Any business that anticipates using cloud-based services should be asking the question: What can my cloud provider do for me in terms of providing digital forensics data in the event of any legal dispute, civil or criminal case, cyberattack or data breach?
It's going to be different for every provider, according to the industry insiders and legal experts who discussed this topic during a panel session at the recent RSA Conference. Complicating cloud-based forensics further, the high-tech industry is still scratching its collective head over basic requirements, some of which are being pounded out now in the Cloud Forensics Working Group at the National Institute of Standards and Technology (NIST).
"In cloud, we're still struggling with definitions," said Steven Teppler, partner at the Sarasota, Fla.-based law firm Kirk-Pinkerton PA in its information governance and electronic discovery practice. "This causes problems for attorneys. We may not get answers that are complete because we don't know what to ask."
Teppler, who spoke on the panel, said the focus for any lawyer is on obtaining cloud forensics evidence that will lay a foundation for admissibility under the law that a jury can weigh, based on the "provenance" of the information -- the who, what and where of the data. He also noted that the process known as "legal discovery," used to collect information in any dispute, is always constrained by time and expense.
The reality is that "anyone can be sued," said Teppler, and if served with a complaint, it may be necessary to speak with your cloud provider to ensure that information can be preserved "in a consumable fashion" that can be used by the opposing party. This adds up to the need to make a "good-faith effort" that has IT people speaking with corporate lawyers to make forensics-based information available.
The world today is populated with "lots of little clouds," noted Christopher Day, chief security architect and senior vice president of secure information services at Verizon Terremark, speaking on the panel. These can be roughly construed as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) vendors.
Day said Terremark uses an IaaS cloud based on VMware virtual machines (VMs). In the event that Terremark got served a warrant by law enforcement, Terremark has procedures in place to "get them the image they want," Day said. "We have to show we haven't messed up the image."
Terremark would know if a virtual machine "suddenly disappeared" because it's tracked as part of the billing process, said Day. He added that Terremark would always tell the customer if the cloud provider got a subpoena related to them unless law enforcement asked Terremark not to share that information.