Cloud computing is simply computers somewhere else, doling out software or hardware resources over the Internet or a local network. The inherent risks all still exist, just not on site. Despite this, the cloud has become quite popular with businesses and institutions as a way of storing and accessing data and information on demand.
Some of these institutions, including large US law firms, are slowly and reluctantly implementing the use of these services, but have fears that sensitive information could potentially be compromised (hacked) by exploiting their relatively weak security measures.
Using these services, such as IaaS (infrastructure-as-a-service), StaaS (storage-as-a-service), and PaaS (platform-as-a-service), can be both beneficial and potentially risky for those involved in the US justice system.
On one side of the cloud coin, major law firms can store an incredible amount of legal documentation that can be accessed at any given point for document management. This means that records are less likely to be lost, damaged, or misfiled than data stored locally on hard drives or in physical paper filing. Cloud services also give the end-user the ability to manage human resources more efficiently, a centrally controlled email management system (easier for containing viruses, spam checking, etc.), and a reduction in the physical hardware needed in-house, which can also reduce the costs associated with IT services.
The other side of that coin is painted in an unattractive light, and is anything but beneficial to large law firms: security risks that can potentially compromise sensitive material such as confidential client information and court litigation information. Cloud services generally use the same security measures (firewall, IPsec protocol, anti-virus protection, etc.) and encryption methods as a typical shared multi-user mainframe (server). The problem with implementing cloud defense tactics is that the services are still in their infancy, which means security measures are basic at best.
Some options could easily be integrated into the various services, potentially increasing the cloud's overall defensive posture in deterring cyber-attacks. Among them are measures implemented by the US military, including ultra-strong secure operating systems. These are based on system kernel technology (such as the Bell-LaPadula model, which enforces access control) that reinforces key security policies in the OS so that they are absolutely enforced in the system, making it extremely difficult to gain unauthorized access.
The operating systems designed using kernel-based tactics (such as Honeywell SCOMP, NSA Blacker, Boeing MLS LAN, and USAF SACDIN) are used to secure critical information along the lines of national security, classified military data, and information regarding international financial institutions.
Orange Book A-1 (taken from the DoD’s Trusted Computer Evaluation Criteria standard) is the top of the line for classified information. It’s still not completely secure, as anyone willing and able could find ways around those measures. However, adapting cloud services to use the kernel method of anti-intrusion is a very viable option for large law firms to implement. It could effectively ease the fears associated with storing sensitive legal data in a cloud environment.
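The Bell-LaPadula model mentioned above, as an added example that is not part of the original article: a minimal reference monitor in Python that applies the model's two rules ("no read up" and "no write down") to law-firm documents. The level names, matter compartments, file names and users are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sensitivity levels for a law firm, lowest to highest (assumption).
LEVELS = {"public": 0, "internal": 1, "privileged": 2, "sealed": 3}

@dataclass(frozen=True)
class Label:
    level: str
    matters: frozenset = frozenset()  # need-to-know compartments (client matters)

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as high a level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.matters >= other.matters)

class ReferenceMonitor:
    """Mediates every access against fixed labels and records each decision."""

    def __init__(self, objects: dict):
        self.objects = objects
        self.audit = []

    def access(self, who: str, subject: Label, name: str, mode: str) -> bool:
        obj = self.objects[name]
        if mode == "read":       # simple security property: no read up
            ok = subject.dominates(obj)
        elif mode == "write":    # *-property: no write down
            ok = obj.dominates(subject)
        else:
            raise ValueError(f"unknown mode: {mode}")
        self.audit.append((who, mode, name, "ALLOW" if ok else "DENY"))
        return ok

# Constructed sample objects and subjects.
OBJECTS = {
    "press_release.txt": Label("public"),
    "matter_a_strategy.docx": Label("privileged", frozenset({"matter_a"})),
    "matter_b_exhibit.pdf": Label("sealed", frozenset({"matter_b"})),
}
PARALEGAL = Label("privileged", frozenset({"matter_a"}))
INTAKE = Label("internal")

def demo() -> list:
    rm = ReferenceMonitor(OBJECTS)
    rm.access("paralegal", PARALEGAL, "matter_a_strategy.docx", "read")   # own matter
    rm.access("paralegal", PARALEGAL, "matter_b_exhibit.pdf", "read")     # read up
    rm.access("paralegal", PARALEGAL, "press_release.txt", "write")       # write down
    rm.access("intake", INTAKE, "matter_a_strategy.docx", "write")        # write up
    rm.access("intake", INTAKE, "matter_a_strategy.docx", "read")         # read up
    return [decision for *_, decision in rm.audit]
```

The write-down denial is the case discretionary permissions miss: a process that has read privileged material cannot copy it into a public file, whatever the user running it intends.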