Application Service Providers – Accessible, Secure, and Practical
Has your hard drive ever made a “cluck-cluck” sound? It’s commonly referred to as the “clunk of death.” It usually means that your hard drive has just died – and taken your data along with it.
In 2007, Google published a large study on hard drive failure rates. You may not have been aware, but Google uses the same standard hard drives found in your PC to power their massive storage facilities. In the study, Google found that 1.8% of those hard drives failed in the first year. Over 8% fail by the third year of operation. The most shocking aspect of the study: most of those failures were completely unreported by the drive’s error monitoring system. Fortunately for Google, their impressive custom file system constantly mirrors their data. A user typing an email stored on a defective Google hard drive at the moment of failure wouldn’t notice a thing. The whole backup and restore process is done continuously.
Contrast that to the user who suddenly suffered a disk failure while typing an email into Outlook. It’s likely the message would be lost (along with any data since the user’s last backup) since few law firms can implement and maintain a backup procedure as robust as Google’s.
Automated backups are one of many advantages offered by Google, an application service provider. Application service providers (“ASPs”) provide remotely hosted applications that users access through small programs called thin clients. In many cases, the thin client is simply a web browser. A user enters data into the thin client, which sends it to the server for processing. The result is then returned and displayed to the user through the thin client. All the heavy data storage and processing is done on the server.
This structure results in an obvious benefit to using an ASP: accessibility. The application can be used from any location with Internet access. It can also be run on any hardware capable of running the thin-client. In the case of a web-browser, older computers, cell phones, and handhelds can all access the application. But this model also has other less obvious benefits. Utilizing common and less complex software on the client frees developers from having to support and maintain software for various hardware configurations. Instead, they can focus on improving the core of the application hosted on their server, and swiftly adapting the client-side software to new devices. If they utilize a web-browser, someone usually adapts it to the device for them. For these reasons, the software often requires fewer programmers. This lowers end-user costs and allows for more coordinated and agile development.
Hosted applications also provide a number of security and stability benefits. A Tier 4 Data Center (as defined by the Uptime Institute) must have multiple systems in place for power and cooling, controlled physical access with biometric readers and single-person entryways, gaseous fire suppression, and redundant backbone cabling infrastructure. And it cannot experience any more than 25 minutes of downtime per year. A law firm cannot practically ensure this same level of stability and security with an on-site server.
Nor are law firms better situated to maintain the application. With an ASP, every user is executing the same code on the same server hardware. “Bugs” in the software are therefore quickly identified. In turn, the technicians are more familiar with the server’s hardware configuration and can resolve issues efficiently. Application updates are also delivered quickly and seamlessly to end users.
These benefits are really the result of specialization. For instance, consider the online billing application Freshbooks. Freshbooks allows lawyers to enter clients, track time on projects, and then bill the clients via email or postal mail – Freshbooks will even print the invoices and mail them for you. Clients can also log in, print their invoice, pay by credit card or PayPal, upload or download documents, and file trouble tickets. A firm could certainly set up and maintain a similar system, but it would have to take on a significant amount of overhead: updating the server’s code when vulnerabilities are discovered, updating the bank’s payment gateway protocol when it changes, diagnosing clients’ technical problems with using the site, and keeping the database backed up. The benefit of paying a specialist for these services is clear.
Of course, placing data on a widely accessible server increases its exposure. This, intuitively, raises privacy concerns. But one has to weigh these concerns against already existing privacy risks. Any open communication port on a computer can be exploited. Any password can be cracked. Any data can be copied onto a USB drive and carried out of the office. Should offices stop using remote desktop software in fear that someone will compromise the communication? What about someone passively listening and decrypting the packets sent by your wireless router? Or the magnetic fields projected by your hard drive? What about unencrypted emails, faxes, telephones, and cell phones? What if someone at the post office is reading your mail?
In light of these already existing privacy risks, both the New Jersey Advisory Committee on Professional Ethics (Ethics Opinion 701) and the State Bar of Nevada’s Standing Committee on Ethics and Professional Responsibility (Formal Opinion No. 33) opined that a lawyer may store client information on a server or device that is not exclusively in the lawyer’s control, provided that the lawyer:
- exercises reasonable care in selecting the third-party contractor;
- instructs and requires the contractor to keep the information confidential; and
- has a reasonable expectation that the data will be kept confidential.
The key is your “reasonable expectation of privacy.” When selecting an ASP, you must carefully consider whether the provider is reputable, knowledgeable, and capable of providing the service in a professional and confidential manner. Here are some things to consider when selecting an ASP:
- Check the terms of service. Every provider gives you a boilerplate agreement when you sign up. Make sure privacy is adequately addressed in those terms. Often, a reputable provider will also have a page on their website discussing privacy and outlining the security of their systems.
- Find out who’s really hosting. Most ASPs do not host servers themselves for the very same reason that law firms don’t: it’s more efficient and secure to allow a hardware specialist to maintain the server. Make sure the provider is using a reliable host, preferably a Tier 4 hosting facility.
- Look at the provider’s website. This is my biggest pet peeve when it comes to selecting any application. I’ve seen so many applications with completely outdated, unprofessional-looking websites. Clean, modern, uncluttered websites are easy to program. If the developers can’t even code a nice website, what does it say about their skill and motivation?
- Don’t just look at the price or company size. Anyone can look big on the Internet, and anyone can charge a high price. Don’t fall into the trap of thinking a product is better because it costs more, or because it’s offered by MegaLegal, Inc. Instead, look for a professional team of developers offering a quality product. Look for a responsive and friendly support team, an active and happy user community, and innovative ideas that will give you an edge.
- Do your part to secure data. As was pointed out in the Nevada ethics opinion, all PDFs and similar documents can be password protected, encrypted, and scrubbed of metadata. OpenOffice can be set to do this automatically when the document is closed or saved. Set up a procedure to ensure all confidential data is encrypted before being uploaded.
- Utilize open standards. Save your data using open standards that can be read by multiple applications. This allows you to switch vendors in the future and avoid getting “locked in” to a single program. With regard to ASPs, make sure they allow you to import and export your data in popular open formats. This also allows you to shift various parts of your software (calendaring, email, billing, accounting, etc.) to different programs while maintaining compatibility with the others, if it becomes necessary.
- Keep local backups. Even though your ASP’s host should use advanced backup measures, regularly export and save your data locally. This is easy to do if your ASP supports open data standards. For instance, Google allows you to download all emails via POP3, export all of your calendars, and download all of your documents and spreadsheets.
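One way to turn the “encrypt and scrub before uploading” advice above into a procedure is a gate that refuses to release a PDF to the ASP until it carries no identifying /Info metadata and has an /Encrypt entry. The script below is an added example written for this post, not code from the author or any provider; it scans uncompressed “classic” PDF syntax with regular expressions, so it is a heuristic check (metadata inside compressed object streams or XMP packets is not seen), and the two sample documents are constructed inline.

```python
import re

# /Info dictionary keys that commonly leak author, matter and tooling details.
# A scrubbed document should carry none of them.
INFO_KEYS = ("Author", "Title", "Subject", "Keywords", "Creator", "Producer")


def pre_upload_check(pdf: bytes) -> dict:
    """Inspect a PDF about to leave the firm and report why it should not.

    Returns {'metadata': [keys still present], 'encrypted': bool, 'ok': bool}.
    'ok' is True only when no listed /Info key remains AND an /Encrypt entry
    (password protection) is present. Heuristic: works on plain PDF syntax,
    not on metadata hidden in compressed object streams or XMP.
    """
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("not a PDF file")
    # A key followed by a literal '(' or hex '<' string means a value is set.
    present = [k for k in INFO_KEYS
               if re.search(rb"/" + k.encode() + rb"\s*[(<]", pdf)]
    encrypted = re.search(rb"/Encrypt\b", pdf) is not None
    return {"metadata": present, "encrypted": encrypted,
            "ok": not present and encrypted}


def upload_blockers(pdf: bytes) -> list:
    """Human-readable reasons to hold the upload; empty list means release."""
    findings = pre_upload_check(pdf)
    reasons = []
    if findings["metadata"]:
        reasons.append("metadata not scrubbed: " + ", ".join(findings["metadata"]))
    if not findings["encrypted"]:
        reasons.append("document is not password protected")
    return reasons


# Constructed sample: an unscrubbed, unencrypted draft as a word processor
# might save it (minimal skeleton, not a complete viewable file).
LEAKY_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"3 0 obj << /Title (Smith v. Jones - draft) /Author (J. Doe, Esq.)"
             b" /Producer (OpenOffice.org 2.4) >> endobj\n"
             b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")

# Constructed sample: the same skeleton after the /Info entries were removed
# and the file was saved with a password (an /Encrypt dictionary).
SCRUBBED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"4 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 >> endobj\n"
                b"trailer << /Root 1 0 R /Encrypt 4 0 R /ID [<01><02>] >>\n%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_PDF), ("scrubbed", SCRUBBED_PDF)):
        print(name, upload_blockers(doc) or "release for upload")
```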
Finally, it’s important to recognize that ASPs are likely the future of software for reasons beyond the scope of this article. What’s important is that the major software players are all positioning themselves to become ASPs. Google has launched Google Apps, aiming to provide online office applications, as well as Google Gears which enables any web-browser based application to be run offline. Adobe has launched a similar framework using Flash, called Adobe Air. Even Microsoft, recognizing the “web app revolution,” has launched its own ASP-oriented framework called Silverlight.
In fact, Microsoft CEO Steve Ballmer just recently announced a future “multi-tiered client-server platform for its Office and consumer applications” which will “use its data centers and network infrastructure already in place to offer hosted applications on its Windows Live service, as well as continue to offer desktop applications that can connect to this services platform for collaboration and data sharing.” Microsoft execs refer to it as “software plus services.” Sound familiar? Even the next version of Windows (code-named “7”) is rumored to have an integrated online-subscription service. Given that the future of software clearly lies in ASPs, is it prudent for a law firm not to consider them?
I can understand why certain lawyers hesitate to trust their clients’ data to a third party in return for a specialized service. But keep in mind that this is exactly what we ask of our clients: give us your data, trust our specialization, and we’ll provide you with a service more efficient and effective than if you did it yourself. As the blog Ross Ipsa Loquitur has correctly observed, the law firm that self-manages too many tech projects is providing a service to itself in pro se. And as the old saying goes: the lawyer who represents himself has a fool for a client.
Paul Slough is the law clerk for a Michigan trial court. He was admitted to the State Bar of Michigan in February and is opening a solo law practice next month. He blogs about Linux in the law office at his Linux Law Office blog. He writes this guest post as an inaugural member of the “TIS Debate Team.”