Internal Investigations and the Cloud


One hour

Published in: Business, Technology
  • Dan Michaluk, Hicks Morley
    - We work for management
    - Support internal investigation work
    - Argue cases that flow from internal investigation work
    - Worked with organizations on outsourcings to cloud
    - Not an IT pro
    - Not a forensics pro…
    About how cloud computing will affect your job as an internal investigator and what to do about it
    Important topic for investigators because the success of your work depends on access to information
    Business use of the cloud is a threat, but it can be managed
    In a more obvious way social media use is a potential source of evidence… talk about one issue that’s come up recently… access to personal accounts
  • Let’s cover the basics
    Anyone volunteer to describe what cloud computing is?
    Key features that create a problem
    - third-party owned
    - cost effectiveness supersedes control
    - distributed
    - server provision is “virtualized” (some degree of intermingling problem)
    Great trend
    - tell story about education sector pitch
    Developing distinction between consumer cloud (“public”) and enterprise (“private”) cloud
    - very important distinction for business
    - if business has any control, it must have the primary agreement with the cloud provider
  • Bigger problem for business is data portability
    Too easy to move data between systems now
    Tell story about Crown’s pitch
    A bunch of information that should be organization’s control is now “out there”
    Evidence trails will lead you to data sources that you can’t access through routine and authorized means
    What do we do about that?
    There will be some compromise to your investigation
    You’ll have to live with that
    Question is how do we manage the risk when corporate security is not ideal
  • Summarizes the cloud problem
    Low cost – comment on cloud provider bias
    - Computer World UK article from Friday… cloud providers will compete on flexibility
    Investigations and e-discovery afterthought
    - Barry Murphy, eDJ Group Inc. survey
    - Anecdotally, investigation rights focused on data breach investigation rights
    - Forensic issues
    - Meaning from information
    - e.g. time stamps… beg more questions about how they are generated
  • Facilitated discussion
    Let’s draw from your current experience
  • This is a business problem not an investigation problem
    You need to get identified as a stakeholder and make your needs known
    Ultimately there will be compromise
    There will be risks
    It’s a less than ideal computing model for your needs
    Be open to that
    The cost savings will compel some level of adoption
  • Here’s the process I foresee
    Very tailored approach
    There will be great resistance to this type of analysis from most vendors
    But if you’re going in blind you should at least know that
  • Facilitated discussion
    Let’s brainstorm about potential requirements
  • Here’s what you must know
    - must know the jurisdiction
      - less willing to disclose than you think
      - will affect access to data
      - good due diligence will entail a local opinion on access to PI
    - how is data stored
      - data map/model
    - intermingling key
      - stories about law enforcement seizing whole servers
      - how are you protected from that
    - last bullet are the “money” questions
      - can only ask them if you have a good data map
  • More questions
    - might have to prove authenticity of exports or images
      - cooperation essential
      - what’s arrangement?
      - what’s the protocol?
      - think ahead
    - how fast
      - speed of investigation is critical
      - delay increases exposure to risk of financial harm
      - increase cost of paying employees on leave
      - increase risk of employment damages claims
  • New topic
    Information beyond your control
    Investigations lead to personal devices, computers and accounts
  • Example
  • Risks of hacking in
  • Here’s the solution
  • Here’s the solution
  • Internal Investigations and the Cloud

    1. Internal Investigations and the Cloud
       Dan Michaluk
       ACFI Fraud Conference
       May 28, 2012
    2. Internal Investigations and the Cloud
       • What is cloud computing?
       • Why is it a problem for investigators?
       • What's the solution?
       • The problem with the consumer cloud
       • The consumer cloud – personal accounts
       • Good resources
    3. What is cloud computing?
       • Model for delivery of computing services
       • Services outsourced and accessed through the internet, on demand, at desired scale
       • Data resides on servers owned by third parties, often with the data of others and often in one or more foreign countries
       • Consumer services differ from enterprise services
    4. What is cloud computing?
       • It is related to a “data portability” phenomenon
         • “We've got work information on personal devices and personal information on work devices”
         • Add to that, multiple companies on physical servers
         • This creates ambiguity that can be dealt with by contract (and I assume by technology) – i.e. we need to replace physical control with legal control
    5. Why is it a problem for investigators?
       • It threatens timely access to reliable evidence
         • Providers default to low cost rather than service
         • Investigations and e-discovery are afterthoughts
         • Specialized forensic data capture services are rare
         • Logs and other forensic data can be intermingled
         • Proprietary software can make interpretation hard
         • Access restrictions create a chain of custody issue
         • Law of other jurisdictions may be restrictive
    6. Why is it a problem for investigators?
       • Discussion
         • Do your employers or clients use cloud-based services for business?
         • Has this affected your investigations?
         • How?
    7. What’s the solution?
       • The solution is simple (in theory)
         • Outsourcing process requirements definition, vendor selection, due diligence and contracting and administration
         • You need to insert yourself in all aspects of this process to communicate your requirements and see that they are met
         • But… be prepared to compromise because the cloud is the cloud and physical control is supreme
    8. What’s the solution?
       • The solution is simple (in theory)
         • Understand the system and the data it generates
         • Develop investigation scenarios
         • Develop investigation requirements
         • Prioritize requirements
         • Discuss requirements
         • Ensure requirements can be met
         • Service level agreement is key, but is not everything
    9. What’s the solution?
       • Assume your employer or a client is moving its accounting system to the cloud. As a fraud investigator, what are your key needs?
    10. What’s the solution?
        • Key questions (among others)
          • In what jurisdiction(s) will data reside?
          • How is data stored at application & system levels?
          • Can our data be extracted independently from others' data?
          • What forensic data do we want? Will you make it available to us? How? To others? How will that affect us?
    11. What’s the solution?
        • Key questions (among others)
          • Will your employee give evidence to establish the chain of custody?
          • How fast will you make all this happen?
    12. The problem with the consumer cloud
        • It is a data security risk – business information is leeching into personal accounts and home computers
          • Example – employee sends work home via a web based personal e-mail account
          • Example – business unit starts using Google docs to collaborate though the company has no enterprise services relationship with Google
    13. The consumer cloud - personal accounts
        • The Calgary Police Service case (April 2012)
          • Internal sexual misconduct investigation
          • E-mail review… search for “password”
          • Found login credentials for personal e-mail account
          • Accessed on “data leakage” theory
          • Found (unanticipated) evidence of sexual misconduct
          • Alberta OPIC finds a violation of privacy legislation
    14. The consumer cloud - personal accounts
        • Why unauthorized access is a bad idea
          • Except in extraordinary circumstances it is likely to be a criminal offence – Criminal Code s. 342.1
          • A labour arbitrator may exclude evidence
          • Though not ideal, there is a work-around
    15. The consumer cloud - personal accounts
        • The work-around
          • Finish the covert investigation
          • Confront the employee
          • Make a preservation demand
          • Make a reasonable inspection demand
          • Be prepared to manage a refusal through an insubordination charge and an adverse inference
    16. The consumer cloud - personal accounts
        • “Friending” targets is risky
          • “Friending” as yourself may not be that helpful
          • Impersonation is a criminal offence (s. 403)
          • Do your professional rules prohibit the use of fake profiles to gain information?
    17. Related Resources
        • J. Cheng, “IBM's Siri ban highlights companies' privacy, trade secret challenges”
        • Digital Forensics Laboratories, “Digital investigations in the Cloud”
        • T. Harbert, “E-discovery in the Cloud? Not so easy.”
        • W. Manning, “Investigating in the Clouds”
        • K. Ruan et al, “Cloud forensics: An overview”
        • A. Savvas, “Cloud providers cave into more flexible contracts.”
        • T. Trappler, “In the Cloud, Your Data Can Get Caught Up in Legal Actions”
        • K. Zetter, “FBI Uses 'Sledgehammer' to Seize E-Mail Server in Search for Bomb Threat Evidence”
    18. Internal Investigations and the Cloud
        Dan Michaluk
        ACFI Fraud Conference
        May 28, 2012