Cloud Computing: Cloudy Forecast for Forensic Accounting
By: James Provenzano, CPA, CFE, CFF
Cloud computing is here to stay, but what does it mean for security and forensic accounting issues? Like many of us, I am neither a digital forensic expert nor an IT-trained professional. Nevertheless, on forensic assignments and also certain expert witness roles, we work alongside a digital forensic accounting expert and need to have more than a basic understanding. This situation will increase as cloud computing continues its rapid growth.
Some statistics indicate that spending on cloud services is growing at five times the rate of traditional on-premises IT. Why is that, and what is cloud computing? The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce whose mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology...", has come up with a working definition of cloud computing: "a pay-per-use model for enabling available, convenient and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." The bottom line is reduced costs, anytime/anywhere data access, increased storage, worry-free maintenance, etc. The risks concern the confidentiality, integrity and availability of data.
The NIST also defines digital forensics as the "application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data".
Cloud Computing Description
Cloud computing has five essential characteristics:
- on-demand self-service
- broad network access
- resource pooling
- rapid elasticity and
- measured service.
It has three service models:
- Cloud Software as a Service (SaaS),
- Cloud Platform as a Service (PaaS) and
- Cloud Infrastructure as a Service (IaaS)
and it has four deployment models, i.e., private cloud, community cloud, public cloud and hybrid cloud.
SaaS
Essentially a provider's software is used by the customer on a cloud infrastructure. It is accessed through a web browser or other program interface. The consumer does not manage or control the underlying cloud infrastructure.
PaaS
The consumer deploys onto cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
IaaS
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Deployment Models:
Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units).
Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Cloud Computing Security and Forensic issues
Why is there concern about security and forensic ability in the "cloud" environment?
- Customers have no control over hardware in any service model and limited administrative control in SaaS and PaaS
- If involved, law enforcement does not have physical control of the media nor the network since many users have access to a particular cloud
- Cloud organizations including providers and customers have yet to establish a well-defined forensic capability due in part to the lack of experience for this service and the diversity of deployment and service models
- In certain models, multiple tenants and jurisdictions create difficulty in segregating forensic data. Multi-jurisdiction and multi-tenancy challenges have been identified as the top legal concerns among digital forensics experts (Broadhurst, 2006; Liles et al., 2009)
- The Cloud can be the subject of crime when it is the environment where the crime is committed, e.g., unauthorized modification or deletion of data residing in the Cloud, identity theft of users of the Cloud.
The key areas above involve lack of control, lack of experience with the new service model, multiple legal jurisdictions and new opportunities for white collar crime.
Cloud Computing Security and Forensic Tools
Thus cloud computing is growing impressively, and with it the concerns that arise with new technological services and platforms. How are market forces and forensic service providers reacting? The discussion that follows comes with the warning that the field is very fluid; it is not complete and is subject to change. Much of this material comes from the white paper "Cloud forensics: An overview" by Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi and Mark Crosbie.
✓ Tools and procedures to segregate forensic data in the cloud among multiple tenants in different deployment models and different service models need to be continually developed. In addition, cloud forensics tools and procedures need to be developed to physically locate forensic data at a given timestamp, and to physically trace forensic data over a given time period, taking into consideration the jurisdiction(s) of the physical locations.
✓ Due to the complex jurisdictional and other potential multi-tenant issues, it is recommended that a legal advisor be available to consumers of the cloud. Service Level Agreements (SLAs) should be written with clauses that explain the procedures to follow in the event of a forensic investigation, and the SLA should contain clauses dealing with jurisdictional, multi-tenant and other related issues.
✓ Cloud forensics can include: investigations, troubleshooting, log monitoring, data and system recovery, and due diligence and regulatory compliance.
✓ Accurate time synchronization is a significant issue in network forensics, and is made all the more challenging in a cloud environment, as timestamps must be synchronized across multiple physical machines spread over multiple geographical regions, and between cloud infrastructure and remote web clients including numerous end points.
✓ In computer forensics, recovered deleted data is an important source of evidence, and the same holds in the Cloud. A simple challenge is: how to recover deleted data, identify the ownership of deleted data, and use deleted data as sources of event reconstruction in the Cloud?
✓ It remains a challenge for the service provider and law enforcement, during the whole process of investigation, to avoid breaching the confidentiality of other tenants sharing the same infrastructure and to ensure the admissibility of the evidence.
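The time-synchronization item above, worked as an added example (not from the original article or the cited white paper): Python that converts events logged in different time zones to UTC, corrects each source for its measured clock error, and flags event pairs whose order is still not established. The host names, timestamps and clock-error figures are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log entries: (source, local timestamp with UTC offset, event).
RAW_EVENTS = [
    ("vm-us-east", "2024-03-01T09:15:02-05:00", "admin login"),
    ("storage-eu", "2024-03-01T15:15:01+01:00", "object deleted"),
    ("web-client", "2024-03-01T14:15:09+00:00", "delete request sent"),
]

# Constructed clock measurements per source, in seconds:
# (error against a reference clock, positive = runs fast; uncertainty of that figure).
CLOCK = {
    "vm-us-east": (0.0, 0.5),
    "storage-eu": (-4.0, 1.0),
    "web-client": (6.0, 3.0),
}

def normalize(raw, clock):
    """Return (corrected UTC time, uncertainty, source, event) tuples, oldest first."""
    timeline = []
    for source, stamp, event in raw:
        error, uncertainty = clock[source]
        utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        timeline.append((utc - timedelta(seconds=error), uncertainty, source, event))
    return sorted(timeline)

def ambiguous_pairs(timeline):
    """Event pairs closer together than their combined clock uncertainty."""
    pairs = []
    for i, first in enumerate(timeline):
        for second in timeline[i + 1:]:
            gap = (second[0] - first[0]).total_seconds()
            if gap <= first[1] + second[1]:
                pairs.append((first[3], second[3]))
    return pairs

if __name__ == "__main__":
    timeline = normalize(RAW_EVENTS, CLOCK)
    for when, uncertainty, source, event in timeline:
        print(f"{when.isoformat()} +/-{uncertainty}s  {source:<11} {event}")
    for first, second in ambiguous_pairs(timeline):
        print(f"order not established: {first!r} vs {second!r}")
```

On the sample data the uncorrected UTC order puts the deletion first; after correction it comes last, and two of the three pairings remain too close to order with confidence.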
Conclusion
When dealing with a cloud computing environment whether in a forensic investigation, expert witness assignment or simply a consulting engagement for a cloud customer, make sure you have access to a digital forensic consultant; be aware of the cloud customer's level of control over hardware and administrative rights; have an understanding of multi-jurisdiction and multi-tenancy challenges; request to obtain a copy of their Service Level Agreements (SLAs); determine how to measure accurate time synchronization of events if relevant and be aware of the deployment models (i.e. community cloud vs. public cloud) and type of service model (SaaS etc.).
This is not a complete list but you will need at least a basic understanding of the cloud computing environment and sufficient access to other experts.
James Provenzano is a Certified Public Accountant, Certified Fraud Examiner and Certified in Financial Forensics by the AICPA. Mr. Provenzano's accounting and financial background (over 20 years' experience with Big 5 audit firms and sole proprietor of a full-service San Francisco-based CPA firm for eight years) makes him uniquely qualified to lend his expertise on Complex Accounting, Financial Analysis, Auditing, and Financial Reporting in a wide variety of industries, including financial services, mortgage banking, technology and software, manufacturing and not-for-profit.