
Cloud-Hosted E-Discovery Systems: Debunking Common Misconceptions about Security and Privacy

Created on February 19, 2014

e-discovery trends

This is the first in a series of posts on hosted e-discovery technologies. Future posts will explore issues around capabilities and interoperability, costs and return on investment (ROI), systems management and upkeep, and scalability.

Many organizations are currently using cloud-hosted solutions, ranging from email services, such as Gmail, to popular business applications, like Salesforce. In recent years, a growing number of e-discovery technologies have also made the ascent to the cloud. While adoption of such systems is on the rise, concerns have been raised over whether cloud-based e-discovery systems can deliver the level of security and privacy that organizations require.

Skepticism is understandable. After all, e-discovery is a legal process, and lawyers have serious ethical obligations around protecting client data. These obligations were recently inscribed into the comments of the American Bar Association (ABA) Model Rules of Professional Conduct, which state that lawyer competence involves understanding “the benefits and risks associated with relevant technology.” Additionally, several state bar associations have issued ethics opinions that specifically address cloud computing (learn more about that here). Legal and IT teams should absolutely do their homework and ask a lot of questions before investing in cloud-based e-discovery systems. In doing so, they will discover that many of the fears surrounding the cloud are unfounded.

Here are two popular misconceptions about cloud-based e-discovery systems:

  1. Data is more secure when stored on-premise versus in the cloud

This misconception is perpetuated by the notion that the security controls organizations apply to their own networks exceed those of cloud providers. In reality, reputable cloud providers make security of customer data a top priority; it's critical to the success of their businesses. In such a competitive market, a major security breach would almost surely spell doom for a cloud provider. For this reason, some experts have argued that the cloud provides more security than traditional, behind-the-firewall management. In a recent Network World article, Harold Moss, CTO of Cloud Security Strategy at IBM Security Solutions, argues that the changing nature of security threats underscores why it's a mistake for organizations to place too much trust in their own abilities to protect data. He points out that half of all data breaches now occur from within the organization (e.g. Edward Snowden and the NSA data leaks), and many organizations don't have adequate protections in place to guard against these threats.

Examples of common cloud security controls include:

  • Access controls to define user permissions
  • Built-in firewalls that allow users to control system accessibility
  • Storage encryption to protect against unauthorized access at the data center
  • Transport level encryption to protect data when it is in motion
  • Hardening of servers to protect against vulnerabilities in the system
  • Physical security and extensive background checks to protect against unauthorized physical access to data by employees or visitors at data centers
  • Redundant systems to deliver high availability

These are merely baseline security considerations. Established cloud providers, like Amazon Web Services (AWS), have a bevy of advanced security options that can be implemented at the request of their customers. For example, AWS customers concerned with transmitting data to the AWS cloud over public networks can opt for the company's Direct Connect service, which allows users to establish a virtual private network connection from their premise to AWS.

  2. Software as a Service (SaaS) e-discovery systems produce undesirable data comingling, which can compromise data privacy

It is correct that in a multi-tenancy cloud environment, a single instance of a software application serves multiple customers. It is also correct that in such environments, user data is comingled across one server. The misconception is that these are inherently bad things. In fact, users reap many benefits from the multi-tenancy setup. Since SaaS software providers need only manage one instance of a given software application, customer needs can be incorporated into the product very quickly to the benefit of all users, not just one. Regular, periodic software updates are also delivered to multiple users in a timely fashion because the software provider only needs to update one instance of software code. The importance of this can't be overstated. Budget constraints, IT resource limitations and other internal and external factors often delay on-premise software updates by many months, if not years, or preclude organizations from pursuing updates altogether. These updates can also be technically disruptive and lead to performance issues if existing configurations and integrations aren't maintained. Cloud-hosted applications eliminate these delays and the headaches that can accompany software updates.

For some people, the term 'data comingling' elicits fear that their data may be exposed to other companies using the same software application. Just as an organization's IT team is easily able to partition out a shared database, cloud vendors use exactly the same logical separation to keep one user's data from comingling with another customer's data.

It's also important to remember that users may have many options when it comes to the underlying SaaS architecture. Organizations can opt for a single-tenancy SaaS architecture, sometimes referred to as multi-instance, where a separate instance of a software application and supporting infrastructure is used by each customer. Even within the multi-tenancy framework, there are a growing number of delivery options. For example, Virtual Private Clouds allow customers to extend their private networks across isolated sections of a multi-tenancy cloud, ensuring that the customer's data remains isolated from that of other customers.

Our next entry in the cloud series will address product capabilities. Specifically, it will examine the impact cloud hosting has on product functionality and interoperability with other business systems.

Read more about how Exterro addresses data privacy and security protocols with its FusionNow™ cloud-based infrastructure here.