Tag Archives: Cloud

DFIR Problems in the Cloud

As more and more companies are starting to use cloud because of ease of deployment and integration with business needs and due to its scalability, the pandemic and changing business models forced usage of it more.

From IT perspective, cloud usage provides a lot of convenience. With using cloud, companies can pay for only the resources they need and scale up or down to meet their needs easily. With this scalability, they do not need to guess future usage and butgeting it. Additionally, while it takes days or weeks to implement a new server, it only takes a few minutes to get a new one in cloud and it saves on expenses like cabling, staff, broad network access and data center. Cloud also provides a global infrastructure and high availability for systems easily.

Because of reasons above and more, it is very understandable why cloud market will keep growing in next years and the expectations are the market will have more than $800 billion in value in 2025. However, this convenience causes different problems and challenges on the security, incident response and digital forensics side.

Separation of Responsibilities in the Cloud

Security is difficult in cloud for customers because the cloud customer does not have access and responsibility of all the systems those need to be secured. So, it is crucial to know shared responsibility models of the cloud.

As the content of this article, we do not go into the description of what these cloud services are one by one.

Challenges of Security

This shared responsibility model shown above, makes security, incident response and digital forensics more difficult. It is not enough to know the organization’s assets only, security teams need to work together with cloud security provider’s (CSP) security teams. For all types of models, the organization’s teams will not have access and control on data, OS, storage, network traffic, or etc. The difficulties are not these only. Most of the organizations are using hybrid clouds and more than one CSP. This means, systems are distributed between different data centers and locations and teams need data from these different systems in different CSP and structures.

The distributed multi CSP structures causes difficulties to collect data during an incident. So, investigation real-time incidents in the cloud becomes more difficult. One of the reasons of this situation is the access rights; in all types of cloud service model, the incident handler and forensic analyst has limited access and control over data. And the other can be differences in the operational details and procedures in different CSPs. Also, with using different CSPs, and according to the CSP’s structure, logs can be stored as distributed across different servers and locations. This situation also creates difficulties investigation an incident. A correlation an activity between different CSPs is challenging due to lack of interoperability. Time stamps of the logs and time correlation will contribute to this challenging too.

Many new items can be added to this technical challenges list. However, there is also legal side of using cloud. As CSPs distributed their structure in different location all over the world, customers can face some legal issues. Data collection, protection and governance laws change according to the region that the servers located in. It creates a challenges to standardize processes. This differences can also reflect on SLAs.

We can easily increase the items that challenging security teams on cloud like; having experiences in handling cloud environments for admins, gathering and knowledge of cloud investigation and forensics tools, international communication, privacy concerns, unknown location of data, data volatility, time and timestamp synchronization, log format differences, etc.

CSA Announced Their 50 Trusted Providers

The Cloud Security Alliance (CSA) announced the selection of a first round of “trusted providers” for cloud security. CSA, a dedicated organization for defining best practices for cloud security, assumes that these trustmarks (will be displayed on each organization’s Security, Trust, Assurance and Risk (STAR) registery) will assist customers in identifying cloud providers that demonstrate their commitment.

There are some criteria that companies must follow to become a CSA Trusted Cloud Provides;

CSA’s co-founder and CEO, Jim Reavis said; “This new CSA Trusted Cloud Provider program builds upon CSA cloud provider certification to also quantify the credentialing of provider personnel and their contributions to industry projjects. This is intended to offer transparent B2B marketplace intelligence so business can better evaluate the security commitment and accomplishments of cloud providers.”

It was noteworthy that there are not many important security vendors which are already working for cloud security in the list. We will see how these trustmark will change the game in infosec world.