3 minute read
An Analysis of the Law Society of South Australia’s Cloud Computing Guidelines: Resilience
Advertisement
MARK FERRARETTO, SOLICITOR, EZRA LEGAL
This is the fourth of fi ve articles that analyse the Law Society’s Cloud Computing Guidelines against candidate cloud systems and on-premises systems. My thesis is that the caution expressed in the Guidelines should be applied as much to on-premises systems as cloud systems to obtain the best risk profi le for a practice’s information systems.
In this article we discuss system resilience.
Resilience
This category is broader than the others and comprises more loosely-related topics, being system availability, incident management, data portability and system audits.
When analysing on-premises systems against these categories we fi nd a mixed bag. Most on-premises systems are usually comprised of a single computer, or a single computer for a single purpose (one practice management server for example). Many on-premises systems also do not have a Business Continuity Process or a Disaster-Recovery Plan. Should a system fail, outages can last for hours or even days. Recovery is usually complex and can be incomplete. For example, data may be recovered to the end of the day before the outage occurred, losing that day’s transactions. Incident management is adhoc. The main advantage of on-premises systems in this context is that practitioners usually have someone to yell at when things go wrong.
Cloud systems generally perform better in this category. Dropbox business claims an availability of 99.9999999% per year. That is an average downtime of 0.03 seconds each year. Google claims a comparatively paltry 99.9%, or 8 hours, of downtime per year, and provides service credit if this metric is not met. Actionstep promises a ‘Recovery Point Objective’, a best-efforts target, of 4 hours for an Table 4 Resilience
AVAILABILITY INCIDENT MANAGEMENT AUDIT DATA PORTABILITY
Dropbox
Not specifi ed Not specifi ed Not specifi ed Files can be exported.
Dropbox Business 99.9999999% Not specifi ed Access to audit data once per year Files can be exported
Google Workspace
99.9% with service credits Not specifi ed Not specifi ed All data can be exported
Microsoft 365
99.9% with service credits Will notify user ASAP
Standard audits- free. Custom audits available
LEAP
Not specifi ed Not specifi ed Not specifi ed
Actionstep
RPO: 5 min RTO: 4 hours
On Premises Usually low Yes Not specifi ed Depends on IT provider Usually none All data can be exported
Data can be exported on request Request data up to 20 days after termination Depends on software and PMS
outage and promises to restore data up to 5 minutes before the outage occurred. From an availability point of view, cloud services win hands-down.
Incident management is usually more structured with cloud providers, although the regimens vary. Microsoft, for example, sends push notifi cations to Microsoft 365 administrators as soon as an incident occurs. It also publishes a list of past incidents and resolutions. Dropbox conducts audits on a regular basis, as does Microsoft. Microsoft allows for additional audits to be performed for an additional cost.
Overall, cloud systems are more reliable, available and outages are managed in a more structured and transparent way.
While data portability may seem a nonissue with on-premises systems, a deeper look indicates this may not be the case. This is particularly so as many practices store their ‘source of truth’ in a practice management system and migrating data out of practice management systems is quite diffi cult, regardless of whether the practice management system is on premises or cloud-based.
Non-practice management data, such as email and fi le data is more portable in the on-premises context as the data does not need to be exported or downloaded. However, with faster network connections, export of email and fi le data from most cloud systems is also becoming more convenient.
Verdict
Overall, the much greater availability of cloud systems would lead to cloud winning this category. Outages can cost fi rms thousands of dollars per hour in lost income. The combination of very high availability coupled with stronger incident management and audit procedures provided by cloud services offset the perceived control offered by keeping data on-premises. Most cloud service data is portable, with the exception being the practice management systems. However, data portability in the practice management system context is an issue that comes with practice management systems themselves, and not necessarily because they are cloud-based.
Cloud takes this category
In our next, and fi nal, article we wrap up the analysis and give some thoughts risk, cloud and on-premises systems. B
