This paper examines the risks that law firms must consider before migrating from legacy systems to cloud-based Software as a Service (SaaS) document management solutions. It reviews current industry standards for securing privileged data housed with cloud-based providers and evaluates whether associated security and administrative procedures adequately guarantee attorney-client confidentiality while remaining flexible enough to accommodate court-ordered discovery and litigation holds. The paper surveys cloud computing concepts, deployment models, and SaaS definitions before analyzing the legal, security, privacy, and regulatory risks specific to the legal profession. It concludes that cloud-based SaaS adoption is viable for law firms, provided that appropriate risk mitigation strategies are implemented by all key stakeholders.
The invention of the internet has enabled applications to be run from remote clouds. The technology referred to as Software as a Service (SaaS) makes this possible. Applications are specially designed to run as services on remote servers, and the advantages of this technology are numerous β the primary ones being cost, security, and convenience. The legal profession has been shown to be turning to cloud-based SaaS due to waning security concerns (Taylor, 2011). These concerns have been identified as a general source of lag in the adoption of this technology by law firms.
This project examines the risks that law firms need to consider prior to migrating from their legacy systems to cloud-based SaaS document management solutions. The rationale for this project is to review current industry standards for securing privileged data housed and maintained with cloud-based software-as-a-service providers, and to evaluate whether the technology and associated internal security and administrative procedures are sufficient to guarantee adherence to the confidentiality required in attorney-client relationships, while remaining flexible enough to respond appropriately to court-ordered discovery collections or litigation holds.
Cloud computing is considered a new research domain. Because the domain is still in a developmental stage, researchers and practitioners must work together to address gaps in legal, access, security, and regulatory issues (Dlodlo, 2011). The recent emergence of large-scale data centers specializing in hosting multiple servers has led to the creation of surplus computing power and resources β collectively referred to as "the cloud." The cloud refers to a group of networked computers that effectively distribute their processing power, applications, and other system resources among member machines. As a result, computing is no longer dependent on local computers but on highly centralized facilities under the authority and operational control of third-party computing and storage providers (Foster, 2010).
Cloud computing has transformed once-expensive resources β such as storage space and processing cycles β into an affordable commodity accessible to many individuals and corporations. The deployment of Information Technology (IT) infrastructure and services over a network has made it possible for organizations such as law firms, which handle confidential information, to purchase the computing resources they need on an as-needed basis, eliminating the capital costs of hardware and software. Cloud computing therefore offers organizations the opportunity to decouple their IT needs from their infrastructure, improving the confidentiality, integrity, and availability of their data while simultaneously reducing infrastructure costs through pay-for-service models.
Kushida et al. (2010) define cloud computing as follows: "Cloud computing provides on-demand network access to a computing environment and computing resources delivered as services. There is elasticity in the resource provision for users, which is allocated dynamically within providers' datacentres. Payment schemes are typically pay-as-you-go models" (p. 2).
The National Institute of Standards and Technology (Golden, 2010) identifies five distinct attributes of cloud computing:
On-demand services: Self-service capabilities allow corporations to obtain the computing resources they need without going through traditional IT departments.
Broad network access: Corporate applications can be designed in a manner aligned with the way businesses operate in the contemporary corporate landscape.
Pooling of resources: Computing resources are pooled to serve multiple consumers efficiently.
Rapid elasticity: Resources can be scaled in accordance with demand.
Measurable service: Business units pay only for the computational resources they actually use.
The topic of cloud-based document management borrows heavily from the concepts of outsourcing and virtualization. Outsourcing is the process through which business organizations obtain services that are not central to their business model from other organizations that can provide those services efficiently. This frees the business to concentrate on its core competencies and thereby gain a competitive edge. Organizations have outsourced transport, accounting, auditing, and computing services. Virtualization, a relatively newer concept in the corporate world, describes a situation in which firms operate virtually without fixed boundaries, relying on a networked structure that depends on other organizations in building the business model. The organization may conduct its business entirely online and may not maintain physical premises. Over the past several years, there has been a paradigm shift from the traditional organization toward outsourcing and the virtual organization β and this is where the idea of cloud computing emerges.
Cloud computing is a concept that is steadily gaining acceptance and relevance in business organizations today. It is a term that has been misconstrued by many. In this context, the term "cloud" is used metaphorically to mean the internet. Cloud computing therefore refers to a type of internet-oriented computing in which services such as servers and storage are delivered to the organization via the internet on the basis of demand. This concept has gained broad acceptance in corporate circles because it allows data centers to operate much like the internet, making computing resources accessible and shareable as virtual resources in a secure environment (Allen, 2009).
In simple terms, cloud computing means taking services and moving them outside an organization and placing them on a shared system. The services are then accessed through the web rather than through the organization's own storage devices, payment is based on usage, and the infrastructure is maintained by the cloud service provider rather than the client. The term "cloud computing" has been used to encompass grid computing, utility computing, software as a service, internet-based applications, autonomic computing, and remote processing. The goal of cloud computing is to apply traditional supercomputing or high-performance computing power β normally used by research institutions β to computing tasks in a business-oriented environment (Patrizio, 2008).
The definition of SaaS can be approached in two ways. As Software as a Service, SaaS is a software delivery method that provides access to software and its functions remotely as a web-based service. It allows organizations to access business functionality at a cost much lower than that of licensed applications, since pricing is based on a monthly charge. Because the software is hosted remotely, firms need not invest in additional hardware, and SaaS eliminates the need to incur costs on installation, setup, and routine maintenance. SaaS may simply be referred to as a hosted application (SIIA, 2001).
Alternatively, SaaS can refer to Storage as a Service. In this sense, SaaS is a storage model in which an organization rents or leases storage space from a service provider. Data is transferred from the client organization to the service provider via the internet, and the client can access the stored data using software provided by the service organization. This software performs common tasks such as storage, data backup, and data transfers.
Small and medium-sized businesses have embraced this technology because it involves no significant startup costs β such as servers, hard disks, or technicians β making it cost-effective. Payment is based on the storage space used by the user, which also makes it user-friendly. In this context, it may also be referred to as hosted storage.
Platform as a Service (PaaS) is one of the three layers that together comprise cloud computing. Infrastructure as a Service (IaaS) and SaaS are the two other layers. Infrastructure is essential for cloud computing to function, and it is the responsibility of the cloud service provider to establish and maintain the necessary infrastructure.
Smart companies are examining various aspects of the cloud, pushing some applications into the cloud environment and retaining others in the traditional data center. The most significant value of cloud computing is not merely cost reduction, but agility for the entire business β creating an opportunity for firms to offload any aspect of their IT infrastructure to an outside provider. With cloud computing, organizations contract only for the services they need, at the time they need them.
Microsoft has developed a cloud-oriented Windows platform intended to support cloud-based applications. Similarly, Amazon unveiled cloud services enabling customers to run Windows Server and SQL Server databases on its Elastic Compute Cloud (EC2) platform, indicating the rapid maturation of the cloud marketplace.
There are two important facets of cloud computing: the private cloud and the public cloud. A private cloud is developed to offer the same services as the public cloud but eliminates a number of criticisms of the cloud computing model, including concerns about control over enterprise and customer information, security, and regulatory compliance.
The public cloud describes cloud computing in the traditional mainstream sense, in which resources are dynamically provided on a fine-grained, self-service basis over the internet via web applications from an off-site third party (Claburn, 2009).
In situations where organizations share similar requirements and wish to share infrastructure to realize some of the benefits of cloud computing, a community cloud may be appropriate. Costs are spread over fewer users than in a public cloud but more than a single tenant. As an option it may offer a higher level of privacy, security, and policy compliance. It can also be economically viable, as the shared resources within the community have already reached their expected return on investment (ROI) (Claburn, 2009).
Since the primary responsibility of the IT department is to provide services to the business, both private and public cloud computing may be necessary, as services must also be delivered through in-house methods. This approach is referred to as hybrid delivery by major providers including HP, IBM, Oracle, and VMware, who offer technology to manage the complexity of performance, security, and privacy concerns that arise from mixed delivery methods of IT services (Needle, 2010). Another form of hybrid deployment is hybrid web hosting, in which the hosting infrastructure mixes cloud hosting with managed dedicated servers, commonly implemented as part of a web cluster in which some nodes run on physical hardware and some on cloud server instances (Krangel, 2009).
The intercloud is an interconnected global "cloud of clouds" and an extension of the internet's network-of-networks architecture on which it is based (Bernstein et al., 2009). The intercloud would theoretically function as one machine comprising all servers and cloud nodes on the planet. The concept is based on the observation that no single cloud can have unlimited physical resources. If a cloud saturates the computational and storage capacity of its virtual structure, it cannot satisfy further service allocation requests from its clients. The intercloud concept aims to prevent this by allowing each cloud to draw on the computational and storage capabilities of the virtualization infrastructure of other clouds. The competitive utility computing market, which brought together numerous computer utilities, is conceptually analogous to the intercloud (Parkhill, 1966).
Law firm Hawkins Rosenfeld Ritzert & Varriale, LLP has relied on software-as-a-service (SaaS) since its founding to save money, cost-effectively serve its clients, and ensure business continuity in the event of a disaster.
"Cost, reliability, scalability, and compliance benefits of SaaS"
"Security, privacy, legal, and data integration risks"
"Survey methodology and four legal risk categories identified"
"Adoption considerations and risk mitigation recommendations"
You’re 36% through this paper. Sign up to read the remaining 4 sections.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.