HIDDEN CHALLENGES WITH CLOUD COMPUTING

When legal and forensic technology meet clouds

©2014 Navigant Consulting, Inc. All rights reserved.

Upload: vuongbao

Post on 14-Mar-2018



TABLE OF CONTENTS

Section 1: Introduction
Section 2: Cloud Complexities
Section 3: Cloud Access
Section 4: Cloud Response
Section 5: Cloud Governance
Section 6: Questions


INTRODUCTION


ABOUT ME

» Stephen Ramey, GCFA
» Cell: (203) 648-2231

» Work Experience:
  › 9+ years of experience conducting digital investigations
  › Joined Navigant in early 2014 to lead their Digital Forensics practice in NYC
  › Alumnus of two Big 4 firms
  › Worked on several high-profile litigations and network breaches


ABOUT NAVIGANT

Navigant Consulting, Inc. (NYSE: NCI) is a specialized consulting firm. We help clients address critical business risks and opportunities with a combination of technical and subject matter expertise.

Legal Technology Solutions

› 275+ professionals
› 35+ project managers
› 20+ Forensic Specialists

Map locations: United States; Canada; Shanghai, China; Wanchai, Hong Kong; Singapore, Singapore; Dubai, United Arab Emirates; United Kingdom


CLOUD COMPLEXITIES


CLOUD BENEFITS

The Cloud:

» Reduced IT Spend
» Security
» Uptime
» User Connectivity
» Collaboration
» Productivity

"THE BASIC ISSUE IS, DO I TRUST THAT OTHER LEGAL ENTITY THAT HAS MY DATA ON THEIR HARD DRIVE?"
- BRUCE SCHNEIER, CTO, CO3 SYSTEMS

SOURCE: COMPUTERWORLD, "CLOUD SECURITY CONCERNS ARE OVERBLOWN", http://www.computerworld.com/article/2488086/cloud-security/cloud-security-concerns-are-overblown--experts-say.html


PRIMARY AREAS TO FOCUS

» What are the access controls to your information when it’s stored in the cloud?

» How will your cloud provider interact or participate during investigations, litigations, and legal holds?

» Do you have governance over and/or the “right to audit” your cloud provider’s service, security, and access controls?


CLOUD ACCESS


THERE ARE MANY CLOUDS

» What type of cloud services will your company allow?
  › Individual file sharing: Dropbox, Google Drive, Microsoft Azure
    ‒ Concerns:
      ◦ Insider threat leaks Intellectual Property (“IP”)
      ◦ Preservation of company information from a personal account
  › Enterprise wide: Box.com, Google Enterprise, Office 365
    ‒ Concerns:
      ◦ “Someone” is accessing your information without your knowledge
      ◦ Data export speeds are throttled by the provider
  › Social: Twitter, Facebook, Google+
    ‒ Concerns:
      ◦ The “over-sharer” discloses non-public information


YOUR DATA IS YOUR DATA

» Choosing a provider is about trust… and due diligence
» Ask questions about the cloud provider:
  › Who has access to the data, server rooms, and the facilities?
  › How are access controls monitored?
  › What’s the cloud provider’s obligation to release data to third parties?
    ‒ Law enforcement, government, previous employees
  › Who works for the provider? Are background checks performed?
    ‒ Full-time employees, contractors, vendors
  › Where will my data be stored, physically? In what countries/territories?
» Employ your IT security teams to review the providers’ controls and compare them to those of your organization


CLOUD RESPONSE


YOUR DATA CAN’T BE PRESERVED BY YOU

» Data collection can be difficult, costly and time-consuming
  › Cloud providers may not have the expertise to preserve files defensibly
  › Organization of exported data can create challenges for investigators
    ‒ Custodian identification may be difficult
    ‒ Metadata times/dates may be inaccurate from mass copying or moving
  › Cloud providers may prohibit access to their systems with forensic collection tools
» Data from multiple accounts can be co-mingled on the same hard drives
  › Creates complexities with physically accessing the system
  › Confidentiality constraints between the cloud provider and those accounts
» Artifacts may be more difficult to acquire, preserve, or access
  › Account access logs: log on/off; file access, deletion, modifications
  › The server’s physical location may affect which data privacy laws and regulations apply
    ‒ Ex. US data stored on a server in an EU country


CLOUD GOVERNANCE


POLICIES AND CONTRACTS

» To your employees:
  › Provide direction by establishing a policy for the use of the cloud and its products
    ‒ Take a stance: utilize specific cloud services
    ‒ Establish a data classification system for data stored in the cloud
    ‒ Develop an Acceptable Use Policy (“AUP”) for cloud products
» To your cloud provider:
  › Negotiate terms of the contract
    ‒ Service Level Agreements (“SLA”) for
      ◦ Response to incidents (data breach, regulatory inquiries and litigations)
      ◦ Data preservation
      ◦ Physical locations for data storage
    ‒ Right to audit security controls and services, periodically
    ‒ Fees related to data export, access by third parties, and bandwidth


QUESTIONS?


ADDITIONAL MATERIAL

» Computer Weekly.com, “Azure CTO Mark Russinovich’s top ten public cloud security risks”, October 10, 2014
  › http://www.computerweekly.com/news/2240232396/How-to-mitigate-top-ten-public-cloud-security-risks-Azure-CTO-Mark-Russinovich
» Computerworld.com, “Cloud security concerns are overblown, experts say”, February 27, 2014
  › http://www.computerworld.com/article/2488086/cloud-security/cloud-security-concerns-are-overblown--experts-say.html
» InformationWeek.com, “9 worst cloud security threats”, March 3, 2014
  › http://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085
» National Law Review, “Security and privacy are key concerns as mobile devices push cloud computing growth”, January 6, 2015
  › http://www.natlawreview.com/article/security-and-privacy-are-key-concerns-mobile-devices-push-cloud-computing-growth
» Forbes.com, “Will security kill the cloud?”, August 26, 2014
  › http://www.forbes.com/sites/sungardas/2014/08/26/will-security-kill-the-cloud/