
Michael N. Dundas

A place to record my thoughts and musings.

Archive

Category: Cloud Computing
http://www.flickr.com/photos/room929/428260081/


Nicole Garton-Jones submitted on slaw.ca today a post entitled Practicing Law on the Road: the Role of the Cloud and the Emergence of the Virtual Law Firm.  In it she highlights the idea of working remotely and using VoIP, Cloud computing and virtual desktops along with your PDA and laptop devices.  Especially when it comes to law firms, my experience is they are often slower to adapt to technological changes than other industries due to a combination of tradition and a general need to follow government laws and procedures enforced by their professional organizations.  It is nice to see a lawyer promoting these technologies; I think that is great for the legal industry.

In her post, she discusses cloud computing, laptops and PDAs and touches on security.  I feel that security needs to be given a much more serious discussion.  My experience consulting with small companies and law firms is that they typically do not give security enough time, consideration, or expertise before choosing a technology path.  There are many reasons for this, with cost, resources, and time being the main factors.  It is usually discussed when a laptop with sensitive data goes missing, someone realizes there is a keystroke logger on their system, or their server data has been compromised and is leaking onto the Internet, bypassing the firewall, IDS, anti-virus, and the notice of the system administrators or third party companies hired to provide system administration and security.

Cloud computing offers many advantages and cost savings to companies.  It also brings with it the concern of your data being stored off-site, out of your direct control.  With large cloud computing vendors such as Amazon and Google, your data could be across the world in a foreign country and the laws that apply to the protection of that data probably differ from those in your home country.  This has been a topic of discussion for a while now in the Cloud computing arena.  One of the suggestions is to use a ‘private’ cloud.  This is typically a cloud that you own or have more control over where the data is stored.  For example, Canadian Cloud offers a guarantee that “…data are safe and secure on hardware located in Canada, and subject only to Canadian laws and regulations..”  This resolves international issues when it comes to control of data and is appealing.  However, there is much more to consider before choosing a provider.  While Amazon, Google and other large companies are international, they also have the size to attract security professionals that are very knowledgeable and current.  They can afford the resources to properly monitor against attacks to steal your data.  Google recently publicized the discovery of China conducting espionage on its systems.  Will a provider of a smaller cloud offering have the resources to detect such attacks?  If you install your own cloud, do you have the resources to hire individuals capable of detecting these types of attacks?  One could argue that not using Amazon or Google is less secure and you have more risk exposure.  My point is that companies and firms need to consciously assess these decisions based on the sensitivity of the information they are thinking about storing on a cloud system.

Laptop security is still as important whether the cloud is present or not.  It makes sense for an attacker to go after the weakest link and that is almost always the end user device.  Although one may suggest that all the information is on the virtual desktop on the cloud, there may be cases where data needs to be pulled locally.  If this is the case and the data is sensitive you will require encryption.  Even if data is not stored on the laptop ever and therefore there is no need for encryption and the management tasks it brings, installation of malware that will capture keystrokes and gather screen shots is invaluable on the laptop of a lawyer involved in a sensitive case.  This software exists in many places and is easily obtained and deployed.  Proper user device security does not go away.

Between iPhone and Blackberry, currently the Blackberry is much more secure than an iPhone.  Blackberry has the infrastructure including BES servers which allow enforcement of detailed security policies along with a robust management architecture.  BES servers offer the ability to remotely wipe a lost Blackberry as well as the ability to track the location of the phone remotely.  The Blackberry device itself has the ability to wipe all data via a menu option or by simply entering the wrong password a configurable number of times.  By comparison, the current iPhone can have a password in place, but bypassing it is easy once you have the physical device and security policies can be easily overridden by the user of the device.  I fully expect the iPhone to improve in this area as it targets the business market, but currently this is the general state of security with the iPhone.  A company that deploys iPhones or Blackberries needs to consider the type of data on these devices and the required security.  While many users prefer the iPhone over the Blackberry, you are making a security decision when you make this decision as well.  Best to make it consciously and understand the risks you are assuming with your firm's and clients' data.

Companies and firms need to consciously assess the security requirements of their data independent of any one technology.  Once this is completed, choose and deploy solutions and services that meet those requirements balancing off risk, cost, and convenience.  While there is no such thing as 100% security, you can consciously minimize this exposure, and manage the risk.

How confident is your company or firm that data stored on your local servers, cloud infrastructure, laptops, PDAs and other devices is secure, and can not be extracted or viewed without proper authorization?  If your data was being extracted or viewed without authorization would your security team detect it?  If not, why not?

I wrote a post in June on companies that choose to outsource their email, specifically using Gmail.  A London, Ontario based lawyer named David Canton recently published an opinion here.

A few months back I read a post by CEO Michael Hyatt on why he liked Gmail and why he was having his staff investigate switching their corporate email from Microsoft Exchange to Gmail.  This sparked my interest from the perspective that if he would consider it, other CEOs and companies would probably give outsourcing I.T. to Google serious consideration as well.

I have been looking at Gmail and the other Google services for completely different reasons, but I have to say that I agree with all his points.  The only reason I can think of that you would not want Google to manage your corporate email would be control reasons.  You no longer have physical control of the servers and functionality that house your email.  This could be a problem for certain groups or businesses where privacy is extremely important as well as potential repercussions if the emails were to become public.  Google states they give you complete control over your email on their system, but that statement is technically not completely truthful.  Google also has access to your emails.  Suppose an employee of Google read and extracted your emails.  Sure, Google would discipline and probably let the employee go assuming they could find out who was responsible, but what if the impact is large?  What if, for example, the emails of a women’s shelter using the Gmail service were published on the Internet?  What if emails from a law firm concerning a sensitive and active court case were to be posted?  Can you sue Google?  And even if you are successful, it doesn’t change the impact of those emails becoming public.  I have commented on similar privacy implications before here.

The fact is when you outsource a service or function, you are giving up some control and security, no matter what any company tells you.  In many cases it might be well worth the cost, but it is important to assume this risk consciously.  Does anyone remember Hushmail? (They are still around).  For years they boasted that even Hushmail could not read your email because it was encrypted in storage with PGP encryption.  Without your passphrase or private key that you provide to connect to their service, decryption was not possible.  A company using their service was being investigated by the DOJ.  Despite PGP, Hushmail was able to provide them with all the relevant emails of the company that were stored on the Hushmail servers.  Yes, any company or citizen must comply with a court order, but technically they should not have been able to and they advertised this fact.  I am not advocating not complying with a court order; obviously that would be bad for any business.  But, if a government can go to an outsourced company, provide a court order for a hosted company's email, documents, calendars, and part of the order is they are not to communicate any knowledge of or actions resulting from the court order, their hands are tied and you don’t know anything about it.  If you host your own email at least they have to serve you with the court order so you know something is up.  The applicable laws may be different too.  Google servers are housed in the United States which I believe brings them under U.S. law.  This could have implications as well.

Anybody contemplating using GoogleDocs or any other cloud computing system for their business documents might want to re-think that decision or at the very least, include it in the risk matrix when making that decision.  It took 10 days to fix and notify which I suppose is good in today’s world.  It does however highlight the risks of putting data on a cloud computing platform that you effectively do not have administrative control of.  A thoughtful analysis of what an outsider thinks the process was at Google — probably pretty accurate in my opinion.

“There is a distinct difference between secrecy and privacy.” – Alanis Morissette, Interview

I heard that quote a few years ago; it is one that has always stuck with me.  Personally, I am a big proponent of respecting privacy, but secrecy is an entirely different thing.  Where the line is drawn depends on each individual unfortunately.

Previously, when doing security consulting for businesses, one of the common themes was the employer's ability to access email, files, voice mail and even phone conversations of an employee if they felt it was necessary.  Taking email for example, most employers feel they have a right to read any email that enters or leaves their company network, regardless of whether it is private in nature or not.  I have been given arguments that the employer owns the equipment and the network and is ultimately responsible and must have the ability to do these types of activities if they feel it necessary.  I had a discussion with an individual that was a senior executive that felt very strongly in favour of this opinion.  I then gave him a scenario where he was collaborating with another company in a different province and the conversations were around some trade secrets or business that was sensitive in nature.  I asked him if it would be okay if his upstream ISP or one of the ISPs along the path captured and read his email correspondence with this company.  His response was an absolute ‘no’ it would not be okay.  I then stated that it is the ISP's network, they are ultimately responsible for the security and integrity of it.  Two things happened.  First he didn’t like the conversation anymore, that became very obvious.  Second, he made some statement about it being ‘different’ and changed the topic.  This made me realize that everyone wants secrecy for themselves, but does not want anyone to have secrets kept from them.  Yes, a very obvious statement, but I think it also comes down to that simple concept which drives all these debates, discussions, and laws or lack of laws.

So why am I bringing this up?  Michael Hyatt has a blog that I read regularly.  I don’t know him personally, but he seems like a good guy and has some insightful entries.  He recently commented on the idea of using Gmail for his business email.  I completely understand why he is considering it, and would argue that if you are a small or medium size business it could make complete sense financially and logistically.  What about the privacy implications?  What if Google has a security breach and data is lost or stolen?  What if Google is late to apply a security patch?  What if there is a security hole that Google isn’t aware of but a criminal is?  If there is a legal issue with a company in Germany that is using a cloud computing application, whose laws apply for data access?  Suppose you accept the terms of service and policies around Gmail and choose to use their service for email.  A year later, you change your mind and wish to have all your email transferred to a different server or service.  Can you do this?  Will all your data be erased from Gmail servers and their backup systems so they could never retrieve it again?  Do you care?

I think technology, innovation, and the internet are awesome.  But I also think it is very important that individuals and businesses realize and think seriously about the privacy implications.  Some suggest this is pointless.  With GoogleDocs, Gmail, online CRM systems, and the multitude of other cloud computing applications available and in use, we have already made this decision even if it is somewhat unconsciously as a society.  I feel this statement may be right, and that makes me sad.

I blogged about the security risks of cloud computing a few weeks ago.   There may be another reason to be careful of cloud computing … cost.  A friend of mine just did an analysis of the cost to go to cloud computing for a software company.  He used his company as the example.


Amazon quietly fixed a significant cryptographic vulnerability in their request signing code, seven and a half months after the discovery.  This type of behaviour is very typical of all software vendors.  Of course this is nothing new.  I would suggest the problem is going to become more critical in the next few years.  More and more companies are offering services in a ‘cloud computing’ form and the customer base is increasing to include end users, not just other businesses.  Social networks, online backup services, online CRM services and the list goes on.  Everyone using these services is at the mercy of the vendors to fix the problem — there are many more people to show concern and complain, and the number is increasing.

This blog is a perfect example.  It is currently located on WordPress.com.  Great service, but the database, interface, and software are not under my control.  I do have the option to download, set up and run the software myself — although I have the resources and technical capabilities to do this easily, I do not have the time, so I assume the risk (which is minimal given the type of data) and use a third party service.  Unfortunately, many people do not have the technical expertise and are forced to use an external service, completely at the mercy of the company offering the service.

I have done a lot of consulting for law firms over the years and this is slowly becoming a bigger issue for them.  Law firms, medical offices, financial institutions, and any other business have personal and private data from their clients that needs to remain confidential and in their control.  For example, what happens if you are a law firm that chooses to store their client data offsite using a third party company that in turn uses cloud computing services which you may or may not be aware of?  There are many good reasons to do this such as cost, decrease in requirement for I.T. infrastructure, and decreased need to hire staff or pay consultants to keep software and systems up-to-date.  Any technical issues are the responsibility of the hired company, not the firm.  Now if the cloud computing company has a security vulnerability that takes them time to fix and during that time someone uses that vulnerability to extract the law firm's data, who is to blame?  The law firm for choosing to not keep control of their data, the company that the law firm purchased services from, or the third party cloud computing company?  David Canton wrote about cloud computing concerns this fall.

It will be interesting to see how government and the legal community handle this in the next few years.  I am just waiting for a client to sue a law firm, medical office or some other company as their data somehow was made public.  The best situation from a security perspective will be if there is a breach of data that is involved in an ongoing legal proceeding.

This article caught my attention. A decision against Universal Music Group (UMG), which was attempting to sue an individual for selling promotional copies of a CD that was distributed on eBay. The reasoning for the decision was interesting:

In dismissing UMG’s lawsuit late Tuesday, U.S. District Court Judge S. James Otero ruled that the promo CDs are gifts distributed by UMG, as they are mailed free and unsolicited to thousands of people without any expectation or intention of their return. The first sale doctrine says that once the copyright owner sells or gives away a copy of a CD, DVD, or book, the recipient is entitled to resell that copy without further permission.


I am not a lawyer, but I suspect this ruling could be applied to cases involving the selling of software. As an example, if one purchases Microsoft Office, you are purchasing the right to ‘use’ the software, you do not actually own it. I wonder if you could argue this decision as precedent setting? Could you sell your software to someone else? I am sure the licensing agreement would say you can not, but that doesn’t mean Microsoft would actually enforce it or be able to even if they wanted to.

Regardless, I think it is a moot point. For a while now, many companies have offered versions of their applications that run on their servers remotely. For the last few years these services were offered to business customers that wished to outsource functions such as payroll, Customer Relationship Management (CRM) systems, Human Resources and other functions. With companies like Google offering online web applications such as GoogleDocs, this type of online software is slowly being offered to the end user. I suspect software eventually will be only available via an online service. Amazon Web Services and Google App Engine both offer virtual servers and data storage where you can design and deploy services, requiring only a computer and an internet connection to get started writing your own software. This is web 2.0!

Online software offers huge advantages to companies. The company has complete control of the software version you run. They control the functional release, when you upgrade and apply bug fixes. They can charge any type of fee structure (yearly, monthly, pay per use) and enforce it. Security is much easier to manage as the company has control of the service and systems. They get to store your data. They can monitor in much more detail how people use the software. There is no need to worry about CDs, DVDs, and other media being distributed or copied without the company's approval. This means no need to deal with legal battles over who owns what. The company will own and more importantly control the software.