What is cloud computing? According to the Oxford Dictionary, cloud computing
means the practice of using a network of remote servers hosted on the Internet
to store, manage, and process data, rather than a local server or a personal
computer.
The definition of the term ‘Cloud Computing’ given by the US National Institute
of Standards and Technology (NIST) is as follows:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned
and released with minimal management effort or service provider interaction”.
The above definition of ‘Cloud computing’ has been
widely accepted in India.
However, to put it in simple terms, cloud computing means storing and accessing
data and applications on the Internet rather than on one’s own computer system.
The ‘cloud’ in ‘Cloud Computing’ refers to the set of hardware, networks,
storage, services, and interfaces that combine to deliver aspects of computing
as a service.
The initiative of the Ministry of Electronics & Information Technology,
Government of India, in this direction is named ‘Meghraj’. According to the
Worldwide Quarterly Cloud IT Infrastructure Tracker (April 21st, 2015), cloud
computing accounted for about 33% of the total IT expenditure in 2015 across
the world, and cloud IT infrastructure spending is expected to be 45% of total
IT infrastructure spending.
At a time when corporates are going through a recession and are looking for
ways and means to reduce costs, the concept of ‘Cloud Computing’ is a boon for
them: it helps in enhancing capacity without actually investing anything extra
in infrastructure, training, purchase of new software, etc. Of late, this
concept has grown by leaps and bounds and is presently one of the important
segments of the IT industry.
For those who provide ‘Cloud computing’ services, called ‘Cloud Service
Providers’ or CSPs, it is not an easy task to co-locate the virtual machines of
multiple organizations on the same physical server, and doing so calls for
extreme caution. Major CSPs (such as Microsoft, Google, Amazon, Salesforce.com,
GoGrid, etc.) are leveraging virtualization technologies combined with
self-service capabilities for computing resources via the Internet.
Though most corporates are looking to ‘Cloud computing’ in order to expand
their horizons, what worries them is the security issues. The risk of
confidential data becoming available in the public domain is something they
dread, and there is no way that they can afford to compromise on the security
of their applications and data.
Well, this is exactly the point the writer is looking at. Corporates needn’t
worry too much, as the CSPs invest large amounts in ensuring foolproof security
for their data by devising various methods. But for the law enforcement
agencies of the government, it is a really tough task to gather intelligence on
possible financial frauds and successfully expose the fraud before the
competent courts along with adequate material evidence to prove the case, lest
all the efforts be in vain. The six aspects that worry corporates - i.e.,
availability, confidentiality, data integrity, control, audit - cause a lot of
concern to these agencies too, albeit for a different reason.
As we know, the law enforcement agencies and their investigating officers in
India still depend a lot on human intelligence and human caliber rather than
technological aids, compared to the developed countries. But at the same time,
our business, technology and corporate sectors are almost at par with any
developed country, if not more efficient. This technological lag often creates
a barrier in field-level investigation. Recently, an officer of a central
agency who was in charge of investigating a multi-crore scam reached the
corporate office of a company named in the FIR and came across certain material
evidence in the system. Excited by the discovery of the clinching evidence, the
officer ordered the concerned person to immediately give a ‘print’ of the
entire data, in the same way as he would seize an entire register for evidence
available on some half page of the register. When the executive informed him
that it would take at least two days to print the entire data, the confused
officer had to consult his senior in the office and go back without actually
‘seizing’ the material evidence.
In a case of financial fraud a few years ago, in which an IT giant in India
sought to evade a huge amount of tax and which was investigated by one of the
premier agencies, the investigators found it hard to collect the data from the
company, as the data were stored on a server located in a different country. It
was only the sheer dynamism, command, presence of mind and perseverance of the
investigators that resulted in collection of the required data as well as the
documents required for the purpose of investigation. If this was the case
before the introduction of ‘cloud computing’, just imagine the fate of the
investigators in the present scenario.
The need of the hour is to strengthen the Forensic Investigation skills of the
investigator, along with adequate and updated knowledge about the compliance
requirements and the laws governing the said technology. Since the ‘cloud’ can
cross multiple countries, the privacy laws applicable in the respective
countries have to be taken into consideration. Further, the details of the
agreements between the CSPs and their clients have to be studied in order to
find out about the availability or the destruction of older data.
Now, what is Forensic Investigation? The word forensic comes from the Latin
term forensis, meaning ‘of or before the forum’. In modern use, the term
Forensic Investigation can be broadly understood as something related to the
authentic collection of evidence which would be accepted before a court of law.
And when it comes to frauds and investigations related to computers and the
Internet, the term ‘Cyber Forensic’ is used. Further, digital forensics is the
application of proven scientific methods and techniques in order to recover
data from electronic / digital media.
Therefore, investigators in general, and investigators of financial fraud in
particular, should know thoroughly well the techniques to collect evidence in
the ‘cloud’ environment. A conventional investigator need not know how to do a
post mortem, but he should definitely know how it would help him solve the
case. Similarly, a financial fraud investigator need not be an IT expert, but
he should be trained to understand what he wants and how to collect it
effectively.
(With the given facilities for training in the field in India, an ordinary
investigator trained on the basics of cyber forensics would be on cloud nine
and would not know about cloud computing!!)
National Institute of Standards and Technology (NIST), US Department of
Commerce, Special Publication 800-145.
Krešimir Popović and Željko Hocenski, “Cloud computing security issues and
challenges”, Faculty of Electrical Engineering, Institute of Automation and
Process Computing, Croatia.