More business infrastructure and software services are moving to the cloud than ever before. However the fluidity and movement of huge volumes of data in the cloud era has created fresh challenges for the teams that are tasked with examining the cause and scope of security incidents. Forensic investigators who must dissect, analyse and sift through reams of data can be hampered in their efforts to access the files and servers that hold the key to the investigation. If, for example, a hacker strikes, the attack needs to be detected and quickly contained. When third parties are involved, this adds new layers of complexity. Investigators need to know what evidential data is available, if they can access the data and how long it can be retained.
Here we examine the contractual and practical issues at play and assess the critical factors that must be considered.
Rapid Response
An estimated 78% of UK organisations are now using at least one cloud-based service*. Web hosting, email, CRM data backup and disaster recovery are the most popular of these services, enabling organisations to reap the benefits of cost, efficiency and security that the cloud undoubtedly can deliver.
However there's another side to these growth figures; one which is posing some big questions for the teams that are conducting digital investigations and for C- suite executives who are looking for quick answers when a breach occurs. It is a symptom of a fast moving security landscape in which, the unfortunate truth is that, a breach is likely to occur. We must work under the assumption of compromise and respond to incidents at the first sign of intrusion.
Where the cloud has simplified life for enterprises, for investigative teams, it is creating new challenges. The typical approach that can be applied to an on-premise investigation no longer works in the multi-tenant, shared environment of the cloud. Yet the same rules of investigation apply: in order to properly manage a cyber breach, we have to act quickly, from triage - to understand the extent of the compromise and its ongoing capabilities - to classification, containment, remediation and post mortem in order to learn from the incident and avoid its recurrence.
Access and Privacy
The reality is that organisations are moving to cloud based services without fully understanding the implications of how they would deal with an incident involving the provider. If a breach does occur, it's vital to understand the potential security implications for client data and where the lines of responsibility fall for managing the response.
There are several layers to this, the first of which is understanding how and where data is stored. This starts with the physical location and jurisdiction in which the infrastructure resides, for example, countries within the EU are subject to the EU Data Protection Directive, which restricts transfers of personal data to countries outside of the European Economic Area that are not considered to have adequate levels of protection for personal data.
IT managers should ask questions about the specific security measures and checks that are in place to monitor and analyse the infrastructure on a daily basis. In short, organisations should require visibility into the specific levels of protection that are in place to ensure that their data is adequately safeguarded from cyberattacks.
However, we now need to go further than addressing the security protocols of the cloud provider. If we should now work under the 'assumption of compromise', questions also need to be asked about the Incident Response (IR) plans that are in place and the management link between the cloud provider and the incident response team.
For an investigation and remediation of a breach to be swift, access and information are key. We need to understand where the attack originated and what happened, that means potentially needing specific details of where the rack and server are located, to obtain forensic images. Also, and critically, the forensic team may need access to IP addresses, account names, server and SIEM logs, and access points. This could be further complicated if data is in multiple geographical locations, and therefore subject to different data privacy regulations across the EU. All of this may well fall foul of contractual obligations and essentially prevent access to required data.
Contract Clarity
Avoiding these obstructions to the investigative process means that clarity on processes and responsibilities needs to be stipulated from the outset in the contract between the provider and client. For example, the provider should not only articulate the specifics about the protection of data, but also, should an incident occur, the level of access that can be provided, from whether they are contractually obliged to report an incident to what happens next and who will foot the cost of the breach and clean-up efforts.
Email - which is a significant entry route for malware - is a prime example of this. If an organisation is the victim of a sophisticated zero-day attack, which penetrates their network security and starts to affect the Exchange environment running in the cloud, who is responsible? In a case such as this, the contract should specify the cloud provider’s obligations. Without any contractual fallback, it may come down to the goodwill of the provider to support an investigation.
Not all incidents are of equal scope, and contracts should also specify the incident response protocols and different levels of support depending on the varying level of the breach. This provides the peace of mind that SLAs have been built into the contract that will account for different attack vectors. Given these considerations, it makes sense to take a multi-faceted approach by involving different teams in the contract: IT, security and legal teams to help to avoid ambiguities.
As the cloud has shifted from emerging technology to mainstream adoption, increasing emphasis must be placed on transparency: communication, planning and contractual clarity. Naturally, a balance must be struck between allowing access and maintaining adequate levels of data privacy, however, ultimately a successful investigation requires cooperation between all parties. Addressing these areas will not only avoid the complications inherent in many investigations, but also lead to increased confidence from organisations that cloud providers can manage every aspect of the security and integrity of their data.
*Cloud Industry Forum (CIF) : ' Cloud: The Normalisation of Cloud in a Hybrid IT Market'