Cloud and Fraud Issues in the context of fraud

Transcription

1 Cloud and Fraud Issues in the context of fraud Data Expert, Intelligence Experience October 2013 Peter Kits, Attorney at Law IP/IT

2 Legal&Regulatory compliance In practice Clients & Providers perspective Page 2

3 Content Fraud Trends Technical / Security Issues Prevention Discover(y) Security Data privacy Compliance Take aways Page 3

4 Fraud (1/3) In criminal law, fraud is intentional deception made for personal gain or to damage another individual. Page 4

5 Fraud (2/3) Pharming, Phishing, Spy ware, Acquisitiefraude, Afpersing, Faker, Nigeriaanse oplichting, Koersmanipulatie, spoofing, Romantische fraude, piramide spelen, Page 5

6 Fraud (3/3) Hij die, met het oogmerk om zich of een ander wederrechtelijk te bevoordelen, hetzij door het aannemen van een valse naam of van een valse hoedanigheid, hetzij door listige kunstgrepen, hetzij door een samenweefsel van verdichtsels, iemand beweegt tot de afgifte van enig goed, tot het ter beschikking stellen van gegevens met geldswaarde in het handelsverkeer, tot het aangaan van een schuld of tot het teniet doen van een inschuld, wordt, als schuldig aan oplichting, gestraft met gevangenisstraf van ten hoogste vier jaren of geldboete van de vijfde categorie. (Art 326 WvSr) Page 6

7 Trends (1/5) Page 7

8 Trends (2/5) Page 8

9 Trends (3/5) Page 9

10 Trends (4/5) PRISM FISA Art 50 USC 1881a Microsoft, 1st transparency report (Mar 2013) Page 10

11 Trends (5/5) TILT/WODC: Misdaad en opsporing in de wolken. Knelpunten en kansen van cloud computing voor de Nederlandse opsporingspraktijk (Febr 2013 en vervolgonderzoek TILT juli 2013) EU/EC Proposal EU Cybersecurity Directive (Febr 2013) EUROPOL: Serious and Organised Crime Threat Assessment (SOCTA) report (Mar 2013) (...) the to existing criminal investigations and digital forensic practice. increasing adoption of cloud computing technologies will continue to have profound impact on law enforcement investigation. It will see users and criminals storing less data on their devices, which will present a significant challenge CaaS NFC Page 11

12 Technical architecture Public vs private Hypervisor & virtual machine Page 12

13 Security issues IF THE CLOUD SERVICE PROVIDER IS CONTROLLING YOUR DATA, THEN YOU RE NOT. I run my applications on an unknown platform I store my data in an unknown location. What about: Confidentiality? Integrity? Availability? I use hardware I do not control. I have outsourced my data! IF THERE S A HACK, IT S YOUR NECK Page 13

14 Prevention - Data centric approach Data governance Policies and standards Identification Risk assessment Classification Architecture Quality Data control Structured data Data in motion Data in use Data at rest Perimeter security Privileged user monitoring EndPoint security Focus areas Network monitoring Internet access control Data collection and exchange Access/Usage monitoring Data anonymisation Use of test data Host encryption Mobile device protection Network/intranet storage Messaging ( , IM) Data redaction Physical media control Remote access Export/Save control Disposal and destruction Unstructured data Supporting information security processes Identity/access management Security information/event management Configuration management Vulnerability management Digital rights management Incident response Physical security Training and awareness Asset management Data privacy/document protection Employee screening and vetting Third-party management and assurance Business continuity Disaster recovery Regulatory compliance management Change management/sdlc Page 14

15 Prevention - Access management Unauthorized access from the inside should be prevented by profound access controls. For access form the outside the authentication and autorisation model of the cloud user should be the framework SAML (Security Assertion Markup Language OpenID Connect: XACML (extended Access Control Markup Language) SPML (Service Provisioning Markup Language) SCIM (System for Cross-domain Identity Management) Page 15

16 Prevention - Awareness Page 16

17 Paradigm Cloud computing Forensic IT investigations I have NO knowledge about the underlying technology I want to know EVERYTHING about the underlying technology Page 17

18 Discover - e-discovery Iceberg of data The process of identifying, preserving, collecting and producing documents and electronically stored information (ESI) that may be used as evidence in a legal proceeding Information exchanged through discovery is subject to review and analysis While discovery is a civil litigation term, the basic processes of e-discovery (identification, preservation, collection, review and analysis) also apply to investigations and audits Page 18

19 e-discovery reference model (EDMR) Electronic Discovery Reference Model Preservation Processing Information Management Identification Review Production Presentation Collection Analysis Volume Relevance Page 19

20 EDRM case study Initial situation: 126,000 s from four custodians preserved and collected Client Machines s Processing Automatic de-duplication of all s down to 52% Servers Files Servers Archives s s Smart Filters Filters for senders and receivers Filters for specific time slots (Q2 2012) Reduction of all s down to 4.2 % Keyword Search Search for relevant keywords Reduction of all s down to 1% s to review Page 20

21 Security - Basic Security How is the data protected from malware? Anti virus in the cloud How can an attack on applications or data in the cloud be detected? An IDS looks at abnormal behavior or works signature based, but the systems it s protecting is constantly changing How do you monitor incoming and outgoing traffic to the cloud? If the boundaries of the cloud keep changing? Page 21

22 Security - Privileged User Access Who has access to your data? Do you know their names, have they been vetted? What happens if they go on a holiday? What happens when your data needs to be moved to other systems, locations? How does access to your data get logged? Are these logs tamper resistant? Are your security policies used as a minimum standard? For example two factor authentication, no shared accounts/credentials Page 22

23 Information Security Compliance Requirements Who is ultimately responsible for your data? Can you have your provider audited? Does your provider undergo regular 3rd party audit? Do you have access to their audit reports? Is your provider certified in any way? Page 23

24 Security - Data Segregation WITH GREAT DATA COMES GREAT RESPONSIBILITY What happens with data at rest? Backup tapes for example Is your data on shared systems with other customers? Does your provider use encryption? If so what are their encryption schemes? Are these schemes tested and good security practise? What if somebody makes a mistake and renders your data useless? A lot of data also makes an attractive target. Page 24

25 Security - Recovery Is data replicated and stored in multiple locations located at a wide distance? How long does it take to do a full restore of your data? And can they even do that? What if clouds are used for peak performances, where does the data go in the end? How do you wipe a cloud? A great example of software infrastructure that scales is an online town hall meeting held by the US President. The Administration was able to instantly scale its database to support more than 100,000 questions and in excess of 3.5 million votes, without worrying about usage spikes that typically would be tough to manage. Because of the cloud, there was no need to provision extra servers to handle the increased demand or forecast demand ahead of time. Page 25

26 Security - Data Location Where is your data located? Is your data allowed to be located in this location? Safe harbor, EU privacy regulation Are your users aware where their data resides? Can your provider meet your requirements? Can investigative services be formed on the data in that location? Page 26

27 Security - Investigative Support How does logging take place? Is the logging exclusive for your data? Can the provider provide you with useful documentation and log files when an incident has occurred? Does the provider have any proven experience with this? How long will it take the provider? Can you get a sample? How long are log files retained? Are log files rotated? What about application and database logs? How will data be exported for investigative purposes? It s not possible to make an image of a cloud How much data needs to be analysed? The need for another investigator cloud Page 27

28 Data Privacy: Authorization to access employee files, mails and logfiles Work related files vs. private files Private files always remain the domain of the employee and their intrusion constitutes a clear personality violation unless certain prerequisites are fulfilled Implementation of technical safeguards but without using control mechanisms, which potentially put the employees' contractual and personality rights in jeopardy Page 28

29 Scope of permitted investigation No systematic monitoring of a specific employee's activities No access to s, which are marked or recognizable as private Punctual surveillance activities are allowed as far as they are clearly described in a surveillance policy and they are in a first phase conducted anonymously; the surveillance policy must be accessible to the employees When an abuse has been discovered, the employer may monitor an employee s use of the internet Page 29

30 How to deal with requests of investigation If there is adequate ground to suspect illegal activities, secret investigations may be appropriate Such investigations may however not be conducted at the employer's discretion; criminal investigations always require notification of the authorities prior to taking surveillance measures. An employer may however secure evidence.? Page 30

31 Compliance - CBP - SurfNet Page 31

32 Compliance - ICO Assessing the security of a cloud provider 54. The DPA requires that data controllers take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 55. When processing is undertaken by a data processor, the data controller must choose a processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures. 56. The cloud customer should therefore review the guarantees of availability, confidentiality and integrity that the cloud provider provides. Page 32

33 Compliance - Art 29 Working Party Page 33

34 Compliance - CSA Page 34

35 Take away - Opportunity If you are considering moving to a cloud based solution, this may be the time to:! Change and check for default passwords! Do an application review! Reconsider access rights and (move to) strong authentication! Get rid of the unknown unknowns! Make investigative support part of the contract! Make a notification of governmental requests part of the contract Page 35

36 10 practical tips for your security program TAKE A HOLISTIC APPROACH 1. Identify and classify your data 2. Be concerned about view only access 3. Implement a data management life cycle 4. Do not allow unauthorized devices on your network 5. Do not permit the copying of sensitive data to removable media 6. Improve authorization and access control measures 7. Understand data usage and flows and data leakage vectors 8. Take a risk based approach 9. Update your policies, models and contracts and create awareness 10. Audit your own compliance Page 36

37 Questions? Page 37

38 Thank you

39 Ernst & Young Assurance Tax Transactions Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit Ernst & Young. All Rights Reserved. ED None EMEIA MAS