Most large enterprises and many mid-sized businesses these days have some form of data governance program, usually including data retention and destruction policies. They have become imperative due to the increase in attacks on customer data and state and national laws mandating the protection of customer data. The old mindset of “Keep it all, forever” has become “If you don’t have it, you can’t violate it”.
In some ways, data retention policies have never been easier to implement than in the cloud. Providers offer simple templates and click-through settings to retain your data for a set period and then move it to near-offline cold storage or straight to the bit bucket (deletion). Just click, configure, and move on to the next information security priority.
Just click Delete?
However, I’m going to ask an embarrassing question that has been floating around in my head for a while: what actually happens to this data once you click “delete” on a cloud service? In the world of on-premises hardware, we all know the answer. The file system simply drops its index entry for the file and marks the blocks as free. The “deleted” data is still on the drive, hidden from the operating system and waiting to be overwritten when the space is needed. To really erase it, extra steps or special software are needed to overwrite the bits with zeros, ones or random patterns, and older guidance called for doing this multiple times to remove any residual trace of the deleted data. On SSDs and other flash storage, even that is not reliable, because wear leveling can leave copies of the data in blocks no overwrite utility can address; there the drive’s built-in secure-erase command, or encrypting the data and destroying the key, is the usual answer.
And if you do business with the U.S. government or other regulated entities, you may need to comply with DoD 5220.22-M, the National Industrial Security Program Operating Manual, whose overwrite method is still widely cited in data destruction requirements for contractors (current federal guidance for media sanitization is NIST SP 800-88). These practices are common even where no regulation requires them. You don’t want data you no longer need to come back to haunt you when you are breached. The Twitch game streaming service breach, in which hackers were able to access virtually all of the company’s data dating back almost to its inception, including earnings and other personal details of its well-paid streamers, is a cautionary tale here, along with reports of other breaches of abandoned or orphaned data files in recent years.
Lack of access to verify
So, while policies are easier to set and manage in most cloud services than on on-premises servers, it is much more difficult, if not impossible, to ensure that deletion is actually carried out to the DoD standard on a cloud service. How do you perform a low-level disk overwrite on cloud infrastructure where you have no physical access to the underlying hardware? The answer is that you can’t, at least not the way we used to, with software utilities or outright destruction of the physical drive. None of AWS, Azure or Google Cloud offers a customer-facing option or service that does this, not even on dedicated instances that run on separate hardware. You simply don’t have the level of access needed.
Outreach to the major services has been ignored or answered with generic statements about how they protect your data. What happens to data that is “deleted” from a cloud service such as AWS or Azure? Is it just sitting on disk, unindexed and waiting to be overwritten, or is it put through some sort of “bit mixer” to render it unusable before the storage is returned to the service’s free pool? No one, at this point, seems to know or want to say officially.
Adapt to the new reality
We need to develop a cloud-enabled way to do destruction that meets DoD standards, or we need to stop pretending and adjust our standards to this new reality.
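There is one cloud-enabled way to destroy data you cannot physically overwrite, and it is the approach practitioners already rely on: cryptographic erasure (NIST SP 800-88 calls it “crypto erase”). Data is encrypted under a key that lives only in a key management service; destroying the key makes every copy of the ciphertext, on live disks, snapshots and backups alike, unrecoverable no matter who later reads the orphaned blocks. The three major providers expose this through customer-managed keys that you can schedule for deletion. The Go program below is an added example written for this article, not code from the original post or from any provider. Its in-memory KeyStore is an assumed stand-in for a real KMS, and the tenant id and payout record are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a cloud KMS (an assumption for this example): the only
// place the data key ever lives. Object storage, snapshots and backups see only ciphertext.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: make(map[string][]byte)}
}

// CreateKey mints a fresh 256-bit AES key for one tenant or dataset.
func (ks *KeyStore) CreateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// DestroyKey is the crypto-shred: zero the key material, then forget it.
// Every copy of the ciphertext anywhere becomes noise from this point on.
func (ks *KeyStore) DestroyKey(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key destroyed or unknown: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record under the tenant's key: output is nonce || ciphertext || tag.
// The tenant id is bound as associated data so a blob cannot be opened under another id.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Decrypt opens a blob produced by Encrypt; it fails once the key is gone.
func (ks *KeyStore) Decrypt(id string, blob []byte) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// ShredDemo runs the lifecycle on a constructed record and reports: was the stored blob
// readable before the shred, readable after it, and does the blob (the "orphaned" bytes
// left on disk) contain the plaintext at all.
func ShredDemo() (readableBefore, readableAfter, plaintextOnDisk bool, err error) {
	ks := NewKeyStore()
	const tenant = "tenant-42"                                   // constructed sample
	record := []byte("payout: streamer@example.com, $12,345.00") // constructed sample
	if err := ks.CreateKey(tenant); err != nil {
		return false, false, false, err
	}
	blob, err := ks.Encrypt(tenant, record)
	if err != nil {
		return false, false, false, err
	}
	got, err := ks.Decrypt(tenant, blob)
	readableBefore = err == nil && bytes.Equal(got, record)

	ks.DestroyKey(tenant) // retention period over: shred the key, not the disk

	_, err = ks.Decrypt(tenant, blob)
	return readableBefore, err == nil, bytes.Contains(blob, record), nil
}

func main() {
	before, after, onDisk, err := ShredDemo()
	fmt.Printf("readable before shred: %v\nreadable after shred: %v\nplaintext in stored blob: %v\nerr: %v\n",
		before, after, onDisk, err)
}
```

The last return value is the point of the exercise: the blob is still there after the shred, exactly as a deleted file’s blocks are still on an on-premises disk, but it never contained plaintext in the first place, so it does not matter who reads it. Crypto erase is only as strong as two assurances: the key never existed anywhere else (no exports, no HSM backups you do not control), and everything was encrypted under it from the start. Data written before encryption was switched on, or logs and caches the application wrote in the clear, is not covered.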
Perhaps the cloud providers could offer a service that provides this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and many companies would certainly pay for such a service if proper certificates of destruction came with it. It would likely be cheaper than the fees charged by the companies that provide certified physical destruction services.
AWS, Azure, Google Cloud and the other major cloud services (including software-as-a-service providers) need to address these issues with real answers, not obfuscation and marketing. Until then, we’ll just pretend and hope, praying that some brilliant hacker doesn’t figure out how to access this orphaned data, if they haven’t already. Either way, the tough questions about cloud data destruction need to be asked and answered sooner rather than later.