Cloud computing is an excellent way for Barristers Chambers to reduce their IT overheads, enhance the efficiency of their network and improve their business continuity solutions. However, there is no escaping the fact that cloud computing has had its fair share of associations with security problems, many of which have been written about in the media. Although technology has improved vastly to ensure that data breaches are rare, it is still imperative that Barristers are aware of the risks involved in cloud security to ensure that legal compliance regulations are satisfied. In particular, it is important to quiz any potential or existing cloud services providers about their architecture and processes so that Chambers can be absolutely certain that their client data is protected.
Here are some key areas that need to be assessed.
What Data Encryption Services Are Available?
Due to the sensitive nature of the highly confidential client data that is held within Chambers systems, it is vital that cloud security procedures include advanced data encryption techniques. Cloud services providers should be able to answer questions regarding when and where data is encrypted. Ideally, data should be encrypted both in transit and at rest. Some network connections which are used to access the cloud area may not be secure, so data must be encrypted in transit to ensure that it is not intercepted along the way. Additionally, data should be secured by encryption while it remains static within the cloud server’s storage location.
It is also wise to find out about the storage of encryption keys. They should be located within a secure database which must be both physically and logically separated from the encrypted files themselves.
Who Is Responsible For Which Areas Of The Cloud?
In a cloud services arrangement, it can sometimes be unclear who is responsible for which particular areas of the cloud and where the boundaries lie. Barristers must be certain about the cloud services that they have purchased and whose authority they fall under. In a typical scenario the cloud services provider (CSP) would manage the physical premises, network and servers that the cloud solution operates from. They would be responsible for everything up to the hypervisor stack, at which point accountability would fall to the client for the data contained within the cloud storage location.
How Is Data Isolated From The Storage Of Other Customers?
One of the ways in which CSPs are able to provide affordable and flexible data storage solutions for businesses is by storing data belonging to multiple different clients on the same physical server. They are able to do this by utilising a virtualisation technology model which stores data on a physical server then distributes copies of such ‘assets’ across a range of other servers. Data is kept isolated from other cloud customers by using electronic partitioning within the cloud software. Chambers will want assurance that their confidential client data could not possibly be accessed by any other individual or organisation whose data is stored on the same server. It is vital that CSPs provide details of their virtualisation model to satisfy these cloud security concerns.
What Sort Of Penetration Testing And Cloud Security Certification Has Been Achieved?
The reputation of a cloud services provider relies on its ability to be protected from a cyber-attack. However, the reputation of Chambers is also very much dependent on its competence at keeping client data safe. Therefore it is essential that Chambers chooses a CSP with proof of cloud security certification and recent evidence of penetration testing. There are various certifications in place for information handling. Standards for compliance include the PCI DSS qualification, whilst an SSAE-16 audit verifies that a CSP data centre has achieved rigorous levels of physical security, access and internal controls.
Is A Least Privilege Model In Use?
The principle of least privilege (POLP) is a security model which is used in many different technical scenarios. It works by assigning each user the lowest level of access privileges that still enables them to do their job. It is essential that a CSP employs the POLP in cloud security to safeguard the underlying infrastructure from any credential hijacking or malicious insiders who may modify the network within which Chambers data is stored.
We are experts in providing cloud computing solutions for the legal sector and will ensure that your infrastructure complies fully with regulations set by the Bar Council, the Attorney General and the Information Commissioner’s Office. If you’d like guidance on switching to a cloud-based environment, then why not call us today on 0203 355 7334 for a free IT consultation.