As a continuation of my previous blog entry, An Introduction to Cloud Forensics, this entry explains how well enterprises understand IT security and cloud forensics.
What is the level of understanding among Asian enterprises when it comes to IT security and cloud forensics?
That’s tough to answer. We have not performed a survey to identify the level of understanding for cloud forensics and I’m uncertain whether anyone has gone out to do such a study in a systematic way. That being said, I believe, based on past conversations I’ve had with industry counterparts, that certain industries such as financial services and Government agencies (especially law enforcement, defense, and intelligence) are much more advanced than other organizations.
I think all organizations can do better, and I truly believe that, given the threat landscape, cloud security and forensics is an area that organizations should be investing in over the next two years.
Ideally what is the minimum level of understanding to ensure sound security best practices are enforced and adhered to?
Fundamentally, information security is a risk management function. The highest levels of the organization should be engaged (even up to the level of the board of directors). It is important for organizations to understand their risks and then make informed business decisions regarding the level of risk mitigation (and suitable residual risk) that the business should accept.
Information Security is about partnering with the business to provide the desired level of security solutions to achieve organizational business goals. In order to do this effectively, Information Security should not be buried within the IT organization with limited contact with the executive level of the business. Instead, Information Security should be independent of IT, fully aligned with the business strategy, and provide the solutions which will allow the business to achieve business objectives at the identified level of risk.
Regarding enforcement and adherence, by running this from the highest level of the organization, it is much more likely that it becomes ingrained within the culture; however, appropriate consequences should exist for violations and these consequences should be applied across all levels of the organization regardless of the person’s position, job title, and importance to the company.
Are all ‘cloud’ forensics solutions the same or equal? How can an enterprise know what is right for them?
Not all forensic solutions are the same and not all forensic solutions implemented by cloud providers are equal either.
Ignoring private cloud for the moment, enterprises should perform adequate due diligence checks when evaluating cloud providers in general – an area where many organizations can improve in terms of at least understanding and then choosing mitigation strategies for addressing the risks of going onto the cloud. This evaluation should include an understanding of how forensic investigation will be performed and how cloud vendors will respond when the worst happens.
When it comes to private clouds, organizations should be investigating what their risks are and then appropriately choosing controls (including forensic investigative solutions) to mitigate the risks identified. This is really no different from the process of implementing any new technology in an organization.