Archive for December, 2011

Those of us who work on cloud platforms have been fighting a long, defensive battle against the entrenched interests of legacy, on-premise software. In one sense, it’s understandable that many organizations are reluctant to give up their local software installations. No one wants to admit that their investment in hardware, software, staff, and training is obsolete. But if an organization is serious about protecting client data, it makes no sense to stick with local software installations that are inherently less secure, more complicated, more expensive, and much harder to maintain than cloud-based software. The reality is that data kept on-premise is a headache and a security risk that organizations no longer need to face.

Security Should Not Be Your Problem

This month, we’ve focused our discussions on data security, looking at the advantages in physical security, firewalls, and authentication a cloud computing environment can offer. The bottom line is that a hosted software solution, managed and run by dedicated security and IT professionals, can offer levels of security no IT staff can offer in-house. To illustrate, the chart below compares the security found in the Amazon Web Services data center, versus what a typical local network provides.

As Nextpoint Vice President of Research and Development Ben Wolf pointed out in a recent post, cloud service providers have resources no in-house IT staff can ever hope to match. Today’s threat environment is more complex than ever, meaning in-house IT staff need to deploy and maintain a firewall, intrusion prevention system, a Virtual Private Network for remote access, anti-virus/anti-malware gateway software, plus separate appliances for email security. In addition, many corporate clients insist that partners meet data security or regulatory standards (such as the Health Insurance Portability and Accountability Act (HIPAA)), before sharing sensitive data.

A network hosted on-premise can afford very little in the way of network security beyond what can be found in an off-the-shelf network appliance. Even more problematic, on-premise systems offer nothing in the way of physical security or environmental controls beyond what is found in a typical office building. The fact is, many local networks are managed from a supply closet or backroom anyone with access to an office can enter.

Organizations that rely on local, on-premise solutions often have to fall back on unsecured or even archaic mechanisms to move and share data, including mailing data on disks. And depending on the size of an organization, on-premise networks lack redundant storage and backup; if a disaster strikes, data is likely lost forever. The largest and most reputable cloud providers often have redundant data centers dispersed across the country, or even the planet.

The Illusion of Control

The use of the term “the cloud” is probably unfortunate. It implies a nebulousness and impermanence that just isn’t accurate. We are talking about real facilities with real IT professionals working to protect their systems. In no sense does anyone hand over their data to a cloud service provider; major cloud computing providers don’t want to know anything about your data. They just want to host it and make it available. You control the data, you control who accesses it and how they access it.

In theory, on-site software installations offer more control and easier management. But the reality is that local software is still dependent on updates and fixes sent from the software provider. That just means more demands and more work for in-house IT staff. In the cloud, there is no wait for new releases, and few demands are placed on IT. Best of all, if an organization makes a bad choice in software, it is not stuck with an expensive, useless solution installed on its computers that no one wants to use.

Cloud computing providers, companies like Amazon, AT&T, Microsoft, and Apple, are changing the discussion about data security and management. The question is no longer whether to entrust data to a cloud computing environment. The question is why anyone would continue to put up with the problems of an on-premise software or data storage solution for critical business data.


Physical and Environmental Controls

As a further comparison to the typical on-premise solution you may be using to store confidential client data, here’s a closer look at the physical and environmental controls of cloud data centers. The following precautions apply to nearly all large-scale cloud vendors, but in this case we are specifically referring to Amazon Web Services.

  • 24/7 surveillance
  • Located in unmarked/nondescript facilities in remote locations
  • Military-grade defense barriers
  • Maintain own power generation in the case of natural disaster
  • Physical access strictly controlled with state of the art intrusion detection systems
  • All physical and electronic access to data centers by Amazon employees is logged and audited regularly
  • Co-located facilities mean data is not lost if something happens to systems at one location

It’s clear that data stored in the cloud is held to a high standard of security. Is your server room this safe? Does your on-premise solution have similar provisions to ensure your data is secure?



What are they and what do they do?

Continuing our discussion of security within the cloud, a common hesitation we are met with is the “firewall excuse.” Here’s what we tend to hear: “Well, our data is currently protected by a firewall.” But the thing is, it’s not a “real” firewall. In reality, it should be called a virtual firewall, just as a private network is typically referred to as a VPN, or Virtual Private Network. This virtual firewall in your network is really just an appliance.

Firewalls act as gatekeepers. They are designed to allow or deny network transmissions, protecting networks from unauthorized access. The firewall pictured is one from Barracuda Networks. As mentioned in a previous post, Barracuda Networks was hacked. This is the firewall many firms rely on to keep out Internet attacks.

That’s not to say firewalls are unnecessary. They are a vital security component. However, a firewall appliance like the one pictured cannot compare to the security systems that protect the data centers where cloud-based applications are hosted.

Amazon Web Services, for one, has dedicated security professionals who provide a complete firewall solution. Taking advantage of their military-grade security, we configure our systems so that only inbound traffic that has been explicitly permitted can reach our services. Our co-located data centers provide a complete, impenetrable firewall solution. This mandatory inbound firewall is configured in a default-deny mode, and Nextpoint must explicitly open any ports to allow inbound traffic.
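To make the default-deny model concrete, here is a small policy evaluator added for this post; it is a constructed example, not Nextpoint’s or AWS’s configuration. The rule list is a whitelist: a connection is accepted only if some rule explicitly matches its protocol, destination port and source address, and an empty policy accepts nothing. The `audit_wide_open` check flags rules that expose ports other than public web ports to the whole Internet, the kind of mistake that turns an explicit-open policy back into an open one. Addresses come from the RFC 5737 documentation ranges.

```python
"""Default-deny inbound filtering: nothing reaches a service unless a rule
explicitly permits it. Constructed example for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str                 # "tcp" or "udp"
    port_range: Tuple[int, int]   # inclusive low/high destination port
    source: str                   # CIDR the traffic may come from

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        lo, hi = self.port_range
        # A mismatched IP version (v6 source against a v4 rule) is simply no match.
        return (protocol == self.protocol
                and lo <= port <= hi
                and ip_address(src_ip) in ip_network(self.source))


class InboundPolicy:
    """Default deny: with no matching rule the connection is dropped."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def permit(self, protocol: str, port_from: int,
               port_to: Optional[int] = None, source: str = "0.0.0.0/0") -> None:
        ip_network(source)  # reject malformed CIDRs at configuration time
        hi = port_from if port_to is None else port_to
        self.rules.append(Rule(protocol, (port_from, hi), source))

    def allows(self, protocol: str, port: int, src_ip: str) -> bool:
        return any(r.matches(protocol, port, src_ip) for r in self.rules)

    def audit_wide_open(self, public_ports=(80, 443)) -> List[Rule]:
        """Rules reachable from any address on ports that are not public web ports."""
        findings = []
        for r in self.rules:
            lo, hi = r.port_range
            world = ip_network(r.source).prefixlen == 0
            if world and any(p not in public_ports for p in range(lo, hi + 1)):
                findings.append(r)
        return findings


def build_example_policy() -> InboundPolicy:
    """Constructed policy: HTTPS for everyone, SSH only from an admin network."""
    policy = InboundPolicy()
    policy.permit("tcp", 443)                               # public web traffic
    policy.permit("tcp", 22, source="203.0.113.0/24")       # hypothetical admin range
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    checks = [("tcp", 443, "198.51.100.7"),    # allowed: explicitly opened
              ("tcp", 22, "203.0.113.10"),     # allowed: admin range
              ("tcp", 22, "198.51.100.7"),     # denied: wrong source
              ("tcp", 3389, "203.0.113.10"),   # denied: port never opened
              ("udp", 443, "198.51.100.7")]    # denied: protocol differs
    for proto, port, src in checks:
        print(f"{proto}/{port} from {src}: {'allow' if policy.allows(proto, port, src) else 'deny'}")
    print("wide-open findings:", policy.audit_wide_open())
```

The evaluator does not model stateful return traffic or egress; it isolates the one property the post relies on, that every accepted inbound connection traces back to a rule someone deliberately wrote.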


This week we’re going to take a look at a series of security provisions to keep data safe in the cloud.

There are a number of reasons why cloud computing environments are inherently more secure than any solution hosted on-premise. One of the most basic and important provisions is two-factor authentication. Because it is impossible to physically access a cloud-based system, authentication via the web is the first line of defense anyone accessing a system in the cloud will encounter.

Two-Factor Authentication

What is it and what does it mean?

The easiest way to think about two-factor authentication is as an extra step to verify one’s identity. The first step is an encrypted password. The second step is generally a device verification. For example, an online banking account will email a PIN if someone is trying to log in from an unrecognized device. Typically this happens the first time a new computer or device is used to log in. This second authentication is in place to further secure Internet data.
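The flow described above, written out as a constructed example for this post (it is not Nextpoint’s implementation, and the account, device and delivery details are assumptions): the password is checked first, a login from a device the account has never seen triggers a short-lived one-time code, and only a correct code within its lifetime enrolls the device. Email delivery is replaced by returning the code to the caller so the example runs offline; a real service would send it out of band and never hand it back over the same channel.

```python
"""Password check plus a one-time code for unrecognized devices.
Constructed example; not any vendor's implementation."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CODE_TTL_SECONDS = 600   # a code is good for ten minutes


class Account:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._derive(password, self.salt)
        self.known_devices = set()      # device identifiers that completed the second step
        self.pending = {}               # device_id -> (sha256(code), expiry timestamp)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        return hmac.compare_digest(self.pw_hash, self._derive(password, self.salt))


def begin_login(acct: Account, password: str, device_id: str,
                now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """First factor. Returns (status, code); code is None unless a second step is needed."""
    now = time.time() if now is None else now
    if not acct.check_password(password):
        return ("denied", None)
    if device_id in acct.known_devices:
        return ("ok", None)                       # recognized device: no extra step
    code = f"{secrets.randbelow(10 ** 6):06d}"    # six-digit one-time code
    acct.pending[device_id] = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL_SECONDS)
    return ("second_factor_required", code)       # would be emailed, not returned


def complete_login(acct: Account, device_id: str, code: str,
                   now: Optional[float] = None) -> bool:
    """Second factor. One attempt per issued code: any failure discards it."""
    now = time.time() if now is None else now
    entry = acct.pending.pop(device_id, None)
    if entry is None:
        return False
    code_hash, expires_at = entry
    if now > expires_at:
        return False
    if not hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()):
        return False
    acct.known_devices.add(device_id)             # device is trusted from here on
    return True


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple")   # constructed credentials
    status, code = begin_login(acct, "correct horse battery staple", "laptop-1")
    print("first login from new device:", status)
    print("code accepted:", complete_login(acct, "laptop-1", code))
    print("second login from same device:", begin_login(acct, "correct horse battery staple", "laptop-1")[0])
```

Storing only the hash of the code, expiring it, and discarding it after a single failed attempt are the three details that keep a six-digit code from being brute-forced while it is outstanding.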

More information about Nextpoint’s two-factor authentication can be found here.


All this talk about security concerns surrounding cloud computing and moving eDiscovery data to the cloud really begs the question: “Secure compared to what?”

Let’s take a step back. The “Cloud” is all the buzz right now, but it tends to go hand in hand with apprehension around security. According to an annual survey published in the November issue of ALM’s The American Lawyer, “Law firm technology managers are tempering their interest in cloud computing with a heightened focus on security.” 61 percent of respondents cited “security concerns” as a drawback to cloud computing. Why is that? What is this mythical security system currently being deployed that is clearly more secure than cloud computing? The short answer? There isn’t one.

The long answer requires that we look at the common security measures currently in place that supposedly keep data secure on-premise.

Laptops and Cell Phones

Dell Ponemon Lost and Found Study

  • 1,200 laptops lost weekly at LAX
  • 12,000 U.S. laptops are lost weekly
  • 65%-70% never reclaimed
  • 53% had sensitive corporate information
  • 65% take no steps to protect it
  • 42% do not back up their data

Speaking of laptops, how about that story about the lost BP laptop containing personally identifiable information on 13,000 people? Laptops are crawling with confidential information, and people have the misconception that it is more protected because it’s “in their possession.” A post from our Nextpoint Technology Lab a couple of years ago, “Loading up the Laptop?”, asks, “If you’re without that machine for a few days: what does that cost you? … and that’s assuming you’ve been religiously backing it up. Have you?”

Security Breaches

Juniper Ponemon Security Study

  • 583 companies surveyed
  • 90% had suffered a breach
  • Nearly 60% reported two or more
  • 50% have little confidence in preventing future attacks

These security breaches aren’t just happening to companies without stringent security protocols. Barracuda, an actual Internet security provider, is getting hacked. RSA, the security division of EMC, is getting hacked. These are companies whose core business model is to secure data from unauthorized access via the Internet. They sell products specifically to keep hackers out. All of their research and development goes into Internet security, and their systems have been hacked.

Sony and Sega have been hacked. These are front line technology companies with deep expertise in data security and in building security perimeters around on-premise solutions.

So the first question shouldn’t be “Is the cloud safe?” First examine the current state of your on-premise data security. Then let’s talk cloud. We think you will see the marked security advantages of data stored in the cloud.


An interesting article today in The Wall Street Journal.

“Will U.S. Businesses Finally Get Some Cybersecurity?”

The article highlights a plan in Congress to provide substantial limits to liability stemming from lawsuits against companies sharing information with the government for purposes of cybersecurity.

“There’s a hunger for reinforcements in this war, made more urgent by the recent damaging hacker attacks on Sony, Epsilon and RSA and the major but thwarted attack on defense contractor Lockheed,” the article states. (Note: I find the Lockheed reporting suspect. A recent Vanity Fair article seems to suggest that attack was not thwarted at all.)

So let’s assume this bill passes, and the NSA starts working with private industry to battle cyberterrorist attacks and, more generally, unauthorized hacking efforts.

Who do you think makes the list of companies the NSA works with? An open enrollment seems unlikely, if not impossible (imagine the ad in the newspaper: “Talk to your local NSA experts to find out what technologies and techniques the U.S. Government is using to battle cyberterrorism!”).

It will be a restricted list. It will be narrowly defined, and it will be on a ‘need to know’ basis. And it will be those companies with IT teams strong enough to actually contribute to the program in an effective manner.

The likely candidates are obvious.

  • Defense Contractors (Boeing, Lockheed Martin, Northrop)
  • Big Old Tech (IBM, Oracle, HP)
  • Cloud computing providers (Amazon, Microsoft, Rackspace, Verizon, maybe Facebook)

If a company is not on that list, it won’t get that information. But customers using those companies’ technologies to protect their data will benefit tremendously from the knowledge sharing with the NSA.

How many other companies make this list? Not many.

How many law firms? My guess is zero. Law firms must get out of the business of hosting their clients’ highly confidential data. There is no feasible way for law firms to develop the in-house expertise to sufficiently protect their clients’ data.


In Part 1 of the article “Why Not Move Your eDiscovery to the Cloud,” Greg Buckles of eDiscovery Journal investigates why, despite tremendous cost savings, many corporations and firms are not “jumping to move their eDiscovery to the cloud.” Buckles starts by answering the common question, “How can I assure my clients that their sensitive ESI is safe and that we are not inadvertently waiving privilege?”

Buckles aims to debunk common myths about cloud hosting and storage.

  1. Storing ESI in the cloud is no different than a client sending data to a firm or a firm sending a collection to its usual provider. For the cloud, that means encryption. Think of it as a “super password,” if you will, and you hold the master keys to your data “kingdom,” as Buckles points out.
  2. Data storage in the cloud is NOT on some shared drive that anyone can look at. You are paying a cloud provider to store your data securely and to provide you uncompromised access to that particular data.
  3. The majority of customers assume that all on-premise eDiscovery service providers conform to top security, chain-of-custody and data-handling standards. Buckles calls this assumption simply “wrong,” and points out that the sheer size of the largest providers, like AWS and Rackspace, forces them to implement better security and handling procedures than on-premise solutions.

Buckles goes on to suggest (wisely, we think) seeking out a provider “who has had to certify compliance with HIPAA, U.S.-EU Safe Harbor data protection or financial services consumer information protection requirements,” a point we mentioned previously in our recent Cloud Computing Security post.

It’s an understatement to say firms are set in their ways and that industry change is slow and plodding, and this article by Buckles references that slow movement and wariness. But the benefits of cloud computing are plainly obvious (an opinion supported by Buckles), and the cloud is changing e-discovery for the better for those who do their due diligence.
