the future of legal cloud - cce it service & support · service levels and mobility are going...
TRANSCRIPT
THE FUTURE OF LEGAL CLOUD A WHITE PAPER
JUNE 2016
CONTENTS
1 Introduction
2 The barriers to cloud adoption
3 The benefits of going to cloud
4 The types of legal services suited to the cloud
5 What do you look for from a cloud provider?
6 What type of cloud architecture is needed?
7 Future Cloud I What is your 2020 vision?
8 Influencers
9 More Information
1 INTRODUCTION The term ‘cloud’ is now a
marketing catch-all for many
offerings and services and can
mean completely different things
to different people form simply
‘somewhere else’ to a highly
complex hybrid outsourcing of
people systems and services.
The Law Society describes cloud computing as computing as a service: someone
else owns and runs the hardware, and often the software, which a firm can access
and operate via the internet.
Law firms and their clients are starting to adopt cloud services in earnest and CCE
would welcome your input into some research we are carrying out on future cloud
services.
You may already be using cloud services or thinking of doing so in the near future,
either way please come and join us over breakfast to discuss how security, cost,
service levels and mobility are going to drive legal technology adoption.
CCE have been working with law firms to provide the managed services they rely on
to run their core business services for over 20 years, well before the term ‘cloud’ was
coined to describe the types of third party services they provided then and continue
to deliver. We know however that the best way to grow and evolve with your clients
is to listen. By understanding your challenges, perceptions and requirements we can
continue to be one of the leading service providers to the legal sector.
To ensure we keep listening we created the Legal Research Group, a voluntary
meeting of minds for subject matter experts to share and inform in a relaxed forum.
The following commentary is the result of our ‘Future of Legal Cloud’ breakfast
roundtable.
2 THE BARRIERS TO CLOUD ADOPTION It was unanimously agreed that the single largest
barrier to cloud adoption is security of data.
Data Security
Ever since cloud computing first began to enter
the mainstream, security has been its most
controversial component. For years, business
leaders were reluctant to adopt any cloud
services whatsoever out of a fear that this would expose their networks to data loss,
theft or exposure. Over the past few years, these concerns have largely softened as
business leaders gained more exposure to and a greater understanding of cloud
services.
Having said that, the new General Data Protection Regulations, which come into
force in 2018 have brought data security back under the spotlight. With a data
breach incurring possible new penalties of 4% of global revenue to contend with, the
protection of personal data will be getting the attention it deserves. With the practical
difficulties associated with classifying and separating high risk personal data, it is
likely that for the time being the same protections will need to be in place for all data.
“The biggest concern would, for me, always be
security. You’re going from a position of having all
your servers, disks and data on premise where
you can see it and protect it yourself to sending it
all out into a Data Centre somewhere where you
have no day-to-day physical access to it. This can
be quite a leap of faith.”
Ultimately, it is thought that the GDPR will just be a bump in the road rather than a
significant barrier but it will certainly force firms into a more thorough understanding
of the data they hold, who can access it, where it is located, why they are keeping it
and perhaps the biggest change for law firms, how long they keep it.
Cost
There is unanimous agreement that a cloud service will be more expensive in the
long run than an on premises service. It was also agreed however that the extra
cost of ownership would be offset by other benefits.
Performance
Data circuits remain as the single biggest performance inhibitor. As time goes by in
countries with well-developed infrastructures this is becoming less of an issue as
bandwidth increases and cost decreases. It remains a significant issue in other
locations such as the Middle East where high bandwidth is not as available.
Is the term cloud detrimental?
Yes – One of the challenges to widespread adoption of hosted services has been the
lack of clarity for law firm Partners and business leaders as to what ‘cloud’ really
means. The fact that it has become a catch all for such a wide variety of services has
allowed misconceptions and fears relating to one type of provision (such as an
Amazon Public Cloud service) relate to all.
“We have already made the move to the cloud and
the main barriers are security, choosing the right
partner and cost. I found that these factors vary
wildly between suppliers.”
3 THE BENEFITS OF GOING TO CLOUD The primary benefit associated with cloud
adoption is convenience.
Facilities
There was total agreement that service providers
are in a much better place to provide the core
facilities such as power, air conditioning and
physical security than any law firm could or
should be providing. Although the physical space
required is decreasing hosting infrastructure is no longer seen as an appropriate use
of office space, cost or maintenance resource.
Mobility
Having centrally located but external services are seen as considerably more
conducive to mobile and agile working strategies. It has become much easier for
users to roam and access core business systems from multiple locations and
devices. A secondary benefit to ease of access is that client facing services are also
more readily available.
A centralised service can also make the opening of new or temporary offices much
simpler, quicker and less expensive, particularly where the business has also
adopted a ‘thin client’ or virtualised connectivity strategy.
Licencing
Primarily associated with software-as-a-service, the simplified and more flexible ‘pay
as you go’ style licencing models were seen as much simpler and potentially more
cost effective than the traditional models.
Changing shape of the IT team
As more services, particularly infrastructure migrate to the cloud, the requirement to
have in-house expertise to maintain these services diminishes enabling a focus on
project delivery and strategy.
Contract Management
A new and important requirement is for the IT Department to closely manage third
party services. Areas of growing importance are data security (third party processing
and compliance), business continuity (zero disruption of service) and disaster
recovery (guaranteed access to services even if provider financially liquidated). If an
IT Service Management (ITSM) framework such as ITIL is in operation, extending
the core processes such as incident management and service level agreements to
all suppliers is becoming an increasing challenge.
Tools are becoming more important with reporting and analytics recognised as
increasingly essential to managing third party services.
Cost Savings?
No one was able to report any demonstrable cost savings although for many the
move of services from the Capital expenditure budget to an Operational expenditure
budget was welcomed as it removed the annual haggle for project or upgrade related
funding with the inevitable prioritisation of tasks. Fixed costs were seen as much
easier to manage and the typical 3 to 5-year investment cycle could be ‘flat-lined’
with the responsibility for upgrades passed to the supplier as part of the contract.
Availability
Making the always on, zero disruption to business services ‘some else’s problem’ is
seen as an obvious benefit. The ability of a mature provider to supply 24/7/365
services with associated adequate support is far higher than that of a law firm IT
department particularly with smaller less resourced firms.
“For the first time small and medium firms are
getting access to the same services as the big
boys.”
Business Continuity
There remains a view that Central London as a location for either on premises or
data centre based facilities is to be avoided if possible for physical security reasons.
The primary fear in the current climate is the potential for a terrorist attack but the
potential for power based disruption to services is also noted.
Supply Chain Compliance
Post ‘Panama Papers’ and other notable data breaches there is an increasing
demand by clients to understand a law firms security provisions and compliance
credentials.
Accreditations such as ISO 27001 and Cyber Essentials are far easier achieved and
maintained by third party suppliers than in-house.
4 THE TYPES OF LEGAL SERVICES SUITED
TO THE CLOUD
There has been much debate as to which
services both internal and external (client facing)
would be suitable for hosting externally. Typically,
this type of discussion focusses on the software-
as-a-service element of ‘cloud’ particularly the
core business systems that are already widely
used outside of the legal sector.
The research group were unanimous in their
thinking that the majority of existing business services have the potential to be
sourced as software as a service subject to a thorough risk assessment.
The decision is not a technical one, instead it is a combination of business risk, value
and functionality.
The following table summarises opinion of the suitability for an application to be
cloud based.
SYSTEM RISK POTENTIAL
DOCUMENT MANAGEMENT HIGH HIGH
CRM HIGH HIGH
HR HIGH MEDIUM
TELEPHONE SERVICE LOW HIGH
LITIGATION SUPPORT MEDIUM HIGH
VIDEO CONFERENCING LOW HIGH
OFFICE 365 LOW LOW
SaaS
5 WHAT DO YOU LOOK FOR FROM A
CLOUD PROVIDER? The following were the key factors the research
group would look for when choosing a managed
service provider.
Longevity
It is important to understand how long a service
provider has been in existence for, the size of
their client base and strength of their financial
position, particularly post 2E2. There is an
important caveat to this however in that it is essential the provider’s technology is up
to date and competitive with newer providers.
Future proof
It is also critical that the service provider can not only meet the requirements at time
of contract but also any anticipated future requirements in terms of capacity
planning, storage, physical rack space and power consumption.
Site visits
The ability to visit a proposed data centre is expected.
Location of data centres
Sovereignty remains important particularly as regarding location of data. It is still
seen as a requirement for providers to explicitly guarantee that data will not leave the
EU for any purpose including backup and support. Some contributors went as far as
stating all data must remain in the UK.
Number of third parties involved (levels of service ownership)
Other customers
There was no business reason for third party suppliers to demonstrate that they
already had law firms as clients but it was recognised that this still matters to many
law firm Partners.
“The ‘razor wire’ effect can put me off – knowing
that a data centre housed other high risk clients
may be a reason to go elsewhere”
And what is not so important…
SLA’s - whilst the need for a well written service level agreement is a useful
contractual tool in times of dispute, the reality is that if invoked it is is probably too
late. Down time is simply an unacceptable occurrence and if SLA’s are used to
determine fault, responsibility or compensation it is probably not far from the end of
that particular relationship.
6 WHAT TYPE OF CLOUD ARCHITECTURE
IS NEEDED? Private cloud remains the most popular topology
for third party services with hybrid cloud emerging
as a viable option as software evolves. It was
thought that there is a place for Public cloud in
legal which was increasingly being considered
with the emphasis on risk assessment.
Public Cloud
Public cloud is defined as a multi-tenant
environment, where you ‘lease’ a service in a cloud computing environment that is
shared with a number of other clients or tenants. Public Clouds typically deliver a
pay-as-you-go model, where you pay by time or number of users purely for the
resources you use. A classic use of this would be for a test & development
environment where servers and resources are spun up and down on a regular basis.
Well known Public cloud services include Microsoft Office 365 and Amazon Web
Services.
Typical Public Cloud features include:
• No long term contracts – The pay as you go model is commonly used to
acquire services on demand.
• Shared services – due to the multi-tenant environment, the service you use
whether hardware or software will often be the same hardware, storage and network
devices as used by other tenants subscribed. Compliance with generic standards is
possible but individual requirements are unlikely to be met.
• Control – Typically, many of the ‘controls’ are passed over to the service
supplier. Whilst the customer can retain user access controls, software updates,
hardware performance and maintenance outages are amongst the areas often in the
control of the supplier.
“For me a private cloud infrastructure would be an
absolute requirement. Like all law firms we hold
personal, confidential and sensitive data so we’d
have to be sure our data was as secure as
possible with no risk that another firm etc. could
accidentally stray onto our file stores.”
Private Cloud
Private cloud services are typically single-tenant environments where the hardware,
storage and network are dedicated to a single client or company. Co-location
services are perhaps the most common form of private cloud arrangements whereby
a business hosts their own hardware and data at a data centre taking advantage of
the service providers superior power, security and environmental facilities.
Typical Private Cloud features include:
• Security - Because private clouds are dedicated to a single organisation and
cannot be accessed by other clients in the same data center, the hardware, data
storage and network provision can be designed to provide high levels of client
defined security.
• Compliance - Because the hardware, storage and network configuration is
dedicated to a single client, compliance such as ISO, PCI and SOX are much easier
to achieve.
• Bespoke configuration – Hardware provision including processor, storage and
network performance, can be specified by the customer.
• Hybrid - a business system can be split between an on premises database
and a cloud database, perhaps for data protection or performance reasons. This is
not available in the Public cloud.
7 FUTURE CLOUD – WHAT IS YOUR 2020
VISION FOR CLOUD ADOPTION/USAGE?
With change happening so quickly, it is never
easy to predict anything in the IT world but the
following are a few thoughts from our contributors.
“I want to be able to deliver a
seamless experience to
users. Whether they are in
the office, at home, in a café
or on a plane they need to have everything to
hand to do their job hassle free.”
Less data
A combination of increased cloud service usage and greater emphasis on protection
of data, particularly with the impending GDPR requirements is likely to see a new
focus on deletion of data when no longer specifically required. This ‘Keep Less’
strategy will have security, performance, capacity and cost benefits.
Hybrid Cloud
The leading document management providers in legal have already started to
embrace hybrid cloud as an effective compromise between on premises and co-
located. Enabling firms to allay security fears by ring fencing certain data and
distributing non sensitive data can has the potential to drastically reduce costs of
security and storage whilst improving performance and confidence.
Better understanding of data
To take advantage of potential hybrid solutions around security, archiving and back
up, it will be necessary to have a robust and accurate classification system in place
so that the right technology and service can be applied to the right data.
Artificial Intelligence
It is difficult to predict where AI will be most productive but the potential for a ‘robot v
risk’ strategy whereby the simpler legal claims are initially advised by an AI scan of
legal knowledge and precedent mitigated by an insurance policy to cover bad or
incorrect advice is a potential reality. A further development of this is likely to be an
AI-as-a-service offering whereby all sizes of firm can take advantage of initially
expensive and/or advanced technology.
Security Operations Centre (SOC)
Cyber risk is a constantly evolving and moving target with business struggling to
keep up with the always one step ahead bad guys. As information security generates
more headlines and becomes an increasing boardroom concern it is likely that the
threat analysis, assessment and prevention services will be much better provided as
a service than by internal teams. The emergence of SOCs that provide a high
quality, highly technical service at a cost effective rate is inevitable.
Agile working
Primarily for talent attraction and retention reasons, there is an increasing desire to
introduce life-balance into working practices. Cloud services will be seen as one of
the enablers of this strategy.
“Total cloud adoption among medium and small
law firms is a must or they will be spending so
much on their IT they won’t be able to compete”
8 INFLUENCERS
Our thanks to all the legal sector influencers who
kindly gave their time and insight into this white
paper.
9 MORE INFORMATION
You will find a lot more information on CCE,
managed services and cloud on the CCE website
including the following studies and white papers:
THE CLOUD FOR LEGAL
THE ICO AND CCE COMPLIANCE
CLOUD PROVIDER CHECKLIST
DATA SECURITY AND CLOUD ADOPTION
PRINT INFRASTRUCTURE & DOCUMENT WORKFLOW
For more information go to www.cce.co.uk/legal-it-services