Data is one of the most important assets an enterprise holds, which is what makes the use of cloud-based services a significant risk. To mitigate that risk, organizations must plan for removing their data from the cloud should the requirement arise, for example when leaving a cloud service provider or migrating from one provider to another. Cloud environments host many types, structures, and components of data spread across shared resources, and in a multitenant environment the customer's options for deleting data and sanitizing the underlying media are severely restricted: the media belong to the provider, are shared with other tenants, and may hold replicas and snapshots the customer never sees. Removal is especially difficult when it involves large amounts of structured data, which is where “vendor lock-in” and interoperability become crucial.
Aside from the effort of reconstructing and reformatting large data sets so they can be imported into a new cloud service or provider, the secure deletion or sanitization of digital media remains a largely unsolved issue for cloud providers and cloud customers alike.
Sanitization Options
To dispose of electronic records safely, the following options are available:
- Physical destruction: Physically destroying the media by incineration, shredding, or other means.
- Degaussing: Using a strong magnetic field to scramble data on magnetic media such as hard drives and tapes.
- Overwriting: Writing a known or random pattern over every addressable location on the media. Multiple passes have traditionally been considered more thorough; for modern magnetic drives a single complete pass is generally accepted as sufficient (NIST SP 800-88), and on flash media a logical overwrite may never reach every physical cell because of wear levelling.
- Cryptographic erasure: Encrypting the data and then destroying the encryption key, so that what remains on the media is ciphertext that cannot be read without a key that no longer exists.
Physical Destruction
Digital information can be destroyed by disintegration, pulverization, melting, incineration, or shredding: processes that transform a storage device, such as a hard drive, into unusable fragments. Done to the degree appropriate for the media (flash chips must be reduced to far smaller particles than platters), the information is unrecoverable and protected from exploitation.
Degaussing
Degaussing erases data on tape and disk media by exposing them to a strong magnetic field that reduces or eliminates the magnetic domains in which the data is stored, scrambling all information into random patterns. It has no effect on solid-state (flash) media, and on modern hard drives it also destroys the servo tracks, leaving the drive unusable afterwards.
Data Overwriting
Overwriting data multiple times does not in itself guarantee that the data is irretrievable, but it makes retrieval far more complex, costly, and time consuming. On its own it may not be sufficient for highly sensitive, confidential, or regulated information hosted in cloud deployments, where the customer cannot confirm that every copy has actually been reached.
When files are deleted, they merely become “invisible” to the user: the file system marks the space they occupied as available, and that space is only overwritten when the system happens to write new data there as part of normal use. Until then, forensic investigators, or anyone else with the relevant toolset, can recover the content in a matter of minutes, hours, or days.
Where possible, overwriting data multiple times extends the time and effort required to retrieve it and may make the storage components or partitions “unattractive” to attackers or others focused on recovering the information.
Degaussing and physical destruction are not practical or realistic options for a cloud customer, and because the customer does not know where its data physically resides, or how many copies exist, overwriting is eliminated as a destruction option as well. What remains is rendering the data unreadable: if the confidentiality of the data can be preserved even while the bits remain on the provider's media, unreadability becomes the next best thing to secure deletion.
Cryptographic Erasure
Since physical destruction, degaussing, and overwriting are not applicable to the cloud customer, the only reasonable method remaining for data sanitization is encryption. Encrypting data so that it can later be disposed of by destroying the key is also referred to as digital shredding or crypto-shredding.
Crypto-shredding is the deliberate destruction of the encryption keys that were used to encrypt the data. Because the data exists only in encrypted form, destroying the key renders it unreadable, at least until the cipher can be broken or the key brute-forced by an attacker. The ciphertext itself, including any replicas and snapshots the provider holds, need not be located or touched.
In order to perform proper crypto-shredding, consider the following:
- The data must be encrypted completely, with no cleartext copies remaining anywhere: not in backups, logs, caches, or indexes, and not on media that received the data before encryption was enabled.
- The technique must make sure that the encryption keys are totally unrecoverable, including every backup, escrow copy, and wrapped copy of the key. This is hard to accomplish if an external cloud service provider or other third party manages the keys; where the provider's key management service is used, confirm what its key-deletion operation actually does and whether the key remains recoverable during any scheduled-deletion window.
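As an added example, not from the original text and not any particular provider's product, the following Go program sketches crypto-shredding with a hypothetical key vault standing in for an HSM or KMS: records are encrypted with AES-256-GCM under a per-tenant key that lives only in the vault, the storage layer holds ciphertext and a key identifier, and destroying the key is the sanitization step. The names KeyVault, Encrypt, Decrypt and LeaksPlaintext, and the sample record, are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed: the key is gone, so the ciphertext can no longer be read.
var ErrKeyDestroyed = errors.New("key destroyed: data is crypto-shredded")

// KeyVault is a hypothetical stand-in for an HSM or KMS. Keys live here and
// only here; the storage layer holds ciphertext and key identifiers, never keys.
type KeyVault struct{ keys map[string][]byte }

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// Create generates a fresh 256-bit AES key for one tenant or data set.
func (v *KeyVault) Create(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	v.keys[id] = k
	return nil
}

// Destroy is the crypto-shred step: zeroize (best effort; the runtime may hold copies) and forget the key.
func (v *KeyVault) Destroy(id string) {
	if k, ok := v.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, id)
	}
}

func (v *KeyVault) gcm(id string) (cipher.AEAD, error) {
	k, ok := v.keys[id]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the named key; nonce||ciphertext||tag is all the storage layer keeps.
func Encrypt(v *KeyVault, keyID string, plaintext []byte) ([]byte, error) {
	gcm, err := v.gcm(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt fails with ErrKeyDestroyed after a shred; the GCM tag also rejects any wrong or guessed key.
func Decrypt(v *KeyVault, keyID string, blob []byte) ([]byte, error) {
	gcm, err := v.gcm(keyID)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// LeaksPlaintext checks the "no cleartext remaining" requirement over stored blobs.
func LeaksPlaintext(blobs [][]byte, p []byte) bool {
	for _, b := range blobs {
		if bytes.Contains(b, p) {
			return true
		}
	}
	return false
}

func main() {
	vault := NewKeyVault()
	_ = vault.Create("tenant-42")
	row := []byte("tenant-42 row: card ending 4242") // constructed sample record
	blob, _ := Encrypt(vault, "tenant-42", row)
	pt, _ := Decrypt(vault, "tenant-42", blob)
	fmt.Printf("before shred: %q\n", pt)
	vault.Destroy("tenant-42") // blob is untouched, wherever its replicas live
	_, err := Decrypt(vault, "tenant-42", blob)
	fmt.Println("after shred:", err)
}
```

Two details carry the two considerations listed above: LeaksPlaintext scans what the storage layer holds for the original bytes (the "no cleartext remaining" check), and Destroy both zeroizes and forgets the key. The zeroization is best effort in a garbage-collected language, which is exactly the limitation of key destruction on its own; a real deployment keeps the key in an HSM or KMS and relies on that device's destruction guarantees rather than on application code.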
A reliable way to sanitize a device you control is to erase and/or overwrite the data it contains. Most modern storage devices include built-in sanitize commands, such as ATA Secure Erase, SCSI SANITIZE, and the NVMe Format and Sanitize commands, that let users and custodians sanitize media simply and consistently. These commands are generally effective when implemented correctly and initiated properly, but, like any technical control, their effect must be verified rather than assumed: read the media back and confirm that nothing but the expected pattern remains.
Where the environment permits (it will not in most cloud-based deployments), erase each block, overwrite every block with a known pattern, and erase them again, verifying after each pass.
Done correctly, a complete erasure of the storage media eliminates the residual risks of cryptographic erasure alone: recovery of the key, side-channel attacks on the controller to recover information about the destroyed key, and future attacks on the cryptosystem.
NOTE: Key destruction on its own is not a comprehensive approach, as the key may be recovered using forensic techniques.
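As an added example, not part of the original text, this Go program applies the erase / known pattern / erase sequence described above to a regular file standing in for a block device, and verifies each pass by reading the whole target back, which is the check the text says must not be skipped. Pass, Overwrite, Verify and Sanitize are names chosen for the example, and the sample data it writes is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
)

// Pass is one sanitization pass: the byte pattern written to every block.
type Pass struct {
	Name    string
	Pattern byte
}

// DefaultPasses follows the text: erase, overwrite with a known pattern, erase again.
var DefaultPasses = []Pass{{"erase", 0x00}, {"pattern", 0xA5}, {"erase", 0x00}}

// Overwrite writes pattern over every byte of the target in blockSize chunks
// and flushes with Sync so the data leaves the OS cache. Returns bytes written.
func Overwrite(f *os.File, size int64, pattern byte, blockSize int) (int64, error) {
	block := bytes.Repeat([]byte{pattern}, blockSize)
	var written int64
	for written < size {
		n := int64(blockSize)
		if size-written < n {
			n = size - written
		}
		if _, err := f.WriteAt(block[:n], written); err != nil {
			return written, err
		}
		written += n
	}
	return written, f.Sync()
}

// Verify reads the target back and returns the offset of the first byte that
// does not match pattern, or -1 if every byte matches. This is the check the
// text asks for: a skipped block or an unreached sector shows up as a mismatch.
func Verify(f *os.File, size int64, pattern byte, blockSize int) (int64, error) {
	buf := make([]byte, blockSize)
	for off := int64(0); off < size; off += int64(blockSize) {
		n, err := f.ReadAt(buf, off)
		if err != nil && err != io.EOF {
			return off, err
		}
		for i := 0; i < n; i++ {
			if buf[i] != pattern {
				return off + int64(i), nil
			}
		}
	}
	return -1, nil
}

// Sanitize runs every pass against the file at path (standing in for a block
// device) and verifies each one, failing on the first pass that does not hold.
// Caveat: logical overwrites never reach remapped or over-provisioned flash cells.
func Sanitize(path string, passes []Pass, blockSize int) error {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	st, err := f.Stat()
	if err != nil {
		return err
	}
	for i, p := range passes {
		if _, err := Overwrite(f, st.Size(), p.Pattern, blockSize); err != nil {
			return err
		}
		bad, err := Verify(f, st.Size(), p.Pattern, blockSize)
		if err != nil {
			return err
		}
		if bad >= 0 {
			return fmt.Errorf("pass %d (%s): offset %d is not 0x%02x", i, p.Name, bad, p.Pattern)
		}
	}
	return nil
}

func main() {
	f, err := os.CreateTemp("", "volume")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Write(bytes.Repeat([]byte("card ending 4242\n"), 600)) // constructed sample data
	f.Close()
	if err := Sanitize(f.Name(), DefaultPasses, 4096); err != nil {
		fmt.Println("sanitize failed:", err)
		return
	}
	fmt.Println("all passes verified on", f.Name())
}
```

The read-back is what turns "we ran the command" into "the media holds nothing but the pattern"; a block the pass skipped, or a sector the command never reached, shows up as a non-negative offset. The caveats from the text still apply: on a regular file the read-back may be served from the operating system's cache rather than the medium, a logical overwrite does not reach over-provisioned or remapped cells on flash media, and on a cloud volume the customer cannot reach the provider's replicas and snapshots at all, so this complements a device-level sanitize command on hardware you control rather than replacing it.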