Data protection policies should include guidelines for the different data lifecycle phases. In the cloud, the following three policies should receive proper adjustments and attention:
- Data retention
- Data deletion
- Data archiving
Policies serve as the operational foundation for all aspects of data management and should be clearly reflected in data retention, deletion, and archival activities.
Data Retention Policies
A data retention policy is an organization’s established protocol for retaining information for operational or regulatory compliance needs. The objectives of a data retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed later, and to dispose of information that is no longer needed. The policy balances the legal, regulatory, and business data archival requirements against data storage costs, complexity, and other data considerations.
A good data retention policy should define:
- Retention periods
- Data formats
- Data security
- Data retrieval procedures for the enterprise
Data Retention Policy Components
A data retention policy for cloud services should contain the following components:
Legislation, regulation, and standards requirements: Data retention considerations are heavily dependent on the data type and the compliance regimes that apply to it. For example, according to the Basel II Accord, which governs financial data, the retention period for financial transactions should be between three and seven years, while according to the PCI DSS version 3.11 Requirement 10.7, all access to network resources, cardholder data, and credit card transaction data should be kept available for at least a year, with at least three months available online.
Data mapping: The process of mapping all relevant data to understand data types (structured, unstructured), data formats, file types, and data location (network drives, databases, object, or volume storage).
Data classification: Classifying the data based on locations, compliance requirements, ownership, business usage, or value to the organization. Classification is also used to decide on the proper retention procedures for the enterprise.
Data retention procedure: For each data category, the data retention procedures should be followed based on the appropriate data retention policy that governs the data type. How long the data is to be kept, where (physical location, jurisdiction), and how (which technology and format) should all be spelled out in the policy and implemented via the procedure. The procedure should also include backup options, retrieval requirements, and restore procedures as required and necessary for the data types being managed.
Monitoring and maintenance: Procedures for making sure that the entire process is working, including periodic review of the policy and its underlying requirements to confirm that nothing has changed.
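The components above (mapping, classification, retention procedure, monitoring) can be put to work in a single policy-evaluation routine. The following is an added example, not code from the source; the classifications, periods, jurisdictions, formats and object names are constructed illustrations, not values from any regulation.

```python
from dataclasses import dataclass
from datetime import date

# Retention rules keyed by data classification. Every period, jurisdiction
# and format below is a constructed illustration for this example.
@dataclass(frozen=True)
class RetentionRule:
    archive_after_days: int   # age at which data leaves production systems
    retain_days: int          # age at which data becomes eligible for deletion
    jurisdictions: frozenset  # where the data may physically reside
    formats: frozenset        # formats approved for long-term retention

POLICY = {
    "financial-transaction": RetentionRule(365, 7 * 365, frozenset({"EU", "US"}), frozenset({"csv", "parquet"})),
    "cardholder-audit-log": RetentionRule(90, 365, frozenset({"US"}), frozenset({"jsonl"})),
}

@dataclass
class DataObject:
    name: str
    classification: str
    created: date
    jurisdiction: str
    fmt: str
    legal_hold: bool = False  # a hold blocks deletion but not archiving

def evaluate(obj, today):
    """Return (action, violations): what the retention procedure should do with this object."""
    rule = POLICY.get(obj.classification)
    if rule is None:  # unmapped data can be neither kept nor deleted safely
        return "QUARANTINE", ["no retention rule for this classification"]
    violations = []
    if obj.jurisdiction not in rule.jurisdictions:
        violations.append(f"stored in {obj.jurisdiction}, allowed {sorted(rule.jurisdictions)}")
    if obj.fmt not in rule.formats:
        violations.append(f"format {obj.fmt} not approved for retention")
    age = (today - obj.created).days
    if age >= rule.retain_days and not obj.legal_hold:
        action = "DELETE"
    elif age >= rule.archive_after_days:
        action = "ARCHIVE"
    else:
        action = "RETAIN"
    return action, violations

# Constructed inventory, as the data-mapping step would produce it.
INVENTORY = [
    DataObject("txn-2016.parquet", "financial-transaction", date(2016, 1, 1), "EU", "parquet"),
    DataObject("txn-2016-hold.parquet", "financial-transaction", date(2016, 1, 1), "EU", "parquet", True),
    DataObject("pci-access-2023q3.jsonl", "cardholder-audit-log", date(2023, 9, 1), "EU", "jsonl"),
    DataObject("scratch.xlsx", "unknown", date(2023, 12, 20), "US", "xlsx"),
]
```

Running `evaluate` over the inventory on a fixed date gives the retention action per object and surfaces jurisdiction or format breaches that the monitoring step should report.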
Data Deletion Procedures and Mechanisms
A key part of data protection procedures is safely disposing of data once it is no longer needed. Failure to do so may result in data breaches and/or compliance failures. Safe disposal procedures are designed to ensure that there are no files, pointers, or data remanence left behind within a system that could be used to restore the original data.
A data deletion policy is sometimes required for the following reasons:
- Regulation or legislation: Certain laws and regulations require specific degrees of safe disposal for certain records.
- Business and technical requirements: Business policy may require safe disposal of data. Also, processes such as encryption might require safe disposal of the clear text data after creating the encrypted copy.
Restoring deleted data in a cloud environment is not an easy task for an attacker because cloud-based data is scattered, typically stored in different physical locations with unique pointers; therefore, achieving any level of physical access to the media is a challenge. Nevertheless, it is still an existing attack vector that you should consider when evaluating the business requirements for data disposal.
Data Archiving Procedures and Mechanisms
Data archiving is the process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems. Moving inactive data out of production systems optimizes the performance of resources needed there, while specialized archival systems store information more cost-effectively and provide for retrieval when needed.
A data archiving policy for the cloud should contain the following elements:
Data encryption procedures: Long-term data archiving with encryption could present a challenge for the organization regarding key management. Encryption policy should consider which media are used, restoration options, and which threats should be mitigated by the encryption. Bad key management could lead to the destruction of the entire archive and therefore requires attention.
Data monitoring procedures: Data stored in the cloud tends to be replicated and moved. To maintain data governance, it is required that all data access and movements be tracked and logged to make sure that all security controls are being applied properly throughout the data lifecycle.
Ability to perform e-discovery and granular retrieval: Archived data may be subject to retrieval according to certain parameters such as dates, subjects, authors, and so on. The archiving platform should provide the ability to do e-discovery on the data to decide which data should be retrieved.
Backup and disaster recovery options: All requirements for data backup and restore should be specified and clearly documented. It is important to ensure that the business continuity and disaster recovery plans are updated and aligned with whatever procedures are implemented.
Data format and media type: The format of the data is an important consideration because it may be kept for an extended period. Proprietary formats can change, leaving data in a useless state; therefore, choosing the right format is very important. The same consideration must be made for media storage types as well.
Data restoration procedures: Data restoration testing should be initiated periodically to make sure that the process is working. The trial data restore should be made into an isolated environment to mitigate risks such as restoring an old virus or accidentally overwriting existing data.
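The key-management risk named under data encryption procedures can be checked mechanically: an archive whose wrapping key is missing, or scheduled for deletion before the archive's retention period ends, is an archive that will be destroyed with the key. The following is an added example, not code from the source; archive names, key ids and dates are constructed.

```python
from datetime import date

# Constructed sample data: archived data sets and the inventory of keys that
# wrap them. Names, key ids and dates are hypothetical.
ARCHIVES = [
    {"archive": "ledger-2019", "key_id": "kek-001", "retain_until": date(2026, 12, 31)},
    {"archive": "hr-records-2020", "key_id": "kek-002", "retain_until": date(2030, 6, 30)},
    {"archive": "logs-2021", "key_id": "kek-003", "retain_until": date(2024, 3, 1)},
]

KEY_INVENTORY = {
    "kek-001": {"state": "enabled", "scheduled_deletion": None},
    "kek-002": {"state": "pending_deletion", "scheduled_deletion": date(2025, 1, 15)},
    # kek-003 is absent: destroyed, or never recorded in the inventory
}

def archive_key_risks(archives, keys):
    """Return (archive, reason) for every archive whose wrapping key
    will not outlive the archive's retention period."""
    findings = []
    for a in archives:
        key = keys.get(a["key_id"])
        if key is None:
            findings.append((a["archive"], f"key {a['key_id']} missing from inventory; archive is unrecoverable"))
        elif key["state"] != "enabled":
            deletion = key["scheduled_deletion"]
            if deletion is None or deletion < a["retain_until"]:
                findings.append((a["archive"],
                                 f"key {a['key_id']} is {key['state']} (deletion {deletion}) before retention ends {a['retain_until']}"))
    return findings
```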