What Does the Capital One Hack Reveal About Cloud eDiscovery?
Most of us are already aware of the arrest of Paige Thompson, a Seattle resident and former Amazon Web Services (AWS) employee, who was taken into FBI custody earlier this week for hacking Capital One and exposing personal data of more than 100 million customers. According to Israeli security firm CyberInt, other organizations including Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation may have also fallen victim to the same hack.
AWS is sometimes referred to as the most secure cloud environment in the world and is the only company that has received the highest-level Defense Department IT certification, known as Impact Level 6, which allows it to handle top-secret data. That advantage stems in large part from a $600 million contract with the CIA that was awarded in 2013.
Hack and data breach may seem interchangeable as terms, but in actuality, they are different, and it’s that difference that may affect who is liable. A hack is an intentional attack perpetrated by a malicious actor who gains unauthorized access to a protected system (e.g. computer, server) in order to steal private information or hold the system ransom. A data breach occurs when data that is unintentionally left vulnerable in an unsecured environment is viewed by someone who shouldn’t have access to that data. The question here is whether the liability lies with Capital One and a misconfigured database within the AWS environment or with AWS because a former employee may have used credentials to access the cloud and/or knowledge of the misconfigurations.
Many eDiscovery solutions host their platforms, along with users’ case data, on public clouds like AWS and Azure, which might lead some to question the security of cloud-based eDiscovery. First, it’s important to remember that the Capital One hack (or is it breach? Or both?) had nothing to do with security certificates (after all, they have an Impact Level 6 certification), but an attack conducted by someone with inside knowledge.
But it is an opportunity to review the notion of “Cloud eDiscovery” and note that there isn’t a single environment that everything is operating in, but instead many options when it comes to choosing a cloud hosted platform.
Public Cloud (AWS, MS Azure):
In a public cloud, all infrastructure exists in the data centers of the cloud service provider. Each user then has a private environment within the larger public ecosystem, while the cloud host has physical control of the hardware and is responsible for all aspects of data security, IT management, and support.
Sounds good right? Except these public clouds aren’t just used for eDiscovery. They’re used for everything. Case data is in the same cloud as Capital One, Ford Motors, MSU, and ODOT (and others). And while the cloud provider is in charge of data security, IT management, and support (which is a definite plus), they aren’t specialists in eDiscovery, and they aren’t the same people who created the eDiscovery software that is being hosted in their cloud. So it adds additional stakeholders.
Private Cloud (AKA, On-Prem):
In lieu of some of the issues mentioned above, an organization may want more control over their environment and set up a dedicated, private network located either on-premise or at a remote site. Many times, when eDiscovery vendors talk about an “On-Prem” deployment, they may actually mean installing the solution on the user’s private cloud.
This definitely brings control of eDiscovery data wholly onto the organization, which is an added benefit from a security and control standpoint. However, for many, the burden of having to maintain an in-house system is heavy. Managing upgrades to software as well as hardware, while trying to recover costs, maintaining an IT team that understands the needs of the legal department, while being challenged with the ability to scale in the face of ever-growing datasets, as well as the liability of securing against hacks and data breaches, can be draining on both personnel and financial resources.
Hybrid eDiscovery: The Ipro Cloud
If only there was a hybrid of the two cloud options, one with the scalability and easy management of a public cloud, but with the control and security of a private cloud. And even better, what if that cloud was created and managed by people who not only understand the unique needs of eDiscovery but are dedicated to you?
That’s not just any cloud, but the Ipro Cloud. It gives you the flexibility to run your own environment on a private cloud managed by the creators of the eDiscovery software you’re using. Ipro teams speak the same language as your legal team and act as your eDiscovery dedicated IT department.
You also get the scalability of a public cloud with the control and security of a private cloud, utilizing Ipro’s decades of IT and industry experience running and operating the largest of client-environments. Unlike large public clouds, the only data hosted here is related to eDiscovery, all housed in a state-of-the-art data center with limited employee access to sensitive data, as well as a lower profile when it comes to targeted hacks. And hosting fees on the Ipro Cloud are a fraction of those on public clouds.
While you can secure and fully manage your own environment in the Ipro Cloud, you also get the benefit of a true technology partner and let Ipro’s services team do this for you. Ipro’s services team has been in your shoes and know the pain points and urgency of eDiscovery. Clients return again and again, because we specialize in building customized workflows for both simple and complex cases, while using our technology and advanced analytics to speed up processes through review with a focus on delivering quality results.
Proven Client Success:
Ipro is a 30-year legal technology veteran and hosts some of the biggest corporations and law firms in its cloud. One of them is Chamberlain Hrdlicka, a diversified business law firm with offices in Atlanta, Houston, Philadelphia, and San Antonio. In a recent case study, they said, “The Ipro eDiscovery Suite ultimately improved our firm’s ability to produce higher quality, streamlined reviews and provided the flexibility to handle cases of any size. Using Ipro, we were able to increase caseload by hosting over 330 cases and 40TB of data, while still working fewer hours and maintaining a small team. The workflows are well thought out and the system is intuitive to use, which minimized the learning curve for our technical staff, support personnel and attorneys as they adopted the system.”