{"id":30429,"date":"2024-05-07T12:45:00","date_gmt":"2024-05-07T16:45:00","guid":{"rendered":"https:\/\/abovethelaw.com\/?p=1057005"},"modified":"2024-05-07T12:45:00","modified_gmt":"2024-05-07T16:45:00","slug":"cloud-security-advice-for-law-firms","status":"publish","type":"post","link":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/","title":{"rendered":"Cloud Security Advice For Law Firms"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-378512\" src=\"https:\/\/abovethelaw.com\/wp-content\/uploads\/sites\/4\/2015\/06\/Hacker-typing-on-a-laptop-Article-201408011552-300x181.jpg\" alt=\"Hacker typing on a laptop\" width=\"300\" height=\"181\" \/><em><u>Ed. note<\/u>: This is the latest in the article series,\u00a0<strong>Cybersecurity: Tips From the Trenches<\/strong>,\u00a0by our friends at\u00a0<a href=\"https:\/\/senseient.com\/\">Sensei Enterprises<\/a>, a boutique provider of IT, cybersecurity, and digital forensics services.<\/em><\/p>\n<p>With amazing speed, we\u2019ve become a very mobile society. Mobile phones are the main computing device for most people. To support a mobile environment, cloud services are growing by leaps and bounds. In the last several years, we can only recall one instance of implementing an on-premises server for a law firm. Just one. And that solution was a non-negotiable demand from the law firm\u2019s largest client. Apart from that one exception, law firms are universally accepting a cloud first mentality.<\/p>\n<p>It is one thing to provide technology to support the business function, but many law firms don\u2019t pay much attention to securing the cloud environment. They trust the vendor to provide secure cloud applications for the firm. 
However, many lawyers (especially solo and small-firm attorneys) don\u2019t know that their own actions can make a secure vendor cloud service very unsecure.<\/p>\n<p><strong>Best Cloud Practices from CISA and NSA<\/strong><br \/>\nIn March of this year, CISA (Cybersecurity &amp; Infrastructure Security Agency) and the NSA (National Security Agency) released five joint Cybersecurity Information Sheets (CSIs) with guidance on recommended best practices for improving cloud security. The five CSIs are:<\/p>\n<ul>\n<li><a href=\"https:\/\/media.defense.gov\/2024\/Mar\/07\/2003407866\/-1\/-1\/0\/CSI-CloudTop10-Identity-Access-Management.PDF\">Use Secure Cloud Identity and Access Management Practices<\/a><\/li>\n<li><a href=\"https:\/\/media.defense.gov\/2024\/Mar\/07\/2003407858\/-1\/-1\/0\/CSI-CloudTop10-Key-Management.PDF\">Use Secure Cloud Key Management Practices<\/a><\/li>\n<li><a href=\"https:\/\/media.defense.gov\/2024\/Mar\/07\/2003407861\/-1\/-1\/0\/CSI-CloudTop10-Network-Segmentation.PDF\">Implement Network Segmentation and Encryption in Cloud Environments<\/a><\/li>\n<li><a href=\"https:\/\/media.defense.gov\/2024\/Mar\/07\/2003407862\/-1\/-1\/0\/CSI-CloudTop10-Secure-Data.PDF\">Secure Data in the Cloud<\/a><\/li>\n<li><a href=\"https:\/\/media.defense.gov\/2024\/Mar\/07\/2003407859\/-1\/-1\/0\/CSI-CloudTop10-Managed-Service-Providers.PDF\">Mitigate Risks from Managed Service Providers in Cloud Environments<\/a><\/li>\n<\/ul>\n<p>Even if you are not personally responsible for securing your firm\u2019s cloud technology, the CSIs will give you insight into what you should be doing to protect your data in the cloud. Reviewing the CSIs will also help you assess how well your cloud providers are securing your data. We can\u2019t cover all the points referenced in the CSIs, but we will discuss a few that are easy to implement.<\/p>\n<p><strong>Cloud Access<\/strong><br \/>\nThe starting point is getting access to the cloud and the data stored there. 
Just like accessing any computer system, you should be using MFA to log on. You may be limited by the cloud provider as to which MFA method you can use. Our preference is to use push notifications via an authenticator app if available. Hardware tokens are better yet, but most firms won\u2019t have that as an option unless they have a high level of control over the cloud.<\/p>\n<p>Access to the cloud is usually under the direct control of the firm. The firm defines the users that are authorized and what restrictions may be imposed upon each user. When you hear about cloud data breaches, a very large number are due to mistakes made by the end user. Weak passwords, lack of MFA, and password reuse are just some of the poor security practices that help attackers gain unauthorized access to the firm\u2019s cloud environment.<\/p>\n<p><strong>Separation of Duties<\/strong><br \/>\nAnother area to consider is separating out user functions and responsibilities. Think of it as the two-person rule when launching nuclear weapons. Both codes\/keys must be valid in order to launch. Separating out duties achieves a very similar function in the cloud. No one person can take complete control of critical aspects of the operation. The end result is minimal damage should one user\u2019s credentials be compromised.<\/p>\n<p><strong>Network Segmentation<\/strong><br \/>\nSegmenting the network means \u201cchopping\u201d up traffic into smaller sections that are isolated from one another. Firewalls are used to restrict which traffic is allowed for each defined section. Not only does this keep authorized usage within the segment, but it also minimizes any negative impact should an attacker land within the segment. The firewalls help confine any malicious activity to the compromised segment instead of allowing full lateral movement within the network. You can see how critical that defense could be. 
Another bonus is that network segmentation is part of zero trust architecture (ZTA), which is becoming increasingly mandatory.<\/p>\n<p><strong>Encryption<\/strong><br \/>\nAnother key element in securing the cloud is utilizing encryption. It probably goes without saying that all network traffic should be encrypted. This means not only the traffic between the user and the cloud, but also traffic within the cloud environment. Don\u2019t forget to encrypt any data at rest too. The CSIs identify various encryption algorithms and standards that should be followed.<\/p>\n<p><strong>Managed Service Provider Risks<\/strong><br \/>\nIn our experience, most firms do not wholly implement and control their cloud environments. Managed service providers (MSPs) are used to provide much of the firm\u2019s cloud needs. This puts a lot of trust in the hands of the MSP. There is an entire CSI focused on mitigating the risk of MSPs in a cloud environment.<\/p>\n<p>As firms go through the MSP selection process, consideration of the MSP\u2019s security operations is a key part of due diligence. Besides following the best-practice recommendations in the CSI, we would also suggest focusing on the responsibilities and liabilities of the MSP when dealing with a security incident and any potential data breach. Many of the MSP contracts we\u2019ve seen attempt to shed liability for any data breach. Make sure that language does not exist in your MSP contract.<\/p>\n<p><strong>CIS Controls<\/strong><br \/>\nIn addition to the CSIs from CISA and NSA, the Center for Internet Security (CIS) has Critical Security Controls. CIS Controls V8 is the current version. CIS Control 3 and CIS Control 16 are particularly relevant for cloud environments, as they deal with data protection and application software security, respectively.<\/p>\n<p><strong>Convenience vs. Security<\/strong><br \/>\nYou have certainly read about and probably even experienced the movement towards the implementation of single sign-on (SSO). 
The intent of SSO is to make it a lot easier for you to gain access to multiple systems without having to log in to each one individually. In other words, it\u2019s convenient. Does it really work? Yes and no. From what we\u2019ve seen so far, each vendor seems to have its own way of trying to seamlessly integrate application access. The methods and successes vary. It\u2019s been a bumpy road for some and smooth sailing for others.<\/p>\n<p>Most of the SSO activity we\u2019ve seen recently is due to vendor acquisitions. The acquiring company wants its users to access the resources of the new entity as quickly as possible and without a separate login. Rather than migrate the new company\u2019s application and data, SSO is rolled out to \u201cmerge\u201d everything together. Frankly, we think it is more of a bolt-on band-aid than an integration.<\/p>\n<p>Here\u2019s where we\u2019ll get a little controversial. While SSO can be seen as a convenience, we see it as a security risk and would much rather see separate logins to the data and applications, something like network segmentation at the application layer. If a user\u2019s login credentials are compromised, the attacker has much more access if SSO is implemented. Obviously, the security of the environment is dependent on how well SSO is implemented, but we would rather see true system\/data integration as a design goal.<\/p>\n<p>We\u2019re also not fans of systems that allow for alternate logins using other system credentials such as \u201cLogon with Google,\u201d or \u201cLogin with Facebook.\u201d Linking across accounts is another way for an attacker to gain access to multiple systems with a single set of compromised credentials. So, what is your firm doing right or wrong? 
Are you carefully monitoring what your MSP is doing?<\/p>\n<p>As we\u2019ve watched the recent torrent of law firm data breaches, it seems to us that oversight of MSPs by law firms is often lax.<\/p>\n<p><strong>Final Thoughts<\/strong><br \/>\nIt can take a very long time for a law firm to build a solid reputation \u2013 and that reputation can be lost by a single cyberattack.<\/p>\n<hr \/>\n<p><strong><em>Sharon D. Nelson (snelson@senseient.com) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.<\/em><\/strong><\/p>\n<p><strong><em>John W. Simek (jsimek@senseient.com) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.<\/em><\/strong><\/p>\n<p><strong><em>Michael C. Maschke (mmaschke@senseient.com) is the CEO\/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional. 
<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p class=\"summary\">A firm&#8217;s own actions can make a secure vendor cloud service very unsecure.<\/p>\n","protected":false},"author":86,"featured_media":378512,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[11],"tags":[11496,258,11499,1226,9731,7,11268],"class_list":["post-30429","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-cloud-security","tag-cybersecurity","tag-cybersecurity-infrastructure-security-agency","tag-national-security-agency","tag-sensei-enterprises","tag-technology","tag-zero-trust-architecture"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cloud Security Advice For Law Firms - Above The Law&#039;s Legal Tech Non-Event<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cloud Security Advice For Law Firms - Above The Law&#039;s Legal Tech Non-Event\" \/>\n<meta property=\"og:description\" content=\"A firm&#039;s own actions can make a secure vendor cloud service very unsecure.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/\" \/>\n<meta property=\"og:site_name\" content=\"Above The Law&#039;s Legal Tech Non-Event\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-07T16:45:00+00:00\" \/>\n<meta name=\"author\" content=\"Brian Dalton\" \/>\n<meta 
name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Brian Dalton\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/\",\"url\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/\",\"name\":\"Cloud Security Advice For Law Firms - Above The Law&#039;s Legal Tech Non-Event\",\"isPartOf\":{\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2024-05-07T16:45:00+00:00\",\"dateModified\":\"2024-05-07T16:45:00+00:00\",\"author\":{\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/#\/schema\/person\/c90ecdd660543c781c8f923b49840db7\"},\"breadcrumb\":{\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\
/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cloud Security Advice For Law Firms\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/#website\",\"url\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/\",\"name\":\"Above The Law&#039;s Legal Tech Non-Event\",\"description\":\"A Legal Tech Adoption Guide For Perplexed Lawyers\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/#\/schema\/person\/c90ecdd660543c781c8f923b49840db7\",\"name\":\"Brian Dalton\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/173e997e634d3703349d56132b2f05d9a1282b8e0b3e43a7d4342025ddfcc15b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/173e997e634d3703349d56132b2f05d9a1282b8e0b3e43a7d4342025ddfcc15b?s=96&d=mm&r=g\",\"caption\":\"Brian Dalton\"},\"description\":\"Brian is a graduate of Middlebury College and Fordham Law. He joined Breaking Media in October 2011 after spending seven years at Vault.com, most recently as Director of Research and Consulting. 
Before that, he was, among other things, an associate at a Manhattan law firm, a French teacher in Brooklyn, a Peace Corps volunteer in Mali, and a security guard at a waterslide park in Albuquerque, NM.\",\"sameAs\":[\"http:\/\/breakingmedia.com\"],\"url\":\"https:\/\/abovethelaw.com\/legal-innovation-center\/author\/brian-dalton\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cloud Security Advice For Law Firms - Above The Law&#039;s Legal Tech Non-Event","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/","og_locale":"en_US","og_type":"article","og_title":"Cloud Security Advice For Law Firms - Above The Law&#039;s Legal Tech Non-Event","og_description":"A firm's own actions can make a secure vendor cloud service very unsecure.","og_url":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/","og_site_name":"Above The Law&#039;s Legal Tech Non-Event","article_published_time":"2024-05-07T16:45:00+00:00","author":"Brian Dalton","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Brian Dalton","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/","url":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/","name":"Cloud Security Advice For Law Firms - Above The Law&#039;s Legal Tech Non-Event","isPartOf":{"@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/#website"},"primaryImageOfPage":{"@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#primaryimage"},"image":{"@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#primaryimage"},"thumbnailUrl":"","datePublished":"2024-05-07T16:45:00+00:00","dateModified":"2024-05-07T16:45:00+00:00","author":{"@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/#\/schema\/person\/c90ecdd660543c781c8f923b49840db7"},"breadcrumb":{"@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/2024\/05\/07\/cloud-security-advice-for-law-firms\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/abovethelaw.com\/legal-innovation-center\/"},{"@type":"ListItem","position":2,"name":"Cloud Security Advice For Law 
Firms"}]},{"@type":"WebSite","@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/#website","url":"https:\/\/abovethelaw.com\/legal-innovation-center\/","name":"Above The Law&#039;s Legal Tech Non-Event","description":"A Legal Tech Adoption Guide For Perplexed Lawyers","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/abovethelaw.com\/legal-innovation-center\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/#\/schema\/person\/c90ecdd660543c781c8f923b49840db7","name":"Brian Dalton","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/abovethelaw.com\/legal-innovation-center\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/173e997e634d3703349d56132b2f05d9a1282b8e0b3e43a7d4342025ddfcc15b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/173e997e634d3703349d56132b2f05d9a1282b8e0b3e43a7d4342025ddfcc15b?s=96&d=mm&r=g","caption":"Brian Dalton"},"description":"Brian is a graduate of Middlebury College and Fordham Law. He joined Breaking Media in October 2011 after spending seven years at Vault.com, most recently as Director of Research and Consulting. 
Before that, he was, among other things, an associate at a Manhattan law firm, a French teacher in Brooklyn, a Peace Corps volunteer in Mali, and a security guard at a waterslide park in Albuquerque, NM.","sameAs":["http:\/\/breakingmedia.com"],"url":"https:\/\/abovethelaw.com\/legal-innovation-center\/author\/brian-dalton\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/posts\/30429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/comments?post=30429"}],"version-history":[{"count":0,"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/posts\/30429\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/media?parent=30429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/categories?post=30429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abovethelaw.com\/legal-innovation-center\/wp-json\/wp\/v2\/tags?post=30429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}