3 Reasons Why the Cloud is More Secure than Your Server

Joshua Lenon – Lawyer-in-Residence @joshualenon

Doug Edmunds – Asst. Dean for Information Technology @unclawinfotech

Agenda

•  Cloud Overview (5 minutes)
•  3 Reasons the Cloud is More Secure
   – Economies of Scale (5 minutes)
   – Cybersecurity Framework (10 minutes)
     •  Framework vs. Confidentiality Duties
   – Lightning Advancement (10 minutes)
•  Guest: Doug Edmunds (20 minutes)
•  Takeaways (5 minutes)
•  Questions (5 minutes)

Instructors

Joshua Lenon
•  Lawyer, admitted in New York
•  Lawyer-in-Residence for Clio

Doug Edmunds
•  Assistant Dean for Information Technology at University of North Carolina at Chapel Hill - School of Law

CLOUD OVERVIEW

NIST Cloud Definition

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

Source: NIST Definition of Cloud Computing; Special Publication 800-145

Cloud Defined

3 REASONS THE CLOUD IS MORE SECURE

ECONOMIES OF SCALE

Cloud Economies

•  Dedicated Security Team
•  Greater Investment in Security Infrastructure
•  Fault Tolerance and Reliability
•  Greater Resiliency
•  Hypervisor Protection Against Network Attacks
•  Simplification of Compliance Analysis
•  Data Held by Unbiased Party
•  Low-Cost Disaster Recovery and Data Storage Solutions
•  On-Demand Security Controls
•  Real-Time Detection of System Tampering
•  Rapid Re-Constitution of Services

Source: Cloud.CIO.gov

Law Firms Current Security

•  47% have no documented disaster recovery plan
•  Only 39% have intrusion detection system
•  Only 36% have intrusion prevention system
•  32% never have outside security assessments performed
•  Only 14% have server logs
•  2% have ISO 27001 certification

Source: 2013 ILTA Tech Survey

Federal Labor Relations Authority (FLRA) Case Management System

•  88% reduction in total cost of ownership over a five year period
•  Eliminated up-front licensing cost of $273,000
•  Reduced annual maintenance from $77,000 to $16,800
•  Eliminated all hardware acquisition costs
•  Secure access from any Internet connection
•  Ability to operate and access case information from any location in the world, supporting the virtual enterprise

Source: Cloud.CIO.gov

CYBER-SECURITY FRAMEWORK

Cybersecurity Framework

•  “Framework for Improving Critical Infrastructure Cybersecurity”
•  Published by NIST in February 2014
•  Provides Core, Tiers and Profiles

Cybersecurity Framework: Cores

Source: NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” 02/14/2014

Cybersecurity Framework: Tiers

•  4 Tiers:
   – Tier 1: Partial
   – Tier 2: Risk Informed
   – Tier 3: Repeatable
   – Tier 4: Adaptive

“Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”

Cybersecurity Framework: Tiers

•  Tier 3: Repeatable
   – Formal risk management policies with reviews
   – Organization-wide approach with training
   – Collaborates with outside partners on risk management
•  Tier 4: Adaptive
   – Adapts security based on lessons & predictions
   – Security is part of corporate culture with continuous improvement
   – Actively shares information with partners

Cybersecurity Framework: Profiles

•  Current: security outcomes being achieved
•  Target: outcomes needed to meet goals
•  Compare Current and Target Profiles to identify gaps in security processes

CYBERSECURITY FRAMEWORK VS. CONFIDENTIALITY DUTIES

Model Rules of Professional Conduct

•  Rule 1.1 – Competency
   – “lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”
•  Rule 1.6 – Confidentiality
   – “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…”

Model Rules of Professional Conduct

•  Rule 5.3 – Responsibilities Regarding Nonlawyer Assistant
   – “person's [nonlawyer] conduct is compatible with the professional obligations of the lawyer…”

Cloud Computing Ethics Opinions

Source: American Bar Association

Framework vs. Ethics Opinions

Framework helps map, measure, & migrate: cost benefit analysis

Cybersecurity Framework: Tiers

•  Tier 3: Repeatable
   – Formal risk management policies with reviews
   – Organization-wide approach with training
   – Collaborates with outside partners on risk management
•  Tier 4: Adaptive
   – Adapts security based on lessons & predictions
   – Security is part of corporate culture with continuous improvement
   – Actively shares information with partners

Framework vs. Ethics Opinions

Opinions fail to discuss regulatory requirements.

Framework vs. Ethics Opinions

Cloud services allow easier regulatory compliance

LIGHTNING ADVANCEMENTS

28% of solo and small firms have no process for updating their computers.

Source: 2013 ILTA Tech Survey

Lightning Advancements

•  Cloud Services move at the speed of the internet.

•  Real-time monitoring and upgrades keep your Software-as-a-Service on the cutting edge.

Heartbleed

“When weaknesses are discovered in cryptographic systems, the system will not necessarily become suddenly insecure.”

Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’

“Such discoveries impel migration to more secure techniques, rather than signifying that everything encrypted with that system is immediately insecure.”

Source: Bruce Schneier, ‘Cryptanalysis of SHA-1’

GUEST: DOUG EDMUNDS

Carolina Law - Background

•  Part of UNC-Chapel Hill, nation’s oldest degree-granting public university
•  Law school founded 1845
•  Charter member of ABA – 1920
•  Approx. 740 students; 63 tenure track faculty; 35+ adjuncts
•  6 clinics with 70-80 students per year

Clinical Program - Challenges

•  Aging hardware
•  Bad software support
•  Short staffing
•  Limited funding
•  Campus security policies
•  Skepticism of university counsel

Photo source: http://tinyurl.com/lk5hy4u

Old Model vs. New Model

Time Matters - Local
•  Poor support for Macs
•  Software upgrades difficult
•  No redundancy – single server in place
•  Vendor difficult to reach
•  Students frustrated, faculty jaded

Clio - Cloud
•  Operating system agnostic
•  Software upgrades totally transparent
•  Geolocation of data centers and fully redundant
•  Excellent vendor support and self-help resources
•  Students and faculty love it

Security

Local Solution
•  Security = just one thing your organization does
•  Cobbled together, piecemeal
•  Few if any guarantees
•  Knowledge deficient
•  No formal access controls

Cloud Solution
•  Data center’s rep & business depend on it
•  Multi-layered, robust
•  Guarantees in Service Level Agreement
•  Expertise
•  Monitored, controlled environment

Policies & Procedures

•  Rule #1 – Cloud adoption should not be based solely on convenience
•  Rule #2 – Implement consistent metadata/tagging standards
•  Rule #3 – Leverage version control
•  Rule #4 – Require security awareness training
•  Rule #5 – Prohibit “rogue agents”

Mobility & Agility

•  True anytime, anywhere access

•  Security is “baked in” rather than “bolted on”

•  Accessible across platforms/devices

•  No downtime due to server outages

Photo source: http://tinyurl.com/l7wgd45

TAKEAWAYS

Takeaways

•  Cloud computing economies of scale provide security and service that cannot be matched by individual installations

•  Organizations large and small are shifting to cloud-based services for increased savings

•  Robust frameworks for measuring and mitigating risks are being developed for cloud services

•  Cloud services are best suited for cutting edge implementations

Action Items

•  Read state ethics opinions on technology
•  Commit to a cybersecurity review.
   – Document
     •  Cores
     •  Tiers for Firm and Vendors
     •  Current vs. Target Profiles
•  Download the Cybersecurity Framework Core Exercise on GoClio.com/Blog

ClioWeb

Planning to move to the Cloud now? Try Clio for free & get 25% off your first 6 months

QUESTIONS

Thank You

Doug Edmunds
[email protected]
@unclawinfotech
linkedin.com/in/dougedmunds

Joshua Lenon
[email protected]
@JoshuaLenon
linkedin.com/in/joshualenon