Responding to a Data Breach in the Cloud
Operating in the Cloud Brings Additional Data Security Issues
Doug Pollack, ID Experts
There are new and additional challenges that come into play when you have a data breach of sensitive personal information of your customers, or others, when that data resides in the cloud. The Cloud Security Alliance February 2013 report titled The Notorious Nine: Cloud Computing Top Threats in 2013 recognizes data breaches at the #1 cloud security threat. So given this level of risk, how do you prepare for, and what new twists must you anticipate, when it comes to a data breach by a cloud vendor?
As noted in a recent discussion with Seth Berman of Stroz Friedberg (Cloud service providers often not set up for incident response, ComputerWeekly.com, August 2, 2013):
“Companies are forced to fight attackers on multiple geographic fronts, but the complexities of the internet cloud and patchwork quilt of data privacy laws means a prompt response is often difficult.”
And while as Mr. Berman notes, part of the complexity is the interesting web of laws that dictate the requirement for data breach notification, especially given that in the U.S. federal and state laws can overlap in confusing ways, much of the challenge can be in just determining the relevant facts: what data on what individuals was exposed? He further notes that:
“We regularly deal with incidents where data is scattered across servers in multiple physical locations or even on servers that may house other companies’ data. This makes forensic response complicated, slow or, in some cases, impossible.”
Which is understandable. Part of the benefit of using cloud services is that they handle the virtualization process and scalability issues for you. So sensitive personal data to which you are entrusted can be spread across servers, and in some cases, on shared systems with other company’s similarly sensitive information. So imagine the challenges of carrying out a forensics investigation to determine the nature and level of data exposure, when you don’t “control” the computing environment.
A starting point to address this thorny issue comes in a recent report from Gartner Group on cloud contracts. Gartner has recommendations and guidance for companies to improve the provisions in their cloud contracts to address data breach risks and the processes for mitigating compromises and supporting the required data breach notification process. And then of course, there is the question of who bears the costs, and which costs.
It makes a great deal of sense to address the questions of how a data breach is handled with your cloud vendor as part of the agreement. Given the challenges in carrying out forensics in a timely and accurate fashion, you really want to be assured that your cloud vendor will have your back.
While it might be obvious to you already, it is your company’s reputation that is at risk with such a breach, and your obligation, morally and otherwise, to address the issues that surface with the affected individuals. So if your cloud vendor isn’t prepared to help you in promptly assessing the nature, scope and extent of a breach, then your life is likely to be much less pleasant for a long while.
Doug Pollack, CIPP, is chief strategy officer at ID Experts, responsible for strategy and innovation including prevention analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets. Prior to ID Experts, he held senior management roles at Digimarc, several successful software startups, 3Com Corporation and Apple, Inc. Doug holds a BSEE from Cornell University and an MBA from the Stanford Graduate School of Business.