Cybersecurity incident response is a complicated issue at the best of times, but it becomes even more difficult when tens or hundreds of different cloud services are involved, each run by a different company, with responsibility for the servers and the data split between provider and customer. If a breach occurs, an enterprise won't have the same access to the cloud infrastructure to investigate, patch and run forensics that it would have if the breach had occurred on its own site.
Putting together a cloud incident response plan
The first step, as is the case in most cyberdefense strategies, is to have an accurate register of the cloud services used by the organization. This register needs to include not only sanctioned cloud services, but also the likely large number of shadow cloud services that staff have adopted on their own. A data breach is just as likely, perhaps more so, from the shadow cloud as from sanctioned services. This means involving key personnel in the process of making the cloud incident response plan to ensure that all possible cloud services are included.
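As an added example (not from the article), a small Python script that drafts such a register from outbound web-proxy logs: it maps destination hosts to a catalogue of known cloud services, marks any service missing from the sanctioned list as shadow cloud, and records which users touch each one so the team knows whom to involve. The log format, the service catalogue and the sanctioned list are constructed for illustration.

```python
# Constructed proxy log lines (illustrative format): timestamp, user, destination host.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03Z alice files.example-storage.com
2024-05-01T09:13:44Z bob app.crm-example.net
2024-05-01T09:15:10Z alice share.quickdrop-example.io
2024-05-01T09:16:02Z carol share.quickdrop-example.io
2024-05-01T09:20:31Z dave app.crm-example.net
2024-05-01T09:21:00Z bob intranet.corp.local
"""

# Constructed catalogue of known cloud services: domain suffix -> (service name, service model).
CLOUD_CATALOGUE = {
    "example-storage.com": ("ExampleStorage", "SaaS"),
    "crm-example.net": ("ExampleCRM", "SaaS"),
    "quickdrop-example.io": ("QuickDrop", "SaaS"),
}

# Services the organization has approved; any other catalogue hit is shadow cloud.
SANCTIONED = {"ExampleStorage", "ExampleCRM"}

def lookup_service(host):
    """Match a host against the catalogue by domain suffix; None if not a known cloud service."""
    for suffix, entry in CLOUD_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def build_register(log_text):
    """Return {service: {"model", "sanctioned", "users"}} for every cloud service seen in the log."""
    register = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, host = parts
        entry = lookup_service(host)
        if entry is None:
            continue  # internal or unknown host: nothing to register
        name, model = entry
        rec = register.setdefault(name, {"model": model, "sanctioned": name in SANCTIONED, "users": set()})
        rec["users"].add(user)  # distinct users tell you whom to involve in the plan
    return register

def shadow_services(register):
    """Unsanctioned services in use, most users first, so the plan covers the biggest exposures."""
    return sorted((n for n, r in register.items() if not r["sanctioned"]),
                  key=lambda n: -len(register[n]["users"]))
```

The catalogue is the part that needs real care in practice: it must be maintained as new services appear, and hosts it does not know about should be reviewed rather than silently ignored.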
Cloud providers should have their own incident response team that enterprises will want to communicate with when possible. This may be viable for large deployments in an infrastructure as a service, or IaaS, environment, but may be less viable with smaller software as a service providers. Service-level agreements should always explicitly state the incident response process, including what will trigger it. The key is to state accurately and explicitly how responsibility for cloud incident response is divided, so that when an incident occurs, it is obvious who needs to be involved at which stage.
Gather all the necessary information
As part of due diligence, an enterprise should ensure it is satisfied with the cloud provider's own incident response process, as well as its business continuity and disaster recovery plans. Enterprises will also want to determine what monitoring tools the cloud provider has in place, and what level of access, if any, they have to them. The provider's ability to supply the forensic data needed to investigate an incident should also be assessed, as this can be extremely complicated in IaaS environments where computing resources are pooled and the demands of a single customer can be elastic.
Enterprises should ensure that they have primary and secondary contacts for each cloud provider, and that the cloud providers have the same for them. If an incident occurs, the enterprise will need to contact the cloud provider's incident response team immediately and begin collaborating on the containment, eradication, recovery and subsequent investigation. Much of a standard incident response plan can come into play here -- just make sure to add cloud services to the incident response playbook. The standard incident response platform can be used to track the details of the incident and the interaction with the cloud provider.
Enterprises can combine the above processes into an easy checklist for a cloud incident response plan. This will allow them to quickly determine the correct course of action in the case of an incident. The initial few hours after an incident occurs are always the most crucial -- enterprises need to ensure they are ready and able to respond in a controlled manner.