with the cloud provider. Furthermore, the lawyer should check the cloud provider’s policy on notice before moving data. A move may unexpectedly relocate data from one jurisdiction to another. In some cases, the cloud provider “shards” the data by splitting a file into pieces and stores pieces of the data in multiple locations, creating a pan-jurisdictional issue.
Also, the lawyer should be aware of “layered clouds” where one cloud provider sources some of its services from another cloud provider, such as an IaaS or PaaS provider. The lawyer may believe the data is stored with one provider when other cloud providers may also be involved, with each layer introducing its own complexity and potential jurisdictional issues.
Recovering from Disaster
While no disaster recovery program is perfect — the recent Amazon EC2 (cloud service) outage, apparently with some data loss, demonstrates that even cloud recoveries can fail — knowing before a disaster occurs what is backed up, what remedies are available and how the provider tests the backups is prudent.
If using STaaS in your own backup plan, you should verify that the cloud-based backup data is available by overnight delivery service in the event of a local computer failure. Downloading gigabytes of data is probably not feasible. If using SaaS, keeping local backup copies of cloud files. Regularly refreshing the local backup copies may be is necessary. However, if the SaaS service is database-oriented, retaining a meaningful backup of the data might not be viable and may be a factor when considering a SaaS option.
The cloud introduces complex issues for lawyers. In technology, like law, there are rarely simple answers. Ascending into the cloud, however, without a competent understanding of the issues may raise ethical questions. Granted, some of the issues implicated in cloud computing also arise with firms using traditional technologies. That is, cloud computing is not seemingly held to a higher standard. But cloud computing arguably amplifies the need for solid technical competence, in addition to legal competence, as a lawyer. The cloud lures. Are you prepared for the journey?
- Decrypting Encryption for Pennsylvania Lawyers: Encryption Basics When Considering Cloud Computing
- The Pennsylvania Lawyer Article: Unofficial Supplement.
First Publication: Shannon Brown, Navigating the Fog of Cloud Computing, The Pennsylvania Lawyer 18–22 (Sept./Oct. 2011).