3 Reasons Why the Cloud is More Secure than Your Server
Joshua Lenon – Lawyer-in-Residence @joshualenon
Doug Edmunds – Asst. Dean for Information Technology @unclawinfotech
Agenda
• Cloud Overview (5 minutes)
• 3 Reasons the Cloud is More Secure
– Economies of Scale (5 minutes)
– Cybersecurity Framework (10 minutes)
• Framework vs. Confidentiality Duties
– Lightning Advancement (10 minutes)
• Guest: Doug Edmunds (20 minutes)
• Takeaways (5 minutes)
• Questions (5 minutes)
Instructors
Joshua Lenon
• Lawyer, admitted in New York
• Lawyer-in-Residence for Clio
Doug Edmunds
• Assistant Dean for Information Technology at University of North Carolina at Chapel Hill - School of Law
NIST Cloud Definition
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
Source: NIST Definition of Cloud Computing; Special Publication 800-145
Cloud Economies
• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Simplification of Compliance Analysis
• Data Held by Unbiased Party
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
Source: Cloud.CIO.gov
Law Firms Current Security
• 47% have no documented disaster recovery plan
• Only 39% have an intrusion detection system
• Only 36% have an intrusion prevention system
• 32% never have outside security assessments performed
• Only 14% keep server logs
• 2% have ISO 27001 certification
Source: 2013 ILTA Tech Survey
Federal Labor Relations Authority (FLRA) Case Management System
• 88% reduction in total cost of ownership over a five-year period
• Eliminated up-front licensing cost of $273,000
• Reduced annual maintenance from $77,000 to $16,800
• Eliminated all hardware acquisition costs
• Secure access from any Internet connection
• Ability to operate and access case information from any location in the world, supporting the virtual enterprise
Source: Cloud.CIO.gov
Cybersecurity Framework
• “Framework for Improving Critical Infrastructure Cybersecurity”
• Published by NIST in February 2014
• Provides Core, Tiers and Profiles
Cybersecurity Framework: Cores
Source: NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” 02/14/2014
Cybersecurity Framework: Tiers
• 4 Tiers:
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
“Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”
Cybersecurity Framework: Tiers
• Tier 3: Repeatable
– Formal risk management policies with reviews
– Organization-wide approach with training
– Collaborates with outside partners on risk management
• Tier 4: Adaptive
– Adapts security based on lessons & predictions
– Security is part of corporate culture with continuous improvement
– Actively shares information with partners
Cybersecurity Framework: Profiles
• Current: security outcomes being achieved
• Target: outcomes needed to meet goals
• Compare Current and Target Profiles to identify gaps in security processes
Model Rules of Professional Conduct
• Rule 1.1 – Competency
– “lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”
• Rule 1.6 – Confidentiality
– “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…”
Model Rules of Professional Conduct
• Rule 5.3 – Responsibilities Regarding Nonlawyer Assistants
– “person's [nonlawyer] conduct is compatible with the professional obligations of the lawyer…”
28% of solo and small firms have no process for updating their computers.
Source: 2013 ILTA Tech Survey
Lightning Advancements
• Cloud Services move at the speed of the internet.
• Real-time monitoring and upgrades keep your Software-as-a-Service on the cutting edge.
“When weaknesses are discovered in cryptographic systems, the system will not necessarily become suddenly insecure.”
Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’
“Such discoveries impel migration to more secure techniques, rather than signifying that everything encrypted with that system is immediately insecure.”
Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’
Carolina Law - Background
• Part of UNC-Chapel Hill, nation’s oldest degree-granting public university
• Law school founded 1845
• Charter member of ABA – 1920
• Approx. 740 students; 63 tenure-track faculty; 35+ adjuncts
• 6 clinics with 70-80 students per year
Clinical Program - Challenges
• Aging hardware
• Bad software support
• Short staffing
• Limited funding
• Campus security policies
• Skepticism of university counsel
Photo source: http://tinyurl.com/lk5hy4u
Old Model vs. New Model
Time Matters – Local
• Poor support for Macs
• Software upgrades difficult
• No redundancy – single server in place
• Vendor difficult to reach
• Students frustrated, faculty jaded
Clio – Cloud
• Operating system agnostic
• Software upgrades totally transparent
• Geolocation of data centers and fully redundant
• Excellent vendor support and self-help resources
• Students and faculty love it
Security
Local Solution
• Security = just one thing your organization does
• Cobbled together, piecemeal
• Few if any guarantees
• Knowledge deficient
• No formal access controls
Cloud Solution
• Data center’s reputation & business depend on it
• Multi-layered, robust
• Guarantees in Service Level Agreement
• Expertise
• Monitored, controlled environment
Policies & Procedures
• Rule #1 – Cloud adoption should not be based solely on convenience
• Rule #2 – Implement consistent metadata/tagging standards
• Rule #3 – Leverage version control
• Rule #4 – Require security awareness training
• Rule #5 – Prohibit “rogue agents”
Mobility & Agility
• True anytime, anywhere access
• Security is “baked in” rather than “bolted on”
• Accessible across platforms/devices
• No downtime due to server outages
Photo source: http://tinyurl.com/l7wgd45
Takeaways
• Cloud computing economies of scale provide security and service that cannot be matched by individual installations
• Organizations large and small are shifting to cloud-based services for increased savings
• Robust frameworks for measuring and mitigating risks are being developed for cloud services
• Cloud services are best suited for cutting edge implementations
Action Items
• Read state ethics opinions on technology
• Commit to a cybersecurity review
– Document:
• Cores
• Tiers for Firm and Vendors
• Current vs. Target Profiles
• Download the Cybersecurity Framework Core Exercise on GoClio.com/Blog
Thank You
Doug Edmunds [email protected] @unclawinfotech linkedin.com/in/dougedmunds
Joshua Lenon [email protected] @JoshuaLenon linkedin.com/in/joshualenon