Cloud service providers often not set up for incident response

Cloud data storage and disparate privacy laws could be hampering companies fighting cyber attacks, warns security investigator

Cloud data storage and disparate privacy laws could be hampering companies fighting cyber attacks, according to Seth Berman, UK executive managing director of digital risk management and investigations firm, Stroz Friedberg.

He urged organisations to review cloud services contracts to prevent valuable time being lost when responding to a data breach incident.

“Companies are forced to fight attackers on multiple geographic fronts, but the complexities of the internet cloud and a patchwork quilt of data privacy laws mean a prompt response is often difficult,” said Berman.

Cyber incident response plans must take into account any potential restrictions to access, but providers are rarely set up to support a victim's need to obtain forensic images of their own servers.

“We regularly deal with incidents where data is scattered across servers in multiple physical locations or even on servers that may house other companies' data. This makes forensic response complicated, slow or, in some cases, impossible,” said Berman.

Investigations slowed by data privacy regulations

A former US Department of Justice prosecutor, Berman has led cyber crime investigations into hacking, corruption, corporate espionage, intellectual property theft, fraud and employee misconduct, on behalf of private and public sector organisations.

He believes the wide range of data privacy laws facing global companies could hinder a cyber investigation.

“In Europe, the process of forensically preserving and analysing the computers an attacker has compromised can run into road blocks rooted in EU data privacy frameworks. These provide strong protection against businesses examining employees' personal data,” said Berman.

Country-specific legislation adds a further layer of complexity. “Germany’s workers' councils, for example, have the ability to protect workers from a range of corporate inquiries into their data,” he said.

According to Berman, such restrictions complicate the ability to react swiftly to a cyber attack, given that one of the key methodologies attackers use is the delivery of malware-loaded emails to targeted corporate employees.

A spear phishing attack would commonly require a deep inspection of the affected employees' email folders and, sometimes, their entire computers. In many countries, that process could be slowed or impeded, depending on the response by the company, employees and/or labour councils.

Mandatory reporting of data breaches

“With mandatory data breach notification, the US now has an interlocking response system, with a shared sense of urgency and the backing of corporate executives, outside counsel and incident responders,” he said.

The European Union is currently considering the introduction of mandatory data breach reporting, which may force organisations to report data breaches within hours of a breach.

“A shared sense of urgency across multiple continents may help companies overcome the hurdles that are often the inadvertent consequence of privacy laws. The challenge will be to strike a balance between privacy and a need to facilitate a rapid and coordinated incident response across multiple jurisdictions,” said Berman.

A report from research firm Gartner stated that buyers of commercial cloud services – especially Software as a service (SaaS) – are finding security provisions inadequate.

Contracts need more transparency to improve risk management, according to the Gartner analysts, as SaaS contracts often have ambiguous terms regarding data confidentiality, data integrity and recovery after a data breach.

This leads to dissatisfaction among the users of cloud services and makes it difficult for service providers to manage risk and defend their risk position to auditors and regulators, the report said.
