CLOUD COMPUTING
An Analysis of the Law Society of South Australia’s Cloud Computing Guidelines: Resilience MARK FERRARETTO, SOLICITOR, EZRA LEGAL
T
his is the fourth of five articles that analyse the Law Society’s Cloud Computing Guidelines against candidate cloud systems and on-premises systems. My thesis is that the caution expressed in the Guidelines should be applied as much to on-premises systems as cloud systems to obtain the best risk profile for a practice’s information systems. In this article we discuss system resilience. Resilience This category is broader than the others and comprises more loosely-related topics, being system availability, incident management, data portability and system audits. When analysing on-premises systems against these categories we find a mixed bag. Most on-premises systems are usually comprised of a single computer, or a single computer for a single purpose (one practice management server for example). Many on-premises systems also do not have a Business Continuity Process or a Disaster-Recovery Plan. Should a system fail, outages can last for hours or even days. Recovery is usually complex and can be incomplete. For example, data may be recovered to the end of the day before the outage occurred, losing that day’s transactions. Incident management is adhoc. The main advantage of on-premises systems in this context is that practitioners usually have someone to yell at when things go wrong. Cloud systems generally perform better in this category. Dropbox business claims an availability of 99.9999999% per year. That is an average downtime of 0.03 seconds each year. Google claims a comparatively paltry 99.9%, or 8 hours, of downtime per year, and provides service credit if this metric is not met. Actionstep promises a ‘Recovery Point Objective’, a best-efforts target, of 4 hours for an
30 THE BULLETIN July 2022
Table 4 Resilience
Dropbox
AVAILABILITY
INCIDENT MANAGEMENT
Not specified
AUDIT
DATA PORTABILITY
Not specified
Not specified
Files can be exported. Files can be exported
Dropbox Business
99.9999999%
Not specified
Access to audit data once per year
Google Workspace
99.9% with service credits
Not specified
Not specified
All data can be exported
Microsoft 365
99.9% with service credits
Will notify user ASAP
Standard auditsfree. Custom audits available
All data can be exported
LEAP
Not specified
Not specified
Not specified
Actionstep
RPO: 5 min RTO: 4 hours
Yes
Not specified
Usually low
Depends on IT provider
Usually none
On Premises
outage and promises to restore data up to 5 minutes before the outage occurred. From an availability point of view, cloud services win hands-down. Incident management is usually more structured with cloud providers, although the regimens vary. Microsoft, for example, sends push notifications to Microsoft 365 administrators as soon as an incident occurs. It also publishes a list of past incidents and resolutions. Dropbox conducts audits on a regular basis, as does Microsoft. Microsoft allows for additional audits to be performed for an additional cost. Overall, cloud systems are more reliable, available and outages are managed in a more structured and transparent way. While data portability may seem a nonissue with on-premises systems, a deeper look indicates this may not be the case. This is particularly so as many practices store their ‘source of truth’ in a practice management system and migrating data out of practice management systems is quite difficult, regardless of whether the practice management system is on premises or cloud-based. Non-practice management data, such as email and file data is more portable in
Data can be exported on request Request data up to 20 days after termination Depends on software and PMS
the on-premises context as the data does not need to be exported or downloaded. However, with faster network connections, export of email and file data from most cloud systems is also becoming more convenient. Verdict Overall, the much greater availability of cloud systems would lead to cloud winning this category. Outages can cost firms thousands of dollars per hour in lost income. The combination of very high availability coupled with stronger incident management and audit procedures provided by cloud services offset the perceived control offered by keeping data on-premises. Most cloud service data is portable, with the exception being the practice management systems. However, data portability in the practice management system context is an issue that comes with practice management systems themselves, and not necessarily because they are cloud-based. Cloud takes this category In our next, and final, article we wrap up the analysis and give some thoughts risk, cloud and on-premises systems. B
