Comment: Don’t trust the cloud, trust the provider
By Andrew Brewerton, EVault’s regional director EMEA west.
For some, the term ‘cloud’ seemingly emerged from nowhere. Before they knew it, the cloud or cloud computing – which has been defined as any service delivered over a network – was being advocated as the future for all IT applications. These could range from cloud management tools, designed to help senior partners run their law firms, to cloud billing software, accessible from any internet-enabled computer; ‘cloud’ became the buzzword of 2011/12.
It’s easy to see why the cloud has grown in popularity in the legal sector. Lawyers need to be able to work on the move, heading to and from court or visiting clients. The cloud has given legal professionals the opportunity to access and sync their files safely while on the move and at home.
Law is a profession which generates a high volume of important data and keeping that data secure is paramount. As a result, one of the most valuable services available in the cloud is data back-up and disaster recovery. While most law firms still rely heavily on paper files (it may be some time before someone presents a digital bundle in court) the volume of information stored on company servers is growing. Not only are client files recorded digitally, but archived files are also being uploaded.
Law firms need to be sure their data can easily be recovered, especially in the event of a disaster. Data, after all, is the lifeblood of business; losing a client’s information can negatively affect business and the firm’s reputation. If data is not backed up regularly, and can’t be restored at speed, then the business is being put at risk.
Why trust the cloud?
Technology vendors are often asked: is the cloud safe? Can our company be sure its data is secure? They will be told yes. When data is backed up to the cloud it is essentially moved across a WAN and laid to rest in a secure data centre. This is instead of being copied to a tape or disk on site.
Businesses can choose from one of four tiers of data centre. The higher the tier, the more security will be put in place to safeguard the data. For example, a tier four data centre is designed to host mission-critical servers and computer systems. Access to the servers will be controlled biometrically, and physical security will be provided by cameras and guards. But, no matter which tier of data centre a company chooses, the business can be assured that encryption and security solutions will be in place.
While the cloud itself is secure, there are a number of law firms that have taken their cloud backup and disaster recovery back in-house as a result of the poor quality of service they were receiving from their service provider. To avoid such situations, law firms must learn to recognise the qualities of a good cloud reseller/vendor.
How to spot a poor cloud reseller/vendor
Choosing a cloud partner is all about trust. The law firm has to trust the chosen supplier, trust it has the skills to protect its data, trust that it uses reliable technology, and trust that its business is stable and therefore unlikely to fold in the near future. It is important that the firm considers every aspect of the partnership, thus gauging the provider’s reliability.
For a business to do this, the following questions should be asked:
Question: How can we be sure that our staff are the only ones with access to our data and that it is protected from hostile parties?
Answer: Confirm that the MSP has a solution that encrypts the data on your premises before sending it to the cloud. Also verify that data will be stored according to relevant security compliance standards. For example, NASD Compliance & SEC Compliance demonstrates accountability when storing financial records.
Some providers will also supply an encryption key for the data. In this case, only the holder of the key will be able to decode that data.
2. Service level agreement (SLA)
Question: If our data is stored in a data centre, how long will it take for it to be recovered in a disaster?
Answer: When purchasing solutions from an MSP, an SLA will be set out. This will explain the services that the provider guarantees. It should describe how data will be handled and it will make clear what to expect in the event of a disaster. Be sure that the recovery time objective (RTO) meets the business’ requirements (if you need data recovery within 12 hours then explain this to the MSP), and remember there is no reason not to question the SLA on offer. The responses given can be used to judge whether your expectations can be met. Equally, it is important to know what will happen if the MSP does not meet the SLA – is the deterrent strong enough?
3. Financial stability
Question: What happens if our supplier goes out of business?
Answer: Each supplier will handle this differently, but they should be able to say what will happen and there will be clauses in the contract for return of data on default.
To protect the business from this eventuality, why not look for a hybrid solution that will allow for onsite redundancy: the business experiences the benefits of the cloud while keeping a copy of data in an on-premise vault in the event another MSP needs to be employed. For peace of mind, a credit report can be run on potential providers before making a commitment.
4. Recovery process
Question: If we are not in control of the recovery of our data, how can we be sure it will be restored as expected?
Answer: A good service provider will agree to carry out regular disaster recovery rehearsals – this can be written into the SLA. Rehearsals ensure that the business knows what should happen in the event of a real disaster and confirm that RTOs can be met. While some companies are happy to test the recovery process just once or twice a year, businesses storing critical data would be advised to insist on more frequent practice runs. The more important the data, the more often its recovery should be tested.
Question: What happens if the data centre is damaged and the backed-up data is destroyed?
Answer: Look for a solution that allows for onsite redundancy. Also consider an MSP that can back up data to multiple data centres in different geographic locations.
Above and beyond these questions, a supplier should be able to prove its track record with an excellent set of references. Most reputable resellers and vendors will display testimonials on their website. But if they don’t, there is no problem in requesting references from an existing customer. If there is nothing to hide, the MSP will be perfectly happy to provide such details.
It’s a pity that some businesses have had bad experiences with their cloud back-up and disaster recovery provider, but it’s the same as with any industry, including law. Some companies are much better at what they do than others. There are good, trustworthy, resilient, efficient and cost-effective providers out there – you just have to know how to spot them.