issuing time‐limited certificates and thus separating the wheat from the
chaff.
3.2.4 Detecting security incidents
Detecting security incidents is often a difficult task for Cloud users.
Conventional IT environments, with on‐premises data‐processing, can rely
on an internal security incident management process which uses
monitoring, log file analyses, intrusion detection systems as well as data loss
prevention (DLP).
When outsourcing in the Cloud, it is not only the Cloud service itself that is
outsourced, but also significant aspects of security incident management.
Security incident management should therefore be included in the contract
with the Cloud provider.
Cloud users should inform themselves about the provider's detection
capabilities before migrating to the Cloud. The existence of a security
operation centre (SOC) and suitable security incident management is an
important selection criterion for a Cloud service. Cloud users and providers
should have the same idea about what qualifies as a security incident. In
fact, the definition of a security incident is mandatory in international Cloud
computing as Cloud users and providers may be located in different
jurisdictions and, for example, the loss of personal data could have different
implications. The loss of certain personal data may be immaterial to a US
provider, but it could be consequential to a European Cloud user. The
process for communicating security incidents and their escalation should
also be set down.
A look at the tools for detecting and clearing security incidents can also
provide clues as to the maturity of the provider's security incident
management.
33
3.2.5 Reacting to security incidents
Computer forensics
Computer forensics pertains to the identification, collection, analysis and
presentation of digital data in order to establish the facts of the case. In the
identification stage, possible evidence is identified together with the client,
depending on the actual case. Data collection entails establishing the 'scene
of the crime' and area of investigation, carefully preserving any evidence
33 An expanded version of this chapter can be found under