The security risks of cloud-based systems versus on-premises systems
An analysis of the Law Society’s Cloud Computing Guidelines: The security risks of cloud-based systems versus on-premises systems
MARK FERRARETTO, SOLICITOR, EZRA LEGAL
This is the last of five articles that analyse the Law Society’s Cloud Computing Guidelines against candidate cloud systems and on-premises systems. My thesis is that the caution expressed in the Guidelines should be applied as much to on-premises systems as cloud systems to obtain the best risk profile for a practice’s information systems.
In the previous articles we evaluated six candidate cloud systems, and an on-premises system, against the Law Society’s Cloud Computing Guidelines. We saw that cloud services can provide better management of security and confidentiality issues while also providing a more reliable service than on-premises systems.
In this article we summarise our analysis.
In my view, the Law Society’s Cloud Computing Guidelines should be renamed to ‘Information System Guidelines’. Doing so recognises that the risks and issues the Cloud Computing Guidelines discuss are just as relevant to the on-premises context as the cloud context.
It is important to bring the caution and diligence in the Cloud Computing Guidelines to the on-premises realm. A perceived bias against cloud systems has the effect of potentially lulling practitioners into a false sense of security with respect to their on-premises systems.
There is a risk on both sides. We need to be aware of this.
In my view at least, in many circumstances a cloud solution is the better option when compared against an on-premises system. This is particularly the case for services that provide for control over data location and robust security and incident management practices.
For storage of non-practice management system data, that is, emails, files and so on, I would venture to say that cloud is best practice. Cloud services provide a lower risk profile than managing that same data on premises.
However, I do not extend my conclusion to the free and/or consumer services, such as Dropbox. These services invariably do not give their users any control over data location and may re-sell data. Google, for example, reads the contents of emails stored in Gmail. It is the enterprise systems that should be used. Confusingly, many cloud providers use the same product names for their consumer and enterprise offerings. Generally, if a service is available for free, or has a free component, it should not be used.
For practice management systems, the overriding issues are governed by the software provider. Some don’t ‘do cloud’, for example. Data portability issues exist in this context not because of the cloud/on-premises question but because of the proprietary storage of data in practice management systems.
My hope, as an avid cloud services user, is to dispel wariness of cloud systems. Cloud systems bring with them advantages in risk, availability and data security, not to mention the convenience of having data at your fingertips.
At the very least, on-premises systems should be evaluated with the same scrutiny as is recommended for cloud systems.
August 2022, THE BULLETIN