Whether it’s a public cloud or private cloud, or anything in between, everyone agrees that cloud computing has key benefits including scalability, instant provisioning, virtualized resources, and the ability to expand the server base quickly. But what’s the difference between private and public, and how will it work for me? We answer these hard-hitting questions in this week’s Free Training Fridays.
About Free Training Friday: Since the beginning of 2017, we have been holding these free, 30-minute training hosted by our industry-leading experts and innovators who will teach you about AbacusLaw, Amicus Attorney, the Abacus Private Cloud, and everything in between. If you would like to request a topic, please email firstname.lastname@example.org.
My name is Allyson and I am the content manager at Abacus. Today, we will describe the difference between public and private clouds. However, before we begin, here are a few housekeeping notes:
Please feel free to type in the questions throughout the webinar and we will answer them in the order that they were received. Again, this is going to be a 15-minute presentation, with a 15-minute Q&A and thank you so much for joining us this morning. Please let me introduce Tomas. He is our chief solutions architect for practice automation. A member of the California state bar, he uses his legal and business acumen to create solutions for our clients. Recently he became a soccer champion with the AbacusNext team, so take it away Tomas!
All right, thanks, Allyson. Welcome everybody; I appreciate you joining us on a Friday morning. The topic this presentation is the difference between a public cloud offering and a private cloud offering. Therefore, the Abacus Private Cloud (APC) is just that, a private cloud with security, flexibility, and compliance that are integral to the architecture of the platform. We specifically created it to serve the legal and accounting industries, amongst others, and other businesses that want to take their network environment into the cloud.
So, the first thing that I wanted to touch on is to describe the cloud in a general sense. The cloud is simply somewhere where you put your information, your data, your applications, and your desktop stored in someone else's server in a data center that's accessible via the internet. At its core, that's really what it is. It is a fundamental, you know sharing and storing and hosting of your data in a cloud, on a server hosted by someone else, in a data center.
Now let's talk about public cloud. The public cloud includes Amazon Web Services (AWS), Microsoft Azure, and a whole host of other applications. They are different in that they are browser-based (or web-based) environments that support the storage and access and kind of sharing of information. Now you may have heard recently that there have been a couple of hacks to public cloud environments. Now the reason I bring this up is to use it to distinguish the difference from a security standpoint. We know that law firms specifically have been targeted more in the last two years, in the last six months specifically, because of law firms capture, store, and need to protect information that's confidential, that's privileged, and that's sensitive for your clients.
Not only are you held to the highest of bars from a professional standpoint, but you have to make sure your relationships are maintained to the highest ethical standards. So let's talk about a couple of the public cloud security breaches and how they were, you know what steps were taken to remediate them.
The first security breach is called Cloudbleed. As you know, Cloudflare is an online service that can cache a listing of your client's websites. It's done in that way to provide speedier access to information. But what happened is that someone developed an exploit called Cloudbleed, because it's a variation of Heartbleed, which was an exploit that happened 18 months ago. In this situation, clients of cloud flare (a public cloud) had passwords, cookies, and tokens that were used to authenticate users hacked and made available via the internet. This meant millions of sites that were in the cloud flare network and even mobile apps were affected.
Here are some of the sites that were affected: dating sites, chat applications, and password managers (which really give me pause because not only the exploit gives access to one password but it's a manager for many passwords), history of visiting adult sites, travel data, etc. So, those are some of the types of information that was accessible via the internet. And not only was it accessible via this exploit, but Google cached those sites so even after the visibility of that information was resolved, unfortunately, the cached versions were available for some time to going forward. And this is the real kind of concern here is, it's not just customers of Cloudflare, but visitors to the website that has supplied their information via those web interfaces. Visitors who were not Cloudflare customers, that's not easy to say. That visitor’s information was also made public via this breach.
I want to touch on Cloudbleed because it is a specific exploit that affected a public cloud and what it really shows is one of the vulnerabilities of a public cloud. In a public cloud when information is hacked, by whatever method, all the information within that public cloud then becomes public. And I touched on that earlier, you know your information sent received from dating sites, chat apps, password managers and so on. Those are the kind of exploits where if the public cloud security, it's almost like the wall, if that wall falls all the information behind becomes accessible or you know made public.
Here’s the next one - it happened about maybe a week and a half ago. Let’s talk about AWS S3 shutdown. AWS is a huge organization and one of the largest public clouds on the market. Their outage was caused by an internal procedure to refresh or reboot small numbers of servers in their network. During which time, an inadvertent mistake by a technician at AWS happened: instead of rebooting a small number of servers, the mistaken kind of code entered rebooted a large number of servers. What that did was actually bring down websites, brought down you know virtual desktops, brought down all the things that AWS was hosting and provided through a public cloud. Now it is a slightly different situation because it was not hackers, it was more like an internal error that simply resulted in not necessarily the exposure of data but it was down time. It meant that not all customers affected by this simply could not access their own information or if your website is hosted on AWS S3, clients who come to it would have received an error.
What I am trying to say about a public cloud is that a simple mistake or an attack against an organization can expose and make multiples millions (potentially) of customer’s information either not accessible or you know not accessible by them if it's a desktop, virtual desktop environment. Or not by clients who need and rely on your website, let's say for information. So those are two examples that point out how when a public cloud fails, the information within (and even that organization's ability to remediate it) can be company-ending. Can you imagine the letter you would have to write to your clients explaining the situation, or the press release that explains that your public cloud caused their data to be at risk? I can’t.
Also, it’s important to mention that you don’t know what was stolen. You only know that the public cloud was breached. However, you have no idea about what was breached, who, you know who copied it off, who had access to it. They simply do not know, except for the fact that the breach happened.
So now I'm going to shift over and talk about APC. The first thing I'll touch on is the term “private.” Why is a private cloud different? Well, it still is hosted by us in our data centers in the United States. We have four of them. So, there's geographic redundancy because they're not in one basket from a hardware perspective. But also the private cloud means that when we create a cloud for your organization, it's private because it's encrypted, right, all the data within it remains yours, you're the data owners, right. You always have access and ownership of the data. We consider ourselves to be the guardians of data within the environment.
We also manage the environment. So 24/7/365 we become the vendor, your technology partner for your private cloud that is encrypted using a key that's specific to your cloud. And the real key distinction I'm drawing here is if your neighbor's private cloud was inadvertently exposed or was hacked for you know, for whatever reason or by whatever method, your cloud and the encryption and data within would not be accessible. So that is a true dividing line between the two is should there be an exploit of some sort. In this situation. We become your partner, we're managing the environment proactively 24/7. And in fact, if there's any kind of anomalous behavior or even kind of intrusion, some sort of attack against the environment, you know we would be notified. Both, you know we have live you know highly trained techs that are monitoring it live, you know 24/7 as well as you know systems, software tools that alert us to any anomalous behavior.
Essentially, we become your partner and now we can reach out and let you know is this something you mean to do, if not we have you know our remediation steps become an instant response. So the private cloud is just that, it's your cloud, it's encrypted, it's accessible by you and really the accessibility is the benefit of the cloud. Where the services within it, you know the backups right, you know that everything is backed up with five layers, you have geographic redundancy across multiple data centers, you have one number, one hand to shake or one neck to choke depending on the call. But you know who to call. We support it, we protect it, and within the system, you have access to your individual virtual desktop.
That's another kind of key distinction between a virtual desktop environment within the private cloud, is that within an organization you can work closely with us and let us know what to fix on a user-by-user basis. So you have peace of mind knowing when you connect to the viral desktop that's yours, you have the tools you need to communicate and collaborate, and your colleagues have similar tools and any other you know administrative access rights. Or even you know the opposite side of that coin, the restriction can be fine-tuned on a user-by-user basis.
So you know the 24/7 remote access, whether you're you know at your desk at work, whether you're in the conference room, on a laptop, on a desktop, a Chromebook, smartphone, tablet, there's a lot of flexibility if you're traveling, you're in court, or you log in from home. You know each session, in essence, gives you a consistent virtual desktop with all the applications you need, whether it's Abacus Law, whether it's Amicus, whether it's you know all the other different programs you might need, Office365. It becomes a nice, consistent way for you to understand exactly what security you have in tier three data centers across the United States with proactive monitoring, intrusion detection, and that encryption. An encryption is key because it is important for you to know.
And here is a scenario that I refer to regularly but I think it's instructive. We have a client who in their private cloud environment, they have about 24 users on the program. One day, they called us because an administrator there had clicked on an email in the private cloud that was designed to look like it was coming from the IT department. She found out that she had downloaded malware to her virtual desktop, that ran somewhere, and that CryptoLocker virus encrypted her desktop and all other desktops within that environment. The client called us in a panic and we were able to reset not only her desktop but their server and every other desktop in the environment, literally down to the programs that were installed, the preferences, what you know the image you used as your desktop wallpaper. Because the private cloud gives you a virtual environment, we can reset that firm's entire private cloud within 24-minutes.
That's a key advantage of the private cloud. That we're the vendor that can give you that kind of turnaround, where should something go wrong -- whether it's a disaster or a mistake -- the end result is similar. Where you're in a bad position because you no longer have access to the private cloud for whatever reason, you call us and we're able to support it, reset it, and have you back up and running with very little downtime.
All right, so there are a number of services that are part of the private cloud, but I'm really drawing the distinction between a public cloud where maybe it's hosting multiple you know services or multiple programs or multiple vendors. You're not sure who supports what within it. So it comes down to your understanding in APC that you're protected and not affected by neighbors. Instead, in the private the cloud what you have access to on a user basis, the security controls, two-factor authentication, things that are necessary that I would absolutely recommend that every cloud-based business utilize. The private cloud gives you that plus proactive monitoring, the security at a next level, far beyond what most firms can just from a resources perspective, what they can support on the local level. You're no longer reliant on a server down the hall, instead, you have access to your private cloud 24/7 with a team behind it that is proactive in monitoring it and ready to answer the call should you have any questions or scale up or in any way kind of further utilize your private cloud.
So, just kind of recap: with the private cloud you have:
24/7 remote access.
The encryption, which is vital to making sure that you're protecting your environment.
The proactive support for the environment with full management 24/7.
And your information is not exposed with a breach of your neighbor's environment.
All right, so that's kind of a recap, or at least an overview of recent events in public clouds and drawing distinctions between the public cloud versus the private cloud. And you know, as you're making your decision, it is vital to ask a provider of a cloud of whatever type:
Do they have these types of controls? Confidentiality, Privacy standards, Control and remediation steps if a problem occurs?
Q & A
How many firms are currently using APC?
That number's growing every day. I think the last one I heard was over 8,000. It's growing rapidly, especially in the last two years we've had a very specific ramp up in the number of our long-term, legacy clients, as well as new business. I think it is because the ABA came out with their take on the cloud, which is not only is it compliant from a kind of ethical perspective but within five years they see more law firms using the private cloud.
If AbacusNext gets a subpoena issued and that information is stored in the private cloud, what is Abacus' SOP for dealing with this?
If we receive a subpoena, our policy is to reach out to you, notify you immediately and at that point, react to it. So it's not like we're going to respond to a subpoena without notifying you.
What about printing, scanning, streaming music, watching YouTube or whatever you might do during the course of the business day?
You can stream music, you can even watch the video, I don't think I would recommend that (more from a productivity standpoint and not a technical issue!). Understanding that bandwidth of the Abacus Private Cloud, and preparing a private cloud that's specifically tailored to your needs, we would have those conversations with you. We ask you what you do on a regular basis, what kind of programs you use on daily basis, and what kind of applications you will need for your work.
But let’s talk about printing and scanning because that comes up often and what I do is actually helping law firms be more efficient and moving towards a paperless environment. But let’s say there's a flatbed scanner on your desk that you use to scan. Those are built into the private cloud. Where we can actually have you in the office, have access to your printers and scanners just like you would if you were running those programs locally. And then if you're at home and you want to print something out at the office printer, there's also secure tunnels that we can create where at home, when you connect to the private cloud you can have access to your printer or multifunction device even though it's in the office which could be miles away.
If there is a breach, do you provide remedies for your customers?
I think that goes to your specific need. It's spelled out in our, you know in our terms and conditions and our service level agreement. Of course, there's many different you know scenarios where that would apply, but the remedies that we provide to you are spelled out. You know and it is ... it's not necessarily cased by case basis but that's a conversation that's specific let's say at least to what you're doing, as far as what your business is, what information your, you know you have, and you're protecting your clients. So that's something where you know, Billy gives me a call. You know my name and number's up on the website, give me a call and I'm happy to discuss that with you in some detail.
What would happen if another company's data is hacked?
The short answer to your question is if another company's data is hacked or in this specific, they were locked out of their data, it affected no other private cloud. Neither the access to that private cloud or the data within it. So you know I hope that's clear. Your private cloud would not be affected in any way by a, you know another organization's data being exploited, locked, encrypted, whatever the case may be.
Is APC HIPAA compliant?
Yes, the environment, the data centers are within the United States, we have data centers in Las Vegas, Phoenix, outside of Houston in Katie, and here in San Diego. So those four data centers are within the United States, that's one of the HIPAA regulation. Encryption both data at rest and in transit as well as email encryption, so the short answer is yes, the environment is HIPAA ready for compliance. Clearly we've gone through those reviews and you know we have a good understanding of all the requirements to be HIPAA compliant and APC satisfies all those requirements. So good question, thank you for that one.
Why don't more people know about the private versus public cloud?
It's a good question and here are my take: Unfortunately, the term cloud has a lot of excitement behind it. Because having a backup that's offsite, that doesn't require you to know about hard drives or tape drives. But the idea of making sure you're backed up in the cloud, that was one of the kinds of selling points for the cloud not so long ago. And then Dropbox and Gmail and you know having your calendar, all of those things available in the internet right, similar to a webpage except it was more of an application or it was your information that was stored in that environment.
But the real problem is that the term “cloud” has been applied to many different types of services. And so that the actually kind of understanding of what it exactly is had been diluted because of that. So the terms private and public become necessary because there are three different types of clouds – public, hybrid, and private. The problem is they use the term cloud to identify at it's core something that's just hosted remotely, but even something that's hosted remotely can vary in how you access it, what you have access to, what controls, applications services, and you know kind of benefit are involved in the different flavors or variations of cloud environment.
That's why I think there's a need to inform and educate about not only the benefits of the cloud but also the accessibility and making it device and location agnostic. And what's crucially important going forward when you're using or you're anticipating or making that decision whether to move your environment, you know your key business you know processing and application and all the data that you rely on and need. When you move that into a cloud you know part of our education today is to make sure you understand what is actually, at the core of these different you know these different types of clouds, with you know the private cloud being the one that we created.
Because you know future proofing your firm and taking kind of known environments and paradigms where you know you work at your desk and you connect to a server right. And the server has your databases and your applications and your files and whatnot. Taking that paradigm and moving it into a hosted environment with the backups and disaster recovery and business continuity and security built in, that's where a private cloud really differentiates or distinguishes itself. Because the encryption, the protection, and the monitoring truly mean that you actually are moving into an environment that is more secure. And is you know as is better supported and managed than an environment that you could host and kind of manage on site. With all the benefits of the cloud being kind of the icing on that cake. Where the true business needs and protection are built into the private cloud.
What is the connectivity and how many providers support your infrastructure?
if you're in an office with users you want at the minimum 30 down and 30 up for your broadband internet. Now, those requirements are often times in business class internet, most of our clients already have it. Or if not, we have a team here that can work with you and actually work with kind of internet aggregators across the United States that can actually in some ways find better (more efficient, more effective and more affordable) solution for your environment. Simply because you know when you aggregate rather than going with one or two providers in a geographic region, we can help you to prop up your internet if you need to. Especially on the upload side.
Want more Free Training Friday? Register for upcoming webinars here!