Supporting Continuous Operations
When applying security strategies, it is important to consider the whole picture. Technologies may have dependencies or cost implications, and the larger organizational goals should be considered.
To support continuous operations, the following principles should be adopted as part of the security operations policies:
Audit logging: Higher levels of assurance are required for the protection, retention, and lifecycle management of audit logs.
They must adhere to the applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors or file integrity anomalies through forensic investigative capabilities in the event of a security breach.
Continuous operation of audit logging is composed of three important processes.
New event detection: The goal of auditing is to detect information security events. Policies should be created that define what a security event is and how to address it to support continuous operations of the cloud.
Adding new rules: Rules are built to allow the detection of new events. Rules allow for the mapping of expected values to log files and detect events. In continuous operation mode, rules have to be updated to address new risks.
Reduction of false positives: The quality of continuous operations audit logging depends on the ability to gradually reduce the number of false positives to maintain operational efficiency. This requires constant improvement of the rule set in use.
Contract and authority maintenance: Points of contact for applicable regulatory authorities, national and local law enforcement and other legal jurisdictional authorities should be maintained and regularly updated as per the business need (that is, a change in impacted scope or a change in a compliance obligation).
This ensures that direct compliance liaisons have been established and will prepare the organization for a forensic investigation requiring rapid engagement with law enforcement.
Secure disposal: Policies and procedures must be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media.
This is to ensure that the data is not recoverable by any computer forensic means.
Incident response legal preparation: If a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures, including chain of custody, should be required for preservation and presentation of evidence to support potential legal action subject to the relevant jurisdictions.
Upon notification, impacted customers (tenants) or other external business relationships of a security breach should be allowed to participate as is legally permissible in the forensic investigation.
Chain of Custody and Nonrepudiation
Chain of custody is the preservation and protection of evidence from the time it is collected until the time it is presented in court.
For evidence to be considered admissible in court, documentation should exist for the collection, possession, condition, location, transfer, access to, and analysis performed on an item from acquisition through eventual final disposition.
This concept is referred to as the chain of custody of evidence.
Emerging Technologies to Support Continuous Operations
It often seems that the cloud and the technologies that make it possible are evolving in many directions all at once.
It can be hard to keep up with all the new and innovative technology solutions that are being implemented across the cloud landscape.
Some examples of these exciting technologies, bit splitting and homomorphic encryption, are discussed in the following sections.
Bit splitting usually involves splitting up and storing encrypted information across different cloud storage services.
Depending on how the bit splitting system is implemented, some or all of the data set is required to be available to decrypt and read the data.
If a RAID 5 solution is used as part of the implementation, then the system can provide data redundancy as well as confidentiality protection, while making sure that a single CSP does not have access to the entire data set.
The benefits of bit splitting follow:
- Data security is enhanced due to the use of stronger confidentiality mechanisms.
- Bit splitting between different geographies and jurisdictions may make it harder to gain access to the complete data set via a subpoena or other legal processes.
- It can be scalable, can be incorporated into secured cloud storage API technologies, and can reduce the risk of vendor lock-in.
Although it provides a useful solution, bit splitting also presents the following challenges:
- Processing and reprocessing the information to encrypt and decrypt the bits is a CPU-intensive activity.
- The whole data set may not be used within the same geographies in which the CSP stores and processes the bits, leading to the need to ensure data security on the wire as part of the security architecture for the system.
- Storage requirements and costs are usually higher with a bit-splitting system.
- Depending on the implementation, bit splitting can generate availability risks because all parts of the data may need to be available when decrypting the information.
Bit splitting can utilize different methods, a large percentage of which are based on secret sharing cryptographic algorithms:
Secret Sharing Made Short (SSMS): Uses a three-phase process: encryption of the information; use of an information dispersal algorithm (IDA), which is designed to efficiently split the data into fragments using erasure coding; and splitting the encryption key using the secret sharing algorithm.
The different fragments of data and encryption keys are then signed and distributed to different cloud storage services.
The user can reconstruct the original data by accessing only m (lower than n) arbitrarily chosen fragments of the data and encryption key.
An adversary has to compromise m cloud storage services and recover both the encrypted information and the encryption key that is also split.
All-or-Nothing-Transform with Reed-Solomon (AONT-RS): Integrates the AONT and erasure coding.
This method first encrypts and transforms the information and the encryption key into blocks in a way that the information cannot be recovered without using all the blocks, and then it uses the IDA to split the blocks into m shares that are distributed to different cloud storage services (the same as in SSMS).
Homomorphic encryption enables the processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a CSP for processing without the requirement to decipher the data first.
The advantages of homomorphic encryption are sizeable, with cloud-based services benefitting most because it enables organizations to safeguard data in the cloud for processing while eliminating the majority of confidentiality concerns.
Note that homomorphic encryption is a developing area and does not represent a mature offering for most use cases.
Many of the current implementations represent partial implementations of homomorphic encryption; however, these are typically limited to specific use cases involving small amounts or volumes of data.
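A partial implementation of the kind mentioned above, as an added example that is not from the original text: the Paillier cryptosystem, which is homomorphic for addition only. The key is built from toy, publicly known primes, and `csp_add`, `csp_scale` and the sample amounts are constructed for illustration.

```python
import math
import secrets

# Toy key: two publicly known Mersenne primes. Constructed for illustration
# only; a real key uses secret random primes of 1536 bits or more.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p - 1, q - 1)
MU = pow(LAM, -1, N)                                # valid because g = N + 1

def encrypt(m: int) -> int:
    """Customer side: c = (1 + N)^m * r^N mod N^2 with a fresh random r."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c: int) -> int:
    """Customer side: m = L(c^lambda mod N^2) * mu mod N, L(u) = (u - 1) // N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def csp_add(c1: int, c2: int) -> int:
    """CSP side: multiplying ciphertexts adds the hidden plaintexts."""
    return c1 * c2 % N2

def csp_scale(c: int, k: int) -> int:
    """CSP side: raising a ciphertext to k multiplies the plaintext by k."""
    return pow(c, k, N2)

def demo() -> int:
    # Constructed sample data: three amounts the CSP totals and then triples
    # while holding only ciphertexts and the public modulus.
    cts = [encrypt(v) for v in (1200, 345, 55)]
    total = cts[0]
    for c in cts[1:]:
        total = csp_add(total, c)
    return decrypt(csp_scale(total, 3))   # (1200 + 345 + 55) * 3
```

The CSP functions use only `N2`, never `LAM` or `MU`, so the provider computes on the data without being able to read it; multiplying two encrypted values together is not possible in this scheme.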