Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 11 09/27/2011 Security and Privacy in Cloud Computing

Data Forensics in a Cloud Goal: Examine the data forensics problem in cloud computing Assignment #6: Lu et al., Secure Provenance: The Essential Bread and Butter of Forensics in Cloud Computing, AsiaCCS /22/20112Fall 2011 Lecture 10 | UAB | Ragib Hasan

Cloud Forensics: An overview Related reading: Ruan et al., “Cloud Forensics: An Overview”, /22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan3

Digital Forensics Digital Forensics is the “application of science to the – identification, – collection, – examination, and – analysis of data while preserving the integrity of information and maintaining a strict chain of custody for the data.” [Kent 2006] 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan4

Cloud Forensics Cloud forensics is a cross-disciplinary subject – an overlapping of cloud computing and digital forensics 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan5

Modeling crime in a cloud Cloud crime is any crime involving cloud computing [Ruan et al., 2011] Cloud can be the subject, object, or tool of crime – Subject: Cloud is attacked by external attackers – Object: Cloud provider attacks clients – Tool: Cloud computing used to attack external parties 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan6

Cloud forensics is useful for … Investigation – Cloud crime and policy violations – Reconstructing events in the cloud 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan7

Cloud forensics is useful for … Troubleshooting – Pinpointing the physical location of data and hosts in a cloud – Unearthing the root cause of problems – Security incidence handling 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan8

Key Goals of Cloud Forensics Identifying data related to a particular user Attributing data to its creator/owner Identifying intrusions/reconstructing events 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan9

Many issues complicate cloud forensics Technical issues Organizational issues Legal issues Question: Why is cloud computing different? 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan10

Recap: Why is cloud forensics different? Data stored in different jurisdictions Data is replicated many times for redundancy Separation/segregation of duties/control between client and cloud provider is not clear Clouds are multi-tenant environments 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan11

Multi-tenancy and Multi-jurisdicions create complicated scenarios No longer possible to grab the disk and image it for suspect’s data Sophisticated collaboration with cloud provider and possibly international law enforcement departments needed The law is not clear yet 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan12

Technical issues [see Ruan et al.] Data collection: – Finding, labeling, recording, and mining forensic data from a cloud is difficult – Information resides in many different locations, some of which may be offshore – Data collection from a cloud provider may violate privacy laws protecting other customers 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan13

Technical issues Data Collection – Access to cloud data / forensic logs may vary according to cloud model IaaS – easy access to data for forensic investigation PaaS – less flexible access through the cloud API SaaS – Almost no access from client side 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan14

Technical issues Elastic, Static, and Live Forensics – Time Synchronization is very difficult when data resides in multiple locations, machines, data centers – Log format unification is difficult – Recovering deleted data is almost impossible 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan15

Technical issues Evidence segregation – Very difficult to identify only the data belonging to a particular suspect – Separating log files per client is a huge management overhead – Weak registration allows criminals to use cloud almost anonymously – Tools do not exist yet 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan16

Technical issues Investigating virtual machines – Clients don’t use physical hardware directly, rather use virtualized hardware and virtual machines – The evidence may be spread across the client’s machine – Even clients cannot locate the physical position of a piece of data at any time 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan17

Legal issues Multi-jurisdiction and tenancy – One of the top legal concerns in digital forensics in clouds SLAs – Service level agreements still do not include support for cloud forensics 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan18

Clouds do provide some new opportunities for forensics Cost effectiveness: Cloud can be used for forensics as a service Data abundance: There are many replicas of a data object in a cloud. So, deletion does not remove all traces of data 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan19

Clouds do provide some new opportunities for forensics Performance: – Faster data processing, even for smaller law enforcement departments – Reduced total cost of investigation 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan20

Open Problems Creating a framework for a regulatory compliant cloud – i.e., a cloud that allows same level of forensic scrutiny as required by regulations such as Sarbanes-Oxley act, HIPAA, GLB, etc. Creating a privacy-preserving forensic audit framework 09/22/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan21