Any good security professional is familiar with the term data sanitization. This is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device. This is not only a security best practice, but it is also often mandatory for compliance regulations.
For all traditional physical storage such as tape, disk and even paper, there are many well-documented standards and procedures available. Some sanitization standards go as far as removing the data beyond the recovery capabilities of advanced forensics tools. Because the standards and procedures are detailed, implementing them is not complex from a design perspective.
But when data is stored with a third-party cloud provider, sanitization becomes more difficult than it is with traditional storage, for a few reasons. Let's take a look at the differences in data sanitization between physical and cloud storage.
The challenges of sanitizing data
Many data sanitization processes take care of data remanence at various levels. Data remanence is the term for the residual traces of previously stored data that are still detectable in disk sectors. Overwriting a disk multiple times with zero and one values can clean up these traces. However, this raises an important issue for the cloud: this low-level task usually requires access to the physical media. Because storage resources are shared and often distributed, and access to the OS or underlying hardware is limited, that access is not available to the customer.
This lack of access to the storage media is an issue at all service levels of the cloud computing stack, but there are some differences. Basically, the deeper the stack goes toward the physical system, the better the access will be because of the increased separation of resources. This ranges from software as a service (SaaS), where access and sanitization are almost impossible for the customer, to infrastructure as a service (IaaS), where, in theory, the customer should have some control over the servers. Of course, that control is still not as in-depth as in a situation where colocated, customer-owned equipment is used. For the most stringent compliance regulations, this might be the only viable option for an organization.
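As an added example, not from the original article, here is what the multi-pass overwrite described above looks like when the customer does have direct write access to the medium: a small Go program that builds a constructed disk image file containing one sensitive record, overwrites the whole image with zeros, ones and then random bytes, syncs each pass to stable storage, and finally checks that the record can no longer be found. It works on a file-backed image rather than a raw block device, the marker search is a simplistic stand-in for a forensic carving tool, and all function names and sample data are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// overwritePass writes one full pass over the file with a fixed byte pattern,
// or with fresh random bytes when random is true, then flushes it to disk.
func overwritePass(f *os.File, size int64, pattern byte, random bool) error {
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return err
	}
	buf := bytes.Repeat([]byte{pattern}, 4096)
	for remaining := size; remaining > 0; {
		n := int64(len(buf))
		if remaining < n {
			n = remaining
		}
		if random {
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
		}
		if _, err := f.Write(buf[:n]); err != nil {
			return err
		}
		remaining -= n
	}
	return f.Sync() // do not trust the page cache: push the pass to the medium
}

// ContainsMarker reports whether the marker bytes still occur anywhere in the
// file (a crude stand-in for what a forensic carving tool would search for).
func ContainsMarker(path string, marker []byte) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return bytes.Contains(data, marker), nil
}

// SanitizeFile overwrites every byte of the file three times (0x00, 0xFF,
// then random) and reports whether the marker is gone afterwards.
func SanitizeFile(path string, marker []byte) (bool, error) {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return false, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return false, err
	}
	passes := []struct {
		pattern byte
		random  bool
	}{{0x00, false}, {0xFF, false}, {0x00, true}}
	for _, p := range passes {
		if err := overwritePass(f, info.Size(), p.pattern, p.random); err != nil {
			return false, err
		}
	}
	present, err := ContainsMarker(path, marker)
	if err != nil {
		return false, err
	}
	return !present, nil
}

// WriteSampleImage builds a constructed "disk image": filler around one
// sensitive record, so the wipe has something to remove.
func WriteSampleImage(marker []byte) (string, error) {
	f, err := os.CreateTemp("", "image-*.img")
	if err != nil {
		return "", err
	}
	f.Close()
	filler := bytes.Repeat([]byte("filler "), 1000)
	image := bytes.Join([][]byte{filler, marker, filler}, nil)
	return f.Name(), os.WriteFile(f.Name(), image, 0o600)
}

func main() {
	marker := []byte("SSN=123-45-6789") // constructed sensitive record
	path, err := WriteSampleImage(marker)
	if err != nil {
		panic(err)
	}
	defer os.Remove(path)
	before, _ := ContainsMarker(path, marker)
	gone, err := SanitizeFile(path, marker)
	if err != nil {
		panic(err)
	}
	fmt.Printf("marker present before wipe: %v, gone after wipe: %v\n", before, gone)
}
```

The important line for the cloud discussion is the `f.Sync()` after each pass: the whole technique rests on the writes actually reaching the physical medium. On a SaaS or PaaS offering the customer never gets a handle to the medium at all, and even on IaaS a "volume" may be a virtualized, thin-provisioned or replicated slice of shared storage, so a pass that completes successfully from inside the VM says nothing about the copies the provider holds elsewhere.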
How to handle data sanitization in the cloud
Surprisingly, cloud providers do not have many services for sanitizing data for their customers. A few options are available, but each with limitations. For instance, Amazon offers storage in the form of Elastic Block Store (EBS) volumes, which are raw, unformatted block devices that operate similarly to a physical disk. The volumes are wiped before use, so the customer can be assured previous data has been erased. For sanitization, customers are given options such as those detailed in the National Industrial Security Program Operating Manual (NISPOM) or NIST SP 800-88. Amazon makes a point of the fact that the responsibility for these optional measures lies with the customer and that the disposal of the actual physical disks might not be done to the same standards.
Microsoft only states that the physical disks for its Microsoft Cloud platform are disposed of according to NIST SP 800-88, Guidelines for Media Sanitization. Other services will have different options and, in the end, there needs to be a discussion between the customer and the cloud service provider to make sure the required methods are readily available or can be customized.
Another way to handle sanitizing data is to use storage -- or data at rest -- encryption within the cloud environment. This ensures that, even if the media is not properly sanitized after it leaves the service, the old data remains unreadable to any other party once the key has been destroyed.
Microsoft Azure offers AES-256 encryption, among other options, as do Amazon and most other cloud service providers, and they claim the performance impact ranges from limited to none. There are also many third-party encryption tools such as LUKS, PGP and BitLocker. As with low-level sanitization, this requires the right cloud service and sufficient disk access. Regardless of compliance mandates, data at rest encryption is always good practice.
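The key-destruction approach described in the two paragraphs above, as an added example that is not part of the original article and not any provider's SDK: a record is encrypted at rest with AES-256-GCM from Go's standard library, decryption is confirmed to work while the key exists, the key is then destroyed, and the stored ciphertext becomes unrecoverable without any access to the underlying media. The sample record, the in-memory key handling and the function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedBlob is what the storage service keeps at rest: the nonce plus the
// AES-GCM ciphertext (which also carries the authentication tag).
type EncryptedBlob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a fresh random 256-bit key. In a real deployment the key
// lives in a KMS or HSM, never next to the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the key with AES-256-GCM and a random nonce.
func Encrypt(key, plaintext []byte) (*EncryptedBlob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EncryptedBlob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens the blob; with a wrong or destroyed key GCM's tag check fails
// and no plaintext is returned.
func Decrypt(key []byte, blob *EncryptedBlob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

// Shred zeroes the key material in place. This is the "destroy the key" step;
// with a KMS the equivalent is scheduling the key for deletion.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

// CryptoShredDemo encrypts a constructed record, checks it is readable with the
// key, destroys the key and checks that it no longer is. It returns
// (readableBefore, readableAfter, ciphertextLeaksPlaintext).
func CryptoShredDemo() (bool, bool, bool, error) {
	record := []byte("customer=42;account=ACC-0001") // constructed sample record
	key, err := NewDataKey()
	if err != nil {
		return false, false, false, err
	}
	blob, err := Encrypt(key, record)
	if err != nil {
		return false, false, false, err
	}
	before, err := Decrypt(key, blob)
	if err != nil {
		return false, false, false, err
	}
	readableBefore := bytes.Equal(before, record)
	leaks := bytes.Contains(blob.Ciphertext, record)
	Shred(key)
	_, err = Decrypt(key, blob)
	readableAfter := err == nil
	return readableBefore, readableAfter, leaks, nil
}

func main() {
	before, after, leaks, err := CryptoShredDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("readable with key: %v, readable after key destroyed: %v, ciphertext leaks plaintext: %v\n", before, after, leaks)
}
```

The point of the check after `Shred` is that nothing about the stored bytes changed: the ciphertext is exactly what the provider's disks, backups and replicas still hold, and it is the absence of the key, not a wipe of the media, that makes it unreadable. That is why this approach covers copies the customer never has access to, provided the key was never stored alongside the data.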
Most cloud customers use some form of hybrid cloud model. In a hybrid model, some servers and services are hosted locally and some are located with a cloud service provider. This creates an opportunity to move the less sensitive data to cloud storage and leave the data requiring strict data sanitization policies stored locally. This can have a negative impact on performance, as servers in the cloud will need to pull data from the local storage systems and vice versa, but if the architecture allows for it, it can be a good way to handle sanitizing data.
For many organizations, sanitizing data is part of mandatory compliance requirements. For other organizations, data sanitization is part of a comprehensive, best practice security policy. It seems the cloud service providers have not made this subject as simple as their customers would require it to be, although some options have been made available over the last few years. This means there is a market still out there made up of organizations that cannot move some or all of their services to the cloud due to these limitations in data sanitization.