Cloud data storage and disparate privacy laws could be hampering companies fighting cyber attacks, according to Seth Berman, UK executive managing director of digital risk management and investigations firm, Stroz Friedberg.
He urged organisations to review cloud services contracts to prevent valuable time being lost when responding to a data breach incident.
“Companies are forced to fight attackers on multiple geographic fronts, but the complexities of the internet cloud and a patchwork quilt of data privacy laws means a prompt response is often difficult,” said Berman.
Cyber incident response plans must take into account any potential restrictions to access, but providers are rarely set up to support a victim's need to obtain forensic images of their own servers.
“We regularly deal with incidents where data is scattered across servers in multiple physical locations or even on servers that may house other companies' data. This makes forensic response complicated, slow or, in some cases, impossible,” said Berman.
Investigations slowed by data privacy regulations
A former US Department of Justice prosecutor, Berman has led cyber crime investigations into hacking, corruption, corporate espionage, intellectual property theft, fraud and employee misconduct, on behalf of private and public sector organisations.
He believes the wide range of data privacy laws facing global companies could hinder a cyber investigation.
“In Europe, the process of forensically preserving and analysing the computers an attacker has compromised can run into road blocks rooted in EU data privacy frameworks. These provide strong protection against businesses examining employees' personal data,” said Berman.
Country-specific legislation adds a further layer of complexity. “Germany’s workers' councils, for example, have the ability to protect workers from a range of corporate inquiries into their data,” he said.
According to Berman, such restrictions complicate the ability to react swiftly to a cyber attack, given that one of the key methodologies attackers use is the delivery of malware-loaded emails to targeted corporate employees.
A spear phishing attack would commonly require a deep inspection of the affected employees' email folders and, sometimes, their entire computers. In many countries, that process could be slowed or impeded, depending on the response by the company, employees and/or labour councils.
Mandatory reporting of data breaches
“With mandatory data breach notification, the US now has an interlocking response system, with a shared sense of urgency and the backing of corporate executives, outside counsel and incident responders,” he said.
The European Union is currently considering the introduction of mandatory data breach reporting, which may force organisations to report data breaches within hours of a breach.
“A shared sense of urgency across multiple continents may help companies overcome the hurdles that are often the inadvertent consequence of privacy laws. The challenge will be to strike a balance between privacy and a need to facilitate a rapid and coordinated incident response across multiple jurisdictions,” said Berman.
Contracts need more transparency to improve risk management, according to the Gartner analysts, as SaaS contracts often have ambiguous terms regarding data confidentiality, data integrity and recovery after a data breach.
This leads to dissatisfaction among the users of cloud services and makes it difficult for service providers to manage risk and defend their risk position to auditors and regulators, the report said.