Re: Bruce Schneier on Google Apps. Do you trust Google?

["J. Oquendo" <sil () infiltrated net>]

Ali, Saqib wrote:
> 3) Documentation process for Chain of Custody will not change (AFAIK).
> Once you get a e-discovery request or learn that a lawsuit has been
> filed, you can retrieve the required data from SaaS provider, and then
> proceed with the investigation.
>   

"you can retrieve the required data from SaaS provider, and then proceed
with the investigation/"

Really? Like spot-on write-protected copies of hard drives "in the
cloud"?. I'd like to see the first company willing to comply with
something like that.

"At present, there is no foolproof, universal method for extracting
evidence in an admissible fashion from cloud-based applications, and in
some cases, very little evidence is available to extract. As such, cloud
computing represents just one of the fast-paced technological
developments that is presenting an ongoing challenge to legislators, law
enforcement officials and computer forensic analysts."

http://www.articlesnatch.com/Article/Cloud-Computing-And-Computer-Forensics/663389

It's only going to be a matter of time before someone(company) stumbles
over compliance (EDD/Elect. Data Disc.) because - a) "Engineer
Accidentally Deletes Cloud" [1] b) "Storms in the Clouds Leave Users Up
Creek Without a Paddle" [2] or maybe just maybe - at the time or
e-discovery there is a simple outage... And while you can transfer risk,
you CANNOT transfer responsibility.

So for your comment, on #3, makes little sense. Besides how do you even
know your cloud provider has individuals competent in forensics. Are you
willing to trust your business' livelihood on "I thought they did!" I'd
forget anything cloud related when it comes to business. [4] Its adding
on more unnecessary risk to save a buck or two whereas at the end of the
day, it could cost you who knows how much more than that buck.

[1] http://www.theregister.co.uk/2008/08/28/flexiscale_outage/
[2]
http://arstechnica.com/news.ars/post/20080813-storms-in-the-clouds-leave-users-up-creek-without-a-paddle.html
[3]
http://www.pcworld.com/article/160153/gmail_outage_marks_sixth_downtime_in_eight_months.html
[4] http://www.infiltrated.net/cloud-insecurity.pdf

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------