Blue sky thinking?

There are many myths and threats, real and imagined, to take into account in the search for cloud solutions, particularly for small and medium-sized professional service businesses, such as most law firms. Lawyers all have client confidentiality concerns, but most firms do not have the infrastructure or internal resources of the major firms, which puts different constraints on their decision processes.

This article describes the results of a research project involving a significant proportion of the larger law firms in Scotland, that identified and evaluated the drivers and barriers to cloud service selection. It outlines some recommendations and suggested guidelines that could support effective decision making by most Scottish law firms.

Twenty-two firms were approached for the research, and 14 agreed to take part. The research took place in September and October 2012. Nine of the firms had adopted cloud services; the other five had seriously considered adoption. All had at least two offices; numbers of partners varied between 18 and 80 (see chart 1). Two providers of cloud computing services also took part.

Adoption drivers

We found that cloud adoption is driven by a combination of economic, operational, organisational and quality factors. Law firms tend to sweat their assets for as long as possible, and therefore the return on investment (ROI) calculation is typically done over a minimum of five years.

In many cases, this means a cloud solution may be more expensive, because this is essentially a rental arrangement; in contrast, an investment in IT equipment is amortised over its expected period of use.

"It may be slightly cheaper in the first two years, but over the five years it turned out to be much more expensive than an upfront capital cost. So if you are low on cash then that may be an attractive option, but if you look at it as an investment over 10 years then you are going to be massively overspending." (IT director)

One of the firms in the study was looking to implement a new business application: it found that the ROI for a cloud-based solution was significantly better over three years, but at five years the advantage disappeared. Despite this, the firm chose the cloud solution because, on balance, it was much better than the on-premise option when taking other factors into consideration, some of which are discussed below.

As illustrated in chart 2, firms widely use cloud to commoditise standard applications, such as email virus scanning and web filtering, and for collaborative working, for example for deal/data room services.

This is motivated by lower implementation and infrastructure costs and reduced maintenance overheads. One example is the use of cloud-based email management systems:

"Using Mimecast [email management service] has been very beneficial because we no longer need to store the email archive on site, saving on hardware costs and the overhead of managing the service in-house." (IT director)

With email and document management systems (such as NetDocuments), firms no longer need to manage massive and difficult to maintain archives on site. Cloud services enable fee earners to work from anywhere.

Another important factor behind the decision is faster deployment. One firm successfully implemented a cloud-based application in three months, compared to the six to nine months it would have taken for an in-house hosted system.

This meant that the firm could use its precious IT resources to add value by focusing on the business processes, training users and promoting best practice in order to improve efficiency.

The use of cloud by other firms does not directly influence adoption intentions, but it does put the technology on their decision-making agenda. It can be argued that firms copy each other in order to mitigate technological risk.

"Law firms generally are quite keen to see what other law firms are doing, and being the first one to do something is kind of a little bit uncomfortable, because you are thinking why no one else has done this. What you tend to find is that a supplier who has never sold into the legal market before, they get one law firm and then, within a year, they will get 10 law firms, and within two years they have 20, and so on." (IT director)

Another explanation is the "safety in numbers" principle. This is best illustrated by the email management systems used by the majority of firms contacted. Despite the fact that emails are essentially personal data, firms are happy for them to be stored on a shared public cloud service, albeit hosted in the UK, because the number of firms using the service is seen as assurance that the vendor will ensure the security and confidentiality of the data.

Quality of service is also felt to be important: this includes reliability, applications quality and security. Many firms feel that cloud vendors would have better backup, business continuity and disaster recovery provisioning and security, and therefore potentially be able to provide more reliable, secure and resilient service than could be done internally.

Adoption barriers

Loss of control of the core systems and data, and ensuring the security of the data are seen as big risks. These are regarded as the "crown jewels" and, as such, firms are very reluctant and indeed unlikely to relinquish control of them to a third party. Knowing where the data is stored, who can access it and, crucially, being able to access the data or get hold of it when needed is important:

"It can't just be looked on in terms of monetary value because of the fact that you lose control... Lawyers are typically very conservative and like to understand where the data is held… The location of the data is important and therefore you have to take clients with you." (Partner)

The key barriers to cloud adoption identified by our study can be summarised by these concerns:

• Information security and control over the data.
• Disclosure and jurisdictional issues: data location is a key consideration. The overwhelming view is that the data needs to be located in the UK. The capacity to comply with legal and regulatory obligations in relation to data protection is a significant concern, as is the potential need to modify contractual terms for clients.
• Data portability and interoperability. Firms are concerned about the ability to get the data back to move it to another provider, and the complexity and cost of application integration.

So, despite an emerging consensus on mitigating security risks and an acknowledgment that the data may be more secure in a cloud environment, provided the appropriate vendor is used of course, firms remain determined to keep core applications and data on-premise.

A further barrier is perception and reassurance for the stakeholders, including firms' clients, on the confidentiality of data.

Resistance from internal IT staff is also felt to slow down or inhibit wider cloud adoption. This may be due to fear of job losses, but resistance to the use of cloud for core systems and data may be a way of managing the perceived risk and reassuring partners of the safety and security of the data.

"Data security and compliance issues all have to be completely firewalled. It doesn't matter what I say to the partners about how much we think it might be OK, that is going to be a massive hurdle to get over. I might as well say, there's my job and if it doesn't work out then I'll just leave. Therefore it would have to be bullet proof." (IT manager)

Availability, reliability, portability, integration

Concerns over availability and reliability are barriers to wider adoption, especially for business critical systems. The internet connection is considered to be the weakest link - many firms cited a "catastrophic" failure by a network provider earlier in 2012 which left the majority of legal firms in Edinburgh and Glasgow without internet access for a significant period. Continuity of service should the cloud provider go out of business is also a big concern.

Firms need to get their data back quickly and in a compatible format: many currently have serious misgivings about whether cloud services make this possible. Mandating data portability by law would eliminate this as an adoption barrier, although it is generally felt that contractual controls could be used.

Proprietary standards also make it difficult to integrate applications. Given the level of integration that firms have between their core systems and office applications, this is also considered to be a big barrier to wider cloud adoption, as it becomes an all-or-nothing decision.

Cloud deployment models

We found that the preferred deployment model for business applications and data is through a private cloud, that is, data hosted on dedicated equipment, most likely by a third party based in the UK, to enable firms to visit the provider and carry out audits. As trust is a key consideration, firms are more likely to select a vendor with whom they have an existing relationship.

The use of a public cloud such as Google applications or Amazon Web Services is limited to commodity applications and services. This is primarily due to security concerns, meaning that use for core applications and data is highly unlikely.

All of the firms were asked if a community cloud (infrastructure shared between legal firms) was needed and whether this would encourage wider adoption. The overwhelming view was that this is not required and would indeed be difficult to achieve. Instead, cloud standards and Law Society cloud vendor accreditation would help engender trust and may help increase adoption.

Using the results

This article provides firms with two things:

• Information about the technology and its benefits, whether perceived or actual, as well as highlighting the issues and risks associated with adoption.
• General guidance on what they need to do when considering the adoption of cloud services.

We feel that the recommendations outlined in this article will assist firms of all sizes which are considering adopting cloud-based solutions.

As one of the participants in the study said: "I think that is great. I would certainly find it extremely helpful to have that sort of guidance in front of me when discussing the possibility of using cloud, either when talking to a vendor, or even my firm's IT director! There are many points in the guidance which had not occurred to me when we spoke last year." (Partner)

We believe that these recommendations will also provide cloud vendors with valuable insight into the requirements and expectations of law firms - enabling them to tailor solutions and services.

Firms wishing to learn more about the study, or to discuss details of the resulting recommendations and guidance, are invited to contact Jaffar Hamoudi.

Edinburgh Napier University carries out collaborative research projects into cloud adoption; contact Peter Cruickshank if this is of interest.

Further reading

More information on cloud computing can be found at:

• Cloud Security Alliance - https://cloudsecurityalliance.org/
• Law Society of Scotland (Cloud Computing - Advice for the profession) - www.lawscot.org.uk/rules-and-guidance: look for Section E, Division B.

View from the cloud

Cloud providers comment on weighing up the relative risks of remote hosting of sensitive data

While concerns over security and loss of control in relation to the cloud are cited by some firms as reasons to continue to manage their data in-house, cloud providers report that smaller firms in particular are likely to see a balance of advantage in an externally-hosted service.

"Among our customers, while data security remains a concern of paramount importance, it no longer presents the barrier to the adoption of cloud tech that it once did," comments Niall Richardson of PureIntuitive. "The Law Society of Scotland's strong guidelines have been taken on board and exceeded by cloud technology suppliers, and both bodies have made good strides in educating firms that this is the case. Additionally, because the smaller firms we work with tend not to have dedicated IT personnel, the partners themselves have carried out the necessary research, leaving them well armed to ensure their data security expectations are met."

Warren Wander, managing director of LawWare and LawCloud, sees "a distinct lack of objection" to adopting cloud among high street firms. He says: "Even though lawyers are risk averse, they are level headed and keep the risk/benefit factors in perspective. Once a firm finds a trusted business partner who can address their concerns, the barriers are removed pretty quickly."

Regarding the relative security of cloud and non-cloud systems, he adds: "On-premise servers are considerably more vulnerable to hacking and physical removal than servers held in state- of-the-art data centres that have invested many millions on physical and virtual security systems."

Specialising in the small and medium-sized law firm market, LawCloud has seen what Wander describes as "an exponential increase" in the number of new start-ups, firm amalgamations and separations who want newer generation systems.

As for control of data, Richardson again maintains that it is more perception than reality.

"Locally-installed software can prove to be onerous to maintain," he notes. "Because of difficulties in distribution, updates, fixes and improvements can be infrequent or sporadic. Cloud-based software is far more agile - allowing for upgrades and meeting customer needs on a regular basis. Imagine being able to make a call and have Microsoft make a change to Excel to suit your working practices? If you work with a responsive cloud technology supplier, that's exactly what you can do, massively increasing control over the applications you use."

Wander emphasises that trust and confidence in the supplier is crucial. "In the same way that a patient will entrust their doctor with sensitive information in the hope of a cure, law firms want to trust their systems and data with an established IT provider who knows what they are doing," he maintains.

"New starts want a no-hassle way of getting their business off the ground. They want to offload and outsource the specialist areas of administration, compliance and IT, so they can get on with growing their businesses. If they can trust that the right provider has done the necessary due diligence, has solutions in place to handle data security, integrity, performance and availability, and can demonstrate this by responsible service level agreements, that is the best basis to nurture a strong and trustworthy supplier-business relationship."

Richardson hopes the day will come when common industry standards mean even greater flexibility for business clients. "While increased data control is a natural result of using cloud-based technology, there is definitely more that can be done," he observes. "In the same way that the Origo standards transformed communications within the financial services industry, standardisation of data processing in the legal industry would not only provide firms with greater control over their data, but also provide a raft of commercial advantages – badly needed, especially for high street firms, in today's economic climate."

Such a development would certainly be an advantage to cloud over on-premise systems. Until then, firms will have to weigh up the other claimed benefits. Wander sums up: "All innovation comes at a price but, if the benefit outweighs the cost, then the risk is minimised."