The Gnoêsis Group is now Array. Read More on the merger.

Industry Insights
Key Cloud Security Questions
To Assess Legal Tech Vendors

Five Things to Ask About Cloud Security When Selecting Tech Vendors

Jenna Rooney | Director, Client Services | Array
Amanda Fennell | Chief Security Officer | Relativity 

Asking future vendors these five key questions will help to avoid any major pitfalls and ensure that your partnership provides the right level of security…

When law firms or legal teams decide to integrate a new SaaS platform into their workflow, there’s oftentimes a lengthy procurement process. Some of the most important questions to ask during that process are about security, but many organizations, especially those who may not have their own robust security teams, may not know where to start.

Any questions for legaltech SaaS vendors on cloud security should cover three main areas: technology, process and people.

  • Technology: When it comes to building a security program, it’s important the provider start with implementing technology as this is the foundational element that any security-minded vendor will invest in.
  • Process: Then comes process, which means that they have created guidelines and processes to follow to keep the product secure.
  • People: Most importantly, the people element comes in. Everyone on the vendor’s security team needs to be extremely well-versed on the protocols set forth to keep the product and customer data safe.

A SaaS vendor simply won’t be successful in providing adequate security in the cloud if they don’t focus on those three elements, so it’s crucial to ask questions that touch on them. Asking future vendors these five key questions will help to avoid any major pitfalls and ensure that your partnership provides the right level of security that you’re looking for:

1. Is the technology well-known and widely used?

When evaluating a SaaS platform, it is important to consider its adoption rate within the industry. There is no better indication that a SasS provider has a strong security framework in place than when other corporations and law firms trust them with their most sensitive data. Also, take note how many of their clients are large players such as Fortune 500 companies or AmLaw 100 law firms, as they typically have very sophisticated cybersecurity evaluation processes in place that can only be met with an equally sophisticated and strong security program.

2. How well trained are your employees when it comes to security?

Security awareness training is crucial. One accidentally clicked link in a phishing email could have major consequences for an entire organization, affecting its product, communications mechanisms and ultimately, its customers. While many organizations install effective spam filters, you cannot rely on those alone to prevent incidents. Trained employees make a massive difference – if you compare artificial intelligence (AI) or machine learning to human intelligence, you’d still bet on a human at the end of the day because technology cannot replicate gut instinct. AI and machine learning don’t have that capability, so the employees are ultimately the last line of defense. They must be informed and aware of how to stop phishing in its tracks. Don’t forget to ask about whether or not the vendor has a formal security awareness program and if/how they measure the efficacy.

3. How do you handle third parties who have access to the SaaS platform or the data?

It’s important to remember that when you bring on a SaaS platform, you’re relying on the team behind it to keep your environment up and running. Make sure that they require your explicit authorization for access to your production environment, and any data stored for their purposes should be purged as soon as it’s no longer required.

4. What access controls do you have in place for the day-to-day users in the platform?

You want to ensure that the people who are using the product day in and day out are only accessing what they need to have access to in order to complete their job. Users shouldn’t have access to sensitive or private data for a matter that they’re not involved in, nor should they want others to have access to what they’re working on.

5. Do you have any measurement around the efficacy of your security program?

This is an area where many have tried to institute some guidelines. What makes a program strong versus what is the baseline? Is there a simple scale to say, “Our program is at 4.5/5?” The answer can be simplified by asking what maturity models or measurements the vendor uses and asking questions. For example, Relativity aligns with NIST Cybersecurity Framework as well as several others. This provides a common ground for speaking with customers who also align or are familiar with this assessment. Other measurements can be found around audit findings, penetration test results, SOC II:II reports, and additional home-grown maturity measurements. Ask about how they measure themselves, how do they move the needle and what areas they are focusing on the most to grow in the year ahead.

When the responses to these questions begin coming in, it is important to look for an aspect of technology, process and people within each response and not just sprinkled throughout them. While each element is extremely important on its own, individually they cannot function at full capacity without the presence of the other two.

There is a reason most of us started out first riding a tricycle and not a unicycle or bicycle. The three wheels working together gave us the most secure option with the least risk of falling, especially on rough terrain. When it comes to cybersecurity, the same principle applies. In today’s everchanging threat landscape, a SaaS provider who is only scattering the use of technology, process, and people individually or even in twos around their overall security framework is not enough. The most secure provider who offers the least risk will have them working together in harmony at every step. Knowing that the vendor is spending time planning for various scenarios can make all the difference, and as President Dwight D. Eisenhower once advised, “In preparing for battle I have always found that plans are useless, but planning is indispensable.”