Cloud and Fraud
Issues in the context of fraud
Data Expert, Intelligence Experience 2013 3 October 2013
Legal&Regulatory compliance
In practice
Data privacy issues in the context of e-discovery, whistleblowing and fraud Page 2
Content
► Fraud
► Trends
► Technical / Security Issues
► Prevention
► Discover(y)
► Security
► Data privacy
► Compliance
► Take aways
Fraud (1/3)
► In criminal law, fraud is intentional deception made for personal gain or to damage another individual.
Fraud (2/3)
► Pharming, phishing, spyware
► Acquisition fraud (Acquisitiefraude), extortion, Faker
► Nigerian scam (advance-fee fraud), stock price manipulation, spoofing, romance fraud, pyramid schemes
Fraud (3/3)
“He who, with the intent of unlawfully benefiting himself or another, whether by assuming a false name or a false capacity, by cunning artifices, or by a web of fabrications, induces someone to hand over any property, to make available data with monetary value in commerce, to incur a debt or to waive a claim, shall, as guilty of fraud (oplichting), be punished with imprisonment of at most four years or a fine of the fifth category.” (Art. 326 Wetboek van Strafrecht, the Dutch Penal Code)
Trends (2/5)
Trends (4/5)
► PRISM
► FISA
► 50 U.S.C. § 1881a (FISA section 702)
Trends (5/5)
► TILT/WODC: “Misdaad en opsporing in de wolken. Knelpunten en kansen van cloud computing voor de Nederlandse opsporingspraktijk” (Crime and investigation in the clouds: bottlenecks and opportunities of cloud computing for Dutch law enforcement practice), Feb 2013, with a follow-up study by TILT in July 2013
► EU/EC: Proposal for an EU Cybersecurity Directive (Feb 2013)
► EUROPOL: Serious and Organised Crime Threat Assessment (SOCTA) report (Mar 2013)
► “(...) the increasing adoption of cloud computing technologies will continue to have profound impact on law enforcement investigation. It will see users and criminals storing less data on their devices, which will present a significant challenge to existing criminal investigations and digital forensic practice”.
► CaaS (Crime-as-a-Service)
Technical architecture
Public vs private
Hypervisor & virtual machine
Security issues
► I run my applications on an unknown platform.
► I store my data in an unknown location.
► I use hardware I do not control.
► I have outsourced my data!
► What about confidentiality? Integrity? Availability?
IF THE CLOUD SERVICE PROVIDER IS CONTROLLING YOUR DATA, THEN YOU’RE NOT.
Prevention - Data centric approach
Data governance: policies and standards, identification, risk assessment, classification, architecture
Focus areas (structured and unstructured data; quality):
► Data in use: data anonymisation, privileged user monitoring, access/usage monitoring, use of test data, data redaction, export/save control
► Data in motion: perimeter security, network monitoring, Internet access control, messaging (email, IM), remote access, data collection and exchange
► Data at rest: endpoint security, host encryption, mobile device protection, network/intranet storage, physical media control, disposal and destruction
Supporting information security processes: configuration management, physical security, employee screening and vetting, training and awareness, third-party management and assurance, vulnerability management, incident response, data privacy/document protection, digital rights management, asset management, identity/access management, security information/event management
Prevention - Access management
► Unauthorized access from the inside should be prevented by profound access controls.
► For access from the outside, the authentication and authorisation model of the cloud user (the customer) should be the framework.
► SAML (Security Assertion Markup Language)
► OpenID Connect
► XACML (eXtensible Access Control Markup Language)
► SPML (Service Provisioning Markup Language)
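The standards above only help if the service provider actually enforces what the assertion says. The block below is an added example, not from the deck or from any named product: it checks a SAML 2.0 assertion's validity window, AudienceRestriction, Recipient and InResponseTo using only the Python standard library. The sample assertion, the entity IDs (idp.example.org, sp.example.com), the user alice@example.org and the request ID _req42 are constructed for illustration, and the code assumes the assertion's XML signature has already been verified (for instance with xmlsec), because without that step none of these checks mean anything.

```python
"""Post-signature checks on a SAML 2.0 assertion (added example, stdlib only).

Assumes the XML signature was already verified (e.g. with xmlsec). The checks
here decide whether a *genuine* assertion is meant for this service provider,
for this login request, and right now.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: illustrative entity IDs, no signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2013-10-03T09:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-10-03T09:05:00Z" Recipient="https://sp.example.com/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-10-03T08:59:00Z" NotOnOrAfter="2013-10-03T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, with or without fractional seconds."""
    if isinstance(value, datetime):
        return value
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML timestamp: %r" % (value,))


def validate_assertion(xml_text, expected_audience, expected_recipient,
                       expected_request_id, now, skew=timedelta(seconds=60)):
    """Return (True, name_id) if every condition holds, else (False, reason).

    `now` may be a datetime or a SAML timestamp string. `skew` tolerates small
    clock differences between IdP and SP, and nothing more.
    """
    now = parse_saml_time(now)
    # For untrusted XML in production parse with defusedxml, not plain ElementTree.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 2.0 Assertion"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"

    # Audience: an assertion issued for another SP carries a perfectly valid
    # signature and must still be rejected here.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience mismatch"

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData"
    if scd.get("Recipient") != expected_recipient:
        return False, "recipient mismatch"
    # Binding the response to our own AuthnRequest blocks replay of a captured
    # assertion into a session this SP did not start.
    if scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch"
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry and now - skew >= parse_saml_time(scd_expiry):
        return False, "subject confirmation expired"

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID"
    return True, name_id.strip()


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.com",
                             "https://sp.example.com/acs", "_req42",
                             now="2013-10-03T09:01:00Z"))
```

The audience and InResponseTo checks are the ones most often left out by hand-rolled SAML consumers, and each omission turns a valid assertion for one tenant into a login for another, which is exactly the multi-tenant risk the deck warns about.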
Prevention - Awareness
Paradigm
Cloud computing: I have NO knowledge about the underlying technology.
Forensic IT investigations: I want to know EVERYTHING about the underlying technology.
Discover - e-Discovery
► The process of identifying, preserving, collecting and producing documents and electronically stored information (ESI) that may be used as evidence in a legal proceeding
► Information exchanged through discovery is subject to review and analysis
► While discovery is a civil litigation term, the basic processes of e-discovery (identification, preservation, collection, review and analysis) also apply
Figure: „Iceberg“ of data
Electronic Discovery Reference Model (EDRM), www.edrm.net
Stages, moving from high volume to high relevance: Information Management → Identification → Preservation → Collection → Processing → Review → Analysis → Production → Presentation
EDRM case study
Initial situation: 126,000 emails from four custodians preserved and collected (sources: client machines, email servers, file servers, archives)
Processing
► Automatic de-duplication of all emails down to 52%: 126,000 emails → 66,000 emails
Keyword search
► Search for relevant keywords
► Reduction of all emails down to 4.2%: 66,000 emails → 5,300 emails
Smart filters
► Filters for senders and receivers
► Filters for specific time slots (Q2 2012)
► Reduction of all emails down to 1%: 5,300 emails → 1,250 emails to review
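The stages in this case study are simple enough to show in code. The block below is an added example, not the deck's or any vendor's: a small EDRM-style funnel over a constructed corpus of ten messages that de-duplicates on a hash of the normalised message, runs a keyword search, then applies party and time-window filters, reporting each stage as a percentage of the original count the way the slide does. The custodian names, addresses (corp.example, outside.example, shop.example) and message contents are all constructed.

```python
"""EDRM-style processing funnel over a constructed mailbox (added example).

Stages mirror the case study: de-duplicate, keyword search, then filter on
parties and a time window, reporting each stage as a percentage of the
original corpus. All messages below are constructed; no real data.
"""
import hashlib
import re

# Constructed corpus: 10 messages from four custodians, some of them copies
# of the same message found in more than one mailbox.
CORPUS = [
    {"id": "m1", "custodian": "alice", "from": "bob@corp.example", "to": ["alice@corp.example"],
     "date": "2012-05-03", "subject": "Invoice 2231", "body": "Please approve the invoice for the new vendor."},
    {"id": "m2", "custodian": "bob", "from": "bob@corp.example", "to": ["alice@corp.example"],
     "date": "2012-05-03", "subject": "Invoice 2231", "body": "Please approve the invoice for the new vendor."},
    {"id": "m3", "custodian": "carol", "from": "alice@corp.example", "to": ["carol@corp.example"],
     "date": "2012-06-20", "subject": "Re: Invoice 2231", "body": "Approved. Keep the kickback off the books."},
    {"id": "m4", "custodian": "alice", "from": "alice@corp.example", "to": ["carol@corp.example"],
     "date": "2012-06-20", "subject": "RE: Invoice 2231", "body": "Approved.  Keep the kickback\noff the books."},
    {"id": "m5", "custodian": "dave", "from": "hr@corp.example", "to": ["all@corp.example"],
     "date": "2012-05-10", "subject": "Holiday schedule", "body": "Summer holidays start in July."},
    {"id": "m6", "custodian": "alice", "from": "vendor@outside.example", "to": ["alice@corp.example"],
     "date": "2012-08-02", "subject": "Invoice 2500", "body": "Second invoice attached."},
    {"id": "m7", "custodian": "bob", "from": "bob@corp.example", "to": ["vendor@outside.example"],
     "date": "2012-04-11", "subject": "Lunch", "body": "Lunch on Friday?"},
    {"id": "m8", "custodian": "carol", "from": "news@shop.example", "to": ["carol@corp.example"],
     "date": "2012-05-01", "subject": "Invoice your friends, get 10% off", "body": "Marketing."},
    {"id": "m9", "custodian": "bob", "from": "hr@corp.example", "to": ["all@corp.example"],
     "date": "2012-05-10", "subject": "Holiday schedule", "body": "Summer holidays start in July."},
    {"id": "m10", "custodian": "dave", "from": "alice@corp.example", "to": ["dave@corp.example"],
     "date": "2012-06-29", "subject": "Q2 numbers", "body": "Adjust the invoice totals before the audit."},
]

_WS = re.compile(r"\s+")


def _norm(text):
    return _WS.sub(" ", text.strip().lower())


def message_hash(msg):
    """Hash of normalised sender, recipients, date, subject and body.

    Case and whitespace differences (different mail clients, sent vs. received
    copies) must not defeat de-duplication; anything else is a different message.
    """
    parts = [_norm(msg["from"]), ",".join(sorted(_norm(t) for t in msg["to"])),
             msg["date"], _norm(msg["subject"]), _norm(msg["body"])]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def deduplicate(msgs):
    """Keep the first copy of each message and record which custodians held it.

    The suppressed copies are not lost: 'who had this email' is often the
    question in a fraud matter, so the holder list stays with the survivor.
    """
    seen, unique, holders = {}, [], {}
    for m in msgs:
        h = message_hash(m)
        if h in seen:
            holders[seen[h]].append(m["custodian"])
        else:
            seen[h] = m["id"]
            holders[m["id"]] = [m["custodian"]]
            unique.append(m)
    return unique, holders


def keyword_search(msgs, keywords):
    """Whole-word, case-insensitive match on subject or body."""
    pat = re.compile(r"\b(" + "|".join(re.escape(k) for k in keywords) + r")\b", re.IGNORECASE)
    return [m for m in msgs if pat.search(m["subject"]) or pat.search(m["body"])]


def smart_filter(msgs, parties, start, end):
    """Keep messages sent or received by one of `parties` and dated in [start, end].

    Dates are ISO yyyy-mm-dd strings, so plain string comparison orders them."""
    parties = {p.lower() for p in parties}
    out = []
    for m in msgs:
        involved = {m["from"].lower(), *(t.lower() for t in m["to"])}
        if involved & parties and start <= m["date"] <= end:
            out.append(m)
    return out


def run_funnel(msgs, keywords, parties, start, end):
    """Return ([(stage, count, percent_of_original)], final review set)."""
    total = len(msgs)
    stages = [("collected", total)]
    unique, _ = deduplicate(msgs)
    stages.append(("de-duplicated", len(unique)))
    hits = keyword_search(unique, keywords)
    stages.append(("keyword search", len(hits)))
    review = smart_filter(hits, parties, start, end)
    stages.append(("smart filters", len(review)))
    return [(s, n, round(100.0 * n / total, 1)) for s, n in stages], review


if __name__ == "__main__":
    report, review = run_funnel(CORPUS, ["invoice", "kickback"],
                                ["alice@corp.example", "bob@corp.example"],
                                "2012-04-01", "2012-06-30")
    for stage, n, pct in report:
        print("%-15s %3d  %5.1f%%" % (stage, n, pct))
    print("to review:", [m["id"] for m in review])
```

On a real corpus the same shape applies with the processing tool's own message hashes (typically computed over the normalised MIME parts) and with near-duplicate and thread analysis layered on top; the percentages are reported against the original count, as on the slide, because that is the figure the client and the court ask about.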
Security - Basic Security
► How is the data protected from malware? Anti-virus in the cloud?
► How can an attack on applications or data in the cloud be detected? An IDS looks for abnormal behaviour or works signature-based, but the systems it is protecting are constantly changing.
► How do you monitor incoming and outgoing traffic to the cloud, if the boundaries of the cloud keep changing?
Security - Privileged User Access
► Who has access to your data? Do you know their names, have they been vetted?
► What happens if they go on holiday?
► What happens when your data needs to be moved to other systems, locations?
► How does access to your data get logged?
► Are these logs tamper resistant?
► Are your security policies used as a minimum standard? For example two-factor authentication, no shared accounts/credentials.
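Two of these questions, how access is logged and whether the logs are tamper resistant, have a concrete technical answer worth seeing in code. The block below is an added example, not from the deck: a hash-chained audit log in which each entry carries an HMAC over its sequence number, the previous entry's MAC and the record itself, so that editing, inserting or deleting an entry is detectable, and truncating the tail is detectable once the latest MAC is held somewhere the administrator cannot reach. The key, the event records and the "log server" that would hold the key are assumptions for illustration.

```python
"""Tamper-evident access log: HMAC hash chain (added example, stdlib only).

Each entry commits to its sequence number, the previous entry's MAC and the
record, under a key the logged administrators do not hold (assumed to live on
a separate log server or with the customer). Editing, inserting or deleting an
entry breaks the chain at that point. Silently dropping the newest entries is
only caught if the latest MAC ("head") was reported out-of-band, so the
verifier accepts that head as well.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-MAC value used for the very first entry


def _canonical(seq, prev, record):
    # Deterministic serialisation: the same entry always MACs the same way.
    return json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(entries, key, record):
    """Append `record` (a JSON-serialisable dict) and return the new head MAC."""
    seq = len(entries)
    prev = entries[-1]["mac"] if entries else GENESIS
    mac = hmac.new(key, _canonical(seq, prev, record), hashlib.sha256).hexdigest()
    entries.append({"seq": seq, "prev": prev, "record": record, "mac": mac})
    return mac


def verify_chain(entries, key, expected_head=None):
    """Return (True, None) or (False, index_of_first_bad_entry).

    With `expected_head` (the last MAC as reported out-of-band), a chain that is
    internally consistent but shorter than it should be is also rejected, and
    the reported index is then len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i          # entry removed, inserted or reordered
        mac = hmac.new(key, _canonical(e["seq"], e["prev"], e["record"]),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e.get("mac", "")):
            return False, i          # record or MAC edited in place
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)   # tail truncated (or head forged)
    return True, None


def build_sample_log(key):
    """Constructed privileged-access events (illustrative only)."""
    events = [
        {"ts": "2013-10-03T08:00:00Z", "admin": "ops-1", "action": "login", "via": "2fa"},
        {"ts": "2013-10-03T08:05:12Z", "admin": "ops-1", "action": "read",
         "object": "customer-db/backup-2013-10-02"},
        {"ts": "2013-10-03T08:09:40Z", "admin": "ops-1", "action": "export",
         "object": "customer-db/backup-2013-10-02", "dest": "tape-vault-7"},
        {"ts": "2013-10-03T08:10:02Z", "admin": "ops-1", "action": "logout"},
    ]
    entries, head = [], None
    for ev in events:
        head = append_entry(entries, key, ev)
    return entries, head


if __name__ == "__main__":
    key = b"key-held-by-the-log-server-not-by-ops"   # assumed key custody
    log, head = build_sample_log(key)
    print(verify_chain(log, key, head))               # (True, None)
    log[2]["record"]["action"] = "read"               # admin rewrites the export
    print(verify_chain(log, key, head))               # (False, 2)
```

The chain is only as strong as the key custody: if the same privileged user can re-MAC entries, the log is merely well formatted. Forwarding the head MAC (or the entry count) to the customer at regular intervals is what turns "internally consistent" into "complete", and is the kind of commitment the contract questions in the Investigative Support slide are asking for.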
Information Security Compliance
Requirements
Who is ultimately responsible for your data?
Can you have your provider audited?
Does your provider undergo regular 3rd party audit?
Do you have access to their audit reports?
Is your provider certified in any way?
Security - Data Segregation
► What happens with data at rest? Backup tapes, for example.
► Is your data on shared systems with other customers?
► Does your provider use encryption? If so, what are their encryption schemes?
► Are these schemes tested and good security practice?
► What if somebody makes a mistake and renders your data useless?
► A lot of data also makes an attractive target.
WITH GREAT DATA COMES GREAT RESPONSIBILITY
Security - Recovery
► Is data replicated and stored in multiple locations at a wide distance from each other?
► How long does it take to do a full restore of your data? And can they even do that?
► What if clouds are used for peak loads: where does the data go in the end?
► How do you wipe a cloud?
A great example of software infrastructure that scales is an online town hall meeting held by the US President. The Administration was able to instantly scale its database to support more than 100,000 questions and in excess of 3.5 million votes, without worrying about usage spikes that typically would be tough to manage. Because of the cloud, there was no need to provision extra servers to handle the increased
Security - Data Location
► Where is your data located? Is your data allowed to be located in this location? (Safe Harbor, EU privacy regulation)
► Are your users aware where their data resides?
► Can your provider meet your requirements?
► Can investigative services be performed on the data in that location?
Security - Investigative Support
► How does logging take place? Is the logging exclusive for your data?
► Can the provider provide you with useful documentation and log files when an incident has occurred? Does the provider have any proven experience with this? How long will it take the provider? Can you get a sample?
► How long are log files retained? Are log files rotated? What about application and database logs?
► How will data be exported for investigative purposes? It is not possible to make an image of a cloud.
► How much data needs to be analysed?
Data Privacy: Authorization to access employee files, mails and logfiles
► Work related files vs. private files
► Private files always remain the domain of the employee and their intrusion constitutes a clear personality violation unless certain prerequisites are fulfilled
► Implementation of technical safeguards, but without using control mechanisms which potentially put the employees' contractual and personality rights in jeopardy
Scope of permitted investigation
► No systematic monitoring of a specific employee's activities
► No access to e-mails which are marked or recognizable as private
► Punctual surveillance activities are allowed as far as they are clearly described in a surveillance policy and they are in a first phase conducted anonymously; the surveillance policy must be accessible to the employees
► When an abuse has been discovered, the employer may monitor
How to deal with requests of investigation
► If there is adequate ground to suspect illegal activities, secret investigations may be appropriate
► Such investigations may however not be conducted at the employer's discretion; criminal investigations always require notification of the authorities prior to taking surveillance measures. An employer may however secure evidence.
Compliance - ICO
Assessing the security of a cloud provider
54. The DPA (UK Data Protection Act 1998) requires that data controllers take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
55. When processing is undertaken by a data processor, the data controller must choose a processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures.
56. The cloud customer should therefore review the guarantees of availability, confidentiality and integrity that the cloud provider provides.
Compliance - CSA
Take away - Opportunity
If you are considering moving to a cloud based solution, this may be the time to:
! Change and check for default passwords
! Do an application review
! Reconsider access rights and (move to) strong authentication
! Get rid of the unknown unknowns
! Make investigative support part of the contract
! Make a notification of
10 practical tips for your security program
1. Identify and classify your data
2. Be concerned about view only access
3. Implement a data management life cycle
4. Do not allow unauthorized devices on your network
5. Do not permit the copying of sensitive data to removable media
6. Improve authorization and access control measures
7. Understand data usage and flows and data leakage vectors
8. Take a risk based approach
9. Update your policies, models and contracts and create awareness
10. Audit your own compliance
TAKE A HOLISTIC APPROACH
Thank you
peter.kits@hollandlaw.nl 06 21252338
Ernst & Young