Venio Systems kicked off its monthly #VenioVibes webinar series on Tuesday, Feb. 9 with “5 Questions to Ask before Migrating Your Legal Data to the Cloud” (learn more about #VenioVibes here). This webinar addressed the security issues that must be considered when deciding how to protect your legal data in the cloud. With increasing amounts of data and vital business functions moving to the cloud, it’s never been more important for people working in eDiscovery to be aware of the security pitfalls and problems they might encounter and the solutions that are available to their organizations.
Last month, Venio Systems launched its Venio Cloud End-To-End eDiscovery SaaS, a new cloud-based platform that offers a self-managed, intuitive, and highly scalable solution to transform the way teams handle eDiscovery (learn more about Venio Cloud here) . In the webinar, Venio Systems Chief Technology Officer Arestotle Thapa and VP of Products Ankur Agarwal discussed the security considerations that went into launching Venio Cloud. Issues covered included protecting storage, data transfers, cloud-versus-on-prem, and other topics. The webinar also focused on how the most vital security issue isn’t whether the cloud is safer than on-premise storage, it’s what companies do to train their employees to be secure stewards of the data for which they’re responsible. Finally, webinar attendees learned the 5 important questions to ask when they’re considering moving their data to the cloud.
When making the decision to move your data into (or out of) cloud-based storage, here are some of the things to consider:
There are also different ways to transfer your data. These include:
When building Venio Cloud and running simulations that mimicked users loading data, Venio technicians discovered that the number of files being transferred can be at least as important as how large the files are. For example, when transferring a large number of files, even if the total volume of those files may be as little as a single GB, it can take six or seven times longer for the transfer. The number of files can matter more than the total data volume. For example, zipping those same files into a single file, dramatically increased the upload speeds.
Also, it’s advantageous to choose cloud storage located in the same region as the people who will be accessing the data. With more and more users working remotely, having a closer connection to the data stored in the cloud will make your system more responsive and help users be more efficient with less data latency.
Once your data is in the cloud, how will your applications perform and how will the data be accessed? Here are some things to consider:
Load balancing and replication of data are usually something the cloud provider will take care of. It’s an easy matter for them to ensure the data load is balanced and that the data is replicated as needed. For those who have not deployed and managed virtual environments, this is a great help to fill technical skill gaps.
One of the major concerns in the legal industry regarding cloud-based storage involves backups and recovery: What if I lose access to the cloud? What happens if my data goes down? How will I recover it? How will I restore it? Cloud-based data storage is actually in a better position to deal with these issues than on-premises storage. For an on-premises system, backup has to be done when users are not active because, depending on the volume of data, it can take a long time to back up. That means it can’t be done every day, which means the data is less protected against loss. But in cloud storage, snapshots are taken for backup and replication purposes on a regular basis, and that process does not affect user activity. Also, if an issue arises and recovery becomes necessary, cloud storage allows you to easily go to a specific point in time for data recovery. That is something you can’t do when backing up the system on-premises.
In on-premises storage, backing up data takes time and effort, often as much as a week’s worth of work. In fact, those systems are rarely tested because so much work is involved, which means when a problem arises and recovery is needed, data restoration workflows and systems aren’t ready. But backup recovery in the cloud is very different. Because the data is stored on virtual servers with replication, the data can be recovered and access to datacan be restored quickly and easily.
There are definitely threats to data security that can become more of an issue as data moves from behind an on-premises firewall to the cloud. The two primary issues being:
Overall, however, we found that the data stored in the cloud is often more secure than data in an on-premises server. That’s because cloud storage providers have much greater tools and resources at their disposal, along with the newest technology, to secure data. That doesn’t, however, mean you can automatically assume your cloud provider will take care of all security concerns and you don’t have to take precautions yourself.
The biggest security issues with cloud storage end up being the same human ones that we have on-premises. Users leave backdoors open, fail to be careful with passwords, and, in general, don’t follow obvious security procedures that they would follow otherwise. They’re used to the firewall protection of on-premises servers, sothey carry poor security practices into the cloud.
Clearly defining who has access to data, for what purpose, and for how long will go a long way to securing cloud data. There are a number of people and groups who will need access to your data. These include:
So how do you provision your data, given that so many people need different levels of access? Using the right application can provide the necessary flexibility to provide access to the data, but careful considerations must be made. Who — really — needs access to the data, and for how long? Two-factor authentication and complex passwords are absolutely necessary to make sure only those who need access are getting it, and you need to ensure that those granted access are not sharing it with anyone else.
In Venio Cloud, steps were taken to ensure that when access had to be shared with a client or outside party, it could be done through secure means via email links, and those links could be turned on or off at any time. What’s more, only the necessary sections of the data would be shared, and those links expire after a set period of time. This was a function of the application, and not something limited to cloud storage.
If you are storing data in the cloud, you need to be sure that your application can support the necessary security features, including link expiration, the ability to share securely (and share only subsets of data), etc. The system should also have application audit logs, so you know what was done or what data was accessed by whom and when.
Another key element is blocking access to all back-end users. In on-premises applications, back-end access can be a common occurrence. Even though the policy might be to only give access to administrators, people come and people go, and sometimes contractors need access to your machines. Often, companies fail to purge those access rights, leaving their data more vulnerable. Venio Systems solved this problem by logging off every person, only allowing them access for a specified period of time. Only one or two people — both Venio employees — manage data, and everyone else has to prove they have a specific need for access.
In the end, sharing data has two parts: the application and the process. The application involves how you share the data, including what technology is used, how access is given (and taken away), and what protections are in place.
The process is more philosophical and involves three important questions:
This also involves keeping track of the data, using audit logs, so there’s a record of who has access to what data. And it means making the decision not to grant access to everyone to ensure the data remains secure.
It’s crucial to develop a security mindset from the first day that work begins on an application, whether that application will be deployed on-premises or in the cloud. It’s a requirement with Venio Systems that we held to when developing our own Venio Cloud platform, and it’s one your company should follow as well — and be sure your platform provider follows.
Don’t have a laissez-faire attitude regarding security. Take it seriously. Don’t assume that, because a third-party company is storing your information in the cloud, or because your IT department is taking care of storing that information on servers, that it’s not your responsibility — and your team’s responsibility — to follow secure practices. That means:
Perform a security risk analysis: This analysis, performed regularly by your own internal security team, should cover all potential risk areas, including:
Undergo third-party Pen (penetration) testing: Your company’s internal testing is not enough. It can easily miss elements that are not secure enough, or internal biases can skew the results. By bringing in an experienced third-party expert, you can expose potentially dangerous security breaches. Such testing is more effective, because it is:
Third-party tests are vital because companies tend to overestimate their own security policies and procedures at the same time that they underestimate the threats. If you ask a developer to test his or her own code, chances are they will miss the obvious issues, because they will only check what they already know to be threats. They’ll reconfirm their own ideas while missing the backdoor issues, and they’ll miss the fact that security problems can arise from within the network and not just in the form of external threats.
Third-party testing is not a one-time thing. It’s a process. Companies must undergo the test, get the results, fix the problems and then test again. And again. The threats are constantly evolving, so the security measures must be evolving as well. When companies slow down testing or stop it altogether, the other side gains a dangerous advantage.
Security on a home network can also be an issue for a number of reasons: People keep default passwords on routers, making them easy to find. Also, they are not network security experts, meaning it’s incumbent on the company to make sure that they practice safe security. Because so many people are working remotely now, it’s more important than ever for companies to take additional security precautions and provide extra training.
On-Premises vs. Cloud Security
On-Premises |
Cloud-based |
Physical Security |
Secure Site |
Local Connections |
Internet Dependent |
Behind a Firewall |
Outside of Firewall |
Designed for Internal Access |
Designed for External Access |
But when the cloud arrived, the rules changed. Suddenly, you could be anywhere, and you didn’t have to be physically close to the server holding your data. In many cases, companies using cloud-based storage don’t actually know where the servers are located. There are often multiple servers holding a company’s data, and workflows can move from data center to data center depending on the need. When cloud-based storage became popular, there were many fears initially surrounding because people didn’t know where the server was located. At that point, everything had been based on an internal perspective, meaning people felt better if they could actually see the server and felt they could build their own security measures to protect a physical server. Having an on-prem solution gave people a feeling of being in control.
The truth is, whether you’re using an on-prem or cloud-based option, the only things that change are tools you use and the amount of work you have to do. Your ability to manage some of the elements in the cloud, for example, physical security, is limited. You have no control over the specific security measures that are used. But cloud-based storage is, in all probability, more secure than anything you could provide on your own. The major providers, including Amazon and Google, have been providing secure storage solutions for years, and they are experts in the field who have all the necessary security measures in place. They have no record of unauthorized access, which means fears involving cloud security are unfounded as long as the storage is by a known provider. They have the best security tools available, and when those tools are not enough, they design their own. What’s more, they’ve developed ways to compress and store your date so not only is it more secure, it’s available globally and with low latency.
That means you shouldn’t be worried about cloud security. Instead, what you should be worried about are mistakes by your own internal teams, who is getting access, and when they’re getting it. This goes back to the security mindset your company must have to prevent internal issues from allowing access by external threats.
One advantage a cloud-based solution has over an on-prem one is in the area of connectivity. Even though the data is theoretically closer and more directly linked when it’s stored on-prem, something as simple as a clipped wire can prevent your teams from being able to access it until a repair is made. Cloud-based storage providers, on the other hand, can react faster and reroute the necessary data connections to another data center, giving you almost immediate access to your data, even in the event of a connectivity issue. In fact, many of the legal service providers that Venio Systems serves and who buy an on-prem version of our software actually deploy it on the cloud. That’s because a cloud-based solution tends to be less expensive, faster, more convenient, more reliable and, most importantly, more secure than an on-prem solution.
If you’d like to learn more about how Venio Cloud can improve your eDiscovery or investigative practice, please contact us.