By Jayant Saran, Partner – Forensic, Financial Advisory, Deloitte Touche Tohmatsu India LLP
Cloud computing is increasingly being adopted by organizations worldwide because of its ease of use, cost benefits and usage flexibility. Despite these advantages, it has also exposed individuals and organizations to new security and fraud-related threats. Various studies suggest that as much as US$3 billion has been lost to frauds perpetrated over cloud computing networks in the past few years.
Understanding the cloud computing environment
Cloud computing is typically described (as in the NIST definition) in terms of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service), three service models (Infrastructure as a Service, Platform as a Service and Software as a Service) and four deployment models (private, public, community and hybrid). The characteristics define the capabilities and benefits available to users, whereas the service and deployment models define the possible means of consuming a cloud service. From a fraud risk perspective, many of the challenges arise from the way cloud computing is deployed at an organization, because each deployment model allows a different degree of resource sharing with other tenants and therefore carries different security limitations.
Potential hurdles in managing fraud risks
When an organization adopts a cloud solution managed by a third party, dependencies on the Cloud Service Provider (CSP) are created with respect to legal liability, the risk universe, incident escalation, incident response and other areas. The actions of the CSP and of fellow tenants can affect the organization in various ways. The resulting challenges include:
o difficulty in extending the enterprise risk management program to the cloud environment;
o inheriting risks faced by the CSP itself;
o lack of transparency into the CSP's operations and controls;
o security and compliance concerns;
o non-availability of, or restricted access to, certain critical information;
o becoming part of a high-value cyber-attack target (a shared platform attracts attackers interested in any tenant);
o risk of data leakage.
How these hurdles can impact investigations on the cloud
The complexity of cloud infrastructure and the volatility of data in it create various challenges for digital forensic investigations. These include:
o recovery of deleted data, which may be overwritten or re-provisioned to another tenant before an investigator can reach it;
o authorization and access to data held by the CSP;
o challenges arising from the system architecture;
o authentication of evidence and maintenance of the chain of custody;
o privacy protection for other tenants whose data shares the same resources;
o jurisdictional and geolocation issues;
o dependencies on multiple cloud systems;
o differing metadata, multiple log formats and differing time zones across sources;
o seizure or confiscation of a computing resource, and of data on virtual machine environments.
Managing fraud risks on the cloud through forensic readiness
It is important that companies assess their fraud risks when opting for cloud-based services or solutions. To achieve this they need to understand the inherent risks and the gaps in their control mechanisms, and prepare a forensic readiness program. In the absence of adequate controls and forensic readiness, it may not be possible to collect data that can later be examined as evidence at all.
Forensic readiness refers to the level of preparation an organization has for responding to future forensic investigations, whether internally driven or driven by a regulator. That preparation includes sufficient provisions and support obligations in the SLA with the CSP. Depending on the type of incident, the nature of the investigation and the methodology for gathering evidence may differ, so the SLA and service level objectives (SLOs) should adequately address all the issues that can arise during an investigation.
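Two of the forensic challenges listed earlier (multiple log formats with differing time zones, and authentication of evidence and chain of custody) are the ones a forensic readiness program can address before any incident occurs. The following is an added example, not part of the original article and not any CSP's tooling: it takes two constructed sample exports (a syslog-style file written with a local +05:30 offset, and a hypothetical CSP audit export in a JSON-lines format invented for this example), normalizes every timestamp to UTC so that the events sort into their true order, and records a SHA-256 manifest of the collected exports that can be re-verified later. The source names, field names and timestamps are all assumptions made for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample evidence (not real logs). One syslog-style export written
# with a fixed local offset (+05:30) by an on-prem collector, and one JSON-lines
# audit export from a hypothetical CSP console, written in UTC ("Z").
SYSLOG_EXPORT = (
    "2023-03-14T09:05:12+05:30 bastion01 sshd[2231]: Accepted publickey for deploy from 203.0.113.7\n"
    "2023-03-14T09:06:40+05:30 bastion01 sudo: deploy : COMMAND=/bin/rm -rf /var/log/audit\n"
)
CSP_AUDIT_EXPORT = (
    '{"eventTime": "2023-03-14T03:35:58Z", "eventName": "DeleteSnapshot", "user": "deploy", "sourceIP": "203.0.113.7"}\n'
    '{"eventTime": "2023-03-14T03:36:30Z", "eventName": "DetachVolume", "user": "deploy", "sourceIP": "203.0.113.7"}\n'
)
SOURCES = {"bastion01-syslog": SYSLOG_EXPORT, "csp-audit": CSP_AUDIT_EXPORT}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")


def to_utc(stamp):
    """Parse an ISO-8601 timestamp carrying an offset or 'Z' and return it in UTC."""
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        # A naive timestamp cannot be placed on a shared timeline: refuse rather than guess.
        raise ValueError("refusing naive timestamp %r: origin zone unknown" % stamp)
    return dt.astimezone(timezone.utc)


def parse_syslog(text, source):
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError("unrecognised syslog line: %r" % line)
        events.append({
            "utc": to_utc(m.group("ts")).isoformat(),
            "source": source,
            "summary": "%s %s" % (m.group("proc"), m.group("msg")),
        })
    return events


def parse_csp_audit(text, source):
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        events.append({
            "utc": to_utc(rec["eventTime"]).isoformat(),
            "source": source,
            "summary": "%s by %s from %s" % (rec["eventName"], rec["user"], rec["sourceIP"]),
        })
    return events


PARSERS = {"bastion01-syslog": parse_syslog, "csp-audit": parse_csp_audit}


def build_timeline(sources):
    """Merge every source into one list of events ordered by UTC time."""
    events = []
    for name, text in sources.items():
        events.extend(PARSERS[name](text, name))
    return sorted(events, key=lambda e: (e["utc"], e["source"]))


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(sources, collected_utc):
    """Hash each export exactly as collected, then hash the manifest itself."""
    entries = {}
    for name, text in sources.items():
        raw = text.encode()
        entries[name] = {"sha256": hashlib.sha256(raw).hexdigest(), "bytes": len(raw)}
    body = {"collected_utc": collected_utc, "sources": entries}
    body["manifest_sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_manifest(manifest, sources):
    """Return True only if neither the manifest nor any export has changed."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(_canonical(body)).hexdigest() != manifest["manifest_sha256"]:
        return False
    for name, entry in manifest["sources"].items():
        if name not in sources:
            return False
        if hashlib.sha256(sources[name].encode()).hexdigest() != entry["sha256"]:
            return False
    return True


if __name__ == "__main__":
    for e in build_timeline(SOURCES):
        print(e["utc"], e["source"], e["summary"])
    print(json.dumps(build_manifest(SOURCES, "2023-03-14T04:10:00+00:00"), indent=2))
```

Read in local time the syslog entries appear to happen hours after the CSP events; normalized to UTC the SSH login precedes the snapshot deletion and the `rm` of the audit log follows it, which is the sequence an investigator needs. The manifest is produced at collection time and stored separately from the exports; re-running `verify_manifest` at each hand-over is what makes the chain of custody demonstrable rather than asserted.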
Identifying an appropriate fraud risk management model for cloud environments
Some of the important aspects to consider before finalizing SLAs and SLOs from a forensic readiness standpoint include:
o Is your cloud service provider certified against, or otherwise demonstrably compliant with, an international security standard (e.g. the ISO/IEC 27000 series) that can reasonably safeguard your cloud environment?
o Do you extend your Enterprise Risk Management (ERM) to the cloud environment?
o Do you have a vendor risk management plan in place to manage fraud risks associated with your CSP?
o Are your senior management and corporate legal counsel aware of your cloud service providers and do they review service level agreements with the technical teams prior to initiating business with CSPs?
o Have you identified forensic readiness and support from your service provider as part of your SLA?
o Have you finalized the processes for authorizing a forensic investigation in the cloud?
o Have the provisions of privacy, regulatory and legal concerns based on the rules and regulations of the controlling geography been introduced into the SLA?
o Do you have a team of specialists to deal with incidents? This can be an in-house or an outsourced team, but it is recommended to engage a professional team under a Master Services Agreement (MSA), because incidents must be responded to quickly given how dynamically storage media are managed in cloud environments.
o If an in-house team manages investigations, does it have the necessary skill sets and tools to pursue an investigation in a cloud environment?
o Have you finalized your incident management plan and shared it with your cloud service provider?
o Is your incident management team aware of the legal and other implications of carrying out a forensic investigation in the cloud environment?
Cloud infrastructure poses a very different set of challenges for digital forensic investigations. Most tools currently used for digital forensics are intended for offline investigations and assume that the storage media under examination are within the investigator's physical control, an assumption that does not hold for a virtual machine or storage volume operated by a CSP.
The few tools and methodologies that can assist in extracting and analysing potential evidence in a manner acceptable in legal proceedings depend heavily on the service and deployment models chosen and on how the cloud service provider manages them. A lack of expert advice and inadequate oversight, right from the initial stages of planning a migration to cloud infrastructure, can expose a user to legal or compliance issues later.