Thursday, September 17, 2009

Take your time when in the "Clouds" ... Think Defense

... continued from May 2009 post http://tinyurl.com/cmesul ...

1. What lives in your "Cloud"?
2. Where does your "Cloud" hover?
3. What is stated in your "Cloud" EULA?

Lets begin with those simple questions. If the answer includes a stutter or hesitation the discovery phase of litigation just got real expensive.

Listen up (read closely)!

The bleak economy has caused most companies to panic over luxury expenses like new desktops, laptops, servers and storage. The notion of cloud computing is extremely appealing as a form of modern day Technology Outsourcing. Electronic communications and other edata considered Highly Confidential is re-assessed and downgraded to levels that don't require as much privacy. Privacy that is challenged within the "Cloud".

Wait how dare one suggest that your "Cloud" is not secure? ....
.... Secure maybe ... but definitely not Private and definitely Easily Accessible ... definitely Discoverable!!!

Corporations use of external "Cloud" computing and storage should only be limited to normal course of business documents and document templates. This applies to entities where an internal VMware, SBS and/or Email Server setup is not existent or feasible. Thus services from Amazon, Google and Microsoft are appealing as the bright idea light shines a message reading it's safe to store and manage all corporate data in their stratosphere.

"... their stratosphere" ...

The company is provided a block of space with the ability to grant endusers access to the block. Endusers have the permissions to read, edit and publish content within the block via any internet connection. The uptime and maintenance are managed by the block provider. A true convenience and excellent method for reducing costs related to capital expenditures.

Soooo ... Where is this "block" of space?; Which server is being accessed that provides and tracks permissions for the corporation to the storage device?; Who is monitoring activity to slow and deter unauthorized intrusions?; When the shared storage is full how is block space reallocated, distributed and made seamless when more is requested?; Should one really be concerned with such a trivial thinking? ... Is this a Privacy concern? ... Perhaps ....

Hopefully with adding "Cloud" computing and storage solutions to the business process model, the wildly old Veteran IT Professional is still employed (or at least on retainer). Most human beings treat the complexity of "Cloud" computing as a simple brainless way to manage and store edata "however you like". Which is great, until an investigation ensues.

Investigations are no longer centric to office equipment and storage. In recent years there has been sharp increase in the seizure of endusers "personal" home and portable equipment in response to a corporate investigation. The primary goal of the Investigator is to report on where information was created, when it was created, who the information was shared with and the number (location) of instances for where the information lives. A cumbersome yet fairly straightforward task for the Investigator ... except .... today the "Cloud" renders new challenges for Investigators.

When investigating data sources not managed directly by the company nor the enduser, the "Cloud" EULA agreement is critical. Within a matter of seconds the Veteran IT Professional can provide the internal computer architecture Archive & Retention policy as well as the backups if required for the investigation. Investigators are very interested in how data is kept as it gives character and shows trends within the business process model. Most have no working knowledge of how nor when or where their data is being replicated or archived by the "Cloud" provider. There is not any legislation that currently addresses the expected role of the "Cloud" provider to assist/respond in such investigations. Nor are there any standards for accessing and "downloading" data kept within the "Cloud" for preservation and review. Email host (cloud) providers included.

How to prepare for a "Defensible Collection" from the Heavens? ... The common sense approach

Collecting eDocs
Investigators, with the Veteran IT Professional, first focus on obtaining access and usage log reports from the "Cloud" provider. If attainable, will present a tenative roadmap depicting the history of when files where published, accessed and modified within the "Cloud". Second, if attainable, a request of system maintance logs for the corporate "block(s)" from the "Cloud" provider. Third, a directory listing of data stored within the "block". This is used in the attempt to implore visual logic in the identification of potentially responsive edata, in most cases this is not nearly as effective for data in "blocks". The system metadata is not reliable thus all of the data needs to be shut off from access to the endusers so the data can be downloaded and preserved for review. Depending on the sensitvity of the case, good lawyering skills and shear volume of data will determine the amount of time the corporation, endusers and "Cloud" will be potentially be crippled. During the course of a typical investigation any unauthorized proprietary information violations are removed before returning collected evidence ... This topic alone deserves a separate post for how to permanently remove such edata from within the "Cloud".

Collecting eMail
Microsoft Outlook is no longer the standard for accessing, downloading and managing web-based email. In the same manner that implementing a Hosted Exchange Server is becoming a standard for businesses as it has become increasingly burdensome to combat spam and the hackers.

The Investigator no longer just ask "where is your exchange server and what is your email retention policy?". Today it is more concise to ask, "how is email managed?". Are endusers permitted to access personal webmail through the corporate email client?

In this mobile age the demand from technophytes to have unlimited access to information has birthed FREE resources to meet every need. Especially EMAIL. Internet email giant AOL just within the last 5yrs began offering free screen names in a move to compete with the popularity of Yahoo, Google and Windows Live (the new hotmail). It is predicted that 1 out of every 5 humans has a gmail, aol, hotmail and/or yahoo email account. For the humans that are employed, 3 out of 5 forward business emails to their personal email account as a matter of future reference.

Taking these types of statistics into consideration, the Investigator is required to engage each enduser about their personal email management. Typically IT can't and doesn't control or regulate these activities.

"... everyone received and signed the handbook acknowledging the Computer and Internet policy ..."

As this trend becomes even more common the need to collect from enduser personal webmail clients becomes a necessary intrusion. The most common forms are POP3 and IMAP mail. The method of analysis and collection will vary for each type of webmail client. The most common collection utility for webmail is to capture (download) to Microsoft Outlook Client and export to a .PST file. The process needs to be recorded in the chain of custody documentation and audited for accuarcy.

In closing for now, in the event your company is considering implementation of "Cloud" computing make certain of these items:

1. Update the Archive and Retention Policy to include the "Cloud"; and
2. Update the Internet and Computer Use Policy to include business emails and transmission of business email including using personal thumb drives.

The author is a supporter of cloud computing and believes that caution must be exercised before one leaps. The opinions are solely those of the author and experiences of the author's tenure in Legal Discovery.