Cloud forensics - keeping tabs on your cloud provider

Advice Rene Millman Aug 22, 2013

Having the right policies in place could help your organisation’s forensic efforts

Keeping track of data in on-premises infrastructure seems easier to comprehend because, for most people, that data sits in a physical location that is easy to pinpoint. The cloud throws up interesting possibilities, as it is not always known exactly where that data is at any given time.

This poses an interesting and important question: can your cloud provider provide forensic data in the event of a data breach, cyber attack or legal dispute?

What complicates matters is that forensics at cloud infrastructure level poses technical challenges unlike forensics at physical infrastructure since cloud is, for the most part, shared.

“Cloud service providers can ensure that their cloud service is forensic friendly so that the tenants can have access to the relevant forensics data for internal use, submission to an external agency or legal and statutory bodies whenever required,” says Kalyan Kumar, VP and chief technology architect at HCL Technologies.

But conducting forensic investigations in the cloud environment is complicated because the data that needs to be imaged is often running on a virtual server hosted on a physical server that also hosts, on other virtual servers, data belonging to other cloud clients. This can make the process of acquiring data in an investigation substantially more complicated. Moreover, there is a risk of inadvertently seizing another client's data, according to Ben Fielding, business development manager of computer forensics at Kroll Ontrack UK.


“The multitenancy nature of cloud servers necessitates a well-crafted confidentiality agreement between the cloud provider and its clients,” says Fielding. “You need to be assured that in a situation like this, the cloud provider can protect your data and continuity of operations.”

Most cloud providers offer some form of digital forensics to detect, track and report what systems were penetrated in the event of an attack or breach. The intelligence provided by these technologies can be used as evidence in legal disputes, according to Narsi Kodukula, vice president of products at CipherCloud.

But Kodukula warns that many cloud providers have not implemented mechanisms to provide forensics data at the individual customer level without compromising the privacy of their other customers. “The best solution so far is to use operations-preserving encryption of data stored in the cloud and generating audit and forensic trails from there,” says Kodukula.

Keeping tabs on where data is

But once your data has gone into the cloud, how easy, if at all possible, is it to keep track of it? This will largely depend on what services you are consuming from your cloud service provider (CSP), but it will require some advance planning and coordination between your security, operations and legal teams – ahead of transferring your data to the cloud.

“Do your due diligence to understand what mechanisms the CSP has in place to provide details of who accessed your data and the underlying systems and infrastructure,” says Jess Richter, vice president of Strategic Alliances at Lieberman Software. He adds that organisations have to keep in mind that this may be more than one level deep, especially in the case of SaaS providers who frequently rely on third-party infrastructures for compute, storage, content delivery and other services.