Think strategically

It is easy to get started with cloud computing, but you should still think strategically about making the move. For instance, your new cloud services will need to interact with your existing IT systems, which may involve a complex mix of internally developed applications and third-party software. Any move to the cloud will involve a certain amount of disentangling, data migration and decommissioning of existing systems. A sensible starting point is to simplify your existing IT system to establish what works well in-house and what would benefit from being moved to the cloud.

The majority of cloud computing services are delivered through what is known as the public cloud. These services are offered on a ‘one-to-many’ basis. This means that the standard functionality of the service is offered to all, although some elements of configuration for individual needs can still take place. For example, using a public cloud-based email system would allow you to configure mailbox settings and dictate who has permission to access the service and from which devices, but would typically not allow you to demand changes to the supplier’s security policy. Public cloud services typically share hardware and software between multiple clients of the provider, with software-based security controls in place to make sure that one client cannot access another's data.

A key factor with public cloud services is that the terms of the contract tend to be fairly fixed. Provided you are satisfied with the functionality, compliance and security arrangements on offer, it is perfectly possible to run the majority, or indeed all, aspects of a legal practice using the public cloud, including email, document production, practice management, storage and networks.

By contrast, private cloud services are tailored more precisely to the needs of the customer. For example, it is usual for private clouds to be run on separate infrastructure, which adds an additional layer of physical security. As with more traditional IT procurement, more fully negotiated agreements are more likely to be put in place for private cloud offerings to meet specific customer needs, albeit such a bespoke arrangement is likely to come with a commensurate price tag.

As a balance between the two offerings, the hybrid cloud has emerged - an infrastructure that includes links between public and private clouds so that it appears as a single environment to users - while the component entities remain distinct. Larger organisations are likely to make use of a hybrid cloud offering, for example, using a private cloud to host sensitive data and critical workloads and a public cloud for less critical resources. Most smaller organisations are likely to use public cloud services, as this can lead to an easier (and quicker) implementation with standardised upgrade schedules and a lower overall cost.

A significant proportion of the data that a law firm may look to place in the cloud will relate to clients. Clients will have expectations that this data is held securely and safely, and in accordance with regulatory requirements and any engagement terms.

Unless specifically prohibited by the engagement letter, no specific client consent is required to make use of cloud providers as the law firm will generally be acting as a data controller . However, if the personal data is going to be processed by the cloud provider outside the United Kingdom and/or European Economic Area (EEA), it will be necessary for the law firm to satisfy itself that the security arrangements proposed are compliant with data protection requirements (including the UK General Data Protection Regulation and the Data Protection Act 2018), and that the requirements relating to international transfers of personal data are met.

Cloud computing providers range from large, international organisations to local companies and others specialising on the legal or professional services market. It is important to ask some key questions to ensure a potential provider meets your service delivery, security and compliance requirements.

Questions to ask include:
  • What commitments around availability and performance of the services are being given?
  • How responsive is the support that the supplier provides if the service fails / becomes unavailable? Does this flow through to service credits to compensate for the service being unavailable?
  • Where will my data be held and processed (including remote access for support purposes)?
  • How easily can I get data back, both during and at the end of the service?
  • What backup arrangements are being offered if the service goes down? How quickly can that backup be accessed?
  • What security arrangements are in place?
  • What systems do I have to run in order to be able to use the service? Are there relevant formats that data / content will be stored in and are they consistent with my other systems?
  • How does pricing work? Do excess charges automatically apply if the number of intended users is exceeded?
  • If using a shared rack in a shared data centre, what would happen to my data if another customer's server on my shared rack was seized, perhaps by a regulator for investigatory purposes?
  • Is any bespoke development work required so that I can use the service, or am I taking a standard service (possibly with some customisation)?

A cloud solution hosted on a dedicated server will come at a premium but should ensure a greater degree of security and control of your data and systems.