CLOUD COMPUTING
An Analysis of the Law Society of South Australia’s Cloud Computing Guidelines: Data Security

MARK FERRARETTO, SOLICITOR, EZRA LEGAL

This is the third of five articles that analyse the Law Society’s Cloud Computing Guidelines against candidate cloud systems and on-premises systems. My thesis is that the caution expressed in the Guidelines should be applied as much to on-premises systems as cloud systems to obtain the best risk profile for a practice’s information systems. In this article we discuss data security.

Data Security

This is where cloud services really shine. Ironically this is also the area which is usually of the greatest concern.

The question to ask is whether a practitioner would prefer to delegate the security of their data to a provider with extensive resources dedicated to the maintenance of data security and the detection and resolution of security incidents, or to manage data security themselves, either directly or via an IT provider, neither of whom is likely to be a cybersecurity specialist.

The resources and skills required to detect and protect against security intrusions are way beyond the capabilities of most IT providers. Cybersecurity has evolved into its own discipline and there exist businesses that specialise in cybersecurity management, most of whom are not engaged by legal practitioners to manage their IT infrastructure.

Detecting an intrusion is itself very difficult. If an intrusion remains undetected, as many are, an intruder could usually remain, or ‘dwell’, in a compromised system for many, many months.[1]

Cloud services encrypt data at rest (when it is stored) and in transit (when it is sent to a computer to use). Cloud providers usually have robust systems in place to ensure the keys used to decrypt data are not easily accessible.
24 THE BULLETIN June 2022
Table 3: Data Security

| Service | Encryption at rest | Encryption in transit | Effect of termination | Change of control |
|---|---|---|---|---|
| Dropbox | Yes | Yes | Will notify and give opportunity to export data | Will notify and ‘outline your choices’ |
| Dropbox Business | Yes | Yes | Provision to export data after termination | Not specified |
| Google Workspace | Yes | Yes | Access to data ceases on termination | Will give notice |
| Microsoft 365 | Yes | Yes | Not specified | Not specified |
| LEAP | Yes | Yes | Data retained but inaccessible | Not specified |
| Actionstep | Optional, on request | Yes | Delete data 30 days after termination | Not specified |
| On Premises | No | N/A | No | N/A |

Apart from Actionstep, all the service providers analysed for this paper encrypt data at rest and in transit. Actionstep does not encrypt data at rest by default but it can be requested.

It is true that cloud services provide an easier target for intruders. However, this is offset by the increased security resources dedicated to detecting and mitigating this risk.

On-premises data is almost always not encrypted, particularly on practice management servers and file servers. On-premises backups are also usually not encrypted and may not be stored in a secure location. An intrusion into an on-premises system carries significant risk of going undetected, and the intruder is likely to have access to unencrypted client information for an extended period of time.
Verdict

In my view, cloud services do data security much better than on-premises services. Although cloud might be an easier target, this risk is in my opinion more than offset by the much higher level of cybersecurity skills present inside cloud firms (or at least the candidate firms discussed) than what exists in the on-premises context. Data security is a comprehensive win for cloud in my view.

In the next article we discuss data resilience.

Endnotes

[1] See eg: ‘Asia-Pacific Lags in Dwell Time, Study Reveals’, Security Intelligence <https://securityintelligence.com/news/asia-pacific-lags-in-dwell-time-study-reveals/>.