The Bulletin - Law Society of South Australia


CLOUD COMPUTING

An analysis of the Law Society of South Australia’s Cloud Computing Guidelines

MARK FERRARETTO, SOLICITOR, EZRA LEGAL

The Law Society publishes Cloud Computing Guidelines1 which quite rightly guide legal practitioners through the various risks and issues associated with adoption of cloud services. What the Cloud Computing Guidelines neglect to mention, however, is that these same risks and issues also apply to on-premises services. When evaluating cloud services, legal practitioners should evaluate the risk profile of cloud systems against the risk profile of adopting (or remaining with) on-premises computer systems.

This article and the next four that follow it analyse a set of cloud services commonly used in the legal profession against the Cloud Computing Guidelines and compare these services against on-premises services.

Before we get under way, however, I should disclose a bias. I am a big fan of cloud services. The convenience of having information at your fingertips is simply too attractive. I constantly demonstrate to friends and colleagues how I can write on a tablet and have my writing magically appear on my desktop and on my phone at the same time. The accessibility that cloud services provide can lead to a great increase in productivity.

Cloud services do pose unique challenges, data sovereignty and data security being but two. However, cloud services have evolved significantly over the last five years, to say nothing of the last 10 to 15 years. In my view, there are many contexts where using cloud services for data storage should now be considered best practice for law firms. Thus endeth my declaration of bias.

What We Will Cover

In this first article we’ll give a broad overview of what lies ahead, and then explore issues relating to governance of cloud computing. Firstly, we will discuss key points from the Guidelines and then discuss how I approach the analysis.

The Cloud Computing Guidelines

As I’ve said, the Cloud Computing Guidelines are drafted with a view to guiding practitioners through the evaluation and adoption of cloud systems. Overall, in my view, they paint a cautionary tale. The Guidelines cover a raft of issues, but they can be grouped into these broad categories:

1. Governance;
2. Confidentiality;
3. Data security; and
4. Data resilience.

The Guidelines’ dealings with governance refer mainly to issues around data sovereignty and the governing jurisdiction of a cloud service’s terms of service. Data sovereignty raises issues of the underlying laws of a sovereign state that protect (or otherwise) your data. Ideally, practitioners would want their data located in Australia so that their data is protected by Australian law, which, if nothing else, is a known quantity. Governing jurisdiction clauses in terms of service raise issues regarding the ease (or otherwise) of asserting a party’s legal rights.

The Guidelines unsurprisingly deal extensively with confidentiality. Confidentiality stems from the risk of third-party access to data but extends past this because, as we shall see, third parties always have access to our data regardless of whether it is in the cloud or on-premises. The confidentiality issue becomes a question of regulation of third-party access to a degree that satisfies practitioners’ obligations under the Australian Solicitor Conduct Rules.2

Data security is self-explanatory and has long been a concern of those looking to migrate to the cloud. As will be demonstrated, data security is also a significant issue with on-premises systems.

Data resilience refers to several aspects. The most obvious is availability of data (ie, how often does a service crash). Less obvious are issues around incident management and data portability, data portability being the ability to extract data out of a cloud service if desired.

Analysis

The aim of my analysis is to apply the abstract concepts in the Guidelines to the practical context of cloud services commonly used by legal practitioners. To that end, I have decided to analyse the Guidelines against a set of popular cloud services and also against an on-premises context. The cloud services to be analysed are:

• Dropbox (the consumer version);3
• Dropbox Business;4
• Google Workspace;5
• Microsoft 365;6
• LEAP;7 and
• Actionstep.8

It is worth stating that there are many other cloud services, large and small, that are available to legal practitioners. My intention is to focus on the more prominent services that many practitioners consider adopting or have already adopted. It is also worth stating that this analysis is not a substitute for performing your own due diligence!

22 THE BULLETIN April 2022

GOVERNANCE

Two main points in the Cloud Computing Guidelines relate to governance – data sovereignty and jurisdictional issues. Let’s deal with data sovereignty first.

Data Sovereignty

As discussed above, data sovereignty relates to the location of data. The location of data is important as different countries prescribe different legal protections for data stored in them. Protections vary widely from country to country. Also, sovereign data protection may only extend to the citizens of a country. For example, data stored in the US may not be subject to the constitutional protections afforded to US citizens.

Cloud services may store data across many countries. As cloud services usually store multiple copies of customer data (for resilience), it’s possible that information stored with a cloud service could fall under multiple, widely varying bodies of data legislation. Google, for example, stores its Google Workspace data in 18 different countries across the world, from the USA to Finland to Indonesia.9

