The extra dynamic is the presence of a third party, the cloud service provider (CSP), so the organization must understand how laws and regulations apply to the cloud.
In other words, it becomes important to understand how laws apply to each of the parties involved and how compliance will ultimately be addressed.
Regardless of which models you are using, you need to consider the legal issues that apply to how you collect, store, process, and, ultimately, destroy data.
There are likely important national and international laws that you, with your legal functions, need to consider to ensure you are in legal compliance.
There may be numerous compliance requirements, such as Safe Harbor, HIPAA, PCI DSS, and other technology and information privacy laws and regulations.
Failure to comply may mean heavy punishments and liability issues.
Laws and regulations typically specify responsibility and accountability for the protection of information.
For example, laws covering health information require that positions be established with responsibility for the security of that information.
The Sarbanes-Oxley Act (SOX), for example, makes the chief executive officer (CEO) and chief information officer (CIO) accountable for the protection of information, whereas the Gramm-Leach-Bliley Act (GLBA) specifies that the entire board of directors is accountable.
If you are using a cloud infrastructure that is sourced from a CSP, you must pass on to the CSP all legal and regulatory requirements that are imposed on you.
Accountability remains with you, and making sure you are complying is your responsibility.
Usually, this can be addressed through clauses in the contract that specify that the CSP will use effective security controls and comply with any data privacy provisions.
You are accountable for the actions of any of your subcontractors, including CSPs.
Why Do We Need e-Discovery?
For those familiar with digital evidence’s relevance and overall value in the event of an incident or suspected instance of cybercrime, e-discovery has long formed part of relevant investigations.
E-discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
E-discovery can be carried out online and offline (for static systems or within particular network segments).
In the case of cloud computing, almost all e-discovery cases are done in online environments with resources remaining online.
What Are the e-Discovery Challenges?
The challenges for the security professional here are complex and need to be fully understood.
Picture this scene.
You receive a call from your company’s legal advisors or from a third party advising you of potentially unlawful or illegal activities across the infrastructure and resources that employees access.
Given that your systems are no longer on-premises (or only a portion of your systems are), what are the first steps you are going to follow?
Start acquiring local devices and obtaining portions or components from your data center?
Surely, you can just get the data and information required from the CSP.
This may or may not be the case, however.
And if it is possible, it may be complicated to extract the relevant information required.
If you look at this from a U.S. perspective, under the Federal Rules of Civil Procedure, a party to litigation is expected to preserve and be able to produce electronically stored information that is in its possession, custody, or control.
Sounds straightforward, right?
Is the cloud under your control? Who is controlling or hosting the relevant data? Does this mean that it is under the provider’s control?
What Are the Considerations and Responsibilities of e-Discovery?
How good is your relationship with your cloud vendor? Good, bad, or fine? Have you ever spoken with your CSP’s technical teams?
Imagine picking up the phone to speak with the CSP for the first time when trying to understand how to conduct an e-discovery investigation involving its systems.
At this point, do you know exactly where your data is housed within your CSP? If you do, you have a slight head start on many others.
If you do not, it is time you find out.
Imagine trying to collect and carry out e-discovery investigations in Europe, Asia, South America, the United States, or elsewhere when the location of your data is found to be in a different hemisphere or geography than you are.
Any seasoned investigator will tell you that carrying out investigations or acquisitions within locations or states whose laws, regulations, or other statutory requirements you are not familiar with can be tricky and risky.
Understanding and appreciating local laws and their implications is a must for the security professional before initiating or carrying out any such reviews or investigations.
Laws in one state may well clash with or contravene laws in another.
It is the Certified Cloud Security Professional’s (CCSP’s) responsibility under due care and due diligence to validate that all the relevant laws and statutes that pertain to their investigation are documented and understood to the best of her ability before the start of the investigation.
How Does e-Discovery Reduce Risks and Threats?
Given that the cloud is an evolving technology, companies and security professionals can be caught short when dealing with e-discovery.
There is a distinct danger that companies can lose control over access to their data due to investigations or legal actions being carried out against them.
A key step to reducing the potential implications, costs, and business disruptions caused by loss of access to data is to ensure that your cloud service contract takes such events into account.
As a first requirement, your contract with the CSP should state that it is to inform you of any such events and enable you to control or make decisions in the event of a subpoena or other similar actions.
These events should be factored into the organization’s business continuity and incident response plans.
What Is an e-Discovery Investigation?
There are various ways to conduct e-discovery investigations in cloud environments.
A few examples include the following:
- Software as a service (SaaS)-based e-discovery: To some, “e-discovery in the cloud” means using the cloud to deliver tools used for e-discovery. These SaaS packages typically cover one of several e-discovery tasks, such as collection, preservation, and review.
- Hosted e-discovery (provider): E-discovery in the cloud can also mean hiring a hosted services provider to conduct e-discovery on data stored in the cloud. Typically, the customer stores data in the cloud with the understanding, and the mechanisms in place, to support the cloud vendor doing the e-discovery. When the provider is not in a position to resource or provide the e-discovery, it may outsource to a credible or trusted provider.
- Third-party e-discovery: When no prior notifications or arrangements with the CSP for an e-discovery review exist, an organization typically needs a third party or specialized resources operating on its behalf.
Note that careful consideration and appreciation of the service-level agreement (SLA) and contract agreements must be undertaken to establish whether investigations of cloud-based assets are permitted or if prior notification and acceptance are required.
Are Cloud Forensics and ISO/IEC 27050-1 Worth It?
When incidents occur, it may be necessary to perform forensic investigations related to that incident.
Depending on the cloud model that you are employing, it may not be easy to gather the required information to perform effective forensic investigations.
The industry refers to this as cloud forensics.
Cloud computing forensic science is the application of scientific principles, technological practices, and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, interpretation, and reporting of digital evidence.
Conducting a forensic network analysis in the cloud is not as easy as conducting the same investigation across your own network and local computers.
This is because you may not have access to the information that you require and, therefore, need to ask the service provider to supply it.
Communication in this scenario becomes important, and all involved entities must work together to gather the important information related to the incident.
In some cases, the cloud customer may not be able to obtain and review security incident logs because they are in the possession of the service provider.
The service provider may be under no obligation to provide this information or may be unable to do so without violating the confidentiality of the other tenants sharing the cloud infrastructure.
The goal of standards such as ISO/IEC 27050-1 is to promote best practices for the acquisition and investigation of digital evidence.
Although some practitioners favor certain methods, processes, and controls, ISO/IEC 27050-1 looks to introduce and ensure standardization of approaches globally.
The key thing for the Certified Cloud Security Professional (CCSP) to be aware of is that, while doing cloud forensics, all relevant national and international standards must be adhered to.