Governance in the cloud

Whitepaper

This paper examines the impact and application of information governance (IG) when using public cloud services and reviews the considerations that a law firm needs to address when evaluating a move to the cloud.

October 23, 2017 (12 mins)

Executive summary

This paper examines the impact and application of information governance (IG) when using public cloud services and reviews the considerations that a law firm needs to address when evaluating a move to the cloud. It is meant to provide guidance to assist the IG professional when evaluating cloud providers and offers suggestions for topics to be discussed within the firm and with providers. We include several checklists of questions to consider, as well as references to more detailed sources for further consideration.

Introduction

The cloud. A term often heard and all too often misunderstood. “The cloud” is used to refer to all sorts of outsourced technology arrangements, despite the fact that it actually refers to a specific set of technical capabilities. Hosted applications, which have been used for years and simply referred to as “hosted,” are now referred to as if they are in the cloud. Maybe they are, maybe they aren’t; frankly, it’s complicated. At the same time, many organizations leverage cloud technology in their own data centers – a “private cloud,” as opposed to a “public cloud” (see callout) – but this is likely not seen as a cloud service by management.

The Information Governance (IG) professional must have an understanding of the cloud and the potential implications and considerations related to records and information management and governance. There are many resources available that provide more broad, expansive detail, several of which are referenced in this paper. This paper does not attempt to address all of these considerations, but rather focuses on those areas related to data governance.

So what’s all the hoopla? The pitch we have heard from cloud vendors has been “put your data/application/platform on our computers and it’s easier, faster and cheaper for you; you don’t have to have a data center, maintain environmental controls, hire engineers and buy all the computers. You don’t have to wait weeks to get a new server ordered, delivered, configured and installed. And let’s talk about security – the cost of securing your own infrastructure grows every year – we’re doing it across thousands of customers so we can give you infrastructure security more cheaply than you can provide it yourself.”

Sounds like a deal. So why is the cloud not embraced by everyone? As usual, a firm’s management has to look at the entire return on investment scenario. One of the key factors to examine is the cost required to have sufficient network bandwidth to connect to the cloud using a variety of devices with acceptable performance. Maybe your organization has invested in a private cloud, generating significant savings already, and moving to a public cloud would not generate as much savings.

One of the most common concerns raised about moving to a public cloud is governance of information. When a firm’s data is in-house, we have plenty of challenges maintaining good governance. When it is in a public cloud, we still bear the responsibility of providing good governance; however, the data is at arm’s length and we may not have as much visibility or control as we would like. In this paper, we examine the impact and application of Information Governance (IG) when using public cloud services.

We must first define what it means for a law firm to be “in the cloud.” Much of that answer lies in what differentiates the business of law from other industries. Document filings, docket deadlines and court appearances run on absolute deadlines. Communications with clients and third parties are interdependent and not necessarily linear. At times, data must be handled, stored, secured and dispositioned specific to firm, client, government and international requirements. Attorneys must meet these deadlines and comply with these requirements bound by their professional rules of service, not the least of which is client-lawyer confidentiality. Cloud service providers must meet and exceed the critical business needs of the legal industry: service continuity and data privacy maintenance. Data must always be ready for access yet must always be as secure as possible against breaches or other unauthorized activities.

Organization-level understanding of cloud use

The cloud has had much media exposure, not all of which is positive or accurate. The challenge for the conservative legal industry is to weigh the perceived risks against the potential benefits. Since law firms and lawyers are often cautious about embracing technology change, it is important that executive management, directors, managers, attorneys and their legal staff have a solid understanding of how using the cloud benefits the firm, as well as the attendant risks. Historically, attorneys (and law firms) have been concerned with the use of the cloud, making it a challenge for IG and IT professionals to address the attorneys’ data privacy and availability concerns. This may be changing. ILTA’s 2016 Technology Survey[1] (ILTA) showed increases over 2015 in the use of both cloud storage repositories and high-availability solutions amongst law firms. Of the latter, cloud-only and hybrid cloud configurations are in use by over 50% of law firm respondents. While some jurisdictions are addressing cloud requirements in ethical opinions, there is no hard-and-fast, universal rule regarding use of the cloud.

To establish a cloud strategy and approach, executive management benefits from an understanding of the growing trend toward use of the cloud and how it may change data access, transmission and storage practices in the near future. Further, many of the firm’s clients are already using cloud technologies and may be very comfortable with them and, in fact, demand the same from their legal services providers.

One way to promote and maintain your organization’s use of the cloud is with a straightforward policy communicated to all personnel defining:

  • The classifications of information that may be stored in the cloud
  • Approved data transmission methods to and from the cloud, where appropriate
  • Synchronization between devices and cloud offerings, such as Gmail mailbox synchronization
  • Who may access the data in the cloud
  • By what method or device that data may be accessed
  • What firm (and client) specific IG and security procedures must be followed
  • Enforcement that all defined policies and procedures must be followed before entering into the cloud.