As cloud environments grow so data privacy issues and threats are expanding even becoming international. Within business these issues are raising many legal questions for firms making data centre and cloud operation decisions.
In a not atypical scenario a cloud involves a diversified file system with data in multiple physical locations sitting in public and private clouds. This is something which could lead to cross border investigations in the event of data breaches says
Cameron Brown a security expert who has worked on major international investigations and advises international companies, legislators and regulators on cybersecurity policies and issues.
The potential reach for such investigations should be viewed in the context of the impending data regulations that will come out of the EU. Companies will be staring at weighty fines for breaches of privacy and failure to secure data and this is weighing heavily on the minds of company executives.
He says further complications could come from the Safe Harbour agreement between the US and the EU falling apart and the rejection of the Privacy Shield by the EC. This has been a further wake up call to companies to think about their data.
Even more complicated and uncertain are the considerations for established agreements should the UK vote to leave the UK on June 23rd. This would have huge implications for established agreements.
Mr Cameron says "Data sovereignty is rapidly moving up the agenda. The Germans do things in their way as do other countries. This is calling into question what is the cost of doing business in the cloud. So anyone with data in a territory must ask: Am I complying and what does my risk look like?"
"Look at the impact of data replication. There are synchronised virtual environments on phones, apps and hard drives."
This is also a supply side issue.
Just how can firms conduct security due diligence on cloud and data centre providers? What are the levels of transparency available to users?
"Evaluating service levels must come down to security. People engaging with cloud providers must ask about security provision. It falls back to due diligence. It comes down to enterprises making sure they are informed. It is like insurance. It is the provider who is least transparent who will suffer," says Mr Cameron.
What is the minimum you need to do to evaluate the environment? Have a look at the security options in place in cloud environments. Has your security posture adapted? Do you understand the impact on the enterprise?
It could get even more complicated if a breach occurs and computer forensics come into play. "In a hosted data centre or public cloud environment things could very interesting. Can you deploy pre-emptive forensics? What post breach forensics can you use? Can you look at a particular activity on particular server, node?"
Post mortem, can you understand the breach? What’s transpired? Are you relying on what information has been harvested by the provider? Who is authorised to do the searching and looking at native content of particular file, server, user, VM. How can you capture that information? Who is chasing down logs, looking at access, was the wrongdoing by an authorised user?
"In the cloud it is a collection of different devices? Can you go and grab the information from one device? This is a particularly pronounced issue in the cloud. Can you get access to a particular array? Are you just grabbing hardware that is relevant to the investigation? How can you maintain integrity in a cloud environment?"
"Think about the elements of security. You need to understand the potential for some environments and being compliant."
There are additional tensions that are brought by the additional cloud layer such as understanding the potential risk when it comes to data moving through jurisdictions.
Says Mr Camerson: "Any multi-tenancy environment presents additional issues. These may be from sabotage, unauthorised access or criminals seeking to attack platforms. The question is do you believe that there is such a thing as bullet proof hosting?"