Digital investigations in the cloud: Avoiding the ‘blame game’

Organisations of all sizes are embracing the cloud and reaping the benefits of cost savings, flexibility and scalability that these services offer.  In fact, UK Cloud adoption is now at a massive 84% and it’s predicted that 70% of organisations already using the cloud expect their adoption to increase over the next 12 months.


However, this growth is creating new levels of complexity when it comes to security breaches and digital investigations. With the scale and severity of security incidents increasing, the unfortunate truth is that no organisation is immune to the risk of data breaches. And as the recent T-Mobile data breach has shown, breaches involving a third party or cloud hosting provider create significant challenges.

It’s vital to understand how cloud providers would respond in the event of a breach and exactly where the lines of responsibility fall. Establishing clarity on how different types of breaches would be managed by a provider means that incidents can be dealt with swiftly and their impact minimised.    

Multi-tiered services    


The first issue to address is that the catch-all term ‘cloud’ can encompass a range of different services: from hosted email services such as Gmail to the wholesale migration of an organisation’s IT estate to a provider’s storage and servers in the cloud.

It means that most organisations’ IT environments are now hybrid and far more complex – a combination of legacy and on-premise services, Infrastructure as a Service (IaaS) and Software as a Service (SaaS). This adds to the challenge of knowing how, and where, specific data is stored and, should a breach occur, what level of access can be provided for investigative purposes.

The reality is that the multi-tenant, shared environment of the cloud means that there’s no ‘one size fits all’ approach when it comes to determining the appropriate response to an incident. It will depend both on the type of cloud services that the organisation is using and the nature and scale of the breach.

Clarity on the Lines of Responsibility

Given this complexity, it’s essential that organisations moving to cloud services understand their providers’ approach to different incidents and have assurance that these obligations are underpinned in the contract. This helps to avoid the ‘blame game’ and minimises confusion in the investigation process.

This is important as there’s a growing expectation that a data breach investigation will involve a third party. In our own survey of e-discovery professionals, nearly half – 44% of the respondents – claimed that they will have a business need either now or within the next year for collecting from cloud repositories as part of e-discovery.

Critical areas to consider are:

The Security Processes of the Cloud Provider

By entrusting your critical data to a cloud provider, you retain a responsibility to ensure that adequate security is in place and that it meets all regulatory and legal requirements. Gain visibility into the specific levels of protection your provider has in place so that your data is safeguarded from cyber attacks. Ensure that checks are carried out on the provider’s security protocols: ideally, they should have an active and carefully managed vulnerability, audit and patch management process in place so that all servers and infrastructure are updated regularly. In terms of controls against known malware and data breaches, the cloud provider should have tools that enable them to remotely triage, investigate and remediate threats to their infrastructure and supporting systems.

Notification Processes 

Any organisation entrusting data to a third-party provider must ensure that they understand the breach notification process and their legal obligations if there is a data breach. This means not only establishing clarity in the contract on the cloud provider’s responsibility for timely notification to you – their client – of a breach, but also your responsibility for informing the relevant regional regulators.


With the forthcoming changes to the EU Data Protection Regulation, organisations will be responsible for ensuring that – no matter where the data is held – it is stored and managed within the strictures of the EU DPR. Organisations must establish the geographical location of their data and confirm that it complies with this. For example, companies that provide cloud services within the EU and rely on data centres in the US will be contractually obliged to comply with the proposed changes in the European Union.

The Incident Response Processes

Find out whether your cloud provider conducts regular risk assessments of their clients’ data and has the appropriate crisis management steps in place should an incident occur. Understand whether they have conducted ‘fire drills’ to test these measures and would be ready to cope with the commercial impact of losing your data. Will they take responsibility for the loss of data, or will they leave the organisation to deal with the fallout and have third-party insurance to cover damages? Establish what access your investigative team would have so that they can get to the root cause of an attack and understand where it originated and what happened. Some of the largest providers do not provide access to the entire virtual machine, and limiting access in this way will impede an investigation.

Not all incidents are of equal scope, and contracts should also specify the incident response protocols and the different levels of support that apply depending on the severity of the breach. The response required for a malware attack on an Exchange environment running in the cloud will be different to that for a targeted web application attack.

Cloud providers have to work with their clients on an individual basis to create a tailored response. This provides the peace of mind that SLAs accounting for different attack vectors have been built into the contract.

Planning is key, and by addressing these areas organisations will not only avoid the complications that hamper many digital investigations, but will also have increased confidence that their cloud providers are upholding the security and integrity of their data.


Nick Pollard, UK General Manager, Guidance Software 

Nick joined Guidance Software Inc. in the summer of 2012. He is the UK General Manager. Nick comes from a technical forensics & eDiscovery background and has comprehensive experience in managing eDiscovery cases along with large-scale incident responses. In fact, Nick and his team responded to one of the largest cyber security breaches in late 2012, which affected over 35,000 endpoint devices.

Nick’s specialties: Legal risk, compliance, EnCe, EnCep, SAR, FOI, eDisclosure, eDiscovery, cybersecurity, fraud investigation, eCrime, digital investigation, data security, policy enforcement, information, incident response. For finance, pharmaceutical, critical infrastructure, or any organisations concerned with the whereabouts and safety of their data.
