Lora O'Haver
Senior Solutions Marketing Manager

How to enable security forensics in the cloud

January 15, 2018 by Lora O'Haver

Why is security forensics important?

In our digital economy, we have largely come to accept that a network breach is inevitable or is already underway. Given this reality, we must work to quickly find the source of the attack and take steps to block further data access or exfiltration. This is the goal of network security forensics, which focuses on the capture, recording, and analysis of network events in order to discover the source of a security attack or other problem incident. [1]

The rising use of cloud computing makes security forensics no less important, only harder. The standards organization Cloud Security Alliance tracks forensic readiness as part of its Security and Risk Management domain and notes that the ability to identify, obtain, preserve, and analyze potential digital evidence is now a critical business capability. [2]

In addition to breach investigations, cloud forensics is also important for troubleshooting when performing root cause analysis, for rebuilding systems lost during disasters or accidents, and for meeting compliance requirements or supporting legal proceedings. (See Figure 1 below.) Whether responding to a security incident or data breach, or supporting litigation, an organization needs a highly effective platform for accessing the digital traffic that affects its business.

Figure 1: Uses for Cloud Security Forensics

What are the challenges of security forensics in the cloud?

Forensic analysis is more complicated in the highly virtualized, multi-tenant environment of a public or hosted private cloud. The technical issues include [3]:

  • Data collection: Cloud service providers (CSPs) have data centers around the world in different jurisdictions providing services. Data stored in one data center is replicated to multiple locations to ensure availability and eliminate single points of failure.
  • Dynamic environments: Since cloud instances can be provisioned and de-provisioned on demand, cloud investigations need to be elastic and scalable to keep up. In cloud forensics, you need access to timestamps and the ability to synchronize across multiple virtual instances in distributed environments. In addition, CSPs may have dependencies on other CSPs to host log files or other related services.
  • Data isolation: The components of cloud infrastructure are built for resource sharing, not resource segregation. This makes it more difficult to isolate the data of a single tenant. Special tools and procedures are needed to locate data at a given time.
  • Investigation tools: Tools and procedures for conducting forensic investigations in virtualized environments are different from those in traditional data center environments and, in some cases, are still being developed.
  • Expense: Proactive measures, such as data logging, can be costly when the cloud provider charges for supplying information that would be easily accessible on-premises.

Don’t cloud providers ensure security?

Cloud providers have had little incentive to provide deep administrative access to the kind of information that is used in forensics, so what they provide is often not adequate for forensics, auditing, or compliance. Organizations expecting forensic support from their CSPs may be frustrated to find that the data they need is not included in the Service Level Agreement they have with their provider. Alternatively, even if the contract with their CSP includes “forensic support,” that may only cover responding to an alert or incident and rebuilding the attacked system. The customer may find their contract does not include access to the underlying data necessary for a full forensic investigation.

AWS describes the cloud customer’s security responsibility like this: “As the customer, you retain control of what security you choose to implement...This includes, but is not limited to: encrypting sensitive data, implementing proper identity and access management policies, and managing operating system, network, and firewall configurations. In the event a security incident occurs in your AWS environment, you are responsible for determining when the attack happened, how systems were breached, and which resources were compromised.” [4] AWS provides CloudWatch, a fee-based logging service that can be configured to detect dangerous conditions and send alerts. It provides some metric visibility, but not the details required for deep forensic investigation.

What can be done to facilitate security forensics in the cloud?

  1. Have a cloud forensics plan

The best time to build your plan is before you sign a contract with a cloud provider, when you can still negotiate what will happen in the event of a breach. In addition, document the process you will use for investigations, evaluate the available forensics solutions, and understand exactly what data your chosen solutions will require—packet data, NetFlow metadata, and/or application data.

  2. Deploy cloud visibility that is automatic and scalable

A cloud-native visibility platform is created by embedding containerized agents or sensors inside each cloud or virtual machine instance as it is created. The agents/sensors mirror the traffic flowing through each instance and relay it to a centralized visibility engine for further processing. Because visibility is established at the creation of the cloud instance, it scales automatically along with your clouds. Find out more about CloudLens cloud-native visibility.

  3. Use a single visibility platform that can serve all tools

Many tools on the market include their own agents for collecting the data they need at the source. With multiple tools and agents trying to access cloud traffic, management and maintenance can get very complex. A better option is a single visibility platform with access to traffic in all your clouds that can deliver customized data to each of your security and forensics solutions. A single interface for managing data filters and specifying advanced processing functions is more efficient and easier for your IT team to manage.

  4. Get cost-efficient search and filter functionality

Logging is very expensive to conduct in the cloud. A visibility platform gives you the ability to combine data from multiple sources so that their records can be synchronized, and to search and filter that data so the investigation is restricted to what is relevant, minimizing its time and cost.
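The synchronization problem raised under "Dynamic environments" above, and the search-and-filter step described here, come down to one mechanical task: every source records time in its own convention, so records cannot be correlated until they are normalized to a single clock. The script below is an added example written for this post, not code from the original article or from any vendor product. It takes constructed sample records from three hypothetical sources (a syslog line with no year and a host clock on UTC-8, a flow-log-style record with epoch seconds, and a JSON application log with an ISO-8601 offset), normalizes each to UTC, merges them into one timeline, and filters by investigation window and IP address. The log formats, host names, addresses and the UTC-8 assumption for the syslog host are all assumptions made for the example.

```python
"""Forensic timeline builder: normalize timestamps from several sources to UTC,
merge them, and filter by time window and address.

Added example. The record formats below are constructed for illustration and
are not copied from any real cloud service.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs. Each source uses a different timestamp convention,
# which is exactly the synchronization problem an investigator must solve.
SYSLOG_LINES = [
    "Jan 12 01:14:03 web-01 sshd[812]: Accepted publickey for deploy from 10.0.1.5 port 51022",
    "Jan 12 01:16:40 web-01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/sbin/service nginx reload",
]
FLOW_RECORDS = [  # "<epoch-seconds-utc> <src> <dst> <dstport> <action>"
    "1515748443 10.0.1.5 10.0.2.20 443 ACCEPT",
    "1515748500 10.0.1.5 10.0.2.20 443 ACCEPT",
    "1515752100 10.0.3.9 10.0.2.20 22 REJECT",
]
APP_JSON_LINES = [
    '{"ts": "2018-01-12T11:15:10+02:00", "host": "api-02", "client": "10.0.1.5", "msg": "token issued"}',
]

# Assumptions: the syslog host's clock is set to UTC-8 and the capture year is
# 2018 (classic syslog omits both). In practice these come from host inventory.
SYSLOG_TZ = timezone(timedelta(hours=-8))
SYSLOG_YEAR = 2018

# Investigation window, expressed in UTC like every normalized timestamp.
INVESTIGATION_WINDOW = (
    datetime(2018, 1, 12, 9, 0, tzinfo=timezone.utc),
    datetime(2018, 1, 12, 9, 30, tzinfo=timezone.utc),
)

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(line):
    """Classic syslog: no year, no zone. Attach the host's known offset, then convert to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, host, msg = m.groups()
    naive = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
    ips = IP_RE.findall(msg)
    return {"ts": ts, "source": "syslog", "host": host, "ip": ips[0] if ips else None, "msg": msg}


def parse_flow(record):
    """Flow-style record with epoch seconds, which are already UTC by definition."""
    epoch, src, dst, dport, action = record.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"ts": ts, "source": "flow", "host": dst, "ip": src, "msg": f"{action} {src}->{dst}:{dport}"}


def parse_app(line):
    """JSON application log with an ISO-8601 offset; convert the aware value to UTC."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "source": "app", "host": rec["host"], "ip": rec.get("client"), "msg": rec["msg"]}


def build_timeline():
    """Parse every source and return one list ordered by normalized UTC time."""
    events = [e for e in map(parse_syslog, SYSLOG_LINES) if e]
    events += [parse_flow(r) for r in FLOW_RECORDS]
    events += [parse_app(line) for line in APP_JSON_LINES]
    # sorted() is stable, so events with equal timestamps keep source order
    return sorted(events, key=lambda e: e["ts"])


def filter_events(events, start, end, ip=None):
    """Keep events with start <= ts < end; if ip is given, only those involving that address."""
    return [e for e in events if start <= e["ts"] < end and (ip is None or e["ip"] == ip)]


def render(events):
    """One fixed-width line per event, all times shown in UTC."""
    return [f'{e["ts"].isoformat()} {e["source"]:6} {e["host"]:9} {e["msg"]}' for e in events]


if __name__ == "__main__":
    timeline = build_timeline()
    for line in render(filter_events(timeline, *INVESTIGATION_WINDOW, ip="10.0.1.5")):
        print(line)
```

Run as a script, it prints only the four records that involve 10.0.1.5 inside the 09:00 to 09:30 UTC window; the syslog sudo line carries no address and the later rejected flow falls outside the window, so both are dropped. The point of the per-source parsers is that the offset and year assumptions are made once, explicitly, where an investigator can audit them, rather than being guessed at each time two logs are compared.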

  5. Hire the right staff

Forensics is an area that requires special skills and persistence in uncovering a series of connected events. Hire people with a passion for discovering the truth, the patience for lengthy research, and a talent for solving complex puzzles.


[1] Wikipedia definition of ‘network forensics,’ accessed online on 12 Jan 2018.

[2] Cloud Security Alliance, “Cloud Forensics Capability Maturity Model,” accessed online on 12 Jan 2018.

[3] Keyun Ryan, Prof. Joe Carthy, Prof. Tahar Kechadi, and Marc Crosbie: “Cloud Forensics: An Overview,” Centre for Cybercrime Investigation, University College Dublin, accessed online on 12 Jan 2018.

[4] AWS Marketplace: “Simplify Security Incident Response and Digital Forensics on AWS,” accessed online on 11 Jan 2018.