Our law library reopened. And then reverted to virtual as the next viral variant swept past. But, like many organizations, we made a dramatic shift towards the cloud in 2020. This has created a stable operational through line during the pandemic. As a long time proponent of cloud, it was satisfying to see earlier policy objections disappear when faced with the reality of service delivery in a pandemic. But it has also been interesting to see which organizations have fully committed and which haven’t. Cloud adoption has been a big step forward but it is hindered by uneven implementation.

What it made me realize is that, like changing your mind after you jump but before you land, fear can override trust in the technology. Worse, it can cause your organization to deliver technology in an uneven way. In particular, the increase of friction in one part of the workflow can undo the very benefits of having cloud-enabled systems.

I’m going to focus on Microsoft 365 because that’s the most common source of anecdotes I’ve had in the last 24 months. The legal world retains a substantial preference for Microsoft products and so, for those who were already serving Office and SharePoint and Exchange on-premises, a shift to Microsoft 365 was the least risky cloud adoption possible.

All or Something

The simplest way to implement the cloud is to rely on the cloud itself. That will sound obvious because why else would you use the cloud? But as you’ll see below, there can be resistance to relying on the cloud if you are accustomed to the on-premises approach.

I was talking to some colleagues whose organizations went through the same thing our organization did. They had been a Microsoft shop but using Exchange for email that was hosted by their IT staff on-premises. All of the apps – Word, PowerPoint, Outlook – were installed on each PC. Pretty familiar.

Some of their organizations had already committed to other cloud-based apps for their work, things that couldn’t be easily hosted on-premises. One organization is a heavy user of Basecamp, for example, for matter and project management. If your organization is like theirs, and staff are already comfortable working in the cloud, it can be helpful but isn’t necessary. Because you can shift to cloud-based services without changing the apps that the end user experiences, it can be a largely invisible change.

A simple chart showing apps and a web browser on the left connecting to Microsoft 365 services on the right.
You can use a web browser to connect to Microsoft 365 or, in the case of Outlook or Teams or OneDrive, you can use desktop apps (Outlook, Teams, File Explorer, Word, PowerPoint).

One benefit of this simple approach is that it appears to be how Microsoft 365 is designed. You get different functionality based on whether you use the desktop application or a web browser version but the underlying integration is the same.

I say different because I actually prefer the web interface for Outlook and Teams, where I can run my inbox, calendar, and chats within the same browser but under separate tabs. Some people prefer the desktop apps but I think they merely provide alternate interfaces. For example, I switch over to the Teams app when I do a video call because I use the added features it has over its web app version.

It’s that integration that is so powerful. You receive an email with an attachment in Outlook. You can download the file to your PC but you can also save it directly to your OneDrive cloud storage. You access a Teams channel and share a document. The document is automatically stored on your organization’s SharePoint site. Those are document-centric actions but you can see how integration eliminates the need to download and drop on a file server (creating new copies by who knows how many people).

So now let’s break that integration.

The Friction of VPNs and RDP

One benefit of a lot of cloud systems is their ability to integrate with other cloud systems. You see it in the case management world with products like Clio or conferencing tools like Zoom. Or tools whose only purpose is integrating, like Zapier and IFTTT. Microsoft 365 is no different. Especially for information professionals, this sort of integration can have a huge impact on records retention, document management, and creating a single source of truth.

The reason the integrations work is the lack of friction. As soon as you add friction – additional steps, more complicated interfaces – people will fall back on what they know. In my experience, information management reverts to email attachments. I’m sure I’m not the only one who has experienced email conversations where the email contains all of the replies and attachments, but neither may represent the current conversation or document. This is particularly true if a final policy or document is “published” outside of that email stream.

One of my colleague’s organizations seems to have been wary of jumping entirely into the cloud. They seem to have changed their mind mid-jump. And so, while you can access part of Microsoft 365 over the public internet, you can only access other parts if you’re using an IP address that is provided by the organization. It means these apps only work if you’re sitting in their corporate offices or running across their corporate network.

This seems counter-intuitive to me. If you’ve licensed a highly secure cloud service like Microsoft 365, why would you, in 2022, still run it through your corporate network hardware?

For example, if your organization uses a virtual private network (VPN), you are now running all of your web and app traffic over that VPN. Since VPN can be configured to block multi-homing, your apps and browser will use the VPN even if they could connect over the open internet to the resource. Once a VPN is up and running on your PC or mobile device, it manages all of the incoming and outgoing traffic.

A simple diagram showing that, if you restrict OneDrive and SharePoint by IP, you may need a VPN to access them from a remote computer.

It used to be standard advice that lawyers should use VPNs and so it’s understandable that a lot of law firm-adjacent groups use them to. But the common wisdom has changed. We now have browsers that default to encrypted connections only. We can use encrypted DNS. And if you are using a service like Microsoft 365, they are using encryption all the time.

Your organization may have a legitimate need for a VPN. But I don’t think they make sense if you’re connecting from a modern browser to a cloud-based service that is encrypted. We can do payroll and HR, information management and storage, customer relationship management, communication, all in the cloud. The VPN use case seems really unlikely for a law library.

If you’re at an organization that warns everyone to disconnect from the VPN before joining an all hands meeting, you have seen one of the drawbacks of the VPN. It constrains bandwidth. And when you force your users to go through the VPN only to then emerge on the open internet to reach Zoom or Teams, you’re creating an unnecessary bandwidth throttle.

Another alternative is to use the remote desktop protocol (RDP). The upside is that you can continue to connect over the public internet with apps and browser where possible. The downside is that you are running an iteration of Windows just to access services that you could have also accessed over the open internet. Since it is not configured like your personal (work or home) PC, you may find that you lose some productivity as you adapt to it.

A simple diagram showing that, if you restrict access to OneDrive and SharePoint by IP, you can use RDP to enable access but it adds a layer of complexity to the experience.

All of this creates friction. At one point, our organization IT recommended that we run through the VPN or RDP to get to our attendance management system. But it was on the open web so I just logged in directly. Why would I log into a slower technology if I didn’t have to?

There’s a scatter gun approach to some of this. You can understand why an organization might think they need to secure SharePoint or OneDrive differently. If they’re law firms, that may be where they store the documents which represent their professional and financial future. I wonder if less document-centric professions would make this same choice.

But the documents exist in the emails as well, as attachments. So why wouldn’t Outlook also be IP-restricted? So it’s not a holistic approach to managing document security. For the life of me, I can’t think of a good reason to IP-restrict SharePoint but not all of the other Microsoft 365 apps.

Commit to the Cloud

The reluctance to commit fully to the cloud suggests that the organization continues to have some process- or policy-related challenges. My guess is that they don’t fully use apps like SharePoint and so the friction may not be as apparent – particularly to C-suite decision makers who have executive assistants – as it is to other workers. To that end, their corporate culture may already embrace the centrality of email and be unaware of the missed opportunities.

Not everyone is ready for the cloud, even after all of this time. Some organizations have found that the pandemic or other catastrophic business change, like a hotel being infected by malware, forced them to move forward. But it shows that, even with a contemplative approach, we can still inject friction into what can be an opportunity to reduce friction.

If anything, I’m hopeful that the last 2 years of the pandemic have substantially reduced resistance to moving to the cloud. The more decision-makers who are open to the cloud, the more options it will give our organizations to consider the cloud, and outsourced, options for our law libraries. Anything that helps our researchers and staff access information as easily as possible.