Any business that anticipates using cloud-based services should be asking the question: What can my cloud provider do for me in terms of providing digital forensics data in the event of any legal dispute, civil or criminal case, cyberattack or data breach?
It's going to be different for every provider, according to the industry insiders and legal experts who discussed this topic during a panel session at the recent RSA Conference. And complicating cloud-based forensics is that the high-tech industry is still scratching its collective head over basic requirements, some of which are being pounded out now in the Cloud Forensics Working Group at the National Institute of Standards and Technology (NIST).
"In cloud, we're still struggling with definitions," said Steven Teppler, partner at the Sarasota, Fla.-based law firm Kirk-Pinkerton PA in its information governance and electronic discovery practice. "This causes problems for attorneys. We may not get answers that are complete because we don't know what to ask."
Teppler, who spoke on the panel, said the focus for any lawyer is on obtaining cloud forensics evidence which will lay a foundation for admissibility under the law that a jury can weigh, based on the "provenance" of the information -- the who, what and where of the data. He also noted the process known as "legal discovery" to collect information in any dispute is always constrained by time and expense.
The reality is that "anyone can be sued," said Teppler, and if served with a complaint, it may be necessary to speak with your cloud provider to ensure that information can be preserved "in a consumable fashion" that can be used by the opposing party. This adds up to the need to make a "good-faith effort" that has IT people speaking with corporate lawyers to make forensics-based information available.
The world today is populated with "lots of little clouds," noted Christopher Day, chief security architect and senior vice president of secure information services at Verizon Terremark, speaking on the panel. These can be roughly construed as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) vendors.
Day said Terremark uses an IaaS cloud based on VMware virtual machines (VMs). In the event that Terremark got a served a warrant by law enforcement, Terremark has procedures in place to "get them the image they want," Day said. "We have to show we haven't messed up the image."
Terremark would know if a virtual machine "suddenly disappeared" because it's tracked as part of the billing process, said Day. He added that Terremark would always tell the customer if the cloud provider got a subpoena related to them unless law enforcement asked Terremark not to share that information.
Josiah Dykstra, a doctoral candidate about to graduate from the University of Maryland, Baltimore County, who has made cloud forensics a focus of his study, spoke on the panel about what he's finding out in his research.
"Big providers can't keep pace with the number of cases they get," Dykstra said. There's little that's "built in" today to help cloud providers in a multi-tenant environment through processes such as obtaining firewall logs to deliver to law enforcement or attorneys asking for them. "Cloud providers want law enforcement to do it themselves," said Dykstra, noting Amazon, for instance, has no incentive to expand cloud forensics capabilities unless it's possible to make money from it.
Eric Hibbard, chief technology officer, security and privacy, at Hitachi Data Systems, agreed that cloud providers "really don't want to get into this" and a deep level of cloud forensics remains somewhat unusual. He acknowledged cloud providers would rather hide behind explanations such as "we don't keep that, we don't do that."
If a judge orders that certain evidence be obtained, and it happens to be in a cloud service, the court may hold a hearing with witnesses from both sides arguing how easy it is to obtain it, Hibbard pointed out. And if a virtual-machine image is provided, it may lead to more questions, such as is the email trail missing.
And if there is some suspicion that a cloud provider was hacked, perhaps due to some vulnerability, recourse is probably going to be difficult in terms of getting digital forensics.
"It's a 'best effort' and all that," said Day, noting that "individual cloud VMs get popped all the time." There have been known to be exploits in which a compromised VM could allow the attacker to get access to the underlying hypervisor. There's a lot of concern about memory and traffic but "you may not know how the intruder got in" and the forensics on it can be "dodgy," he acknowledged. But Terremark can do preservation of VMs through network storage. Some customers -- mostly government agencies -- are very concerned about what data might remain on drives and put specifications in contracts to be informed that drives are securely destroyed.
When asked if a criminal who knows a subpoena is coming might in theory be able to completely wipe his own traces, Day said, "Not directly." But what cloud-service providers do to try and preserve digital evidence varies widely across the industry, according to Dykstra. In the end, some take drives and shred them and some may throw them away in dumpsters.
Encryption plays a dual role in a cloud service. It can make data more secure for the customer but harder for law enforcement to get if the cloud service provider doesn't require the customer to provide an encryption key for it. Sometimes law enforcement will attempt to brute force decrypt, and other times law enforcement has been smart enough to ask for data residing in memory, said Day.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: [email protected]