'Resistance Is Futile': The Legal Industry Moves To The Cloud

Thomson Reuters Elite, a longtime industry leader in financial and practice management solutions, is at the forefront of the industry’s move to the cloud. We recently sat down with Anne-Marie Scollay, Director of IT Operations at Elite, to discuss some of the biggest questions surrounding cloud security and why the legal profession shouldn’t be afraid to make the jump.

Would you say security is the number one concern for people switching to the cloud?
Absolutely. But in my personal opinion, the cloud is neither inherently more secure nor less secure than on-premises solutions. There are just different considerations that need to be taken into account. I find the statistics released by Microsoft®, who runs Azure®, one of the largest public clouds, to be interesting—when they talk to prospective customers, 60% view security as the number one barrier to going into the cloud, but once they’re in the cloud, 94% realize benefits above and beyond what they had on-premises.

What are some of those different considerations you just mentioned?
I like to start the conversation by focusing on the specific organization that’s moving into the cloud and what it’s going to be moving. I recommend that organizations start by creating a cloud policy. Participation in writing that policy needs to be cross-functional within the organization, because the IT department no longer has the control it used to have. They used to be able to say, “Here’s the perimeter of our network and we control everything inside.” Today, people can individually subscribe to technology and make purchases on their corporate cards. Employees are being asked to do more with less and they’re looking for solutions to help them get their jobs done, and if that means unilaterally buying subscriptions to software with the corporate Amex, they’ll do that. IT no longer controls all the technology spend, and therefore how the technology and information security policy evolves really does need the business participation as well.

When you have that cross-functional participation, there’s a greater success rate for your cloud adoption programs. So you start with the information security program, and from there you look at things like data classifications. Not all data is created equal. It’s easy for organizations to think all of their information is confidential and private, but when you look at it a little more constructively, you’ll realize that maybe not everything is. Knowing what your different classifications of data are is helpful in understanding what you can and what you should not put into different permutations of a cloud. “Cloud” elicits a very emotional response in people, and it’s important to understand what people mean by cloud. There are cloud-based applications, but those aren’t the same as buying a generic cloud platform or service where you have to build on top of it.

What are the specific challenges or security concerns involved in moving products into the cloud like Elite is doing?

First of all, it’s a matter of looking at the application’s code base itself and looking for areas to improve and enhance the security of the application. It’s making sure that we’ve got well-trained developers and we’re doing appropriate testing to identify gaps in security and how to remediate them. Thomson Reuters is a multi-national corporation, so there are frameworks and guidelines within which we need to operate, and that’s to help ensure that our assets and our clients’ assets stay secure in the cloud. So, for example, we have preferred public cloud providers within Thomson Reuters, and Elite is currently using Microsoft Azure to host our applications.

From a security perspective, are there any advantages to the cloud over on-premises software?

The cloud providers are able to do security at scale. I like to cite a press release from October 2016, stating that Microsoft invested roughly $1 billion in security during 2015 and doubled the number of security executives on its team in that same period. And that number’s just R&D—it’s not even their total spend on overall security measures. When you compare that with a lot of other companies, $1 billion would be a significant portion of their total revenues. So, when we talk about security and companies like Microsoft, Amazon, Google, they have to get it right. This becomes their bread and butter and they’re investing in it at a scale that the rest of us can only dream of.

Also, with the cloud, you’re paying for what you use. With on-premises software and hardware, you’re trying to forecast use over several years. You might end up spending a lot more than you need, and that is sunk cost you’ll never get back. With cloud solutions that are a service, you have a lot more elasticity to meet the demands of your business as they ebb and flow.

What’s your response to someone whose number one concern about cloud technology is security? Why should they not be afraid to make the jump?

I’d go back to the security at scale issue. Also, look at who’s in the cloud—if you look at the major public clouds like Azure, they all have marquee brands using their product. These days, if you’re not in the public cloud, it raises a lot of other questions, like how are you securing your technology? Because on-premises isn’t necessarily more secure. Do you know who exactly has access to your office? And what physical controls are in place in the office, who has physical access to certain areas within the office? Access is one area where the cloud has more nuances. So, when people start to push back, thinking, “The cloud is bad,” I like to reframe the discussion in terms of hosted infrastructure and software. When you boil it down, you can isolate specific security concerns, if there are any. Start looking at the type of data you’re putting in the cloud. Maybe the approach to becoming comfortable with the cloud is starting by hosting less sensitive data. It doesn’t have to be an all-or-nothing approach. You don’t have to move 100% of your technology to the cloud. More and more we’re seeing a hybrid approach as the norm, with some things in the cloud and others on-premises.

Do you think there’s much of a future outside the cloud? How long can firms realistically resist the move?

I personally think that if a firm believes they have zero cloud footprint today, that’s naïve. Again, it goes back to what you define as the cloud, but if you’re using Office 365, you’re in the cloud already. Many popular products use cloud technology. And whether or not a firm is ready to go into the cloud, the employees are driving it. They increasingly have to do more work with smaller workforces and smaller budgets, so they have to get creative, and cloud solutions really provide a way for people to accomplish more with less. You’ve also got more firms working with a geographically dispersed workforce, and that really only works with the cloud. So at the end of the day, I think resistance is futile. I think most companies are probably already there to some degree, and I think it would be a better use of energy and time to instead look strategically at what you want to put in the cloud.