Cloud v On Premises Data Storage: Which is Best?

Is it any wonder why lawyers and managers don’t get to grips with IT?

First off, I’m not an IT expert, so the following is what I have gleaned from speaking to people who know about IT and from my own experience researching cloud and on-premises data storage solutions over the past year. However, this is a very relevant topic, so I’m not going to shy away from setting out the issues as I see them. Any comments and corrections from IT experts are most welcome.

Cloud/third party data storage could be on the cusp of being adopted wholesale by law firms due to panic caused by the now regular data hacking incidents. Essentially, the thinking is: If I adopt a cloud solution, this will be more secure as my data is looked after by large companies such as Amazon and Microsoft, who most likely employ the best data security experts known to mankind. This view is confirmed by some information published by the Law Society, though their full Practice Note on cloud data storage is well worth reading in full.

Let’s not delay with getting to grips with the issues from a law firm manager’s perspective.

1. Who is actually storing the data?

Can someone tell me one thing that connects this with data storage?

A perusal of the marketing literature of many third party data storage providers won’t tell you where the data is actually held or who holds it – the word “cloud” is used as an explanation in itself, as if there really is a data depot up there in the heavens that allows our client information to rest in peace eternally, unless we recall it for use.

For example, Tresorit, one of the best known high security data storage providers for business, known for their hacker competitions ($50,000 bounty offered to anyone who successfully accesses their data), use Microsoft Azure datacentres to host their data storage service, though you won’t find this mentioned in their Wikipedia entry.

Likewise, some of the best known legal software providers such as LEAP use a third party to host your data.

2. Do we have a contract with the data storage provider?

Yes surely I do! Hang on, no – actually I have a contract with a software provider who in turn (hopefully) has a contract with the data storage provider, but we don’t know what that says.

What is the issue with this? It means your precious client data is being handled by a party with whom you do not have a direct contractual relationship. This could make remedies or legal action very difficult if anything should go wrong, and it just doesn’t seem great not to have a direct contractual relationship with an organisation which handles one of the most (if not the most) important assets you are trusted with. A bit like asking a third party to put your files in their safe, but not bothering to sign a contract with them?

3. Data Protection law

As the data is often held by very large international organisations (such as Amazon or Microsoft) who have a complex network of worldwide data-centres, we need to check that the data is held within the EU and so complies with Principle Eight of the Data Protection Act.

Ultimately we retain responsibility and liability under the Data Protection Act as the data controller – the legal responsibility isn’t transferred to the third party data storage provider – see page 7, para 23 of the ICO’s Cloud Computing Guidance for Organisations.

This means that all of these issues need to be considered carefully before we rush into adopting a data storage solution which is taken care of and hosted by a third party.

4. Security

Here is where we start to really take on an area in which, as non-IT experts, we cannot have any certainty. In my view, none of us can rely on internet research or a cloud software representative’s opinion. Bearing in mind the highly regulated and high risk (of a data breach) environment in which we work, we need an expert IT consultant’s opinion to help inform us specifically which data storage solutions could work best. Some IT experts acknowledge that certain companies are dealing with data that requires more security than cloud data storage providers can offer.

One potential issue is that the larger the data storage provider is, the greater the incentive for hackers to penetrate its security and gain access to a huge amount of sensitive and valuable data. Successful cloud data storage hacks are not unknown – here’s a whole list of incidents.

There is much information on the benefits of cloud data storage security over on-premises data security, but some of this is published by private companies who have an interest in selling you a cloud product or solution.

5. Contracts again

At least this limitation of liability notice isn’t hidden away…

So what if we do have a contract directly with the data storage provider and we are satisfied that all points above re location of our data and security are covered? What is our remedy if, god forbid, a data breach does occur?

Unfortunately the contracts I have seen offered to business users by “cloud” providers include a comprehensive limitation of liability clause, which states:

(a) They accept no liability whatsoever for any data loss or breach of any kind, howsoever caused; and

(b) They do not provide any warranty that their product is fit for any particular purpose, including business use.

For more on this see my previous post on Contracting with the Cloud.

6. Password protection

Access to “cloud” data is often provided through a one-stage password entry process on an online login page, which is accessible to anyone, anywhere. The password may be known by a large number of employees, therefore data could be compromised either through a hacker using sophisticated software to obtain the password, or by employees writing down a password which is then discovered by the wrong person. Would we accept a one-stage password entry system for our online banking?

Access to cloud data is as easy as this…

Passwords can be obtained by hackers through a variety of methods, and once they have your password they could gain unrestricted access to your client and office data. Consider this scenario: a fake login page is displayed on an employee’s inadequately protected personal PC which has been hacked; the employee enters the login details believing the page to be genuine; the hacker now has the password and therefore access to all client data.

Or, what if your login details are obtained by a hacker and published online? Unlikely? Consider the potential effect on law firms of the 68 million username and password leak affecting Dropbox users.

With on-premises data storage you could avoid this potential scenario by restricting access to data to persons who are on site at the office, though this would obviously be less convenient.

7. Is an on-premises solution definitely more high risk?

Maybe servers are not just for yesterday’s law firms?

I am once again out of my depth here, but from my understanding a local solution will not necessarily be more high risk, as it will not rely entirely on your in-house IT expertise. We can adopt firewall and anti-virus software solutions which are independently recognised as leading security options and are updated and maintained on a daily basis. Bitdefender’s security software, for example, consistently provides protection against all threats under independent laboratory testing. However, this is not the entire security picture – a great security software suite would need to be combined with up to date user and server software that provides the latest security protection.

Conclusion

Data kidnapping is a growing trend and threat for organisations who hold sensitive data – and cyber criminals know just how much we have to lose from a breach of our obligations. Here’s a summary of the key points:

– We are ultimately responsible for managing this risk from the point of view of our contractual duty to our clients, our DPA legal obligations as data controllers, and our regulatory position.

– In my view we cannot safely “delegate” the management of this risk to a cloud provider without being very thorough in checking out the above issues, and most likely more.

– From what I have learnt, I do not believe that a cloud solution will always be more secure than an on-premises solution.

– We need guidance from IT experts to help us choose the right solution. We can’t rely on marketing information from cloud storage providers and their partners.

– We might need to sacrifice ease of access to avoid some recognised threats that enable hackers to gain access to our data.

And if you have 55 minutes to spare, this video talk by penetration testing and hacking technique expert Kevin Dunn is very informative – he walks us through a large number of means of gaining access to cloud data involving all platforms (Google, Office 365, Citrix) and concludes by saying we should only be holding data on the cloud that we can afford to lose, or have hacked. “There is no cloud”, he says, “it’s just someone else’s computer”.

Lee Watkin and Andy Green’s comments below this post are also well worth reading – both have many years’ experience delivering IT solutions, so their input on this debate is invaluable.

Martyn

Ben

I set up Law Practice Manager because I enjoy sharing fresh and original opinions and posts on law management issues.
Facebook and Twitter: @LawManager1
LinkedIn group: https://www.linkedin.com/groups/8538343

6 thoughts on “Cloud v On Premises Data Storage: Which is Best?”

  • PaulW
    June 23, 2016 at 8:14 am
    Permalink

    Ben, you ask a straightforward question and are right to do so. PMs will be coming under pressure from management to look at alternatives for secure data storage given the current topic of the risk to data being accessed. An instinctive reaction is to lay off the risk to a third party – the question is how easy is this option and what professional regulations need to be satisfied when considering this option. The LS has published a practice note relating to outsourcing and I believe that this should be considered as part of a practice’s risk assessment on the matter – the link to the LS website is:
    http://www.lawsociety.org.uk/support-services/advice/practice-notes/outsourcing/
    A tip: try asking a solution supplier if they can satisfy your regulatory obligations in full.

    Reply
    • Martyn
      June 23, 2016 at 8:17 am
      Permalink

      Thanks for bringing that to our attention Paul – that PN is new to me but looks very relevant.

      Reply
  • July 5, 2016 at 4:28 pm
    Permalink

    As someone who has designed and scoped solutions for many companies across multiple sectors, the question of cloud is one that is not going away. This article is actually quite good coming from a self-proclaimed non-IT person. The research is good and as such should be used as a basis.

    However data storage is just one part of what you need to look at, you need to ask yourself what is it I am looking to achieve? And how can this best be delivered?

    The Cloud offers everything from basic storage areas for offsite backups to more complex cloud delivered applications (SaaS). Many application providers are now offering their services in the cloud on an opex based cost model, so you pay as you consume. The data resides on their system and you pay for protection and encryption; however, you can dovetail this into your own Active Directory to ensure only users permitted to use the application can access it. The application can then add in additional levels of security by only allowing people with certain access rights into more sensitive areas of the program.

    So if you are looking to place all your applications in the cloud and you wish to purchase PaaS platform as a service from your cloud provider, you will purchase everything you need to run your applications in the cloud, however you still retain responsibility for the application and updates – hence why SaaS is by far the better option if your application vendor offers this.

    So with regards to your data, the application should be able to encrypt this so if it’s hacked they don’t see anything. Now remember in 2017 a European data encryption law comes into force that basically mandates that you have to prove your data is encrypted; if not you could be liable for a fine of up to 2% of the company’s value for each piece of data lost – scary stuff eh, and even if that data is in the cloud, it’s still your company’s data.

    So what’s the best model? Well I have recently left IT and started my own companies (yes 2 at once) and have used the cloud model to offer me an opex model, flexibility, scalability, no IT requirements for software and hardware upgrades and the ability to offer flexible working environments for staff by not operating from offices but rolling out collaboration in the cloud to facilitate home working. We are paying for IT as we use it. Our applications are all cloud based and any new applications will only be considered if they fit that model. But hang on, I hear you say, you’re not a new company and you have all this onsite. This was extremely common and I always recommended a Hybrid model with applications that are non business critical offloaded to the cloud as a SaaS model (O365 being a prime example, and can include SharePoint Online for collaboration both internally and externally) with all the business critical applications and data onsite. This would effectively reduce data and storage requirements massively as you would offload Exchange and file data and only retain database information. Your requirements onsite would be one fifth of what you need now, your files and Exchange can be protected and backed up by the provider, say Microsoft, and you can determine where your data is held. As from this year that includes 2 new data centres in the UK.

    These companies don’t take security and data protection lightly as any security breaches could ruin their businesses and just remember they have pinned their colours to the Datacentre cloud business model.

    So ask yourself
    1) what is it I want to achieve
    2) what applications can be offered via the cloud
    3) how is the data protected and where is it kept
    4) how much will it cost me
    5) what security measures do I need in place to protect the company’s data
    6) how much does it cost if I want my data back – remember bringing your data back costs

    Remember you can determine where your data is kept, you can ask for encryption, you can ask for data protection and high availability, and the weakest link in the whole cloud will be your company’s link to the Internet. However, what it does offer you is the ability to start offering flexible working environments for your staff, being able to facilitate early return to work for new mums if they so wish by allowing them to work from home whilst collaborating with colleagues, with a direct line via VoIP systems. This to me is a great way to increase your company’s productivity whilst moving away from the old 9-5 requirements.

    Having retired from IT, it still holds an interest and I can now see it from the other side, but please feel free to email me if you have any questions.

    Reply
  • October 24, 2016 at 9:18 am
    Permalink

    Ben

    My name is Andy and I have over 20 years working in IT and 10 years directly working as a Cyber Security Expert.

    Jumping straight in: even though ‘Cloud’ has been around for many years, it is still in its infancy and as such many of the questions you raise are very valid.

    Taking for example where your data is physically held: this is critical to which legal structure you fall under and as such you may have seen the recent investment that Microsoft and Amazon are making in bringing data centres within the EU to try to alleviate this exact situation.

    The headline is, if you are considering ‘Cloud’ against on premises data storage then, as with most things that are not your sphere of expertise, engage an expert; it costs of course, but that is offset against the value of the solutions that they provide.

    How the data is held is also now a major consideration for any organisation, especially with the increasing pressure from the Information Commissioner’s Office and pending EU regulation regarding the holding and transportation of sensitive information. Is the data being held encrypted ‘in the cloud’? Is it encrypted when being sent to and from the cloud? Are replicated copies encrypted? What are the cloud provider’s disaster recovery practices? What are their internal security practices and policies regarding their own personnel?

    Just a few simple questions that have major implications for a business, and a similar set of questions could equally be asked of on-premises solutions; again, this is why it is always best to get in ‘the experts’.

    Data ownership is also a major consideration, and little things like your insurance policy compliance: what are your requirements against this, does the policy have specific clauses on how data is secured off site and in what form, for example UK based data centres only, or for on premises do backups need to be taken off site or is a fire secure safe acceptable?

    I always say to any company thinking of ‘migrating’ to cloud anything – just because someone says it is secure does not necessarily mean it is – planning and evaluating any movement of ‘your’ data into the hands of someone else always entails a risk – what you have to do is always weigh up the rewards against the risk. ‘Cloud’ is the way forward and the benefits to organisations can be extremely beneficial – how you adopt and implement a ‘Cloud’ strategy will determine how successful it actually is.

    Dynamic Networks provide a full IT & Cyber Security service – 0113 347 1231

    Reply
  • October 24, 2016 at 9:48 am
    Permalink

    In respect of the use of on-site servers, something else that should probably be considered is Disaster Recovery.

    Having on site servers may or may not reduce the risk of having your data kidnapped, but “what if” your servers go up in smoke or are flooded beyond repair? Whilst it isn’t a risk in terms of a data protection breach (because your data will have been destroyed), what protection are you putting in place to ensure business continuity? Storing data “off-site” could well alleviate some of these concerns…

    Reply
    • Martyn
      October 26, 2016 at 10:32 am
      Permalink

      Thanks Charles, you make a very good point. I guess some ways you could mitigate this risk if you don’t want a third party data storage solution could be to auto back up data onto a second and even third PC (this need not be a server) at different on-site locations, or to back up data regularly onto a removable hard drive unit (these days you get massive storage capacity on a small unit) and store this in a fire proof safe. I would welcome views on this from IT experts, as this exercise of balancing the risk of data loss against data security is key and one which I find difficult as a non expert.

      Reply
