Q&A: Moving to a Legal Storage Cloud
Can a law firm make a smooth transition to a storage cloud while meeting security and resource requirements?
What happens when a legal firm needs to share a huge number of documents, make the move quickly and safely, and do it with minimal IT resources? We talked to Matt Donehoo, director of information systems at Segal McCambridge Singer & Mahoney, a Chicago-based law firm with approximately 150 attorneys, about his experiences moving his firm’s document storage to the cloud.
Enterprise Strategies: What problem(s) were you trying to solve? What solutions did you consider? What criteria were most important?
Matt Donehoo: I’ve been interested in cloud storage for a long time, because it offers essentially unlimited capacity, can be accessed from anywhere, and is extremely resilient. However, until recently, I never saw a storage solution that incorporated the cloud in a secure way that could offer performance on par with a local NAS.
Obviously, security is also critical for us. If I’m storing primary data in the cloud, it had better be secure, since these are typically documents involved in litigation. The stakes are high. Just encrypting data in transit isn’t enough, and even encrypting the data at rest isn’t sufficient if someone other than my people possesses the encryption keys. I want to control the keys and nobody else.
What’s more, performance can’t flag, and it has to be available all the time. Attorneys bill by the hour, after all, so they can’t be waiting on documents.
Finally, any cloud storage solution needed to be transparent to end users. I don’t want our attorneys to change how they access files; it needs to integrate with our existing storage infrastructure.
How are the needs of legal firms different from those of other enterprises?
Storage presents unique challenges for law firms because it’s unpredictable. At any moment, I can get a call from a partner telling me that a new case has come in and that he or she needs multiple terabytes of documents processed, securely stored, and readily available to our attorneys as soon as possible.
It makes planning for storage capacity difficult, to say the least. There simply is no way to predict how much capacity we will need tomorrow, next week, or next month -- let alone next year. Traditionally, storage vendors want you to buy in three- to five-year chunks, and that’s almost impossible in legal IT.
Security is always important, of course, but it takes on special significance for a law firm. You have to remember, we’re dealing with files that in many cases are evidence. They absolutely must be managed and preserved in a manner that is defensible in a court of law. Any breach at any time can result in data spoliation, which means that evidence no longer stands up in court. We all remember the situation with Dropbox where users didn’t need passwords for several hours. It doesn’t take a lot of imagination to see what a disaster that could be for a law firm.
Why did you choose a cloud solution -- what special advantages did it offer in your case?
Initially, I was simply looking for a way to deal with our capacity issues. Now, I can get additional terabytes of secure storage with just a few mouse clicks -- our storage capacity can grow at the rate we are growing. Once I deployed the solution, we found that not only was performance better than our traditional NAS, but we could also give full read/write access to our other offices very easily. It’s great to have someone upload documents in our New York office and then just minutes later I can manage it all from my Chicago office.
As I mentioned, security was a major concern. When we first looked into cloud storage, it didn’t take long to see big holes. Some services only encrypted content in transit, which meant that data at rest was completely in the clear. That’s obviously unacceptable for any serious enterprise, much less a law firm. But even if they did encrypt data at rest, they had to hold the encryption keys, which, again, isn’t acceptable. No one can have access to our data but us, for any reason. The solution we ultimately adopted encrypts all data on premises in our office using our keys before forwarding anything to the cloud. No one, not even our provider, has access to our data but us.
We were also concerned about availability, since, like everyone else, we’ve seen all the reports on cloud outages. After investigating the issue we found that the back end our provider uses, Amazon S3, has been remarkably stable -- going down at most a few minutes a year, which is better than most traditional solutions. Plus, the service uses a hybrid solution that stores the most frequently used documents locally. So the only time we’d experience an outage would be in the highly unlikely scenario where S3 was out and someone called for a document that wasn’t in the cache. If that happens, our provider has a strong SLA, so we’re covered.
How many documents (number or total size of documents to migrate) did you have to store in the cloud?
We’ve currently got 12 terabytes with our storage services provider, and we expect that to grow to at least 20 terabytes by the end of the year.
How long did the project take? How many people were involved? What was its cost and how did you measure ROI?
Surprisingly, it didn’t take very long at all. I installed the physical appliance in Chicago, plus a few virtual appliances at other locations, and we were ready to go in less than an hour. As for how many people were involved, it was just me and our storage guy.
As for cost, our storage services provider charges by the terabyte/year, and it varies according to how many terabytes you’re buying, but they generally start off at about $10,000 per terabyte, with discounts if you buy more capacity. That’s just usable storage, though. We get unlimited snapshots in the cloud without incurring additional charges, and can roll back as far as we want at any time. Plus, if one of the appliances melts down, all I need to do is install a new instance of the virtual appliance on a working server and we have full access to all our storage within minutes.
I’ve not done a formal ROI analysis, but not having to babysit our NAS, backup systems, or DR site all the time and worry about capacity has freed me up to focus on more strategic initiatives, such as VDI. That’s worth a lot.
What problems did you encounter? For example, was bandwidth an issue? What best practices would you recommend to colleagues about to embark on a similar project?
Bandwidth hasn’t been an issue because the files we use most often are locally stored, with the master in the cloud, so even if there is lag, we don’t feel it.
In terms of best practices, you would think it doesn’t need mentioning, but I don’t think you can stress enough the importance of security. There are a lot of cloud storage solutions out there that come from a consumer pedigree that simply aren’t designed for use in the enterprise.
When we tested the solution, we initially had performance issues with the document management system. However, we were using a virtual appliance for the test, and the server on which we had it installed didn’t have a large enough cache. We switched over to our provider’s physical appliance, and once the DMS data was in cache, it performed better than our own environment. It had everything to do with cache size. When files weren’t local, the DMS solution would time out. With the physical appliance, we’ve had no issues at all.