How to Secure Data Destruction in the Cloud
By Colleen Frye
Like a classic horror film that has you believing the monster is dead, only to roar back to life, will the data you thought was securely deleted from the cloud come back to haunt you-and possibly put you at risk for a breach?
It's a huge issue, says Johannes Ullrich, director of the Internet Storm Center at the SANS Technology Institute. "You cannot securely delete anything in the cloud; you don't control the medium."
Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA), says, "From the beginning we've talked about this and understood it was an issue." It's even more important now, he says, as organizations are "all-in" with cloud.
Market research firm IDC forecasts worldwide public cloud services spending to reach $195 billion by 2020. In a separate report, IDC found that 58 percent of all organizations surveyed are embracing the cloud, using public or private cloud for more than one or two small applications or workloads, up from 24 percent just over a year ago.
And according to Transparency Market Research, the increased adoption of cloud services is boosting demand for data center IT asset disposition (ITAD) solutions, and TMR projects the global cloud ITAD market to grow from $3.5 billion in 2015 to $4.6 billion by 2020.
For public, private and hybrid cloud infrastructures, the best practices around data disposal are the same, says Steve Malmskog, co-author of Cloud Security for Dummies and chief network architect of Netskope Inc. "But the processes by which data disposal is done can vary, and the owner of each part of the process can vary. In a private situation, everything is under the control of the enterprise and they can perform proper audits to ensure compliance. For public and hybrid cloud situations, they are relying on a third party to adopt and practice the proper processes."
While organizations still own their data in the cloud, "the management of that data is now largely relinquished to a third party," Malmskog says. "This requires that businesses evaluate their cloud vendors and understand what static risks their data management policies may present, especially as it pertains to secure data destruction. This requires a great deal of due diligence. For example, a cloud vendor who uses SSDs will have a very difficult time proving to a business that their data has been properly erased due to wear-leveling algorithms used in the SSD. This is one of the reasons Apple removed their 'Secure Empty Trash' option in Mac OS X when they moved to SSDs."
In addition, cloud providers' businesses depend on providing 24/7 redundant access to information, and at a minimum there may be six copies of an organization's data, the CSA's Reavis says. Secure data destruction is complicated by the fact that there is a wide variety of cloud services and different policies that relate to the data lifecycle. Cloud providers "don't want to inadvertently destroy customer information and have a legal liability," Reavis says. "They also want to provide information for a customer that cancels the service and then wants that service back, so they need to preserve the data for a while." Cloud providers need to describe their policies "in a way that's believable to the customer."
In terms of physical destruction of hardware, the provider must deliver assurances that it is doing so properly. Malmskog noted how Google touted its physical drive shredder at the Google Next conference last March, emphasizing that its drives are physically destroyed to ensure that no data can be recovered downstream in the waste collection process. "So for those who use Google Drive, they can be confident that their data is physically inaccessible. But in many situations, this is an unknown and can lead to serious data breach issues."
For securely protecting and deleting data at the logical level, Reavis recommends strong encryption and key management as best practices. Ideally, the provider holds the information and the customer holds the key. "As you revoke keys, you make that information unusable/unreadable. From a logical perspective that's the best way to manage the deletion of data. . . . You would have to have a pretty amazing compromise to attack those separate entities to get the information." Encryption and key management also prevent the cloud provider from being able to provide a customer's data to a third party, he adds.
Data encryption is not just becoming more important, Malmskog maintains, "but actually becomes a cornerstone for an organization to protect itself against potential mishandling of data by a cloud application." For example, if a cloud storage company disposes of some failed hard drives carrying unencrypted data simply by sending them intact to an e-waste recycler, rather than physically destroying them, the data can potentially be recovered and lead to a breach. "Additionally, proper encryption requires proper key management, which is where the ability for an organization to manage [its] own keys apart from the cloud provider becomes important."
SANS's Ullrich says encryption can help, but he doesn't recommend storing encrypted or confidential data in the cloud. Instead, he recommends the tokenization method used by organizations that handle medical records and payment card data.
For organizations seeking guidance on secure data destruction in the cloud, the CSA recommends STARWatch, a SaaS application to manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. Using the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ), organizations can manage compliance of cloud services with the CSA best practices. "We [provide] a lot of the questions so that providers can tell you how they manage and handle deletion of information and destruction of media," Reavis says. "Then you can use the STAR program as a repository of CSPs. It's a free resource; all big-name cloud providers are in there, niche providers as well."
Organizations can also turn to an independent cloud access security broker (CASB), a relatively new type of services provider that "offers some promise but is no perfect solution," he adds.
Organizations that need to comply with industry regulations "can be overwhelmed in trying to evaluate if every potential cloud provider meets the required regulations," Malmskog says. "This is where the use of CASBs can help, as they often maintain a database of cloud provider security assessments similar to the Cloud Security Alliance's CCM. This can be used to quickly create a short list of potential cloud vendors that can be then vetted at a more detailed level."
While all three experts say they are unaware of any breaches occurring due to lack of secure data disposal in the cloud, Ullrich urges organizations to take precautions, at the very least by signing a contract that covers them legally.
"In the end," he says, "it comes down to trusting cloud providers to do right thing, and in many ways they do."
Colleen Frye is a freelance writer and contributor to InfoSecurity Professional magazine. This is her first article for Cloud Security Insights.