Incident Response, Computer Forensics, and the Cloud
As the security industry continues to move toward the cloud, practitioners must be able not only to secure cloud implementations but also to perform incident response and forensics in the cloud. A growing number of organizations already use the cloud in one form or another. Depending on the service model—software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS)—the business will need to adapt its incident response and forensic investigation programs accordingly.
Moving to the Cloud
When moving to a cloud service provider, the first thing an organization needs to do is perform an assessment of what changes will take place, and how they will be reflected in its incident response and computer forensic schemes.
A key factor in this assessment is establishing the service model of all systems utilizing the cloud and where you store data. Making this determination helps guide the practitioner’s decisions on how processes will be handled during an incident.
Frequently, an organization makes the transition to the cloud slowly while retaining a presence in its local data center. This hybrid architecture calls for caution on the part of the organization since its current incident response and computer forensic tools weren’t designed or implemented for the cloud. Without the ability to perform cloud forensics, the network can be vulnerable to attacks that may go unnoticed.
Importance of a Gap Analysis
It’s important to perform a gap analysis of how your existing incident/forensic tools and processes are currently used and how they’ll be used in the cloud. This will determine whether moving to the cloud will cause any limitations in the processes, or offer any potential improvements. Changes to the process must be explored to understand how they will work going forward.
A review of the cloud solution provider’s (CSP) roles and responsibilities within your cloud incident response and forensic processes should be performed during this time, so the organization understands how to run within a cooperative model in the cloud. The CSP support team will become an active member of your incident response team and will need to know how to work within your runbook before a migration is made and tested.
Organizations benefit from performing cloud incident response and forensics when they start moving fully into the cloud. A company planning to go into the cloud from an IaaS perspective should first look at what CSPs have to offer from a security standpoint. Contact Veristream at 888-718-0807 to learn more about cloud integration with your incident response and computer forensics.