One of the inherent benefits of cloud computing is the efficient and optimal utilization of resources for applications. The pay-as-you-go model that cloud computing provides requires elasticity of these resources. Cloud computing provides a self-serve model with the ability to scale resources up or down depending on the needs of the customers. NIST’s definition of elasticity is as follows: “Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.” Enabling elasticity in the cloud strongly implies the virtualization of these resources. In cloud computing, the elasticity of these resources poses a significant challenge with regard to the mobility of these resources across physical boundaries, i.e., servers, switches and possibly data centers.
The elasticity and mobility of resources, coupled with the huge amount of data flowing in, out and within a cloud, pose a significant challenge for digital forensics. Digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of any system capable of storing digital data, which now includes the cloud. The cloud in particular poses some specific challenges for digital forensics. Waldo Delport and MS Olivier present the process for conducting digital forensics in their paper; a presentation based on their paper is available online. An instance or a group of instances would need to be analyzed for a particular investigation. The process of analyzing these “crime” domains presents challenges, some of which are listed below:
- Identification of the location of an instance or a group of instances
- Blocking and isolating traffic for a particular instance before the start of the investigation process
- Guaranteeing non-contamination of the instance
- Separation, i.e. data unrelated to the incident is not part of the isolation.
Isolation of these resources during operations, and during the forensics process in the event of an investigation, is important. This isolation is necessitated by the inherent multi-tenancy and sharing of resources in the cloud. It is required to maintain successful isolation of an instance and to provide Confidentiality, Integrity and Availability (CIA) of the resources at all times. The data collected from the instances for forensics is not covered in this blog post, though Nimbula Director provides all the necessary data from the infrastructure for analysis.
Nimbula Director provides the following mechanisms to aid digital forensics:
- It provides a scalable and unique identification mechanism for instances from the nodes across the clouds.
- It provides the security mechanisms for blocking and isolating traffic. Nimbula Director has a highly scalable and distributed role-based network policy mechanism. Security policies are defined, and access between VMs is defined in terms of these policies, called security lists. In a cloud environment, where dynamic resource provisioning can see instances launched or terminated frequently, assigning an instance to one or more security lists enables cloud administrators or auditors to isolate instances through an API.
- The role-based and resource-based object permission systems unique to Nimbula Director enable cloud administrators to manage ownership of the instances and guarantee isolation in cases of audits.
- To extend the isolation of an instance or set of instances, Nimbula Director supports the ability to snapshot instances and tag nodes. A particular set of instances under investigation can be isolated by moving them to isolated areas or by moving other instances to other nodes.
- All critical events and configuration changes are logged to enable postmortem of specific instances.
Nimbula Director exposes these mechanisms through RESTful APIs, which makes it easier for cloud administrators or cloud auditors to develop digital forensics auditing and data collection mechanisms programmatically and to automate the digital forensics process.
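The isolation and logging mechanisms described above can be modelled in a few dozen lines. The following is an added example written for this post, not Nimbula Director's own API or data model: the `Instance`, `Policy` and `Cloud` classes, the `quarantine()` operation, the `forensic-<case>` list naming and the hash-chained audit log are all assumptions made for the illustration. It shows why security-list membership is a good isolation primitive for forensics: evaluation is default-deny, so moving an instance out of its production lists and into a case-specific list cuts all existing traffic without logging in to, rebooting or otherwise touching the instance, while a single policy lets the investigators' workstation reach it. Every provisioning and policy change is appended to a hash-chained log so a post-mortem can detect an edited or deleted entry.

```python
"""Toy model of security-list isolation for a forensic case (constructed example,
not Nimbula Director's API; all names are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json


@dataclass
class Instance:
    instance_id: str
    node: str                               # physical host the instance runs on
    security_lists: set = field(default_factory=set)


@dataclass(frozen=True)
class Policy:
    """Allow traffic from members of src_list to members of dst_list on port."""
    src_list: str
    dst_list: str
    port: int


class Cloud:
    def __init__(self):
        self.instances = {}
        self.policies = set()
        self.audit_log = []                 # hash-chained record of critical events

    def launch(self, instance_id, node, security_lists):
        self.instances[instance_id] = Instance(instance_id, node, set(security_lists))
        self._log("launch", instance_id, node=node, lists=sorted(security_lists))

    def add_policy(self, src_list, dst_list, port):
        self.policies.add(Policy(src_list, dst_list, port))
        self._log("policy_add", None, src=src_list, dst=dst_list, port=port)

    def allowed(self, src_id, dst_id, port):
        """Default-deny: traffic passes only if some policy links the two lists."""
        src, dst = self.instances[src_id], self.instances[dst_id]
        return any(p.src_list in src.security_lists
                   and p.dst_list in dst.security_lists
                   and p.port == port
                   for p in self.policies)

    def quarantine(self, instance_id, case_id):
        """Move an instance into a case-specific list that production policies
        never reference. Nothing on the instance itself is modified, so its
        state is preserved for the investigation."""
        inst = self.instances[instance_id]
        previous = sorted(inst.security_lists)
        inst.security_lists = {f"forensic-{case_id}"}
        self._log("quarantine", instance_id, case=case_id, previous_lists=previous)
        return previous

    def _log(self, event, instance_id, **details):
        """Append an event whose hash covers the previous entry's hash."""
        prev_hash = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "instance": instance_id, "details": details, "prev": prev_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def verify_log(self):
        """Recompute the chain; an edited, reordered or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed scenario: a web tier talking to a database, then one web
    instance pulled into the isolated list for case 0001."""
    cloud = Cloud()
    cloud.launch("web-1", "node-a", {"web"})
    cloud.launch("db-1", "node-b", {"db"})
    cloud.launch("forensic-ws", "node-c", {"forensic-ws"})
    cloud.add_policy("web", "db", 5432)
    cloud.add_policy("forensic-ws", "forensic-0001", 22)  # analysts reach the case list only

    before = cloud.allowed("web-1", "db-1", 5432)         # normal operation
    cloud.quarantine("web-1", "0001")
    after = cloud.allowed("web-1", "db-1", 5432)          # severed from production
    analyst = cloud.allowed("forensic-ws", "web-1", 22)   # investigators still have access
    return before, after, analyst, cloud.verify_log()


if __name__ == "__main__":
    print(demo())
```

The scenario returns `(True, False, True, True)`: the web instance could reach the database before quarantine, cannot afterwards, the forensic workstation can reach the quarantined instance, and the audit chain verifies. Because `quarantine()` records the instance's previous lists, the same log also documents what must be restored once the investigation closes.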