Cloud Incident Readiness

Why is it important to prepare for an incident in the cloud?

According to Forbes, 83 percent of the enterprise workload will be in the cloud by 2020, and the biggest concern for 66 percent of IT professionals is securing the cloud. One of the greatest benefits of the cloud is the ease of deploying and configuring machines. This flexibility and ease of use, however, introduces new risks such as limited visibility and reduced control. It is often difficult for an organization to keep track of all the new configurations and to provide complete detection and response capabilities during an incident in the cloud. Threat actors are also adapting to their victims' environments, which means they are shifting their focus to the cloud and further increasing the associated risks. However, we believe this is an opportunity for organizations to do cybersecurity 'right' from the start. The 'right' way of doing cybersecurity in the cloud consists of having up-to-date procedures and technology, all of which reflect an organization's cloud environment. So, hopefully, in the unlikely event your cloud environment is breached, you are prepared and ready to respond.

Is your organization prepared?

The following are several questions we use to evaluate cloud readiness for your organization:
  • Is documentation available that covers incident handling procedures for cloud environments?

  • Is there a capability to forensically acquire logging, memory and disks from cloud environments?

  • Is there visibility across all cloud assets and who has access to these assets?

  • Are detection measures covering assets in cloud environments?

How can PwC help you?

Ideally, your organization is able to answer all of the above questions, but organizations often struggle to answer several, if not all, of them, which is why we have developed our Cloud Incident Readiness (CIR) service. The biggest challenge for organizations is often adapting their current way of working and technology to cover cloud environments. CIR helps organizations adapt traditional incident handling procedures and technologies to cloud environments. Since most organizations use the National Institute of Standards and Technology's Computer Security Incident Handling Guide for their Incident Response, we have chosen to structure the CIR around it. CIR is focussed mainly on the Preparation and Detection & Analysis steps of the NIST Incident Handling Guide. To make sure the CIR can be adopted and integrated with existing capabilities of organizations, we have developed bespoke technology solutions, which are not commercially available. These solutions include automated memory acquisition of Windows and Linux systems for all major cloud providers; incident handling procedures covering acquisition, processing and analysis for all major cloud providers; and security monitoring guidelines and best practices to detect threats in cloud environments.

Our methodology and approach

CIR is tailored towards your requirements and organization's cloud environment and typically includes the following phases:


In the preparation phase, we assess your organization's preparedness for incident handling in the cloud. We work with you to gain a better understanding of your organization's cloud environment and assess what materials are already available for incident handling. An assessment of the current configuration and procedures is conducted to understand the current state of preparedness and aid in updating procedures and documentation to include cloud environments.


Using the results of the preparation phase, we implement and integrate the necessary technology to help with the acquisition of evidence. The required procedures for acquiring evidence in your cloud environment are documented and maintained for future cases. An overview of your organization's available logs is provided and used to understand how they are used for incident detection and response in the cloud.


In the processing phase, we advise on the best ways to process all acquired evidence, whether it is a memory snapshot or logs from your cloud environment. The advice is tailored to your investigative environment to make sure it integrates with your technology and way of working.


In the final phase, we coordinate all output from the previous phases to ensure your organization is ready for an incident in your cloud environment. In practice, this means providing your organization with insights on what to search for in cloud environment logs and analysis tips relating to hard disk snapshots and memory. The end goal is to make sure that your organization understands how to analyze the evidence from your cloud environment.

Contact us

Tom Driehuys

Partner, Advisory Cyber Forensics & Privacy, PwC Netherlands

Tel: +31 (0)61 383 29 69

Wouter Otterspeer

Director, PwC Netherlands

Tel: +31 (0)61 080 14 62