In-House Legal Security: Using Cloud Technology to Address Threats
The Intersection of Legal and Compliance is Data Security
I have a tremendous amount of empathy for the legal office team who, in recent years, has been asked to get savvy, and quick, on the security features of Cloud applications. Legal office budgets are expanding to take on more Governance, Risk and Compliance (GRC) functions; at the heart of the GRC function is security–protecting against liability, protecting against threat, protecting against chaos. Security roles are deeply specialized, highly technical, and are wrapped in a layer of acronyms that make the domain all but indecipherable to the uninitiated. Add to that the stress of knowing that a single vulnerability might bring down a company, and the prospect of climbing the mountain of security knowledge seems, frankly, terrifying.
But it doesn’t have to be.
In an earlier post, I took a step back to do a landscape survey of the types of security threats legal teams and their IT counterparts are concerned about. In this post, I am going to take a deep dive into the two major categories of security features cloud vendors offer to address the threats.
Product vs. Operations
All security-related activity in cloud vendor companies fall into either the “product” category or the “operations” category. Product security features are things that directly touch the product or underpinning architecture of the vendor’s technology. Product security features are the bricks, moats, bows and arrows of the castle. Operations features, by contrast, is the army. Operations is made up of the people who hold the shields, who raise and lower the drawbridge, and who control who has the keys to the vault. As a buyer, you should be looking for a vendor who balances the two. The castle won’t stand without the army, but the army is toast without the castle.
Building Secure Technology
As a product person, I’m mostly focused on the product security features category, because these are the items that vie for space on our roadmap and that need to be considered by engineering early in the requirements process. Some of these features deliver vast quality-of-life improvements to our users as well. Consider single sign-on (SSO) and its cousin, multi-factor authentication (MFA). From the buying company’s perspective, both are needed as part of a mature federated identity management approach. From a user’s perspective, however, they reduce friction in the sign-in process and overall reduce cognitive load. Everything we build is built with both the buyer’s and the user’s needs in mind.
Product security features include:
- Multi-tenant architecture:
- Encryption key management
- Identify management services
- Multi-factor authentication
- Granular roles and permissions