The ISF have just published a helpful report on how to avoid pitfalls in taking to cloud computing. Many very sensible “sins” are exposed: https://www.securityforum.org/userfiles/public/ISF_Cloud_computing_flyer.pdf
• SIN – information placed in the cloud is not classified correctly, stored appropriately or destroyed completely.
• ISSUES – inappropriate data ends up being stored on third parties’ systems, without formalised access control procedures. For highly regulated industries, it becomes difficult to identify and prove what users are doing.
• ACTION – organisations should classify and assess data before it is moved to the cloud, and should ensure that access control procedures deliver the level of assurance required.
We see many organisations looking at the cloud for its upfront cost benefit. The challenge from an electronic investigation perspective is this disorder.
Who owns the data? How forensic can searches of that data be? How expensive are they in the cloud? How can you ensure your data retention policies are embraced? How can you prove in a court of law that you’ve disclosed it all? How can you truly identify who did what to whom? These are all issues that require upfront planning and, importantly, contractual clarity.
Cloud computing, like almost every IT initiative, can bring significant benefits but, like every IT initiative, should not be adopted on blind faith without significant due diligence across the entire spectrum of need, not just cost.