E-discovery Is an Information Lifecycle Management Problem, Not a Security Problem
The more I learn about e-discovery, the less I think it's a security problem. The vast majority of e-discovery issues are pure Information Lifecycle Management (ILM) concerns. The one area where I think security has a role is countering the subject's utilization of anti-forensics and counter-forensics (defined previously as attacking evidence and attacking tools, respectively).
I was reminded of this opinion while reading Find What You're Looking For? in Information Security magazine. Take a look at these Evidence Sources, for example.
Given the data sources depicted in the figure, why should information security have anything to do with e-discovery? I'll answer that question: history and tradition. In the "old days," internal investigations primarily meant imaging hard drives, reviewing content for disgusting images or incriminating documents, and producing them for management. Only the security team had the necessary expertise for this exercise. Today, the age of thinner clients, centralized storage, remote outsourced backup, and so on, we need to image hard drives less and less. Those who support the IT infrastructure should be responsible for e-discovery. In fact, I've seen a lot of attention to e-discovery in the storage press (One year after FRCP, struggles continue with e-discovery, How to purchase an e-discovery tool, and so on). I think this is appropriate.
Note this is totally different from intrusion investigations. Analyzing what an intruder did (insider or outsider) is not the same as producing documents for opposing counsel, a regulatory agency, or another party. E-discovery is not about investigating violations of CIA -- it's a document production exercise.
I liked the following figure in the Information Security article.
It's probably easy to see where your organization falls on this continuum.
I think it's time to push the e-discovery issue to where it belongs -- with the data managers or at least the legal team. As the number of true security mandates increase the load of the security team, I suggest sending work where it should be done, not where it might traditionally have been done. (I could say the same thing about backup, by the way. Wait, isn't that an availability issue? No -- availability is a security responsibility when it is at risk due to attack, not because someone's hard drive died.)
Finally, I'd like to reproduce part of the article that is not online but which is very important in my opinion.
Spare the White Gloves: Electronic Evidence does not need to be handled with excessive care.
Organizations need to debunk a chain-of-custody myth that perseveres in security circles: that evidence must be handled with white gloves, plastic bags and forceps (metaphorically speaking). In other words, the assumption that electronically stored information (ESI) must have extreme tamper-proofing and virtuous handling procedures and be pure as the driven snow for presentation in court simply isn't true.
Enterprises are not law enforcement and the cases they are usually involved in are not criminal ones. ESI comprises business records, and as long as it is stored in accordance with policy and as part of the normal IT operation in support of the business, then it is adequate for e-discovery purposes.
The US Federal Rules of Evidence state that just because data can be manipulated doesn't mean it can't be used. Rather, an enterprise simply must show that methods used to collect and store the information are essentiallyl trustworthy. Although prudent integrity protections should be employed -- such as access controls and logs of the actions of administrators who can delete or modify information -- an elaborate digital signature infrastructure or cryptographic checksums is unlikely to be required.
This is a worthwhile matter to discuss with a legal team. Consider the email records of Microsoft senior executives that were used as part of multibillion-dollar antitrust investigations. There were no intricate antitampering mechanisms for the ESI in that case, yet the evidence stood and few cases have stakes so high.
This reflects my own opinion too. You don't want to act irresponsibly, but you don't have to approach every event like it's a criminal case and you're the investigating detective.
I was reminded of this opinion while reading Find What You're Looking For? in Information Security magazine. Take a look at these Evidence Sources, for example.
Given the data sources depicted in the figure, why should information security have anything to do with e-discovery? I'll answer that question: history and tradition. In the "old days," internal investigations primarily meant imaging hard drives, reviewing content for disgusting images or incriminating documents, and producing them for management. Only the security team had the necessary expertise for this exercise. Today, the age of thinner clients, centralized storage, remote outsourced backup, and so on, we need to image hard drives less and less. Those who support the IT infrastructure should be responsible for e-discovery. In fact, I've seen a lot of attention to e-discovery in the storage press (One year after FRCP, struggles continue with e-discovery, How to purchase an e-discovery tool, and so on). I think this is appropriate.
Note this is totally different from intrusion investigations. Analyzing what an intruder did (insider or outsider) is not the same as producing documents for opposing counsel, a regulatory agency, or another party. E-discovery is not about investigating violations of CIA -- it's a document production exercise.
I liked the following figure in the Information Security article.
It's probably easy to see where your organization falls on this continuum.
I think it's time to push the e-discovery issue to where it belongs -- with the data managers or at least the legal team. As the number of true security mandates increase the load of the security team, I suggest sending work where it should be done, not where it might traditionally have been done. (I could say the same thing about backup, by the way. Wait, isn't that an availability issue? No -- availability is a security responsibility when it is at risk due to attack, not because someone's hard drive died.)
Finally, I'd like to reproduce part of the article that is not online but which is very important in my opinion.
Spare the White Gloves: Electronic Evidence does not need to be handled with excessive care.
Organizations need to debunk a chain-of-custody myth that perseveres in security circles: that evidence must be handled with white gloves, plastic bags and forceps (metaphorically speaking). In other words, the assumption that electronically stored information (ESI) must have extreme tamper-proofing and virtuous handling procedures and be pure as the driven snow for presentation in court simply isn't true.
Enterprises are not law enforcement and the cases they are usually involved in are not criminal ones. ESI comprises business records, and as long as it is stored in accordance with policy and as part of the normal IT operation in support of the business, then it is adequate for e-discovery purposes.
The US Federal Rules of Evidence state that just because data can be manipulated doesn't mean it can't be used. Rather, an enterprise simply must show that methods used to collect and store the information are essentiallyl trustworthy. Although prudent integrity protections should be employed -- such as access controls and logs of the actions of administrators who can delete or modify information -- an elaborate digital signature infrastructure or cryptographic checksums is unlikely to be required.
This is a worthwhile matter to discuss with a legal team. Consider the email records of Microsoft senior executives that were used as part of multibillion-dollar antitrust investigations. There were no intricate antitampering mechanisms for the ESI in that case, yet the evidence stood and few cases have stakes so high.
This reflects my own opinion too. You don't want to act irresponsibly, but you don't have to approach every event like it's a criminal case and you're the investigating detective.
Comments
I'm really struggling to see the day when the CEO will give legal responsibility for ediscovery. If you were the boss of a mid-large sized company would you really want to tie up your expensive legal resources with 'doing ediscovery'? You would certainly want them driving it but probably not actually doing it. Skilled IT resources cost money, but compare that to a tech-savvy laywer!
Cheers,
Craig
but if you can prove it, why not eliminate any room for doubt?
With our technology model, one can rank both audit logs and users for integrity. Once the security officer sets the appropriate integrity levels (audit trail>users), then you have tamper-proof traces, and systems people can easily follow-up to obtain docs for e-discovery purposes, as you rightfully propose.
This should make the work of both e-discovery and forensic analysis easier.
Why does it matter then? I believe that my department's growth to handle e-discovery cases has come at the expense of other areas that need it more. Now if I ask senior management for more headcount to confront the emerging threats of the day, they'll say "but we just gave you a full time person for e-discovery." As Richard has pointed out, I just don't think it's aligned with what our core mission should be.
However, e-discovery demands on an IT department should be minimal, provided they already have good procedures in place:
1. Know who has access to what
2. Know what you have
3. Know where it is, and in what formats.
If you can answer this, you're pretty much ready for e-discovery.