The following is an excerpt from The Official (ISC)2 Guide to the CCSP CBK, Second Edition, by Adam Gordon, CISSP-ISSAP,...
ISSMP, SSCP. This section from Domain 2 describes three pillars of data protection procedure -- retention, deletion and archiving -- and guidelines for implementing each of these components in a cloud-based environment.
Data-protection procedure and policies should include guidelines for the different data lifecycle phases. In the cloud, the following three policies should receive proper adjustments and attention: Data retention, data deletion and data archiving.
A data retention policy is an organization's established protocol for keeping information for operational or regulatory compliance needs. The objectives of a data-retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed at a later date, and to dispose of information that is no longer needed. The policy balances the legal, regulation, and business data archival requirements against data storage costs, complexity, and other data considerations.
As part of your cloud data protection procedure, a good data-retention policy should define each of the following:
- Retention periods
- Data formats
- Data security
- Data-retrieval procedures for the enterprise
Data-retention policies for cloud services
A data-retention policy for cloud services should contain the following components:
Legislation, regulation, and standards requirements: Data-retention considerations depend heavily on the data type and the required compliance regimes associated with it. For example, according to the Basel II Accords for Financial Data, the retention period for financial transactions should be between three and seven years, whereas according to the PCI DSS version 3.1 Requirement 10.7, all access to network resources and cardholder data and credit card transaction data should be kept available for at least a year with at least three months available online.
Data mapping: This is the process of mapping all relevant data to understand data types (structured and unstructured), data formats, file types, and data locations (network drives, databases, object or volume storage).
Data classification: This involves classifying the data based on locations, compliance requirements, ownership, or business usage -- in other words, its value. Classification is also used to decide on the proper retention procedures for the enterprise.
Data-retention procedure: For each data category, the data-retention procedures should be followed based on the appropriate data retention policy that governs the data type. How long the data is to be kept, where (physical location, and jurisdiction), and how (which technology and format) should all be spelled out in the policy and implemented via the procedure. The procedure should also include backup options, retrieval requirements, and restore procedures, as required and necessary for the data types being managed.
Monitoring and maintenance: These are procedures for making sure the entire process is working, including review of the policy and requirements to make sure there are no changes.
Data deletion procedures and mechanisms
A key part of data-protection procedure is the safe disposal of data once it is no longer needed. Failure to do so may result in data breaches or compliance failures. Safe disposal procedures are designed to ensure that there are no files, pointers, or data remnants left behind in a system that could be used to restore the original data.
A data-deletion policy is sometimes required for the following reasons:
- Regulation or legislation: Certain laws and regulations require specific degrees of safe disposal for certain records.
- Business and technical requirements: Business policy may require safe disposal of data. Also, processes such as encryption might require safe disposal of the clear text data after creating the encrypted copy.
Restoring deleted data in a cloud environment is not an easy task for an attacker because cloud-based data is scattered, typically being stored in different physical locations with unique pointers. Achieving any level of physical access to the media is a challenge.
Nevertheless, it is still an existing attack vector that you should consider when evaluating the business requirements for data disposal as part of your cloud data protection procedure.
To safely dispose of electronic records, the following options are available:
Physical destruction: Physically destroying the media by incineration, shredding, or other means.
Degaussing: Using strong magnets to scramble the data on magnetic media such as hard drives and tapes.
Overwriting: Writing random data over the actual data. The more times the overwriting process occurs, the more thorough the destruction of the data is considered to be.
Encryption: Using an encryption method to rewrite the data in an encrypted format to make it unreadable without the encryption key.
Because the first three options are not fully applicable to cloud computing, the only reasonable method remaining is encrypting the data. The process of encrypting the data to dispose of it is called digital shredding or crypto-shredding.
Crypto-shredding, another important aspect of data protection procedure, is the process of deliberately destroying the encryption keys that were used to encrypt the data originally. Because the data was encrypted with those keys, destroying them renders the data unreadable (at least until the encryption protocol used can be broken or the key can be brute-forced by an attacker).
To perform proper crypto-shredding, consider the following:
- The data should be encrypted completely, without leaving any clear text remaining.
- The technique must make sure that the encryption keys are completely unrecoverable. This can be hard to accomplish if an external cloud service provider (CSP) or other third party manages the keys.
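The crypto-shredding pattern described above, as an added example that is not from the book: the ciphertext is handed to the CSP (where it may be replicated and backed up freely), each object's data-encryption key (DEK) stays in an owner-controlled key table, and shredding zeroizes and drops only the DEK, after which every surviving copy of the ciphertext is unreadable. KeyTable, Seal, Open and Shred are hypothetical names; the code uses only Go's standard-library AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyTable is a hypothetical owner-side table of per-object DEKs; ciphertext goes to the CSP and may be replicated freely.
type KeyTable map[string][]byte

func gcm(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh AES-256-GCM DEK (object id bound as AAD), records the DEK and returns nonce || ciphertext for the CSP to store.
func (kt KeyTable) Seal(id string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 44) // random DEK (32 bytes) || random GCM nonce (12 bytes)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	aead, err := gcm(buf[:32])
	if err != nil {
		return nil, err
	}
	kt[id] = buf[:32]
	return aead.Seal(buf[32:], buf[32:], plaintext, []byte(id)), nil
}

// Open decrypts a blob; it fails permanently once the DEK is gone, however many copies of the blob survive.
func (kt KeyTable) Open(id string, blob []byte) ([]byte, error) {
	aead, err := gcm(kt[id]) // a shredded or unknown id yields a nil DEK, which aes.NewCipher rejects
	if err != nil || len(blob) < 12 {
		return nil, errors.New("DEK destroyed or blob malformed: object is unrecoverable")
	}
	return aead.Open(nil, blob[:12], blob[12:], []byte(id))
}

// Shred crypto-shreds one object: zeroize and drop its DEK; the ciphertext is left behind as noise.
func (kt KeyTable) Shred(id string) {
	for i := range kt[id] { // kt[id] is nil for an unknown id, so the loop is a no-op
		kt[id][i] = 0
	}
	delete(kt, id)
}
```

The same DEK-destruction step is what a CSP-managed key service must be able to guarantee before the second bullet above is satisfied.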
Data archiving procedures and mechanisms
Data archiving is the process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems. Moving inactive data out of production systems optimizes the performance of resources needed there.
Specialized archival systems store information more cost-effectively and provide for retrieval when needed.
As part of a robust data protection procedure, a data-archiving policy for the cloud should contain the following elements:
Data encryption procedures: Long-term data archiving with encryption can present a challenge for the organization with regard to key management. The encryption policy should consider which media is used, what the restoral options are, and what threats should be mitigated by the encryption. Bad key management can lead to the loss of the entire archive; therefore, it requires attention.
Data monitoring procedures: Data stored in the cloud tends to be replicated and moved. To maintain data governance, all data access and movements must be tracked and logged to make sure that all security controls are being applied properly throughout the data lifecycle.
Ability to perform e-discovery and granular retrieval: Archive data may be subject to retrieval according to certain parameters such as dates, subjects, and authors. The archiving platform should provide the ability to perform e-discovery on the data to determine which data should be retrieved.
Backup and DR options: All requirements for data backup and restore should be specified and clearly documented. It is important to ensure that the business continuity and disaster recovery (BCDR) plans are updated and aligned with whatever procedures are implemented.
Data format and media type: The format of the data is an important consideration because it may be kept for an extended period of time. Proprietary formats can change, thereby leaving data in a useless state, so choosing the right format is important. The same consideration must be made for media storage types.
Data restoration procedures: Data restoral testing should be initiated periodically to make sure the process is working. The trial data restore should be made into an isolated environment to mitigate risks, such as restoring an old virus or accidentally overwriting existing data.
CCSP® is a registered mark of (ISC)².