Data stored in the cloud replicates, moves, and is backed up and restored just as non-cloud data is. However, the dynamic and elastic nature of the cloud can present unique challenges when looking to build efficient data governance policies in the virtualized, multitenant environment of the cloud.
From time to time, an organization needs to collect and investigate data items in response to a security incident, data breach, or in support of litigation. In cloud environments, the ability to identify, obtain, preserve, and analyze potential digital evidence is a challenging task, and organizations that do not prepare in advance will find the incident handling, auditing, forensics, and investigation processes to be very challenging to undertake and manage successfully.
Data Security Relevant Event Sources
The relevant event sources you will draw data from will vary according to the cloud services modules that the organization is consuming.
Event Sources: IaaS
In IaaS environments, you typically will have control of and access to event and diagnostic data. Almost all infrastructure-level logs will be visible to you, along with detailed application logs. To maintain reasonable investigation capabilities, auditability, and traceability of data, it is recommended to specify the required data access in the cloud SLA or contract with the cloud service provider.
The following logs might be important to examine at some point but might not be available by default:
- Cloud or network provider perimeter network logs
- Logs from DNS servers
- Virtual machine monitor (VMM) logs
- Host operating system and hypervisor logs
- API access logs
- Management portal logs
- Packet captures
- Billing records
Event Sources: PaaS
In PaaS environments, you typically will have control of and access to event and diagnostic data. Some infrastructure-level logs will be visible to you, along with detailed application logs. Because the applications that will be monitored are being built and designed by the organization directly, the level of application data that can be extracted and monitored is up to the developers.
To maintain reasonable investigation capabilities, auditability, and traceability of data, it is recommended that you work with the development team to understand the capabilities of the applications under development, and to help design and implement monitoring regimes that will maximize the organization’s visibility into the applications and their data streams.
The Open Web Application Security Project (OWASP) recommends the following application events to be logged:
- Input validation failures: For example, protocol violations, unacceptable encodings, invalid parameter names and values
- Output validation failures: For example, database record set mismatch, invalid data encoding
- Authentication successes and failures
- Authorization (access control) failures
- Session management failures: For example, cookie session identification value modification
- Application errors and system events: For example, syntax and runtime errors, connectivity problems, performance issues, third-party service error messages, file system errors, file upload virus detection, configuration changes
- Application and related systems start-ups and shutdowns, and logging initialization: For example, starting, stopping, or pausing
- Use of higher-risk functionality: For example, network connections, addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens, use of system administrative privileges, access by application administrators, all actions by users with administrative privileges, access to payment cardholder data, use of data encrypting keys, key changes, creation and deletion of system-level objects, data import and export (including screen-based reports), submission of user-generated content (especially file uploads)
- Legal and other opt-ins: For example, permissions for mobile phone capabilities, terms of use, terms and conditions, personal data usage consent, permission to receive marketing communications
Standard PaaS development modules should be established to ensure that these items are properly recorded and reported by every application.
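An added example of such a standard PaaS logging module (example code, not part of the original text): it maps the OWASP event categories above to structured JSON log lines, redacts values that must never be logged, and raises the log level for failures and use of higher-risk functionality. The event names, the redaction list and the sample actors and addresses are assumptions.

```python
"""Added example (not from the source text): application event logging for a
PaaS-hosted app, one category per OWASP event type; names are assumptions."""
import json
import logging
from datetime import datetime, timezone
from enum import Enum


class AppEvent(str, Enum):
    """One member per OWASP application event category."""
    INPUT_VALIDATION_FAILURE = "input_validation_failure"
    OUTPUT_VALIDATION_FAILURE = "output_validation_failure"
    AUTHN_SUCCESS = "authn_success"
    AUTHN_FAILURE = "authn_failure"
    AUTHZ_FAILURE = "authz_failure"
    SESSION_FAILURE = "session_management_failure"
    APP_ERROR = "application_error"
    LIFECYCLE = "startup_shutdown"
    HIGH_RISK_FUNCTION = "high_risk_functionality"
    LEGAL_OPT_IN = "legal_opt_in"


# Fields that must never reach the log verbatim (assumed list).
REDACT_FIELDS = {"password", "session_token", "card_number", "encryption_key"}
logger = logging.getLogger("app.security_events")


def build_event(event, actor, source_ip, outcome, **details):
    """Return one structured record; values for sensitive keys are redacted."""
    safe = {k: ("<redacted>" if k in REDACT_FIELDS else v) for k, v in details.items()}
    return {"ts": datetime.now(timezone.utc).isoformat(), "event": event.value,
            "actor": actor, "source_ip": source_ip, "outcome": outcome, "details": safe}


def log_event(event, actor, source_ip, outcome, **details):
    """Emit the record as one JSON line (easy to ship and query) and return it."""
    line = json.dumps(build_event(event, actor, source_ip, outcome, **details), sort_keys=True)
    # Failures and use of higher-risk functionality warrant a higher level.
    level = logging.WARNING if outcome == "failure" or event is AppEvent.HIGH_RISK_FUNCTION else logging.INFO
    logger.log(level, line)
    return line


if __name__ == "__main__":  # constructed sample events
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log_event(AppEvent.AUTHN_FAILURE, "alice", "198.51.100.7", "failure",
              password="hunter2", reason="bad credentials")
    log_event(AppEvent.HIGH_RISK_FUNCTION, "admin", "203.0.113.5", "success",
              action="add_user", target="bob")
```

Because every record carries the same fields, the application's logs can be forwarded to the organization's log platform and filtered by event category without per-application parsing.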
Event Sources: SaaS
In SaaS environments, you will typically have minimal control of and access to event and diagnostic data. Most infrastructure-level logs will not be visible to you; what you can see will be limited to high-level, application-generated logs located on a client endpoint. To maintain reasonable investigation capabilities, auditability, and traceability of data, it is recommended to specify the required data access in the cloud SLA or contract with the cloud service provider.
If available, the following data sources could play an important role in event investigation and documentation:
- Web server logs
- Application server logs
- Database logs
- Guest operating system logs
- Host access logs
- Network infrastructure device logs
- Application-level logs
- Virtualization platform logs and SaaS portal logs
- Network captures
- Billing records
- User access records
- Management application logs
NOTE: Log availability is dependent on the selected cloud service provider.
Data security is a core element of cloud security. To attain this goal, organizations must:
- Intimately know and understand the data they have in their possession
- Track and understand the data’s context and environment throughout its journey through the cloud secure data lifecycle
- Use role-based access management to make data access decisions based on actor, channel, device, location, and function
- Select and implement the required data security controls needed to enforce access decisions at every data lifecycle stage
Potential controls and solutions can include encryption, DLP, file and database access monitoring, obfuscation, anonymization, tokenization, or masking.
Since these controls are applicable to different cloud service models, service model selection may be driven by data security requirements and cloud service provider SLAs. This important linkage significantly raises the importance of proper data classification processes and governance. Data classification can also determine the effectiveness of an organization’s data event logging and auditing process.