Having a new set of endpoints to protect might seem like an IT nightmare. But one of the most compelling aspects of a cloud-based platform is that, from a security perspective, it makes the endpoint accessing the service — whether it’s an office desktop, a home laptop or some other device entirely — somewhat irrelevant because of the inherent protection that the cloud provides.
Correction: Change that last sentence to “because of the inherent protection that a modern cloud platform provides.” Not all clouds are created equal, and not all have been built with the same security principles in mind.
One of the fundamental frameworks for modern cloud design has been the principle of zero trust. As the name suggests, zero trust challenges the idea of trust in any form, whether that’s trust of networks, trust between host and applications or even trust of super users or administrators.
The best way to secure a network, according to this line of thinking, is to assume absolutely no level of trust. This approach is essential to providing the highest level of protection for critical assets and confidential or sensitive data.
Zero trust can only work properly, though, if zero touch is at the center of it. So what does that entail — and how is it best achieved?
PROTECTING AGAINST BAD INTENT AND HUMAN ERROR ALIKE
Zero touch means ensuring that nobody — not even a small number of trusted resources, which is what most cloud vendors typically allow for — is allowed access to the customer data.
Think about it: If a legal organization is storing privileged client documents and communications in the cloud — even if it’s a zero-trust cloud — all it takes is an admin with bad intent for that data to be breached. That admin can easily get their hands on the information through direct access to the server that’s storing the data, perhaps when they’re installing a patch or performing some other bit of routine maintenance.
“Zero touch is crucial. It uses new forms of automation to remove the human from the equation and create a hands-free environment so that there is physically no way to access sensitive customer data.”
A breach doesn’t even necessarily require bad intent from the admin, just human error. For example, an admin can accidentally leave a setting unsecured or click on something they shouldn’t have clicked on, unknowingly letting a small mistake snowball into something much more damaging.
Zero touch is crucial. It uses new forms of automation to remove the human from the equation and create a hands-free environment so that there is physically no way to access sensitive customer data. Common maintenance scenarios like server patching or troubleshooting can be performed in an automated way, where the vendor never has hands-on access to the data.
Likewise, if a customer presents the vendor with an information request to gather some details about their data, the vendor should be able to carry that task out by pushing an application into the production environment to collect the information. There’s no need to have an admin manually type on a keyboard to run queries against the customer data; they simply don’t require that hands-on access.
Ultimately, no one person or account should be able to solely execute a change to the system that can affect the security of the system — and automating out human vulnerabilities helps make that a reality.
FINDING THE RIGHT PARTNER
In many ways, the move to the cloud is about transferring risk out of the organization and to the cloud vendor. While the organization will still have responsibilities around identity and access management — essentially, controlling who has access to the services — the actual physical infrastructure that the data is hosted on will become a vendor responsibility.
But as legal organizations are looking to make this move, they are getting asked more questions by their clients about the cloud services they utilize. Clients want to ensure that legal organizations have really done their due diligence on those service partners that they’ve entrusted with hosting sensitive client data.
For legal organizations trying to make an informed decision about who to partner with — or for clients trying to determine if their law firm has made a wise choice — the key is to partner with cloud vendors that have a mature security and compliance function. Among other things, that means that they’ve embraced not just a zero-trust model, but zero-touch as well.
Increasingly, savvy law firms and their customers will not only know to look for this criterion from their cloud vendors moving forward — they will use it to decide which partners take security as seriously as they do and are worthy of earning their business.