Which cloud model is the right choice for your core practice management applications?

December 1, 2014

By David Ricketts and Carrie Morgan*

With governance, security and data residency being among the top focus areas for IT managers, you could think that cloud just wouldn’t work for the legal sector. Yet, firms are becoming increasingly comfortable with experimenting with cloud services for different tasks and non-critical applications. As hosting services become more mature and the cloud suppliers develop more awareness of the importance of data residency and security guidelines, firms are now able to look at deploying cloud services across their entire business; even underpinning their core practice management systems.

Now, legal IT managers are focusing on how they can harness the flexibility that cloud gives them, whilst bringing more governance and control back into their firms. It can be a complex minefield of different cloud models to sift through in order to find the perfect fit for your firm, and many organisations choose to avoid the cloud altogether due to the complexity involved in selecting a supplier.

In this article, we are going to look at the different cloud models that legal firms can consider for their core practice management platforms – and what is best suited to a legal organisation. At C24, we created a suitability matrix – highlighting what type of cloud model performed best for different requirements (i.e. security, service management, availability). We will now share the findings of this study with you.

Private On-Premise Cloud

A private on-premise cloud is a traditional onsite infrastructure that has been built and designed to provide a shared resource pool of hardware within your own organisation (i.e. shared storage over dedicated storage, virtualised machines centrally managed), with a strong focus on the automation of infrastructure provisioning. The IT department acts as an IT service provider back into the business.

– An on-premise private cloud can be tailored to your exact needs, creating a bespoke solution that an infrastructure provider can design and integrate into your existing IT environment.
– The infrastructure is not shared with other organisations, which reduces the risk of performance or security impact.
– If you need increased resiliency, you can build in your own provisions to the solution for disaster recovery, higher levels of connectivity, and define your own SLAs.
– Once the up-front investment is made, you can sweat the assets for as long as they are supported or functioning.

– With an on-premise private cloud, security can often be lower than what you would expect from a purpose-built datacentre from a hosting provider. Many local datacentres consist of a server room within an office which doesn’t have the security of fireproof datacentres, with armed guards and stringent access control policies.
– Flexibility in the short term will be higher, but once you have used the capacity and reached the performance ceiling of your solution you will have to pay for upgrades – and the platform may not even have the capability to be upgraded.
– If the infrastructure or software supplier chooses to discontinue support for your solution, you are forced into refreshing your IT sooner than you had planned.
– The management and monitoring of the platform is your problem – the day to day management and support falls to the IT team.

Hosted Private Cloud

A hosted private cloud is a dedicated compute, storage and networking resource, hosted by a cloud provider. The solution is tailored and built to the client’s requirements, rather than being a standardised service within a multi-tenant environment as typically offered by Public cloud providers.

– Hosting providers tend to have high levels of datacentre security as the datacentres they operate and host within are purpose built for delivering enterprise, secure hosting to clients.
– When you work with a trusted hosting provider, you are working with an organisation whose core business activity is delivering hosted IT.
– Having a private cloud hosted with an expert provider gives you the benefit of a dedicated environment that has been built to your needs within a specialist hosting centre.
– The management, monitoring and support is relatively low-touch from your side as this is left to the hosting provider to look after your IT environment.
– With a private cloud model, you have more control to define SLAs, connectivity requirements and data security and residency.
– Your data is located where you need it to be.

– Deploying a hosted private cloud solution takes longer than deploying ad hoc services with a Public Cloud provider (such as email services or web hosting).
– Public cloud has more flexibility to scale services on the fly, and you have the ability with many public cloud solutions to self-provision compute resource through a web-based tool.
– Private cloud hosting will inevitably be more expensive than multi-tenant public cloud services due to economies of scale.


Public Cloud

The public cloud space encompasses larger providers who offer multi-tenant solutions to clients, often located outside of the UK. Services are usually standardised and commoditised, with little room for tailoring to a firm’s specific IT environment. Examples of Public Cloud providers are Amazon Web Services and Microsoft Azure.

– Multi-tenant services are low-cost and typically have low set-up costs as well.
– Services are easy to set up and activate – often just requiring a login and credit card.
– Public cloud is often flexible for easy scaling and can offer the ability to self-provision services.
– By its nature, Public cloud is a scalable model within which the mainstream providers operate vast datacentres with lots of available room for clients to grow into.

– Costs for services can escalate when enterprise features are added on, such as disaster recovery, security, backup elements and performance guarantees.
– Multiple cloud accounts across the organisation can be difficult to manage, especially as departments start to procure cloud services outside of IT’s control. This can result in Public Cloud sprawl throughout the firm.
– Security can be an issue for legal firms who need to know where their data is located and held. Also there are many data governance issues about how to take back data from a public cloud provider once the service has ended, all of which need to be considered carefully.


Hybrid Cloud

Hybrid cloud shares resources between your on-premise infrastructure and your cloud provider (be that Public or Private). This could mean having onsite mission-critical applications deployed locally, and specific applications hosted in the cloud and consumed within a software-as-a-service model.

– Provides you with the level of control you want – if you require more control then you can retain more services in house, or if you want less control then you can tip the balance and put more services to the cloud.
– There is more flexibility to grow as you can expand your Public Cloud and Private Cloud services whilst still having core solutions onsite in your datacentre.
– Performance can be high when and where you need it – you can cope with spikes in performance by consuming more services from the cloud at busy times and scale back down to your local infrastructure during quiet periods.
– If security is a concern then you can make sure your data is located in the right place by putting workloads on the most appropriate platform for the application.
– A hybrid model is flexible enough to combine true public cloud, hosted private cloud and onsite technology for an organisation – enabling services to be delivered from the appropriate provider, depending on security, performance and SLAs.

– The management overhead for the entire infrastructure may be higher if you are managing multiple cloud services in addition to your onsite technology.
– Your IT team will need to be both a manager of services (from cloud providers) and IT service providers themselves (of their own infrastructure) to reach a balance.


In the long term, it is expected that firms will move out many of their generic IT platforms to the cloud, in order to reduce the amount of time spent managing and fixing hardware issues. Most firms will adopt a hybrid model, making use of Public cloud services where it fits and retaining control over core Practice Management applications by placing them with a private hosting provider or by delivering the platforms onsite.

However, as more innovative legal-specific technology is introduced, it is likely that most new applications will be delivered in a software-as-a-service model, or at least developed to be as-a-service ready – making it easier for firms to put services out to the cloud with minimal transitional work needed.

As private and multi-tenant hosting providers in the legal sector, we are seeing more and more legal firms looking to the cloud to deliver cost-efficiencies and flexibility, and many are becoming confident with putting core practice management platforms out to the cloud – to increase their own IT security and datacentre compliance capabilities. This shows a marked change in the industry as the cloud market matures and starts to offer a secure, viable cloud option to legal firms.


* David Ricketts is Head of Marketing and Sales at C24 Ltd and Carrie Morgan is Director at The Sales Way Ltd. C24 Ltd is one of the UK’s leading specialist managed service and hosting providers. Working with businesses all over the globe, the company manages, secures and delivers critical business applications to over 100 countries, with a particular focus on the legal sector. It is also a strategic Thomson Reuters partner and delivers enterprise hosting platforms for Thomson Reuters Elite clients who are looking for more flexible solutions for their core practice management platforms. www.c24.co.uk


November 10, 2014


A legal hold is a written directive issued by attorneys instructing clients to preserve relevant evidence – such as paper documents and electronically stored information – in an anticipated litigation, audit, or government investigation. However, as businesses increasingly store data in electronic formats, it’s becoming ever more important to be able to manage, preserve, classify, and search electronically stored information (ESI).

A legal hold includes the following steps:

  • Issuing a written hold notice
  • Identifying the right stakeholders
  • Coordinating data identification and preservation
  • Monitoring the implementation of the hold

Who Needs to Comply

Any organization that can potentially come under litigation should educate employees on the company’s legal hold policy as well as how to respond to any legal hold notice they may receive. When a legal hold is issued, attorneys should ascertain that the recipients listed in the legal hold understand their responsibilities. Also, working within the organization’s legal framework, attorneys and the IT Department will take all appropriate steps to retain and preserve ESI.

Risks in Non-compliance

When evidence is destroyed, lost, or altered, the ramifications can be detrimental as it becomes virtually impossible to prove or defend a case. An organization’s failure to prevent spoliation of evidence can result in court-ordered sanctions as well as fines, especially if ESI is found to have been destroyed because a legal hold was not effectively carried out.

Below are consequences and regulations set forth by each association and regulating party.

Title 18 of the United States Code

Under Title 18 of the United States Code, the individual responsible will be fined and/or face jail time.

“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.” 18 U.S.C. Sec. 1519.

Federal Rules of Civil Procedure

Under Federal Rules of Civil Procedure Rule 37 possible sanctions are as follows:

  • dismissal of the wrongdoer’s claim
  • entering judgment against the wrongdoer
  • imposing fines on the wrongdoer

How Varonis can help with Legal Hold

1. Finding Evidence

DatAnswers maintains an index so that files containing specific terms can be found at any time.

The Varonis IDU Classification Framework is a data classification engine that can incrementally scan file servers and intranets for documents based on a multitude of criteria: keywords, patterns, date created, date last accessed, date modified, user access, owner, and many more, making it possible for IT to find and preserve relevant evidence.

The IDU Classification Framework is efficient and performs true incremental scans, knowing exactly which files have been modified and require rescanning without checking every single location.

The IDU Classification Framework is an automated classification engine. It does not rely on users to manually flag or tag data (though that is possible). It classifies data across multiple platforms (Windows, NAS, SharePoint, etc.).

Also critical to preserving evidence, DatAdvantage can identify and locate all ESI, show which users and groups have access, and provide an audit trail on all ESI, such as when a file, directory services object, or email was opened, edited, or deleted.

2. Holding Evidence

Once relevant evidence has been found by the IDU Classification Framework, the Varonis Data Transport Engine can automatically migrate or copy documents into a secure location designated for legal hold where the files cannot be modified or deleted.

Brintons Carpets selects C24 as their strategic hosting partner

October 28, 2014

Birmingham, West Midlands, 28th October 2014 – Brintons Carpets Ltd are the world’s leading manufacturer of high-quality woven carpets and have selected C24 to be their strategic hosting partner for the global delivery of their business critical applications. The solutions will see C24 deliver Epicor ERP systems, Microsoft Exchange and a variety of other applications from their tier IV datacentre.

Like many other growing enterprises, Brintons were reaching a turning point in their business and IT needed to transform to cope with new business demands. An increasingly complex IT environment was making it difficult to manage a large technology infrastructure with the same resources, and Brintons recognised that in order to keep providing such high levels of service to their customers, they would need to re-evaluate their existing IT platforms to ensure they still fulfilled the needs of the business. Brintons also identified the importance of working with a true partner; as technology is so central to the services that Brintons delivers globally, they needed a strategic hosting partner that could offer flexibility and scalability for their operations.

C24 partnered closely with Brintons’ application providers to deliver a holistic and simple-to-manage solution that would help solve some of the challenges faced by an evolving business. C24 recognised that the smooth delivery of the enterprise hosting solution to Brintons depended on an ability to partner seamlessly with Brintons’ own IT team and the third party providers involved in the overall solution.

Sarah Goode, IT Manager at Brintons Carpets, commented, “As a mid-market business, finding a hosting partner with the right skills who have an understanding of both the applications and the supporting infrastructure wasn’t easy; C24 showed a true understanding of both areas but just as importantly, they are willing to work closely with us to deliver our desired business outcomes.”

David Ricketts, Head of Marketing at C24, commented, “Brintons Carpets is one of the UK’s most recognisable brands, with a history of delivering the very best quality for organisations across the globe. For us at C24, the opportunity to work with them; delivering their critical applications to sites across the world, specifically across the UK, Europe, Asia, USA and Australia, highlights how far we have come as a hosting business. The team are really looking forward to delivering on their high expectations over the coming three years.”


About Brintons Carpets Ltd

Brintons has been making British carpets in Kidderminster for 230 years, focusing on delivering superior quality. Proud of their phenomenal British heritage, their 1400 employees worldwide help to create a quality product and global brand.

About C24 Ltd

C24 Ltd is one of the UK’s leading specialist Managed Hosting providers. Working with businesses all over the globe, the company manages, secures and delivers critical business applications to over 100 countries globally. Solutions are tailored to each business and range from traditional email hosting to secure back-up and managed hosting of Enterprise Resource Planning (ERP) solutions, business productivity applications and high availability disaster recovery.

Press Contact

David Ricketts, Head of Marketing, C24 Ltd, dricketts@c24.co.uk / 0121 550 4569


October 23, 2014

During a recent visit to Brazil, I encountered many customers and partners who faced a similar challenge – providing their clients with a safe, secure and genuinely easy way to share files and collaborate with data. All faced a number of barriers and none were happy with the current offerings of cloud based file sharing solutions. Generally speaking:

  • All required a secure way to share files with internal and external people – partners, vendors and employees
  • All tried to block access to file sharing sites and no one thought they were successful in doing so
  • All were concerned about the additional resource requirements to manage and control cloud file shares
  • Many wanted the same user experience and processes for internal and external collaboration
  • Not one had a plan to fulfill these requirements
  • All were required by the business areas to provide a solution in the near term

The following 5 criteria summarize their requirements, which are not currently fulfilled by cloud based file sharing solutions:

1. Ongoing guarantee of rightful access

Customers clearly state that the security of cloud based file sharing solutions is a primary concern.  They require a comprehensive audit trail of all usage activity, the ability to ensure permissions are granted and revoked at the appropriate times by the appropriate people, and the ability to develop different profiles for different data and people based on data sensitivity, customer location, and role.

2. Ability to leverage existing infrastructure and processes

Customers want to leverage their existing infrastructure and processes instead of purchasing a new solution, and have no wish to reinvent their processes for managing data on a third-party cloud solution. Customers have processes and applications to perform backup, archival, provisioning and management of existing infrastructure, and they are confused about how to perform these functions within a cloud-based file sharing solution.

3. Ensuring Reliability with Accountability

IT organizations have defined service levels for their internal clients, and are accountable for the delivery of each service. If they don’t deliver, there is no question about whose responsibility it is. Service levels associated with cloud based file sharing must be negotiated like other third party services – there are typically few guarantees of performance and remedies for non-performance are limited.

4. Providing an intuitively simple user experience

Regardless of the solution, IT Managers are very concerned about a new user experience for their clients. Most indicate that a different user experience will require training, impact the number of calls for support, and reduce productivity at least temporarily. Ultimately, IT Managers would like to leverage the user experience that their user population has already mastered.

5. Predictable expense

Typical cloud based file sharing solutions are priced based on the amount of storage, and storage requirements often grow at a surprising rate. Customers may need to negotiate storage costs with cloud providers on an ongoing basis.


October 14, 2014

To get a sense of where the PCI Data Security Standard (DSS) is heading, it helps to take a look beyond the actual language in the requirements. In August, PCI published a DSS 3.0 best practices document that provided additional context for the 12 DSS requirements and their almost 300 sub-controls. It’s well worth looking at. The key point is that PCI compliance is not a project you do once a year just for the official assessments.

The best practice is for DSS compliance to be a continual process: the controls should be well-integrated into daily IT operations and they should be monitored.

Hold that thought.

Clear and Present Dangers

One criticism of DSS is that it doesn’t take into account real-world threats. There’s some truth to this, though the standard has addressed the most common threats at least since version 2.0—these are the injection style attacks we’ve written about.

In Requirement 6, “develop and maintain secure systems and applications,” there are sub-controls devoted to SQL and OS injection (6.5.1), buffer overflows (6.5.2), cross-site scripting (6.5.7), and cryptographic storage vulnerabilities (6.5.3)—think Pass the Hash. By my count, they’ve covered all the major bases—with one exception, which I’ll get to below.

The deeper problems are that these checks aren’t done on a more regular basis—as part of “business as usual”—and the official standard is not clear about what constitutes an adequate sample size when testing.

While it’s a PCI best practice to perform automated scanning for vulnerabilities and try to cover every port, file, URL, etc., it may not be practical in many scenarios, especially for large enterprises. Companies will then have to conduct a more selective testing regimen.

If you can’t test it all, then what constitutes an adequate sample?

This question is taken up in some detail in the PCI best practices. The answer they give is that the “samples must be sufficiently large to provide assurance that controls are implemented as expected.” Fair enough.

The other criterion that’s supposed to inform the sampling decision is an organization’s own risk profile.

Content at Risk

In other words, companies are supposed to know where cardholder data is located at all times, minimize what’s stored if possible, and make sure it’s protected. This information then should guide IT in deciding those apps and software on which to focus the testing efforts.

Not only should testing be performed more frequently, it’s also critical to have a current inventory, according to PCI, of the data that’s potentially hackable—let’s call it data at risk—and users who have access.

For Metadata Era readers, this is basically the Varonis “know your data” mantra. It becomes even more important because of a new attack vector that has not (yet) been directly addressed by PCI DSS. I’m referring to phishing and social engineering, which have been implicated in at least one of the major retail incidents in the last year.

Unlike the older style of injection attacks that targeted web and other back-end servers, phishing now opens the potential entry points to include every user’s desktop or laptop.

Effectively, any employee receiving an email—an intern or the CEO—is at risk. Phishing obviously increases the chances of hackers getting inside and therefore raises the stakes for knowing and monitoring your data at all times, not just once a year.


October 7, 2014

During this past year, we’ve been reminded (too) many times that data breaches are costly and damaging to a company’s reputation. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the average total cost of a data breach—which can include credit monitoring, legal fees, remediation, and customer loss—for the companies who participated in the research report increased 15%, to $3.5 million USD. Also, the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145. In short: failure to protect sensitive data has a quantifiable cost, and the theft of that data has bottom line implications. However, are C-level execs viewing files and emails containing customer records and other sensitive information as bits and bytes on a disk, or do they view them as piles of unprotected cash?

Unfortunately, it has been much more of the former, based on the huge data heists of the last year. The tide, though, may finally be changing. Here’s what HP CEO Meg Whitman had to say about the cloud, security, and Big Data:

“When I am with my fellow CEOs…these are three areas that me and my colleagues are worried about…Every CEO lives in fear of a Big Data breach, loss of data, a hack into the system that compromises our company’s reputation. And reputations take years and years to build and can be destroyed overnight.”

Our guess is that executives will have no choice but to join Ms. Whitman and start weighing the potential impact of data loss and how it can evaporate years of trust and brand equity in a heartbeat.



Specialist Legal Application Hosting Provider, C24, showcases the latest in business intelligence software to Legal Firms.

October 1, 2014

C24, an Applications Hosting Provider, showcased their Business Intelligence analytics platform, BI24, to legal firms at the Alternative Legal IT Conference 2014 earlier this month.

Held annually at the Belfry in Sutton Coldfield, leading technology suppliers to the UK Legal sector were present to meet with law firms and demonstrate how the sector could benefit from next generation technology solutions.

C24’s Business Intelligence analytics platform was on display, with C24’s technical specialists offering live demonstrations to clients throughout the day. Demos included showing how legal firms were using their internal data to understand how they could achieve savings across Work In Progress cases, who their top fee earners were and general fee trends and operational statistics to help make better business decisions, amongst many other topics. BI24 is a business analytics platform that centralises data and information and provides search engine functionality across the entire organisation, and is particularly helpful to legal customers who require holistic visibility of client and internal operations.

C24 has worked with numerous legal clients to deliver innovative business intelligence and hosting solutions. A recent win at Wright Hassall, a leading UK law firm, uncovered a number of challenges common to the legal sector, such as increasing demand from clients for more granular visibility of case activities and the need to drive further efficiencies across the organisation.

Martyn Wells, IT Director at Wright Hassall LLP, commented, “Expedient and insightful analytics are now essential in an industry where data hungry clients demand precise and granular views of activities conducted on their behalf. It is becoming increasingly clear that the days of monolithic data warehouse are over, and we sought a much more contemporary and agile solution; one that our users would understand and use intuitively.”

David Ricketts, Head of Sales and Marketing at C24, commented, “C24’s on-going focus on the legal sector means that we are continually developing a significant portfolio of legal and professional services clients, and events like the Alternative Legal IT Conference and the Thomson Reuters Vantage Show enable us to connect directly with our legal clients and showcase the next generation technology in the law industry. The response to the business intelligence demonstrations using live data that we delivered at the show was fantastic and we are already speaking to a number of large law firms about how they too can benefit from increased visibility and business insight across their organisation”.

About C24
C24 is an enterprise applications hosting provider based in the West Midlands, delivering infrastructure hosting, business intelligence software and document management capabilities to clients across the globe. C24 works closely with key technology vendors and partners to deliver best of breed private cloud hosting solutions to customers, and is a HP Cloud Agile Service Provider Partner and a Microsoft Gold Hosting Partner.

