Analysis: Security not the only thing cloud adopters overlook

Security is not the only thing that is being overlooked by eager adopters of cloud-based services, it seems, with incident response also being neglected

Businesses are adopting cloud-based services mainly to speed up innovation and cut costs, often overlooking the security risks of this new delivery model.

But security is not the only thing that is being overlooked by eager adopters of cloud-based services, it seems. Incident response is also being neglected.

Why is it important to consider incident response when switching to cloud-based services?

For any digital investigation, whether because of a data breach, litigation or audit by regulatory authorities, organisations need to get at their data quickly.

However, that could be difficult when that data is held by a cloud service provider (CSP).

"In many cloud contracts, it turns out technically the cloud service provider owns the data," said Frank Coggrave, general manager for Europe at e-discovery firm Guidance Software.

"We know of investigations where it has been impossible, or difficult and time-consuming, for companies to get to their own data, when speed is important to ascertain and mitigate risks," he told Computer Weekly. "People are not going public about it yet, but it is a mistake that is starting to hit some organisations. They are suddenly realising they have no control over the data they have put in the cloud."

Incident response considerations

Because cost saving is usually the main driver of cloud adoption, many businesses do not consider all the ramifications as carefully as they should, said Coggrave. "For instance, even if they are able to access their data quickly, will it be in a format they can use?"

Typically, adopters of cloud services do not check whether, in the event of a data breach, their CSP provides access for customers to investigate.

"Digital investigations often require access to underlying systems to see who accessed the data and ascertain if modifications were made," said Coggrave.

Before signing a contract, he said businesses should ensure it allows adequate access to data and systems when necessary.

At the bare minimum, he said, CSPs should be able to prove that they have the means to conduct an incident investigation if required.

Data breach alert

It is also a good idea for businesses to ensure their CSPs are contractually obligated to notify them if their data is breached, and that contracts cover the cost of downtime and loss of data.

While incident management is not entirely different in the cloud, the very nature of cloud, with massive scaling, shared infrastructure, virtualised platforms and cross-jurisdictional data flows, does bring some additional questions, said Andrew Rose, security and risk analyst at Forrester Research.

"Cloud customers need to make sure they have worked through these before they find themselves in the midst of their first incident," he said.

According to Rose, the focus should be on incident reporting – what the CSP will tell customers about and when.

"It's easy to define when an incident takes down your service, but what about a 'near miss', or the successful hack of another cloud customer that was sharing hardware with you? What are the criteria for cloud customers being alerted, and how soon after the event is detected? Would it, for instance, let you know if a piece of shared hardware had been seized as part of a criminal investigation, and that it may have contained elements of your data?"

Businesses should also make sure they know exactly how the CSP deals with evidence preservation and presentation.

"If an incident has local law enforcement officers asking for evidence, you don't want to find out that the cloud provider only retains such data for 24 hours, or has no capacity for forensic data capture.

"If your cloud provider is reluctant to share information relating to its incident detection and handling routines, businesses must consider their position before signing the contract. It's difficult to maintain a great service when one part of your offering is effectively a 'black box'," he said.

Consider cloud terms and conditions

The Cloud Industry Forum (CIF), which aims to determine best practice for the industry and has established the certified Code of Practice for CSPs, said it has not received any formal complaints about incident response performance issues relating to CSPs.

However, CIF chairman Andy Burton said the concept of cloud computing has raised the focus on three specific areas that consumers of services need to be better informed about.

Contracting, service resilience and data portability need to be considered fully in cloud service buying decisions, he said.

"It is astounding how few organisations entering into a service agreement with a CSP fail to review or negotiate the agreement," said Burton.

In a recent CIF survey, 48% of companies using a cloud service said they entered the agreement without negotiation over the terms, he told Computer Weekly.

"Understanding a CSP’s stance toward delivery of service levels and setting penalties for failure, levels of liability for data loss, or actions in the event of a termination of contract, is critical before commencing a cloud service," he said. 

In terms of service resilience, the CIF believes all credible CSPs should be able to state the level of resilience built into the delivery of service, from the property and utilities through to the architecture of the infrastructure and software, where appropriate.

CSPs should also have clear policies about their own internal management of data to ensure the ability to recover data in the event of a crisis. 

"However, issues do happen, and while it is possible for CSPs to provide extremely high levels of availability and resilience, there is usually a cost premium for this," said Burton.

Shared responsibility for data

At the same time, the CIF believes user organisations should act responsibly in the governance of their data, and therefore consideration should be given for either a geo-resilient service, or an appropriate back-up or high-availability business continuity solution depending on the importance and time sensitivity of access to data and systems. 

"Cloud does not remove the need for informed decisions about resilience, but there is a tendency in the market among both suppliers and consumers to explore this issue less fully than they should," said Burton.

In terms of data portability, the CIF believes it is essential to know at the outset of a relationship with a CSP what the experience will be like at the end of the relationship. 

"Lock-in is one of the biggest fears among user organisations, and as such it is critical for users to determine how, when and in what form their data can be extracted at the end of the agreement regardless of the cause of the contract ending," said Burton.

To help user organisations, he said, the CIF has published a Guide to buying cloud services, which is available for free download.

Guidance Software's Coggrave said not only should organisations ensure access to their data is guaranteed in the contract, but they should test out how that works in practice.

"Validate that what you have paid for is what you have been given. It is better to test the practicality and validity of access rights in advance than finding you can't do it when you need to do it," he said.
