Digital Forensic Readiness to Mitigate Insider Threats in the SaaS Cloud Environment

Authors

DOI:

https://doi.org/10.34190/iccws.21.1.4508

Keywords:

insider threat, Cybercrime, Digital forensics readiness, SaaS Cloud, Artificial Intelligence, Anomaly Detection

Abstract

Insider threats continue to pose significant risks in Software-as-a-Service (SaaS) environments, where legitimate users hold varying levels of access and control. Existing mitigation measures remain largely reactive, focusing on post-incident investigation and evidence recovery, which often result in delayed detection and incomplete forensics. A proactive and forensically sound approach is therefore required to identify and contain insider activity before major compromise occurs. This paper presents the Digital Forensic Readiness to Bust Insider Threats (DFR-BUST) model, a framework that embeds forensic readiness principles within SaaS environments to enable early detection, secure evidence capture, and legally defensible investigations. The model is aligned with the ISO/IEC 27043 digital investigation process, operationalising its readiness, acquisitive, and concurrent process classes. The model was evaluated using an experimental setup based on publicly available insider-threat datasets to demonstrate its readiness and detection capability. The evaluation confirmed that the proposed architecture supports proactive evidence generation, integrity verification, and traceable anomaly detection within a controlled environment. Unlike conventional reactive approaches, DFR-BUST provides a proactive, evidence-centric mechanism that enhances both detection accuracy and forensic admissibility. Its modular design ensures adaptability across cloud platforms while maintaining compliance with international forensic investigation standards. Overall, this work bridges the gap between intelligent analytics and digital forensic readiness. By ensuring that insider detection outputs are accompanied by verified, admissible evidence, the framework contributes a practical foundation for developing forensic-aware, cloud-based security systems.

Published

19-02-2026