4 Reasons why Law Firms are Switching to Cloud.
Cloud has become the new buzzword, and with law firms required to have Cyber Essentials certification, many are turning to Cloud in the hopes of a quick fix. There are, however, a few important considerations to keep in mind before deciding on which Cloud services provider to go with, and which type of Cloud services to choose.
Like most things in life, cost plays a big role in our decisions, so it is a good place to start. First, is the service pay-as-you-go (PAYG), or will you be locked into a contract for a certain period of time? PAYG has the advantage of easy scalability, while a contract represents a fixed cost, making budgeting easier. Ultimately, you need to ask: “What’s best for the business?”
Remember that PAYG remains a fixed cost as long as you don’t make any upgrades, so perhaps consider PAYG as an option. I’ve seen some very sneaky tactics some Cloud providers use to indefinitely lock you in – such as resetting the 3-year contract duration each time a new user is added or removed. A PAYG service, however, gives you the flexibility to add or remove users as they join or leave the firm, and you only pay for the actual usage (caveat: make sure this is in your SLA).
The cost-saving element of cloud computing relies on economies of scale. In theory, it is cheaper to hire, let’s say, 20 virtual desktops that live on the Cloud, than to replace 20 physical machines due to the fact that cloud machines are constantly upgraded (again: make sure this is in your SLA) whereas physical machines have a finite life cycle, after which they need to be retired. The total cost of replacing all the physical machines for one running cycle is higher than the cost of renting the same number of virtual machines, and older physical machines can be used to access the virtual cloud-based machines without any dip in performance.
Another factor to consider is whether the offering is focused on consumer service or business service. Consumer service often has very limited functionality but costs less, making it the shiny apple for smaller businesses. Business grade cloud services, however, typically offer more flexibility, easy expansion, better security and full support. Think long-term when making this decision.
Final word on costing: Probably around 80-90% of all Cloud providers out there do not actually have their own data centres – they resell the services of a wholesaler. An easy way to get better prices is to go directly to the wholesaler, but if you’ve signed up with a reseller, most wholesaler/reseller contracts prohibit leapfrogging, which means you’ll be stuck with the reseller at reseller prices.
The two middle letters of GDPR stand for Data Protection. Ultimately, this is what it’s all about – keeping data safe, in particular the Personal Data of your clients and the sensitive data of your firm. Make sure you are dealing with a reputable Cloud provider. We recently heard of a person who has a single server in his office, and was renting out space on this server as “cloud hosting”. By definition, a single server cannot possibly be called ‘cloud’, so the lesson here is to check the credentials of the cloud provider:
- Do they have ISO 27001?
- Do they have multiple data centres? If one data centre goes down, there should be a second ‘fail-over’ site located in a completely different geographic area.
- What Tier rating does the DC have? Tier 4 is currently the highest, but most Tier 4 DCs are dedicated to military, governmental or banking operations. Tier 3 is, however, very close to Tier 4 in terms of security, making it an attractive and more cost-effective choice.
- Is there proper physical security at the data centres? IL3 or IL4 should be a minimum.
- Do the data centres have proper UPS systems in case of protracted power failures? What about fire suppression technology?
- What is the encryption level? A standard office server uses 256-bit encryption, a good Cloud server uses 1024-bit encryption, and a superior Cloud server uses 2048-bit encryption.
GDPR is not the only regulatory compliance to consider – there are various industry-specific compliance regulations as well. Lexcel 6.1 now requires law firms to be Cyber Essentials certified, and the PECR and DPA 2018 add further layers of required compliance.
If you are thinking of moving onto the Cloud purely for the sake of GDPR compliance, consider the following:
- Are the cloud data centres ISO 27001 certified? This is the main component for the technical aspect of GDPR compliance.
- Is the Cloud services provider itself (i.e. their offices) also ISO 27001 certified, and does it adhere to the ISO 27017 code of practice for cloud providers?
- Where are the cloud servers located? And who owns the cloud servers? The GDPR wants to keep everything within the EU or the ‘white listed’ countries such as Canada, Jersey, Guernsey, Isle of Man, New Zealand and Switzerland, to name a few. Although the United States is also considered to provide adequate data protection under the EU-US Privacy Shield, it has recently come under scrutiny yet again, with, amongst others, Facebook & WhatsApp being investigated by Belgium, the Netherlands, Germany and Spain for data privacy violations.
Can your apps run on the Cloud? Some apps actually can’t, whereas others are already cloud-based, in which case there would potentially be no need to move them to another cloud, unless the cloud on which they are currently hosted does not conform to GDPR regulation. Could such apps be moved to a different cloud if needed?
Remember that Cloud is not the fix-all, silver bullet some might hope. Here are a few myths:
“Moving my data onto a Cloud makes me GDPR compliant” – False. GDPR compliance involves more than just securely storing your data. Additionally, the Cloud itself onto which you move your data needs to be scrutinised and needs to be GDPR compliant in its own right.
“The Cloud is cheaper” – False. It really depends on what you do and what your requirements are. Typically, smaller businesses do not see a cost benefit for moving onto the cloud – it’s more about security. Economies of scale only begin to work in your favour once you have upward of around 15 users. On the high end of the scale, if you have more than 3500 users, you’d probably be better off building your own Cloud data centres.
“You can use the Cloud for everything” – Hmm, yes and no. Most business applications can run very smoothly on the Cloud, but there are a few exceptions such as resource-hungry 2D & 3D design apps. In such cases, the cost of upgrading servers with the specialised graphics cards required to run the design apps often makes cloud computing too expensive, but this rarely applies to law firms. If your firm has an in-house designer who uses such software, they’re probably better off keeping it on a purpose-built desktop/laptop and syncing their data to the Cloud, while everyone else in the office uses cloud-based virtual desktops for their day-to-day work.
Prohibitive costs, together with the ongoing support and tech skills needed, prevent most law firms from investing in truly high-end IT equipment. With Cloud, however, you could have access to such systems at a fraction of the cost, fully managed and supported. Better security. Better failover. Cheaper on a like-for-like basis. What’s not to love about Cloud?