There’s certainly been plenty of talk, perhaps too much, about cloud computing. There’s Infrastructure-as-a-Service, Software-as-a-Service, Platform-as-a-Service - everything is now sold as-a-service. But one aspect of all of this that doesn’t get much attention is how cloud computing affects incident response. And even if you’ve yet to move to the cloud in a significant way, incident response in the cloud is something you should start considering long before you make the move.
Anthony Di Bello
So how does cloud computing affect incident response? There are a number of ways. First, and possibly most significantly, security and incident response in cloud computing are so new that everyone, from cloud providers and security vendors to enterprises, is still striving to get their hands fully around the issue. There are a number of worthwhile organizations that can help with this, such as the European Network and Information Security Agency (ENISA), which has published some material relating to cloud security and incident response. In North America there’s the Cloud Security Alliance (CSA), which has recently created a cloud computing security incident response team dedicated to cloud incident response.
Interestingly, some of the biggest challenges around cloud computing aren’t technical at all; they’re legal. The legal vagaries surrounding cloud make it difficult to understand how incident response can be executed in the event of a breach or attack. Who owns the data in the breach? In many cloud contracts, it turns out that technically the cloud service provider owns the data. Is your service provider contractually obligated to notify you should they be breached? Are you sure about your answer? Legal experts say that clients need to make certain that their contracts cover things such as breach notification and the cost of downtime or of data that has been destroyed.
Also, are you confident, in the event of a breach, that your cloud services provider can conduct an incident investigation - or provide a way for you to investigate the breach against your systems, data, or applications?
If a customer can’t do it themselves, should cloud providers be offering incident response and e-Discovery as a service? That’s a possibility because existing incident response technology does work in the cloud, but its use is more a matter of data ownership, legal authority, and accessibility to affected systems than it is about technical challenges.
As more data moves to the cloud, attackers are going to increasingly target cloud-based systems. But until the rules about incident response become more clearly defined, one of the most important things you can do now is to prepare yourself: make sure your cloud provider has the appropriate incident response capabilities in place, and that you have the right contractual agreements set for when something goes wrong (and it will, eventually, at one or more of your cloud services providers).
While most will wait until there is an actual breach before asking these questions, it’s not the best time to do so. In actuality, it may be the worst time. That’s because a breached services provider is not going to be in the mood to go beyond what is detailed in the contract while they are in the midst of an incident.
So it’s best to have settled how incident response will be handled long before that happens. To learn more about how incident response capabilities are critical to understanding the source, scope and damages suffered by a suspected attack, visit www.guidancesoftware.com/cybersecurity.