Organisations of all sizes are embracing the cloud and reaping the benefits of cost savings, flexibility and scalability that these services offer. In fact, UK Cloud adoption is now at a massive 84% and it’s predicted that 70% of organisations already using the cloud expect their adoption to increase over the next 12 months.
[easy-tweet tweet=”UK Cloud adoption is now at a massive 84% #cloudadoption” user=”EnCase and @comparethecloud” usehashtags=”no”]
However, this growth is creating new levels of complexity when it comes to security breaches and digital investigations. With the scale and severity of security incidents increasing, the unfortunate truth is that, no organisation is immune to the risk of data breaches. And as the recent T-mobile data breach has shown, breaches involving a third party, or cloud hosting provider, create significant challenges.
It’s vital to understand how cloud providers would respond in the event of a breach and exactly where the lines of responsibility fall. Establishing clarity on how different types of breaches would be managed by a provider means that incidents can be dealt with swiftly and their impact minimised.
The first issue to address is that the catch-all term ‘cloud’ can encompass a range of different services; from hosted email services such as Gmail, to the wholesale migration of an organisation’s IT estate to a provider’s storage and servers in the cloud.
It means that, increasingly, most organisation’s hybrid IT environments are now infinitely more complex – a combination of legacy and on-premise services, Infrastructure as a Service (IaaS) and Software as a Service (SaaS). This is adding to the challenge of knowing how, and where, specific data is stored and should a breach occur, the level of access that can be provided for investigative purposes.
The reality is that the multi-tenant, shared environment of the cloud means that there’s no ‘one size fits all’ approach when it comes to determining the appropriate response to an incident. It will depend both on the type of cloud services that the organisation is using and the nature and scale of the breach.
Clarity on the Lines of Responsibility
Given this complexity, it’s essential that organisations moving to cloud services understand their providers’ approach to different incidents and have assurance that these obligations are underpinned in the contract. This helps to avoid the ‘blame game’ and minimises confusion in the investigation process.
This is important as there’s a growing expectation that a data breach investigation will involve a third party. In our own survey of e-discovery professionals, nearly half – 44 % of the respondents – claimed that they will have a business need either now or within the next year for collecting from cloud repositories as part of e-discovery.
Critical areas to consider are:
The Security Processes of the Cloud Provider
By entrusting your critical data to a cloud provider, you have a responsibility to ensure there is adequate security in place and that this meets all regulatory and legal requirements. Gain visibility into the specific levels of protection that are in place by your provider so that your data is safeguarded from cyber attacks. Ensure that checks are carried out on the provider’s security protocols: ideally, they should have an active, and carefully managed, vulnerability, audit and patch management process in place to ensure that all servers and infrastructure are updated regularly. In terms of remediating controls against known malware and data breaches, the cloud provider should have tools available to enable them to remotely triage, investigate and remediate threats to their infrastructure and supporting systems.
Any organisation entrusting data to a third party provider, must ensure that they understand the breach notification process and legal obligations if there is a data breach. This means not only establishing clarity in the contract on the cloud provider’s responsibility of timely notification to you – their client – of a breach, but also your responsibility for informing the relevant regional regulators.
[easy-tweet tweet=”Organisations must establish the geographical location of their #data and that it complies with EU DPR” via=”no” usehashtags=”no”]
With forthcoming changes to the EU Data Protection Regulation organisation will be responsible for ensuring that – no matter where the data is held – it is stored and managed within the strictures of the EU DPR. Organisations must establish the geographical location of their data and that it complies with this. For example, companies that provide cloud services within the EU and rely on data centres in the US will be contractually obliged to comply in accordance with the proposed changes in the European Union.
The Incident Response Processes
Find out if your cloud provider conducts regular risk assessments of their clients’ data and that they have the appropriate crisis management steps in place, should an incident occur. Understand if they have conducted ‘fire drills’ to test these measures and would be ready to cope with the commercial impact of data loss for your data. Will they take responsibility for the loss of data or will they leave the organisation to deal with the fallout and have third-party insurance to cover damages? Establish what access your investigative team would have so that they can get to the root cause of an attack and understand where it originated and what happened, some of the largest providers do not provide access to the entire virtual machine and limit access that will impinge an investigation.
Not all incidents are of equal scope, and contracts should also specify the incident response protocols and different levels of support depending on the varying level of the breach. The response required for a malware attack on an Exchange environment running in the cloud will be different to a targeted web application attack.
Cloud providers have to work with their clients on an individual basis to create a tailored response. This provides the peace of mind that SLAs have been built into the contract that will account for different attack vectors.
Planning is key and by addressing these areas organisations will not only avoid the complications which hamper many digital investigations, but will also have increased confidence that their cloud providers are upholding the security and integrity of their data.
Planning is key.