When it comes to collecting forensic evidence from cloud providers and determining whether a data breach has occurred, what used to take two weeks now takes a month for Greg Thompson, vice president of enterprise security services at Scotia Bank.
"Often we find it is a challenge to get sufficient forensic data from the cloud to prove the event or action did occur," says Thompson, who oversees the forensics team at Scotia Bank, the third-largest bank in Canada.
Specifically, he finds that acquiring evidence for an investigation is more challenging for forensic practitioners in cloud services than with traditional acquisition methods. In a cloud environment, investigators lack access to a full suite of forensic data, including net flows, log files and hard drive images, and there is also a strong dependency on a third party whose system settings and administration may differ. "This often stretches the time-frame needed to make conclusions on a case, as we have to deal with legal implications and inconsistencies in how data is overall collected and maintained."