Cloud and Fraud Issues in the context of fraud

N/A
N/A
Protected

Academic year: 2021

Share "Cloud and Fraud Issues in the context of fraud"

Copied!
39
0
0

Loading.... (view fulltext now)

Full text

(1)

Cloud and Fraud

Issues in the context of fraud

Data Expert, Intelligence Experience 2013 3 October 2013

Legal & Regulatory compliance

In practice

Data privacy issues in the context of e-discovery, whistleblowing and fraud Page 2


Content

Fraud

Trends

Technical / Security Issues

Prevention

Discover(y)

Security

Data privacy

Compliance

Takeaways

Fraud (1/3)

In criminal law, fraud is intentional deception made for personal gain or to damage another individual.

Fraud (2/3)

Pharming, phishing, spyware, acquisition fraud, extortion, fakers, Nigerian scams, share price manipulation, spoofing, romance fraud, pyramid schemes

Fraud (3/3)

“Anyone who, with the intent of unlawfully benefiting himself or another, either by assuming a false name or a false capacity, or by cunning artifices, or by a web of fabrications, induces a person to hand over any property, to make available data with monetary value in commercial transactions, to incur a debt or to waive a claim, shall, as guilty of swindling (oplichting), be punished by imprisonment of at most four years or a fine of the fifth category.” (Art 326 WvSr, Dutch Criminal Code)

Trends (2/5)

Trends (4/5)

PRISM

FISA

Art 50 USC 1881a

Trends (5/5)

► TILT/WODC: Misdaad en opsporing in de wolken. Knelpunten en kansen van cloud computing voor de Nederlandse opsporingspraktijk (Crime and investigation in the clouds: bottlenecks and opportunities of cloud computing for Dutch criminal investigation practice; Feb 2013, with a TILT follow-up study in July 2013)

► EU/EC Proposal EU Cybersecurity Directive (Feb 2013)

► EUROPOL: Serious and Organised Crime Threat Assessment (SOCTA) report (Mar 2013)

“(...) the increasing adoption of cloud computing technologies will continue to have profound impact on law enforcement investigation. It will see users and criminals storing less data on their devices, which will present a significant challenge to existing criminal investigations and digital forensic practice”.

► CaaS (Crime-as-a-Service)

Technical architecture

Public vs private

Hypervisor & virtual machine

Security issues

I run my applications on an unknown platform. I store my data in an unknown location. What about confidentiality? Integrity? Availability?

IF THE CLOUD SERVICE PROVIDER IS CONTROLLING YOUR DATA, THEN YOU’RE NOT.

I use hardware I do not control. I have outsourced my data!

Prevention - Data centric approach

Data governance: policies and standards, identification, risk assessment, classification, architecture

Data control, by focus area (structured data / unstructured data):

Data in use
► Structured data: data anonymisation, privileged user monitoring, access/usage monitoring
► Unstructured data: use of test data, data redaction, export/save control

Data in motion
► Structured data: perimeter security, network monitoring, internet access control
► Unstructured data: data collection and exchange, messaging (email, IM), remote access

Data at rest
► Structured data: endpoint security, host encryption, mobile device protection
► Unstructured data: network/intranet storage, physical media control, disposal and destruction

Quality

Supporting information security processes: configuration management, physical security, employee screening and vetting, training and awareness, third-party management and assurance, vulnerability management, incident response, data privacy/document protection, digital rights management, asset management, identity/access management, security information/event management

Prevention - Access management

► Unauthorized access from the inside should be prevented by thorough access controls.

► For access from the outside, the authentication and authorisation model of the cloud user should be the framework.

► SAML (Security Assertion Markup Language)

► OpenID Connect

► XACML (eXtensible Access Control Markup Language)

► SPML (Service Provisioning Markup Language)

Prevention - Awareness

Paradigm

Cloud computing: I have NO knowledge about the underlying technology.

Forensic IT investigations: I want to know EVERYTHING about the underlying technology.

Discover - e-Discovery

► The process of identifying, preserving, collecting and producing documents and electronically stored information (ESI) that may be used as evidence in a legal proceeding

► Information exchanged through discovery is subject to review and analysis

► While discovery is a civil litigation term, the basic processes of e-discovery (identification, preservation, collection, review and analysis) also apply

„Iceberg“ of data (figure)

Electronic Discovery Reference Model

www.edrm.net

e-discovery reference model (EDRM)

Stages (figure): Information Management, Identification, Preservation, Collection, Processing, Review, Production, Presentation; volume decreases and relevance increases from left to right

EDRM case study

Initial situation: 126,000 emails from four custodians preserved and collected (sources: client machines, email servers, file servers, archives)

Processing

► Automatic de-duplication of all emails down to 52%

126,000 emails → 66,000 emails

Smart Filters

► Filters for senders and receivers

► Filters for specific time slots (Q2 2012)

► Reduction of all emails down to 4.2 %

66,000 emails → 5,300 emails

Keyword Search

► Search for relevant keywords

► Reduction of all emails down to 1%

1,250 emails to review
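The three-stage funnel on this slide (de-duplication, sender/time filters, keyword search), as an added Python example that is not part of the original presentation; the sample messages, the people of interest and the keywords are constructed for illustration, and the Q2 2012 time slot is taken from the slide.

```python
import re
from collections import namedtuple
from datetime import date

Email = namedtuple("Email", "sender recipients sent subject body")  # recipients: tuple of addresses

def normalise(text):
    """Lower-case and collapse whitespace so re-formatted copies compare equal."""
    return re.sub(r"\s+", " ", text).strip().lower()

def dedupe(emails):
    """Processing stage: keep one copy per content fingerprint (first occurrence wins)."""
    seen = {}
    for e in emails:
        key = (normalise(e.sender), tuple(sorted(map(normalise, e.recipients))),
               normalise(e.subject), normalise(e.body))
        seen.setdefault(key, e)
    return list(seen.values())

def smart_filter(emails, people, start, end):
    """Smart-filter stage: sender or recipient of interest, within a time slot (e.g. Q2 2012)."""
    people = {normalise(p) for p in people}
    return [e for e in emails if start <= e.sent <= end and
            (normalise(e.sender) in people or any(normalise(r) in people for r in e.recipients))]

def keyword_search(emails, keywords):
    """Keyword stage: whole-word, case-insensitive match over subject and body."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.IGNORECASE)
    return [e for e in emails if pattern.search(e.subject + " " + e.body)]

def edrm_funnel(emails, people, start, end, keywords):
    """Run the three stages and report how many messages survive each, like the slide's funnel."""
    unique = dedupe(emails)
    filtered = smart_filter(unique, people, start, end)
    hits = keyword_search(filtered, keywords)
    return {"collected": len(emails), "deduplicated": len(unique),
            "filtered": len(filtered), "to_review": len(hits)}

# Constructed sample corpus (not the case study's data): message 2 is a re-formatted
# duplicate of message 1, message 4 involves nobody of interest, message 5 predates Q2 2012.
SAMPLE = [
    Email("alice@example.com", ("bob@example.com",), date(2012, 5, 3), "Invoice 4711", "Please approve the invoice for the consulting fee."),
    Email("alice@example.com", ("bob@example.com",), date(2012, 5, 3), "Invoice 4711", "Please approve the  invoice for the consulting fee. "),
    Email("bob@example.com", ("alice@example.com",), date(2012, 6, 14), "Re: Invoice 4711", "Approved, the kickback is sorted."),
    Email("carol@example.com", ("dave@example.com",), date(2012, 5, 20), "Lunch", "Pizza on Friday?"),
    Email("alice@example.com", ("bob@example.com",), date(2011, 12, 1), "Old invoice", "Kickback from last year."),
    Email("alice@example.com", ("carol@example.com",), date(2012, 4, 2), "Team", "Welcome to the team."),
]
PEOPLE, KEYWORDS = ["alice@example.com", "bob@example.com"], ["invoice", "kickback"]
Q2_START, Q2_END = date(2012, 4, 1), date(2012, 6, 30)
```

Calling `edrm_funnel(SAMPLE, PEOPLE, Q2_START, Q2_END, KEYWORDS)` reports the count after each stage; on real collections the fingerprint would normally also cover attachments and message IDs.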

Security - Basic Security

How is the data protected from malware? Antivirus in the cloud

How can an attack on applications or data in the cloud be detected? An IDS looks at abnormal behavior or works signature based, but the systems it’s protecting are constantly changing

How do you monitor incoming and outgoing traffic to the cloud, if the boundaries of the cloud keep changing?

Security - Privileged User Access

Who has access to your data? Do you know their names, have they been vetted?

What happens if they go on a holiday?

What happens when your data needs to be moved to other systems, locations?

How does access to your data get logged?

Are these logs tamper resistant?

Are your security policies used as a minimum standard? For example two factor authentication, no shared accounts/credentials


Information Security Compliance

Requirements

Who is ultimately responsible for your data?

Can you have your provider audited?

Does your provider undergo regular third-party audits?

Do you have access to their audit reports?

Is your provider certified in any way?

Security - Data Segregation

What happens with data at rest? Backup tapes, for example

Is your data on shared systems with other customers?

Does your provider use encryption? If so, what are their encryption schemes?

Are these schemes tested and good security practice?

What if somebody makes a mistake and renders your data useless?

A lot of data also makes an attractive target.

WITH GREAT DATA COMES GREAT RESPONSIBILITY

Security - Recovery

Is data replicated and stored in multiple locations located at a wide distance?

How long does it take to do a full restore of your data? And can they even do that?

What if clouds are used for peak performance: where does the data go in the end?

How do you wipe a cloud?

A great example of software infrastructure that scales is an online town hall meeting held by the US President. The Administration was able to instantly scale its database to support more than 100,000 questions and in excess of 3.5 million votes, without worrying about usage spikes that typically would be tough to manage. Because of the cloud, there was no need to provision extra servers to handle the increased

Security - Data Location

Where is your data located? Is your data allowed to be located in this location? Safe harbor, EU privacy regulation

Are your users aware where their data resides?

Can your provider meet your requirements?

Can investigative services be performed on the data in that location?

Security - Investigative Support

How does logging take place? Is the logging exclusive for your data?

Can the provider provide you with useful documentation and log files when an incident has occurred?

Does the provider have any proven experience with this? How long will it take the provider? Can you get a sample?

How long are log files retained? Are log files rotated? What about application and database logs?

How will data be exported for investigative purposes? It’s not possible to make an image of a cloud.

How much data needs to be analysed?

Data Privacy: Authorization to access employee files, mails and logfiles

► Work related files vs. private files

► Private files always remain the domain of the employee and their intrusion constitutes a clear personality violation unless certain prerequisites are fulfilled

► Implementation of technical safeguards, but without using control mechanisms which potentially put the employees' contractual and personality rights in jeopardy

Scope of permitted investigation

► No systematic monitoring of a specific employee's activities

► No access to e-mails which are marked or recognizable as private

► Punctual surveillance activities are allowed as far as they are clearly described in a surveillance policy and they are in a first phase conducted anonymously; the surveillance policy must be accessible to the employees

► When an abuse has been discovered, the employer may monitor

How to deal with requests of investigation

► If there is adequate ground to suspect illegal activities, secret investigations may be appropriate

► Such investigations may however not be conducted at the employer's discretion; criminal investigations always require notification of the authorities prior to taking surveillance measures. An employer may however secure evidence.

Compliance - ICO

Assessing the security of a cloud provider

54. The DPA requires that data controllers take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

55. When processing is undertaken by a data processor, the data controller must choose a processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures.

56. The cloud customer should therefore review the guarantees of availability, confidentiality and integrity that the cloud provider provides.

Compliance - CSA

Take away - Opportunity

If you are considering moving to a cloud based solution, this may be the time to:

! Change and check for default passwords

! Do an application review

! Reconsider access rights and (move to) strong authentication

! Get rid of the unknown unknowns

! Make investigative support part of the contract

! Make a notification of

10 practical tips for your security program

1. Identify and classify your data

2. Be concerned about view only access

3. Implement a data management life cycle

4. Do not allow unauthorized devices on your network

5. Do not permit the copying of sensitive data to removable media

6. Improve authorization and access control measures

7. Understand data usage and flows and data leakage vectors

8. Take a risk based approach

9. Update your policies, models and contracts and create awareness

10. Audit your own compliance

TAKE A HOLISTIC APPROACH


Thank you

peter.kits@hollandlaw.nl 06 21252338


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity.

Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. © 2013 Ernst & Young.

All Rights Reserved.

EMEIA MAS 1214.0213
