The cloud is everywhere in today’s legal technology world, but knowing what to consider before embarking into the cloud can be daunting. While you have many of the same issues that exist in other industries, data exchange in the e-discovery industry presents some very interesting challenges, especially as the data flows downstream from the corporation to the e-discovery vendor and then to the law firm and even further down the line to the experts or others that are going to view the data.
How do you know if the cloud is right for you and your organization? While more and more cloud-based solutions are appearing in the e-discovery arena, which seem to be a better choice than on-premises solutions, e-discovery presents some special considerations that need to be examined before deciding what is best for your organization and really taking a stand in the on-premises vs. cloud debate.
Security is always at the top of people’s lists of concerns when it comes to the cloud. The ability to have hands-on control and ensure security through your firm’s firewall and other sophisticated security measures is one of the big draws of on-premises software over cloud-based software. As you can imagine, in the case of something as important as e-discovery, where the protection of confidential and sensitive information is a serious concern, many firms have historically been reluctant to relinquish that control and trust in the security of the cloud.
However, while the cloud may have originally raised real questions regarding security, those concerns have long since been addressed. In fact, weak security in the cloud is a huge misperception; the cloud might be safer than some of its on-premises counterparts these days.
Vendors who routinely deal in the storage of sensitive information have invested significant money and resources in security. Major cloud-based e-discovery solutions such as RelativityOne are built on the Microsoft Azure cloud or comparable cloud servers. Most corporations now require some form (or multiple forms) of security certifications such as SSAE 16, certain HIPAA requirements, as well as ISO, to name a few. These certifications can cost organizations tens of thousands of dollars per year to obtain and maintain.
Cloud providers like Microsoft and Amazon spend over $1 billion a year on security research and development and have huge teams dedicated to ensuring network security. Even the most security-focused law firm can’t hope to meet that level of investment. When you opt for cloud-based e-discovery solutions, you get to take full advantage of that advanced security without having to invest in it yourself.
One of the hot-button topics regarding public cloud services is how the service provider can access the raw data. Larger corporate clients need assurances that their data is safe and private, even from the company that is hosting the files, the databases and the user credentials. For example, in the Microsoft cloud, a technology called Customer Lockbox is used, which gives the client complete control over whether a support engineer can ever touch its data. RelativityOne has a similar lockbox, as well as granular permissions that allow the customer to not only say that support can access the environment, but what, specifically they are allowed to access.
Beyond the compliance and customer lockbox issues, it is also important to understand the granular parts of the cloud solution. This is not just a question of access vs. non-access. What is the management platform that your network and security administration staff will have access to so they are able to define specific rules and controls and define the needs for access? Are there predefined roles in the system that you have no control over, or can you decide per screen, per field, per checkbox in the application what a user can get to? Not only should your solution have the ability to make these changes, but also the ability to audit these changes, especially in the event of some type of breach.
Security in cloud-based applications, although it can be enhanced, still does not entirely take the place of an overall security strategy. Even if all the data in the cloud or in your application is secure, if users are able to download or retrieve information out of the cloud, your on-premises or overall security strategy needs to account for this. If the cloud is locked down sufficiently and controls are in place but the application allows you to download to locations that aren’t secure and encrypted, the data is no more secure than if it lived in the on-premises environment. Therefore the functions of the application and how data is made available for use need to be analyzed and sufficiently tailored to your compliance requirements just like when you weren’t in the cloud.
A question that comes up often in corporate security RFPs is “When and where is your data encrypted?” The only acceptable answer is everywhere. For a cloud solution to be considered a valid option, data should be encrypted at rest, in transit and at every endpoint. This should be a typical question whenever you are considering any type of cloud solution, but especially an e-discovery cloud solution.
One of the greatest advantages that cloud-based storage has over on-premises storage is scalability. When you use on-premises storage, you must have a fairly good sense in advance of how much storage you will need — not just now, but in the long run. If you run out of storage, you have to scramble to add more servers. Perhaps worse, though, is if you overestimate how much storage you’ll need. In those situations, you’re stuck paying a lot of money for storage you aren’t actually using.
Cloud-based storage, on the other hand, is infinitely flexible. When you use a cloud-based e-discovery system from a SaaS vendor, the vendor’s entire system is at your disposal. When you need more storage or processing power, you simply increase your subscription plan and pay a little more. If your project shrinks unexpectedly, you can scale back to just the amount of storage you need, saving money in the process by no longer paying for unused storage.
Like almost everything else in the digital era, the legal profession has become mobile. Lawyers no longer do all their work from their offices — they expect to work wherever they are, whenever something needs to get done. Because they depend on the firm’s internal security measures, on-premises e-discovery systems often can only be accessed at the office or through specific remote access protocols. The story is very different for cloud-based systems. When e-discovery is hosted in the cloud, employees can access it anywhere, and on any device, as long as they have an Internet connection. In addition to making things more convenient for employees, this also makes it much easier to coordinate geographically dispersed review teams.
Cloud-based systems also tend to be less susceptible to interruptions caused by power outages or natural disasters because they have a more robust and less centralized backup system. SaaS vendors can manage necessary system upgrades and updates in a way that minimizes disruption to your project as well. On-premises interruptions are much more difficult to control.
Many cloud-based systems also have mobile apps that allow users to collaborate in the cloud, review documents in the cloud and manage their application from their iPad or tablet. The ability to make a responsive call on a document, shift resources around or simply catch up on the status of a project from the comfort of your couch and your mobile device can give any user the type of accessibility needed to stay productive.
At the end of the day, many technology decisions at law firms come down to a question of cost. Spending for on-premises vs. cloud-based e-discovery software differs greatly. Conducting e-discovery with on-premises solutions requires a much larger capital investment upfront in crucial hardware like servers and backup drives, as well as IT staff to support and maintain the system. Investing in the on-premises infrastructure necessary to securely store e-discovery data is an ongoing expense and not an insignificant one. It often requires IT buy-in for purchase and support, but even in today’s world, many IT departments still do not understand the advanced hardware requirements for e-discovery. Many IT departments still operate their e-discovery infrastructure on the same oversubscribed hardware used for regular infrastructure, causing performance issues that are only seen by the IT departments.
In contrast, most cloud-based e-discovery solutions are provided on a software as a service basis with a monthly subscription. The SaaS provider makes the initial investment in systems, servers and IT staff. As the subscriber, the law firm takes advantage of that infrastructure already in place, simply paying for necessary services as they are used. Subscription-based services allow firms to stay competitive with the most cutting-edge technology, but without the often prohibitive investment of capital.
While most of the considerations outlined above point to a likely industrywide shift toward cloud-based e-discovery, each firm still needs to consider its own specific circumstances before proceeding with a given project. If your firm is one of the few that has already significantly invested in on-premises servers, security and support staff, in-house e-discovery solutions might continue to be the right answer for the time being. As compliance and new regulations continue to mount, however, you may find that keeping all of it secure can easily double or triple your costs through not only employing the various security measures, but paying for audits as well.
There’s a good reason more and more firms are making the move to the cloud. Between reduced investment in infrastructure, enhanced security and increased scalability and accessibility, cloud-based storage solutions offer benefits over traditional on-premises e-discovery solutions that might just be too good to pass up. So, if you are like many firms or corporations and have not made the necessary investment for on-premises solutions or are looking to cut expenses in these areas, you should strongly consider making the switch to cloud-based e-discovery. Just because you’ve always done your e-discovery in-house in the past, that doesn’t mean you have to continue down that path in the future.
Stephen Ehrlich is the CIO at The MCS Group. With over 20 years of experience in the area of information technology, he oversees all technology operations for MCS.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.