eDiscovery Daily Blog

Avoiding Glittering Generalities in Selecting eDiscovery Software – Considering Security: eDiscovery Best Practices

Editor’s Note: If you read our blog regularly, you know that we frequently reference my friend and CloudNine colleague Rob Robinson’s excellent blog, Complex Discovery for various industry information, including quarterly business confidence surveys, eDiscovery software and service market “mashups” and information about industry mergers and acquisitions (among other things).  We’ve been discussing aspects of on-premise and off-premise eDiscovery offerings quite a bit lately (including this recent webcast conducted by Tom O’Connor and me a few weeks ago) and Rob has written a terrific article on the subject which he has graciously allowed me to publish here.  This is the second part of his multi-part article (part 1 here) – we will publish it in a series over the next couple of weeks or so.  Enjoy! – Doug

Considering Security

“Distrust and caution are the parents of security.” Benjamin Franklin

The security of data is fast becoming one of the most prominent and visible areas of concern in the selection of eDiscovery software solutions. With public examples of data security failures increasing in regularity and impact, it behooves any discovery solution decision maker to carefully consider how they manage this important risk factor and make decisions based on facts.

Control of data, applications, servers, storage, and network connectivity behind an organization’s firewall has traditionally been viewed as the most secure of available eDiscovery solution deployment options. In this on-premise security approach, an organization has complete control of data and all the elements that might act on the data in the course of eDiscovery. For organizations that have an established security infrastructure, on-premise offerings appear to be a safe approach to eDiscovery security as they minimize security risk through the exercise of direct control of data.  The on-premise approach also seems highly desirable to many organizations sensitive to data transfer regulations and privacy requirements as it ensures they maintain a direct understanding of the physical location of data and have the ability to act on that data at all times.  From an acceptance standpoint, according to a recent eDiscovery industry report from the Aberdeen Group (covered by us here), organizations are 50% more likely to have an on-premise eDiscovery solution than a cloud-based one.  With these facts in mind, it seems reasonable to conclude that an on-premise approach to security is a safe method that is and should continue to be used by many organizations as part of their eDiscovery solution even in the face of growing acceptance of off-premise alternatives.

With the mainstream acceptance of cloud computing, the off-premise approach to delivering eDiscovery software is experiencing increasing in acceptance. This acceptance is based on many attributes, one being the evidence that off-premise offerings delivered via SaaS may be able to satisfactorily address many of the security requirements previously only achievable in on-premise offerings.  Reasons for this growing acceptance of cloud-centric eDiscovery solutions as secure on-premise alternatives include but are not limited to the following security elements:

  • Sophisticated Encryption: The ability to encrypt data in various states of movement and rest.
  • Security Experts on Staff: The availability of experts to continuously monitor and address security requirements.
  • First Access to Emerging Technologies: The access to emerging technologies based on size and centralization of data.

These elements of security are increasingly available in cloud offerings and are helping make the use off-premise eDiscovery solutions acceptable when viewed through the lens of security.

There are also different types of cloud implementations that may contribute to the overall security of a particular cloud-centric solution. There are pure public clouds that operate exclusively on a public cloud infrastructure and are delivered by companies such as Amazon, Microsoft, and Google. There are also private cloud solutions that combine the economic and access benefits of pure public cloud solutions with the added security of provider-owned resources that allow for determination of the exact physical location of data at any time. This ability to reach out and physically locate client data is a desirable security attribute of private clouds, especially in light of increasing regulatory and legal requirements around the disposition and disposal of personally identifiable information.

Given the current state of security of most public and private cloud eDiscovery offerings, it seems reasonable to suggest that there are many appropriate cloud-based offerings from a solely security-centric perspective.

Regardless of on-premise or off-premise approach, there are always some areas of security concern that transcend delivery approach. One example of this type of security concern is the transfer of productions outside of the firewall or cloud-secured environment to requesting parties. However, there are also many ways to mitigate even this risk through the use of secure transfer protocols, encryption, and shared access to secure servers managed with role-based access. In fact, some vendors present this concern of data transfer security argument as a reason not to consider a solution when in fact the real reason the vendor highlights this risk is that getting data out of their system is incredibly time-consuming and they want to direct users to proprietary approaches that mitigate data transfer speed deficiencies. Said differently, when evaluating software provider arguments and objections to differing security concerns, make sure you accurately understand the cause of the concern as it may be more related to performance deficiencies than security deficiencies.

Quick Takeaway: Both on-premise and off-premise offerings may be sufficient to meet organizational security requirements. However, some approaches may mitigate security risk more comprehensively than others, so it is important to understand current and potential future security requirements when selecting eDiscovery software.

Thursday, we will address the next area of evaluation, providing a consideration of capability.

So, what do you think?  What factors do you consider when evaluating and selecting eDiscovery software?  Please share any comments you might have or if you’d like to know more about a particular topic.

Also, I’m excited to report that eDiscovery Daily has been nominated to participate in The Expert Institute’s Best Legal Blog Contest in the Legal Tech category!  Thanks to whoever nominated us!  If you enjoy our blog, you can vote for it and help it win a spot in their Best Legal Blogs Hall of Fame.  You can cast a vote for the blog here.  Thanks!

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

print