Gordon Merrill, MSIA, concludes his series on security aspects of operating systems, mobility, and the cloud. Everything that follows is Mr. Merrill’s own work with minor edits.
* * *
The very nature of cloud storage, and one of its selling points, is that the cloud is dynamic. You only use what you need and shut down what you don’t. So if the court orders a forensic recovery of the lost data from the cloud hard drives:
• Do we even know which specific drives were in use by XYZ before the crash at EC2?
• Would Amazon have the ability to remove those drives and replace them with others if ordered to do so?
• How many other companies' data have been written on those drives in the interim?
• If the original XYZ data have been overwritten by other companies and the drives are removed for recovery attempts, does the removal mean that the later users have now lost control of their data?
• Do the current users of the removed drives have to be served with a notice that the drives are being forensically reviewed?
• Is there a legal requirement that the current users need to be notified?
• Are the current users due a description of how their data were handled during the recovery and how the data were destroyed when the exam was complete, so that those users can produce the same to their customers as ordered for compliance with applicable laws?
One last concern facing most companies legally is that of legal hold orders and/or search warrants.
• If XYZ is being investigated by the Department of Justice (DoJ) and the DoJ wants to find out more during the investigation, can the DoJ serve a warrant on Amazon and search without ever notifying XYZ that the search is going on?
• If the same hard drives are now in use by company ABC, does ABC get notified of the search and seizure, or is the warrant on Amazon enough to search without any notice to the companies involved?
You can see from these examples that we have created more questions than answers. We may not be able to expect any reliable answers about the next generation of technology for some time.
I think the key for most information assurance (IA) professionals is that the U.S. government already recognizes the following principle in the Department of Defense (DoD), and it would not be a stretch to see it come into play here. The DoD principle is that you can delegate tasks and jobs, but you can never delegate responsibility.
With several compliance regulations now calling for jail time for company personnel who encounter a data breach, I think a lot of questions need to be answered before we can feel comfortable about opening up our company to mobile devices and cloud-computing services.
Working groups, anyone?
* * *
Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon's information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.