Using cloud services
Key points:
- Ensure you cannot be locked in (or that you can live with the consequences)
"It's not the cloud; it's someone else's computer"
The term "cloud" conjures up a fluffy, amorphous place in the sky where your data are held. When you store your data in a "cloud" service, you are simply storing your data on someone else's computer (or, more likely, computers).
If you are not paying for online services, how are they making money?
If you are not paying for the service you are using beyond a trial period, have a think about how they are making money.
Running servers at scale is not cheap, and a common online business model is to use data relating to users of the services to make money – perhaps using it to target advertising, or even selling it (or insights based on it) to third parties.
A common mantra is that, if you are not paying, you are the product.
If you are not paying, you should also check what (if any) support is available to you, and whether you have any recourse if they decide one day to just switch off their services.
To mitigate this risk, take regular backups of your data and store them somewhere else. Test those backups, and check they are in a format which you can import into another service or piece of software.
Check your professional conduct rules
Check your local rules of professional conduct regarding the use of subcontractors generally and cloud computing specifically.
Although this wiki is definitely not about legal advice, you might need to draw your clients' attention to the use of cloud computing systems, and are likely to need to carry out due diligence on your providers' confidentiality and resiliency practices.
Canada
British Columbia: Cloud computing checklist v. 2.0 [Updated May 2017]
New Zealand
United Kingdom
The Law Society of England and Wales produced a practice note on cloud computing, but it appears to have been withdrawn.
Bar Council: Cloud computing – security issues to consider
USA
Check if the provider has access to your data
Some providers build their services in a way that the only data stored on their platform are encrypted, with a key that only you hold.
Others operate by storing your data in a way which makes it accessible to them.
Check that the way in which they operate is suitable for your needs.
Encrypt files before uploading them
If the cloud service you are looking at is a file storage service (e.g. Dropbox), encrypt your files before you upload them to the service.
That way, you are not reliant on their encryption or security, and your data should be safe from unwanted access if their servers are compromised.
For example, use Cryptomator or Boxcryptor.
They may have much better security and resiliency than you could
Well-resourced and competent providers will employ superb and dedicated security teams, far better than you could do yourself.
Similarly, their infrastructure is likely to be better maintained than yours and, if there is a problem, fixing it is their problem, and not yours.
Check if you can be locked out and prepare accordingly
Check their terms of service: do they permit unfettered rights to suspend your service, or lock you out of your account?
Frankly, even if they do not say that they can do this, you are better-protected if you work on the basis that, at any point, your access to the service could be suspended.
Before it happens:
- Take regular, automatic, backups, so that you are not left without your data.
- Identify a suitable replacement / alternative service, so you can get going again quickly
Check that their service level agreements, and the remedies for failing to meet them, meet your needs
If the service is critical to your firm (for example, a document management system, or matter management system), check their service level agreements:
- what is their timescale for responding to support requests?
- what is their uptime? Do they have a means where you can check the status of their services easily?
What are the fallbacks if they fail to meet their service level promises? Do you have any meaningful recourse?
Check their backup procedures
Check how often they back up their systems, and how quickly they can restore them if they have a problem.
While having your own backups is essential, if you have to reload your data onto the service, you are limited by the upload speed of your Internet connection. If you are talking about a significant volume of data, that could take hours or even days.
Ensure you cannot be locked in
Check that you can export your data readily.
This might be the same as taking a backup, or it might be a separate, dedicated, way of exporting your data.
Check the format in which you can export your data: does it come out in a way which enables you to load it into another service or piece of software?
If you cannot readily export your data, there is a strong risk of being locked into that service β if they change their prices, you might have no real option but to pay the increase, and, worse, if their service degrades, you may find yourself stuck with a sub-optimal experience.
Check where they are storing your data
Are their (or, perhaps more likely, their provider's) servers in a jurisdiction which could be problematic to you? (For example, where local laws might permit a third party to access your data without telling you?)
Depending on your local legal requirements, you might need additional contractual protection, beyond their normal terms of service.