Catalyst Repository Systems - Powering Complex Legal Matters

E-Discovery Search Blog


NIST Issues Draft Recommendations on Cloud Computing

Earlier this month, the Computer Security Division of the National Institute of Standards and Technology (NIST) issued draft recommendations on cloud computing (PDF). As many of you know, NIST is an agency of the U.S. Department of Commerce. Founded in 1901, the agency was the nation’s first physical science research laboratory.

In the e-discovery field, we know it better for its list of 65 million hash values of system and program files (the “NIST” list). We use the list to remove unwanted files before we process documents and other data. The NIST list is the gold standard for our industry and we use it every day.
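The hash-based filtering described above, as an added example that is not Catalyst's own code: file content is hashed (SHA-1 is assumed here) and anything whose hash is in the known-file set is dropped before processing. The file contents and paths are constructed; the real list ships hash values, not content.

```python
import hashlib

# Constructed stand-ins for the content of known system/program files. The
# real NIST list distributes hash values, not file content; these bytes exist
# only so the example has something to hash.
KNOWN_FILE_CONTENTS = {
    "notepad.exe": b"constructed stand-in for a known program file",
    "kernel32.dll": b"constructed stand-in for a known system library",
}

# Constructed collection of files as they might arrive from a custodian.
COLLECTED_FILES = {
    "C:/Windows/notepad.exe": KNOWN_FILE_CONTENTS["notepad.exe"],
    # Renamed copy of a known file: same content, so it is still a known file.
    "C:/Users/jdoe/old/np_backup.bin": KNOWN_FILE_CONTENTS["notepad.exe"],
    # Same name as a known file but different content: not on the list, so it
    # is kept for processing rather than silently dropped.
    "C:/Windows/kernel32.dll": b"constructed content that differs from the known file",
    "C:/Users/jdoe/Documents/memo.docx": b"constructed user document",
}


def sha1_hex(data: bytes) -> str:
    """Content hash used as the lookup key; the list is keyed by hash, not by name."""
    return hashlib.sha1(data).hexdigest()


def load_known_hashes(known: dict) -> set:
    """Build the in-memory hash set a processing pipeline would load from the list."""
    return {sha1_hex(content) for content in known.values()}


def denist(files: dict, known_hashes: set) -> dict:
    """Split a collection into files to process and files removed as known."""
    kept, removed = [], []
    for path, content in files.items():
        (removed if sha1_hex(content) in known_hashes else kept).append(path)
    return {"kept": sorted(kept), "removed": sorted(removed)}


if __name__ == "__main__":
    result = denist(COLLECTED_FILES, load_known_hashes(KNOWN_FILE_CONTENTS))
    print("removed:", result["removed"])
    print("kept:", result["kept"])
```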

NIST is involved in many other areas of inquiry, including the International System of Units (as discussed in my recent post, How Many Bytes in a Gigabyte? My Answer Might Surprise You). It also recently issued draft guidelines on security and privacy in cloud computing and launched the NIST Cloud Computing Collaboration wiki to encourage collaboration in refining its cloud standards.

What is Cloud Computing?

In the 84-page draft, Cloud Computing Synopsis and Recommendations, published May 12, the NIST team set out to write a primer on the cloud—types, deployment models, service models, cloud security and, ultimately, the benefits of cloud computing. They start with NIST’s definition of cloud computing, which is tricky because:

Cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models.

Thus, while the term “cloud” is often used as a synonym for the Internet, cloud computing means more than simply the transmission of data over the Internet.

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

According to the NIST definition, cloud computing has five essential characteristics:

  • On-demand self service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured service.

Following this logic, one could argue either way for many of the e-discovery providers who bill themselves as cloud providers. While they may offer a hosted product via the Internet, they may not meet NIST’s requirements for on-demand self service, resource pooling and rapid elasticity.

There are several service models for cloud computing, each with different strengths and weaknesses:

  1. Cloud Software as a Service (SaaS): Cloud e-discovery providers would fall under this category. They offer a product accessible via a browser but manage the underlying infrastructure including network, servers, operating system, storage and applications.
  2. Cloud Platform as a Service (PaaS): This allows consumers to deploy their applications on top of a cloud infrastructure.
  3. Cloud Infrastructure as a Service (IaaS): Consumers essentially rent the infrastructure but determine their own software and even the OS they will use.

NIST's depiction of how control is shared in a SaaS model.

There are also four different deployment models for cloud computing:

  1. Private cloud: This refers to infrastructure that is operated solely for one organization. It may be managed by a third party but is dedicated to that purpose.
  2. Community cloud: In this case, a group of users provision a cloud infrastructure for a common purpose.
  3. Public cloud: Here, the infrastructure is made available to the general public, although owned by the organization selling the service.
  4. Hybrid cloud: This would be a combination of two or more clouds (private, community or public) that are connected by technology that allows data or application portability.

Why Read the Guidelines

If you are considering the cloud for any of your applications, this is a helpful document. The authors discuss operational characteristics, standards for service-level agreements and security considerations. Ultimately, they talk about the benefits of cloud computing and why organizations like law firms and corporations might consider it.

Cloud computing is relatively new to the legal community, as it is to the rest of the business world. Why use it? Here is the NIST view:

In outsourced and public deployment models, cloud computing provides convenient rental of computing resources: users pay service charges while using a service but need not pay large up-front acquisition costs to build a computing infrastructure. … By using an elastic cloud, customers may be able to avoid excessive costs from overprovisioning, i.e., building enough capacity for peak demand and then not using the capacity in non-peak periods.

Earlier this year, we dumped our Exchange servers in favor of Gmail (via Google Apps). There was some grumbling at first but the transition was a success. The service has worked as well as Exchange, the product is continually updated and we don’t have to worry about hardware or software upgrades. Although email is critical to our business, it isn’t one of our core services. So why run it ourselves? Turns out we don’t need to and we get the added benefit of Google Docs, Google Calendar and other features.

Is it right for you? I would give it a good look the next time you think about upgrading or switching providers. It is the way the computing world seems to be going.

As for NIST’s draft guide to cloud computing, the agency is seeking comments from the public. The U.S. government’s CIO has asked NIST to lead federal efforts on developing standards for data portability, cloud interoperability and security. The goal, according to NIST, “is to help the federal government reap the benefits of cloud computing.” Comments must be submitted by June 13.

With FCPA Actions on the Rise, Search Takes Center Stage

Corporate Counsel magazine recently issued a report that should cause multi-national corporations and their counsel to pay attention: Trend Watch: Foreign Bribery Actions Doubled Last Year.

Specifically, the magazine reported that enforcement actions under the Foreign Corrupt Practices Act (“FCPA”) nearly doubled in 2010, rising to 76 (with complaints against 23 companies and 53 individuals). In 2009, the SEC and Justice Department brought 45 actions (against 12 corporations and 33 individuals). That number was a significant jump again from 2008 when the government brought 37 actions against companies and individuals.

The pace seems to be continuing as well. This month, Paul Hastings, one of the leading international firms advising on FCPA investigations, issued its first Quarterly FCPA Report for 2011 [PDF]. So far this year, it reports, enforcement continues apace, with actions brought against four companies and seven individuals, along with a blockbuster forfeiture and a number of guilty pleas and settlements. The forfeiture amounted to nearly $149 million and related to a high-profile arms contract case involving 22 indicted defendants.

Another international law firm, Herbert Smith, in an article, Developments in Anti-Bribery Legislation: The UK Bribery Act and its Impact for Japanese Companies [PDF], reported that, of the 10 all-time largest FCPA settlements, eight were achieved in 2010 and eight (together totaling over US$ 2.25 billion) were settlements with non-U.S. companies.

A lot of the recent activity seems to relate to the changing of the guard after the 2010 election. Under the Bush administration, FCPA enforcement happened but was not a priority. Under Obama and the Democrats, FCPA investigations seem to be a priority. As Assistant Attorney General Lanny A. Breuer said in a speech at a recent national FCPA conference, “We are in a new era of FCPA enforcement [and] we are here to stay.” (Also see our earlier post, DOJ’s Breuer Vows Heightened FCPA Enforcement.)

Add to all that the recent enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which provides that “whistleblowers” who provide information to U.S. authorities leading to successful prosecutions under the FCPA may be entitled personally to huge sums as a result (up to 30% of the monetary recovery). (See Fried Frank’s client memorandum, New Incentives for Foreign Corrupt Practices Act Whistleblowers: Dodd-Frank Wall Street Reform and Consumer Protection Act [PDF].)

At the least, the government had over 140 prosecutions and investigations underway in 2010, according to EthicalCorp.com. That figure is dramatically higher than previous years under prior administrations.

All you can say is watch out.

What Does This Have to Do with Search?

A lot actually. FCPA investigations typically involve hundreds of thousands or even millions of documents collected from all over the world. Sometimes, the investigations are initiated after the government issues a complaint. In those cases, counsel have a starting place for their investigation. The government has a good-faith obligation to set forth the basis of its complaint and that should alert counsel as to the people to interview and the subject matter for their searches.

In other cases, it doesn’t work that way. The FCPA laws impose liability on an acquiring corporation when mergers occur. That means that the buyer of another company could be held liable for bribes and other corrupt activities that occurred even before the merger. That is true even if the buyer never did anything wrong.

In that regard, it is a bit like buying a U.S. company that has plants and property. If you later determine that the property you are buying is contaminated with toxic chemicals, you may be facing expensive Superfund liability. It doesn’t matter that you didn’t release any pollutants at your company or at the new site you acquired. You’re stuck nonetheless.

Superfund’s broad environmental liability has led to a growing and lucrative practice for environmental audit companies. The same is true for the FCPA. Some of the largest law firms in the world, with the depth and geographic coverage to mount these investigations, offer specialized FCPA practices. Paul Weiss is one such firm but there are a number of others in the game.

The key difference is this: If you are doing an environmental audit, you know exactly where the property is. You can send out your teams to inspect the ground, review the chemical history of the plant, check where materials were dumped and even drill for problems. It is just a matter of money but you can certainly find problems if you are engaged to take a look.

FCPA Investigations are Not Easy

What about in an FCPA investigation? Well, the problem is a bit different. First, what kind of fraud are we looking for? Counsel can’t exactly assemble the staff and ask for a show of hands from anyone who has bribed a foreign official lately. What, nobody raised their hand? Well, bribery isn’t something you usually put on your resumé or Facebook page.

What to do? The law firms we work with often start by talking to people and collecting their documents. What can you learn about how they deal with government officials? What do the documents show? What about the expense accounts and other money transfers?

Search is a key part of the answer. Modern search engines allow you to search millions of pages in a variety of languages with the click of a mouse. But what do you search for? That’s the hard part.

Traditional Search Doesn’t Cut It

Traditional Boolean search certainly has a part to play in an FCPA case but it isn’t always the most effective method. The reason is that we don’t know exactly what we are looking for, let alone the terms that might elicit those documents. Searching for “bribe*” within 10 words of “government official” probably won’t do the trick. Searching for the names of the government officials in question (assuming you know even that) might help.

Boolean search becomes even tougher in FCPA due diligence investigations because we are trying to prove a negative—that employees in the company to be acquired were not bribing public officials. That means counsel has to comb company and employee records to determine that nothing improper is going on. A tough assignment to say the least.

This is where a non-traditional form of search can be helpful.

Think about the traditional approach to search: You ask the documents specific questions and hope they answer with helpful information. This is a bit like the games of Fish or Battleship from our childhoods. We kind of know what we are looking for and the trick is to frame queries to find out if it is there. So, we think of key term variants and try to frame our searches to find good stuff.

“Give me all your schemes to convince government officials to give us the business.” Answer: “Go Fish.” Uggh, try again.

Let the Documents Speak to You

Now consider another approach to search, one that is more effective for these kinds of cases. Instead of questioning the documents, you let the documents speak to you and tell you their secrets. While the technique is still based on search, the approach is different. It can be far more effective when you are dealing with large volumes of documents and have no clear road map to follow.

“What does he mean?” you ask. “After all, documents don’t speak, they just sit there.”

I mean this. Modern search engines collect data about documents that can help shed light on what they contain and how they relate to one another. For example, in Catalyst CR we collect statistics about the metadata contained in the documents we index. Thus, if I were looking at files obtained from a particular office or custodian, I could quickly determine a lot of helpful information about their contents—without running a search. Our Correlation Navigators feature allows you to see a wide range of information in a view that might look like this:


In this case our focus is on recipients after a search on the Enron documents. We can quickly see who is on the sending or receiving end of emails and better focus our review on those files.

Likewise, the system looks for information within the bodies of the documents and can show key concepts being discussed in the population. Here would be a view of some of the topics being discussed in a sample of the Enron population:


In this case, the words are placed in alphabetical order but sized by relevance. They can provide important clues as you try to focus your investigation.

With Catalyst Insight, the next release of our flagship product, we are taking investigation to a whole new level. Along with the field information we can provide about people and topics, we will provide investigators with new tools to allow the documents to speak to them.

Here is a timeline view, for example:


With the timeline and the various field facets, a searcher can interact with documents and allow them to “speak” about their contents. The searcher can interact with each of the facets or drill down into the timeline to see how the communications flowed between the parties.

Investigators can use similar tools to track communications between parties, which can help guide their investigation. Here is an example from Insight:


In this case, you can click on any individual to move that person to the center of the graph. Instantly, you can see who individuals are communicating with and how often. Click on the numbers and you can look at the actual communications. As you continue your investigation, you can go back and forth among individuals and documents.
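The recipient facet, month-by-month timeline and communication graph described in this section, as an added illustration that is not Catalyst's code: a few constructed message headers (made-up names, no real corpus data) are aggregated the way an index's metadata statistics would be, and `center_on` reproduces the "move this person to the center" view.

```python
from collections import Counter
from datetime import date

# Constructed message headers of the kind an index keeps as metadata.
# Names are made up; no real corpus data is embedded.
MESSAGES = [
    {"from": "alice", "to": ["bob"], "cc": [], "date": date(2001, 3, 2), "subject": "Q1 numbers"},
    {"from": "bob", "to": ["alice", "carol"], "cc": [], "date": date(2001, 3, 15), "subject": "Re: Q1 numbers"},
    {"from": "carol", "to": ["bob"], "cc": ["dave"], "date": date(2001, 4, 1), "subject": "Vendor contract"},
    {"from": "alice", "to": ["bob"], "cc": ["carol"], "date": date(2001, 4, 20), "subject": "Travel expenses"},
    {"from": "dave", "to": ["carol"], "cc": [], "date": date(2001, 5, 5), "subject": "Site visit"},
]


def month_key(d: date) -> str:
    """Timeline bucket: one bucket per calendar month."""
    return f"{d.year}-{d.month:02d}"


def recipient_facet(messages) -> Counter:
    """Recipient facet: how many messages each person received (To or Cc)."""
    counts = Counter()
    for m in messages:
        counts.update(m["to"] + m["cc"])
    return counts


def timeline_by_month(messages) -> Counter:
    """Timeline facet: message volume per month."""
    return Counter(month_key(m["date"]) for m in messages)


def communication_graph(messages) -> Counter:
    """Undirected edge weights: how often each pair exchanged a message."""
    edges = Counter()
    for m in messages:
        for addr in m["to"] + m["cc"]:
            if addr != m["from"]:
                edges[frozenset((m["from"], addr))] += 1
    return edges


def center_on(person: str, edges: Counter) -> list:
    """Counterparties of one person, most frequent first (the 'move to the center' view)."""
    out = [(next(iter(edge - {person})), n) for edge, n in edges.items() if person in edge]
    return sorted(out, key=lambda pair: (-pair[1], pair[0]))


def involves(m, person: str) -> bool:
    return m["from"] == person or person in m["to"] + m["cc"]


def drill_down(messages, person: str, month: str) -> list:
    """Intersect a person facet with a timeline bucket to reach the actual messages."""
    return [m["subject"] for m in messages if involves(m, person) and month_key(m["date"]) == month]


if __name__ == "__main__":
    print("recipients:", recipient_facet(MESSAGES))
    print("timeline:", timeline_by_month(MESSAGES))
    print("centered on bob:", center_on("bob", communication_graph(MESSAGES)))
    print("carol in 2001-04:", drill_down(MESSAGES, "carol", "2001-04"))
```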

There are a number of other techniques you can employ to speak with your documents. Clustering documents around themes can help you sort through large volumes of documents and focus on those that might matter. Finding “More Like These” from a key document set can take advantage of more complex queries than most researchers can hope to create on their own. These methods let the computer do that work based on complex algorithms and let the documents speak to you and help your investigation.

There are many more techniques we could discuss for FCPA investigations but this is a start. Suffice it to say that search is at the heart of these investigations and that search is typically more complex than we learned using Lexis or Westlaw. Mathematics, analytics and visual cues are important here as we both interrogate the documents and let them speak directly to us.

Regulating Bribes and Corruption is Catching on Globally

If you think this issue is of importance only to U.S.-based corporations, think again. It is true that, for many years, the United States stood alone in its efforts to police international corruption. The FCPA itself has been around for 30 or so years, although enforcement efforts have stepped up only recently. Some questioned our cheek in trying to tell people how to do business in other parts of the world.

Despite these misgivings, the idea of combating corruption is catching on globally. England recently enacted a similar law called the UK Bribery Act. It goes into effect July 1, 2011, and will impact U.S. as well as Asian companies. Recently, the U.K. Ministry of Justice published its guidance on procedures companies can put into place to protect themselves under the new act. (Also see our earlier post, Is Your Company Ready for the UK Bribery Act?)

Other European governments are following suit. In December 2010, Spain passed legislation allowing companies to be held accountable for criminal liability and making it a crime to bribe foreign officials. A DLA Piper publication provides background on this legislation.

The Asian region isn’t ignoring this issue either. Singapore has the Corrupt Practices Investigation Bureau (CPIB) which is dedicated to enforcing its Prevention of Corruption Act.

Darren Cerasi, director of I-Analysis in Singapore (one of Catalyst’s Asia Partners), reports that while the CPIB was set up primarily to prosecute government officials, its jurisdiction also extends to civilian bribery and includes the potential for both fines and jail time. Indonesia is another country that is focused on bribery and other anti-competitive acts.

Interestingly enough, China has an Anti-Bribery Law as well, which came into effect in December 2008. The Chinese Anti-Bribery law was amended in February this year to include making it an offense to bribe government officials outside of China and non-government officials too. It is expected to come into force in May.

Our China hand, Richard Kershaw, director of Catalyst Asia, says that China seems to be interested in bringing more accountability to government and its people. In August of 2008, it also passed an Anti-Monopoly Law which allows citizens to sue for monopolistic practices along with government enforcement. These laws apply to both foreign and Chinese domestic companies.

To read more about China’s laws, see:

Japan is in the game as well. In a recent case, prosecutors in Japan got four former senior executives of a Japanese company to plead guilty to bribing a Vietnamese transport official. The guilty pleas are especially noteworthy given Japan’s historical reputation as a jurisdiction where anti-bribery enforcement has been relatively lax. (See the Baker Botts FCPA Update.)

Without question, international counsel will be faced with more and more of these tricky and high-stakes investigations. Documents will be at the center stage and search will be the key to making sense of them.

NIST Issues Draft Guidelines on Security and Privacy in the Cloud

While everyone who uses cloud computing should be alert to security and privacy issues, lawyers and litigation support professionals have a special responsibility in that regard. Not only are they entrusted with preserving the confidentiality of client communications, but they also play key roles in ensuring that their clients comply with a myriad of laws and regulations pertaining to data. Even so, legal professionals often have far more questions than they do answers about how to evaluate the privacy and security of cloud providers.

Earlier this month, the National Institute of Standards and Technology (NIST) published a draft document, Guidelines on Security and Privacy in Public Cloud Computing (PDF), that provides an overview of the security and privacy challenges pertinent to public cloud computing and suggests factors organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment.

At the same time, NIST launched a new NIST Cloud Computing Collaboration wiki to enable those involved in cloud computing to collaborate in refining the NIST’s standards.

NIST also released a draft that updates its work to create a definition of cloud computing, The NIST Definition of Cloud Computing (Draft) (PDF). NIST is seeking feedback on this draft, as well.

NIST’s Recommended Guidelines

The NIST draft guidelines pertain only to the “public cloud,” which NIST defines this way:

A public cloud is one in which the infrastructure and other computational resources that it comprises are made available to the general public over the Internet. It is owned by a cloud provider selling cloud services and, by definition, is external to an organization. At the other end of the spectrum are private clouds. A private cloud is one in which the computing environment is operated exclusively for an organization. It may be managed either by the organization or a third party, and may be hosted within the organization’s data center or outside of it.

The 60-page draft provides a fairly in-depth discussion of the key security and privacy issues and NIST’s recommendations for how to address them. In summary, NIST recommends:

  • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
  • Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  • Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

“In general,” NIST adds, “organizations should have security controls in place for cloud-based applications that are commensurate with or surpass those used if the applications were deployed in-house.”

The Security Upside

Even as it addresses security precautions related to the cloud, the NIST report also takes note of what it calls “the security upside.” For many companies, particularly smaller organizations, the cloud holds the prospect of improving their overall security.

Companies may have only a limited number of IT administrators and security personnel. Cloud providers, by contrast, offer a number of features that promote security, NIST says:

  • Staff specialization. Cloud providers have staff that specializes in security and privacy.
  • Platform strength. The structure of cloud computing platforms is typically more uniform than that of most traditional computing centers. That enables better automation of security management activities like configuration control, vulnerability testing, security audits and security patching.
  • Resource availability. Redundancy and disaster recovery capabilities are built into cloud environments. Scalable, on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents.
  • Backup and recovery. The backup and recovery procedures of a cloud provider may be superior to those of a company or firm. Data maintained within a cloud can be more available, faster to restore, and more reliable than that maintained in a traditional data center.
  • Mobile endpoints. Because the main computing resources are with the cloud provider, they can be accessed using lightweight and easy-to-maintain computers such as laptops, notebooks and netbooks, as well as embedded devices such as smart phones, tablets and PDAs.
  • Data concentration. Data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

NIST has put its development of final guidelines on a fast track at the request of Vivek Kundra, the U.S. government’s chief information officer. He wants to accelerate the federal government’s adoption of cloud computing and ensure that it is done securely.

NIST has set Feb. 28, 2011, as the deadline for submitting comments on these drafts.

Here’s where to read more: