CSA to help plug gaps in standards on digital forensics in the cloud
The Cloud Security Alliance (CSA) announced the formation of a new working group that will closely examine incident handling and forensics in cloud environments.
The CSA is a not-for-profit organisation tasked with promoting the use of best practices for providing security within cloud computing environments, and it hopes that the Incident Management and Forensics Working Group will help practitioners define and standardise processes for conducting forensic investigations with cloud service providers.
“The objective of this new CSA Working Group is to define best practices that consider the legal, technical, and procedural elements of responding to security incidents in the cloud in a forensically sound way,” said Dominik Birk, co-chair of the CSA Incident Management and Forensics Working Group.
The CSA also released an inaugural white paper which details some of the key challenges that cloud computing poses for the practice of digital forensics within those environments.
The multi-tenant nature of cloud infrastructure poses some of the biggest challenges: shared, mission-critical devices often cannot be powered off to serve the investigation needs of a single tenant. Identifying the physical location of a storage array “might be difficult if not impossible,” since a document or file may exist only as data fragments spread across multiple physical locations, and the way data is written to storage is so dynamic that it may become difficult to carry out cybercrime investigations effectively.
Although the white paper highlights the extent to which existing standards for digital forensics and eDiscovery are inadequate when mapped to a cloud environment, the authors suggest that virtualisation technology could provide the means through which a standard solution may be found. “The introduction of a new abstraction layer between the physical hardware and the computer system’s operating system software introduces powerful new options. For example, it creates the capacity to create non-intrusive system snapshots on live systems or plugging into the hypervisor to record data on the OS kernel level,” the authors write.
At the moment, virtualisation technology is not considered a standard source of evidence for digital evidence first responders (DEFRs, who perform digital evidence collection and acquisition) under ISO 27037, the relevant standard for networked devices, but the new CSA Working Group suggests that this should change, given the capabilities virtualisation technology offers.
“Thus, the DEFR should consider the virtualisation management systems and APIs as a new source of digital evidence and input (i.e. for creating timelines out of central log information, information on network events regarding virtual switches and firewalls but also VLAN mapping, locating target file systems or systems in scope within virtual containers or on storage systems, and tracking moving VMs, access logs and system configuration details),” the white paper’s authors write.
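The quoted passage names central hypervisor-management logs as a source for building timelines and tracking VMs that move between hosts. The following is an added illustration, not code from the CSA white paper or any product: it parses a constructed sample of management-log lines (format, hostnames and VM names are assumptions), builds a per-VM timeline, answers which host held a VM at a given instant, and records a digest of the raw log so the analysis can be tied back to exactly what was collected.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample of central hypervisor-management log lines (not from any real product).
# Each line: ISO-8601 UTC timestamp followed by key=value fields (host, vm, event, ...).
SAMPLE_LOG = """\
2023-06-12T10:01:03Z host=hv-01 vm=web-07 event=power_on vlan=120
2023-06-12T10:45:10Z host=hv-01 vm=web-07 event=migrate_start dst=hv-03
2023-06-12T10:45:42Z host=hv-03 vm=web-07 event=migrate_complete src=hv-01
2023-06-12T10:50:00Z host=hv-02 vm=db-02 event=power_on vlan=130
2023-06-12T11:02:55Z host=hv-03 vm=web-07 event=snapshot name=ir-capture-01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_ts(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Turn one log line into a dict of its fields plus a parsed 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = parse_ts(m.group("ts"))
    return fields


def build_timeline(log_text, vm):
    """Chronological list of the events recorded for one VM across all hosts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e.get("vm") == vm]
    return sorted(events, key=lambda e: e["ts"])


def locate_vm(log_text, vm, when_iso):
    """Host that held the VM at the given instant: the last host to log an event for it
    before that time. Returns None if the VM had not appeared in the log yet."""
    when = parse_ts(when_iso)
    host = None
    for e in build_timeline(log_text, vm):
        if e["ts"] > when:
            break
        host = e["host"]
    return host


def evidence_digest(log_text):
    """SHA-256 of the raw log text as collected, recorded alongside the derived timeline."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()
```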
Speaking at the Cloud World Forum in London last week, the CSA’s executive director and co-founder Jim Reavis said that improving the practical application of current standards to the cloud will, above all, provide the degree of transparency that customers of cloud services require from their providers.
The organisation plans to release another white paper in Q4 this year that will offer a more complete model for forensics handling in cloud environments.