Comment: DMS security – five ways trusted cloud platforms safeguard client data

Recent high-profile data breaches of internal IT systems at major international firms are causing clients to increase the scrutiny of their outside counsels’ cybersecurity efforts. Now, more than ever, it’s essential to ensure law firms are doing everything they can to safeguard their clients’ data against ever-evolving threats. While end users can often be the weak spot when it comes to security, it’s equally important that law firms embrace modern best practices around the storage and management of client data in their document management systems (DMS).
Rather than trying to address today’s increasingly demanding security requirements all on their own using traditional systems, law firms and corporate legal departments are increasingly looking to trusted cloud-based solutions that have been purpose-built to safeguard client data. A 2015 Cloud Security Alliance (CSA) survey of 200 IT and security professionals revealed that “64.9% of IT trusts the cloud as much or more than on-premises.” Modern cloud solutions today provide world-class levels of security and data privacy, including encryption at rest with the strongest levels of cryptography, Hardware Security Modules (HSMs) for the protection of cypher keys, unique encryption keys per document, customer custody over encryption keys, best-in-class perimeter defense, denial of service prevention, etc.
Below are five key ways modern cloud DMS platforms can help improve the safeguarding of law firm client data:
1.Automatic encryption of data at rest using Hardware Security Modules (HSMs). Sensitive client information is at risk when it’s not encrypted at rest. Surprisingly, many law firms today still have not implemented basic encryption at rest with their traditional DMS due to cost, complexity, and lack of native support for encryption at rest in traditional systems. When the data stored in a DMS is not encrypted, law firms are effectively commingling sensitive data from all their different clients in one big unencrypted library, and also exposing sensitive data in ‘clear text’ to potential external and internal hackers, including system administrators. Thus, encryption at rest has become a baseline standard to protect against unauthorized access to sensitive information. Modern cloud platforms can automatically encrypt all data at rest, with the encryption keys securely managed, processed, and stored inside hardened, tamper-resistant HSMs.
2.Unique encryption keys per file. While ensuring that client data in the DMS is encrypted at rest is extremely important, equally important is how that data is encrypted. If a single cryptographic key is used for all data stored in a DMS, a hack of that single key could expose the sensitive data for all of a firm’s clients. Today, cloud platforms can provide a separate and unique encryption key for each document. Under this model, in the unlikely event of an encryption key being compromised, only a single document would be exposed, as opposed to all of a firm’s client data. Cloud solutions today also enable customers to maintain custody over matter or workspace encryption keys, giving law firms the ability to completely revoke the cloud service provider’s access to data at any time.
3.Highest levels of built-in security and compliance. It’s increasingly not enough to simply host traditional systems in third-party datacenters that have obtained ISO 27001 certification. What’s becoming more critical is that the actual software platform itself, as well as the internal operations of the vendor related to the delivery of such platform, achieve the highest levels of built-in compliance and security certifications including ISO 27001, SOC2 and the emerging SOC2+ standard, HIPAA, SEC 17-A, FIPS 140-2 Level 3, etc. By using a DMS that provides these industry-leading certifications built-in to the platform, law firms can ‘inherit’ the levels of security and compliance that will give clients peace of mind and help fulfill the most stringent security audit requests. With traditional systems or hosted versions of traditional systems, the burden is on the law firm to achieve security and compliance of the software and how it is deployed. 
4.Flexible hybrid solution that provides a seamless end-user experience. Most experts agree that modern cloud platforms provide higher levels of security and compliance than most individual law firms can on their own (i.e., security economies of scale). However, some data may still need to be stored locally for data sovereignty, information governance, or simply because of certain client requirements. In this case, the DMS can still be delivered via the cloud, but designated data storage may remain locally within a firm’s specified location(s). To ensure a seamless experience for end users, it’s essential that the storage location (cloud or on-premises) be configurable on individual clients/matters all within a single repository or library. If the storage location can only be configured for an entire repository or library, it can introduce significant usability issues as users are constantly required to stop and think which library to search in, save documents in, etc.
5.Built-in advanced security protections for end users and end user devices. Modern cloud platforms can not only improve the safeguarding of client data from a back-end standpoint, but also from the front-end aka end user standpoint through enforcement of 1) strong passwords through federated identity integration; 2) two-factor authentication at all times and on all devices; 3) restricted access based on devices and IP addresses; 4) validated audit trails and history logs; and 5) access control restrictions for externalizing or emailing specific documents. For secure offline working, modern cloud solutions provide “Dropbox-like” device synchronization capabilities with robust governance controls such as remote wipe, device authorization and blocking, etc. For mobile device document editing, modern cloud solutions provide an automatic way for Microsoft Office applications to directly read and write files to the document management system, thereby eliminating the security risk of having documents stored on tablets or phones. These end-user and device security controls should be built-in to the cloud solution to ensure comprehensive but seamless security. 
Law firms and corporate legal departments have been embracing cloud-based DMS for many years to modernize their technology and improve usability, mobility, and agility. Now firms of all shapes and sizes are moving to the cloud at an unprecedented rate to improve security and compliance. Modern cloud platforms have been purpose-built to safeguard data and, coupled with proper internal training and controls, provide a robust “Security as a Service” solution for client data. This unique “Security as a Service” value proposition will increasingly be a key driver behind the current shift from the ‘early adopter’ to the ‘early majority’ phase of modern cloud-based DMS adoption.
Alvin Tedjamulia is chief technology officer at NetDocuments