Secure data disposal – is it a user’s or service provider’s responsibility?
Fri 20 Jun 2014
As more organisations move data to the cloud, keeping track of what is where, its retention status and its ultimate destruction is a growing challenge. Mustafa Naja explains the key areas of responsibility for both user organisations and cloud providers.
Although data accessibility and retrieval are key areas of concern for organisations, the area of secure data disposal, post retrieval, is often overlooked and considered the inherent responsibility of the cloud provider. While it is essential that cloud vendors dispose of data correctly, there are still some key areas of accountability for organisations too.
Cloud provider responsibility
Data disposal is more about securing the data than about destroying it. Understanding how cloud data storage and retrieval operate provides a good insight into this security. Typically, data is spread across a number of disks in different storage arrays, so in effect it is broken up into many different segments. This provides a natural level of security, which can be further protected with encryption keys – which the customer holds.
When it comes to the destruction, deletion or expiration of the data, a number of factors come into play. Firstly, a front end application can be used to set the retention policy which determines when data expires, so when the expiry date is reached, the index and data disappear. As a result, the SAN (storage area network) will free the disk space for it to be re-allocated and re-written – often multiple times. Recovering the data is not possible unless the physical disks can be accessed and proprietary, on-track applications are run, and even in these circumstances, data recovery is questionable. Even if successful, the data will be gibberish.
There are methodologies and compliance requirements in place for secure destruction of data that cloud providers are required to follow, ranging from routine quality control and data protection to compliance with ISO27001. Cloud service providers can also be audited, and the SAS70 Audit (Statement on Auditing Standards (SAS) No. 70) is a comprehensive standard that covers the deletion process.
Furthermore, the Waste Electrical and Electronic Equipment (WEEE) Directive requires cloud providers to manage the disposal of legacy storage and hardware, which often involves wiping the disks using multiple erase applications and then physically shredding them to ensure that nothing is recoverable. This type of data destruction is a highly specialised task and is performed by specialist companies.
However, from a compliance perspective, data is data, and its security is treated extremely seriously. Regulations apply equally to data stored on premise or in the cloud; there is no differentiation. Cloud providers need to follow these regulations to comply with current legislation, and any discussion around the provision of further proof or certification that cloud hosted data has been successfully erased is potentially a belt and braces approach.
As organisations move data to the cloud and spread it around, keeping track of what’s where and its retention status is a growing challenge, and the more cloud service providers a client uses, the harder it becomes to manage. The cloud provider is required to take “reasonable” measures to protect the data while it is in their domain, but the organisation is ultimately responsible for the data held and its management.
Front end applications are important for writing, managing and discovering the data. However, clear audits of what data sits where, and strict data retention / expiry / review policies with each cloud provider, are critical for the enterprise to be confident that data is appropriately erased and destroyed once it is no longer needed. All the cloud provider can do is act on instructions from the customer and ensure this is in line with the change management process stipulated as part of the contract agreement.
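The audit of what data sits where, and of each data set's retention status, can be kept as a simple register that is checked on a schedule. The following is an added example, not part of the original article: the provider names, data set names, dates and the 90-day review window are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class DataSet:
    name: str
    provider: str
    expires: Optional[date]     # retention expiry agreed with the provider
    deletion_confirmed: bool    # provider has confirmed the erasure

# Constructed register: every entry below is illustrative only.
INVENTORY = [
    DataSet("hr-archive-2009", "provider-a", date(2014, 1, 31), True),
    DataSet("mail-journal-2011", "provider-a", date(2014, 3, 31), False),
    DataSet("project-files", "provider-b", date(2014, 8, 15), False),
    DataSet("finance-ledgers", "provider-b", date(2020, 12, 31), False),
    DataSet("marketing-assets", "provider-c", None, False),
]
AUDIT_DATE = date(2014, 6, 20)  # constructed "today" for the sample run

def audit(inventory, today, review_window_days=90):
    """Classify each data set by its retention status as of `today`."""
    findings = {"no_policy": [], "overdue": [], "review_due": [], "ok": []}
    for ds in inventory:
        if ds.expires is None:
            findings["no_policy"].append(ds)    # nothing tells the provider when to delete
        elif ds.expires <= today and not ds.deletion_confirmed:
            findings["overdue"].append(ds)      # expired, erasure not yet confirmed
        elif 0 < (ds.expires - today).days <= review_window_days:
            findings["review_due"].append(ds)   # expiry approaching, decide keep or destroy
        else:
            findings["ok"].append(ds)
    return findings

def instructions_by_provider(datasets):
    """Group data set names per provider, one instruction list for each contract."""
    grouped = defaultdict(list)
    for ds in datasets:
        grouped[ds.provider].append(ds.name)
    return dict(grouped)

if __name__ == "__main__":
    result = audit(INVENTORY, AUDIT_DATE)
    for status in ("no_policy", "overdue", "review_due"):
        print(status, instructions_by_provider(result[status]))
```
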
Mustafa Naja is a hosting and managed services solutions specialist at Bluesource