Guest Post :: Is Cloud Storage Secure Enough For Lawyers?

Posted on by Posted in Guest Posts, Online Resources, Software, Technology 13 Comments
Share

The following Guest Post is from my friend and technology wizard, Tomasz Stasiuk:

There is a widening divide among lawyers: those who embrace cloud based services because of the advantages they provide (distributed off site storage, synchronization, and access) and those who are justifiably concerned about putting clients’ documents into someone else’s hands.

Using cloud based service raises issues of security, control, and trust.

  • How are the files protected?
  • Where are they located and who has access?
  • Do you trust the provider?

It may seem naive to talk about trust. "Trust NO ONE" some lawyers shout. However, even solo practitioners have to trust someone. If you do not own your office, you trust your landlord not to riffle through your documents. As a firm grows, trust becomes more important. You trust your staff to keep confidences. You trust their families not to look too closely at documents on desks. You trust your cleaning staff, copier technician, plumber, or your landlord’s HVAC servicer not to listen in on discussions, look over papers or take documents. You trust that someone will not walk in off the street during business hours and take a file.

Still don’t think trust is a big factor in your day-to-day operations in a law office? Do you use a service for storing closed files? You know the drill: you put the files into a cardboard box. cover it with a lid, then you give them to a man who takes them away. You have just given all your client’s confidential records, medical information, social security number, to some guy in a jumpsuit, secured with nothing more than an ill fitting cardboard lid.

You have just given up control of the files. You have given up security for the client information. You are relying that the trust you have put in the storage company and it’s employees and contractors is not misplaced.  

The seldom discussed fact of law offices is that you rely on trust A LOT to maintain confidences. And the people you trust could more easily disclose client confidences than any cloud based service provider.

Let’s look at the other two big issues in using a cloud based service: security and control. Security is always a matter of asking, "as compared to what?" When looking at cloud based storage it is important to consider how it stacks up against other storage options.

PAPER BASED FILES

At one end of the spectrum are pure paper based files. These are inherently less secure since each page is often the sole repository of the information it contains. Paper based files often have no redundancy. Nobody "backs up" paper. The file is "THE" file. If any page is destroyed, the information on it is gone. One fire, one storm, one burglary and it all could be gone. Forever!

Oh, you may be able to recreate part of the file: you may be able to get pleadings from the court, medical records from the doctor. However, this is not a solution. Recreating a file takes a lot of leg work, and there is no guarantee that you will get everything you had before.

What about the security of paper? There is none. Zero. Zip. Paper itself has no security: you cannot encrypt paper. If you have access to the physical file, you have access to the information in the file.

I realize that most paper files are under some type of lock and key. The problem is that law offices are not banks. Even firms that have safes only store a tiny fraction of files in them. Everything else is kept in filing cabinets or on shelves. Accessing a file is as simple as kicking open a door or breaking a window. Most filing cabinets locks can be popped with a crowbar. Even a security system, at best, only limits the amount of time a burglar has in an office. The situation gets worse when files travel. Attorneys who bring their files to court risk having a file stolen out of a briefcase. The three digit combination locks on catalog cases only provides a false sense of security when the lock can be pried with a screwdriver, or the entire case can simply be picked up and taken away. And who hasn’t heard an attorney say, "I left that file in my car." With the car becoming a second office for many attorneys, all it takes to access the files left there is a broken window or slim jim.

Even when you control the physical files, the amount of security you can provide is limited and the value of that security is questionable. Consider banks: one of the most secure private businesses that still allow public access. Despite vaults, cameras, security systems, and guards, even banks get robbed. However, it is only the physical money that is taken, not the 1s and 0s representing clients’ accounts. Even banks find that the best security is simply not having the money at the bank.

Let’s take a look at some of the other options for storing case files.

SELF HOSTED STORAGE

A more middle-of-the-road approach is keeping documents paperless but controlling the storage. A self hosted solution improves on a paper-based system since it allows duplication and encryption. You can have a server in the office and rotate hard drives between the office and home. You can even access data, or back up to, a pogoplug out of your basement. This, at least, provides some off-site backup.

The problem is that the backup is not distributed. In the event of a region-wide disaster (for example: hurricane Katrina) you could still loose both the main copy and the backup.

A self hosted storage solution is the data equivalent of keeping your money stuffed in your mattress. You control where the data is but are you the best person to protect it? Whether you keep the data on a server in an office or at home, or a combination of the two, the simple truth is that you are away from your data half the time.

Just as with paper files, all it takes to gain physical access to your hard drives or servers is a kicked-in door or broken window. Paper files, for all their shortcomings, may be safer as they take more effort to carry off than a harddrive or server.

CO-LOCATION STORAGE

A third option is to store your data at a "colo" (or co-location facility). You provide, buy or rent a server in a data center often with serious security (no one is going to break in, period) and serious services (redundant power, redundant data communications connections, and environmental controls) with a fast internet connection. You control the data and the hardware. Win-Win!

However, there are a few catches:

  • A colo is more expensive than a cloud based solution and if you want back-up and secondary hard drives, those options increase the monthly costs.
  • Data may not be distributed among different machines in different locations.
  • You also have to administer your server remotely. Physical access is limited by the the location of the data center, and its security. Want to go in on the weekend and work on it? Not gonna happen!

The big problem of using a colo, is that you have put your server on a fat pipe. Putting your server on a fast internet connection is like painting a bulls-eye on it. Even if you have an IT guy or IT department, you should take a long hard look at whether you want to take on the security challenge: this is going from playing a pick up game of baseball in the park on Sunday, to playing in the majors. You have to ask yourself: do you want to become a security professional and face off against 12-year-olds accross the world with nothing but time on their hands? Psst… the answer should be, "no."

CLOUD BASED STORAGE

Finally, let’s look at the security offered in a cloud based storage solution. One of my favorite services is Dropbox. This is a server + cloud solution (also known as "offline cloud access"): your data is stored on your own computers or servers, and synchronized with servers in the cloud. In addition to providing storage, it also synchronizes your data among your the various computers you control.

So, how secure is this service? Here is what Dropbox has to say:

  • All transmission of file data and metadata occurs over an encrypted channel (SSL).
  • All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.
  • Dropbox website and client software have been hardened against attacks from hackers.
  • Dropbox employees are not able to view any user’s files.
  • All files stored online by Dropbox are encrypted and kept securely on Amazon’s Simple Storage Service (S3) in data centers located along the east coast of the United States.

You may have noticed that Dropbox uses Amazon’s S3 servers. So, in reality you are trusting two services. Sure, you buy everything from books to toilet paper from Amazon, but can you trust them with this data? Remember that Amazon only provides the storage. Dropbox encrypts the data before any files are stored on Amazon’s S3 servers.

The benefit of using Amazon’s S3 servers is the level of their data center security:

Physical Security:

AWS [Amazon Web Services] data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

Backups:

Data stored in Amazon S3 … is redundantly stored in multiple physical locations as a normal part of those services and at no additional charge.

In short, cloud based storage provides:

  • Encrypted communication (protecting against interception during transmission).
  • Encrypted storage (protecting against data loss through theft).
  • Distributed storage in multiple data centers (protecting against regional disasters).
  • Redundant environmental and power controls (protecting against power and cooling failure).
  • Physical security safeguards (protecting against unauthorized physical access).

I am personally a fan of cloud based storage. While I give up physical control of the media, I gain more security than I could provide on my own.

There are other issues concerning cloud based storage such as terms of service agreements and under what circumstances a provider would release files to law enforcement. Depending on your area of practice, this risk may be reason enough to rule out cloud based storage in your office.

Some of these problems can be resolved by pre-encrypting your data before using a cloud based service. In this scenario, the client system (your computer or server) encrypts the data before it is sent to the server (the cloud based service) so that that the service has zero knowledge of the contents. "Sounds great! Sign me up!" you might say. However, client-based encryption brings its own set of problems.

Container based encryption (encrypting a large folder) via Truecrypt or PGP, defeats much of the instant synchronization benefits of a cloud based service, and increases the chance of conflicts during access. Since the entire container is in use, anytime two users attempt to access the same container, a conflict occurs. The result is either the entire container is duplicated (which can be a problem when you are storing gigabytes of data) or the second user is locked out until the first user has logged off and the local and server copies are synchronized. Note: synchronization is greatly slowed since the entire container must be checked for differences against the cloud based copy, before the differences are uploaded. The near instant back-up and synchronization slows to the point of becoming akin to putting a motor home on a scooter. If you need to pre-encrypt a container, you may want to forego instant synchronization and only consider online backup options such asJungleDisk.

The ideal solution is automated per-file encryption. However, operating systems are moving awayfrom this option and add-ins like EncFS are for techies who are unafraid to recompile a kernel. Some services, like SpiderOak provide Dropbox-like functionality along with client-based, per-file, encryption. However, reports are mixed about the success of the synchronization, which needs to be a given before trusting your data to such a service.

I am optimistic that these issues will be resolved over time. On the whole, cloud based storage provides a superior degree of security than what most practitioners could provide and goes a long way toward providing distributed off-site backup. I am thrilled that my data is in the cloud. It provides piece of mind to know that whatever happens to one of my computers or my office, I can always get my data back.

About the author: Tomasz Stasiuk is a Social Security disability attorney in Colorado Springs, Colorado who writes and presents on technology issues. Tomasz also helps solo attorneys and small firms how to leverage low cost technology at Planet 10 Technologies.

13 thoughts on “Guest Post :: Is Cloud Storage Secure Enough For Lawyers?

  1. Interesting post. I agree with your conclusions that data security is likely to be greater in a good cloud system than any of the other options, but in the UK there are various regulatory requirements that would rule out the use of Dropbox (and similar services) for client data.
    First, data protection law prohibits the export of “personal data” (effectively any data relating to an identifiable person) outside the European Union, without the data being subject to the same protections that it would have in the EU. US “safe harbor” principles satisfy that, but I don’t see Dropbox or AWS signing up to those obligations in the near future.
    Second, professional regulation requires that where data is outsourced like this there are contractual commitments as to its security and an ability to audit compliance with those commitments. Dropbox’s terms of use contain the usual “no warranty, as is” clauses which you would expect with a consumer-grade service, but which certainly would not fulfil those regulatory requirements.
    The Dropbox example is particularly pertinent in looking at iPad use for professional work. Many have adopted Dropbox as the best way of getting documents on and off an iPad, but for professional work this has the same regulatory issues as using the service for long-term storage.
    Jon Bloor of http://ipadlawyer.co.uk (a blog I sometimes contribute to) looked in some detail on how the UK regulatory regime would affect cloud services (particularly Dropbox) before concluding that it could not be used for client work. His post is at http://ipadlawyer.co.uk/get-off-of-my-cloud
    I’d be interested to learn of any more developments on per-file encryption.

  2. Disappointing. How does storing your files locally become less secure than storing your files locally + syncing them to a cloud? Funny how a break-in was a talking point for local storage but did not come up at all during the review for “cloud-based solutions”, which includes local storage. And the issue of region-wide disaster is easily solved by using an off-site storage service for your backups, which includes protection against catastrophic events.
    I’m not saying cloud computing is bad, but Dropbox is merely a syncing solution. With Dropbox, you still have to retain copies locally on your own media to sync across all of your points of access, and you still need to download a copy of the file onto your device in order to open it – Dropbox is not a web service which will display the contents of the file from within a browser. Instead, review web-based cloud computing where your data lives in someone else’s infrastructure sharing resources with other customers, and there is no local storage of data for the end user, for a more balanced review.
    Again, disappointing review heavily biased to a syncing solution paraded as a cloud computing solution.

  3. What do you mean by ‘dropbox is a syncing solution. You have to retain copies locally … ?’ I thought that Dropbox was a way to acces all your files, no matter where you are, by using Dropbox. I installed this tool on my imac, windows laptop, my phone and every piece of hardware has access to the files on dropbox. I don’t download a copy to work on a file (although it’s a bit quicker when you do that), just open, work, save or saveas for a new copy.

  4. When you put a file into the Dropbox folder, it activates the software to grab a copy of that file to the ‘cloud’, which then pushes the file to all of your authorized devices, thereby keeping the Dropbox folder synced across multiple computers and handhelds.
    The files within the Dropbox folder are not only synced to your other devices, but stored locally on all of those devices, since Dropbox is keeping the folder’s contents synced. So your files are local to your computer, which has all the same disadvantages as a non-Dropbox solution in terms of physical security. There could be an option to only house the file on Dropbox’s servers (although I did not see that option from their general guided tour); however, if you need to edit the file, you will absolutely have to download the file to your local device to do so, because the software to edit it (Word, Excel, etc) is on your computer/device.
    The point is, Dropbox does not store the only copy of your file – you also have a copy on your local drive which houses the Dropbox folder. Although both the connection to and folder on Dropbox’s servers are encrypted for safe transmission and storage, it is unlikely the original file is encrypted on your hard drive, putting it at the same risk for theft as a file in a non-Dropbox folder.
    I think it’s a great product in terms of solving shared folder syncing issues and is a very strong, viable alternative to tape backups for time-sensitive materials (because technical meltdowns follow no one’s schedule), but for an apples-to-apples review, the pitfalls of local storage and ownership apply.

  5. Looking more closely at the way Dropbox works I must admit that you were correct about the syncing part. It’s not a 100 % cloud storage solution. Google docs is probably more cloud then Dropbox.

  6. I need to rephrase my previous post. It’s possible to retain only a copy on the cloud. But the way to accomplish that is way to cumbersome. Log in by using dropbox’s website, go to correct folder, upload file by manually selecting it, delete file on computer. Don’t think I will use that often, except when you need a file and got a replace computer for some period of time.

  7. Just a few points.
    1. Cloud based storage should be encrypted, yes. BUT, you need to be sure that there is no “backdoor” in the program itself. Or its useless. And with the eroding rights today, how can one prevent snooping at will?
    2. There are problems with accessing the internet itself. If one is using a Microsoft product. You would need multiple security layers to insure that the date is safe. Just access to the net alone is enough to be a problem.
    3. Consider other OS than Windows. Look into Linux. I started to meass around with it a few weeks age, ad its not that hard really. And being open sourse, I am willing to bet that someone will build the security package that can do the trick. And is trustworthy.
    The best bet is to have duel hard drives. Physical back up a well as the cloud. Encrypted everything. And set the computers to encypted the HD when not in use.
    And have good, slid firewalls on computers that are connected to the interenet. And have security measure in place that will detect keyloggers.

  8. Well, if you are looking for another encrypted online storage you could try our service http://www.cloudsafe.com as well.
    We focus on secure data sharing and some unique access options that could be handy for lawyers: Two-man access rules, access via confirmation party. Or you could use access-codes that can be stored locally.
    Right now there is no way that we could access CloudSafe client data as long as the client is not logged in. And we will be offering full end2end encryption (comparable to SpiderOak) soon.
    Data can be accessed via Web browser or via WebDAV. So in general you can access your data on a Mac by using the integrated WebDAV functionality of the Mac OS X Finder. Or you could use three great clients: Transmit (Panic), FrokLift (Binary Nights) or Cyberduck.
    And if you are only looking for a secure backup solution you could use Twin (App4Mac) and encrypt your data locally before uploading it to our servers.

  9. With DropBox, if your iPad, smartphone or computer is lost or stolen, there is nothing protecting your encrypted files. Changing the password doesn’t solve the problem, as I recently learned. I changed the password on one computer after turning in a bad smartphone and forgetting to remove DB. When I got to another computer it opened without asking for the password. You would have to set up a new account and move the files. Unless there is a way to set the password as required this is a serious chink in the armour.
    Excerpt quoted from your article:
    “So, how secure is this service? Here is what Dropbox has to say: All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.”
    I’ve only been asked for a password when I set up a new access from a different computer.

  10. Pingback: Planet10Tech » Blog Archive » Is Dropbox Secure Enough For Lawyers?

  11. Pingback: Planet10Tech » Blog Archive » Making Dropbox secure for lawyers and law offices

  12. Pingback: Cloud Computing for Lawyers – Reviewed – The past, present and future practice of law

Comments are closed.