A blog entry from Cloud Security & Risk Track Chair Steve Orrin.
There is a lot of talk about threats to the Cloud and the challenges facing organizations looking to adopt and take advantage of it. We will have several great sessions at this year’s Cloud Connect Chicago covering both the challenges and the solutions from various perspectives. I thought I’d take this opportunity to look at a rising issue that affects the cloud: data management, and more specifically data expiry and erasure. A lot of attention is paid to compliant data protection, access controls and, more recently, data retention. In these use cases, controls govern access to data and its transfer between systems and users, and those controls are audited regularly. Typically, encryption provides the appropriate protection for data both at rest and in transit, and DLP (Data Loss Prevention) solutions are deployed to ensure that important data doesn’t slip through the cracks. As organizations begin to look at ways to manage the data retention requirements of various regulations and industry standards, I believe they should also be looking at how to deal with future requirements for data erasure. After all, most IT shops are probably well established in their practices for data destruction on devices such as PCs, laptops or disk drives. Why should they be less concerned when it comes to the cloud?
There are two types of data destruction requirements, expiration and on demand, each with its own challenges. Some examples of data expiry requirements come from SOX Section 802 (expiration after 7 years), HIPAA in 45 CFR 164.530(j) (expiration after 6 years), and the FACTA Disposal Rule (deletion of data after use). The EU is currently considering a reform proposal to support a ‘right to forget’ (EU Data Protection Reform Proposal – EU DPA – Comm. 2012, Section 3.4.3), which means that an individual can request of a data holder that they ‘forget’ them, i.e. remove all data currently held by the provider, on demand. Now consider the distribution and movement of data in a typical cloud environment. Data is provisioned to virtual machines (VMs) as they are spawned or migrated; remnants of the data can be left on the HDDs (and page files) of systems where it was processed; and users may access data from many devices and via many systems, as dictated by availability and capacity. As an example, this research from 2011 found user data left behind on systems where VMs had run. When you also take into account the highly distributed and dynamic (elastic) nature of public and hybrid clouds, it can be arduous if not impossible to keep track of all that data. Many companies can be lulled into a feeling of comfort knowing that they have 6 or 7 years to figure it out because of the retention rules mentioned above. But as the EU moves towards new reforms with “on demand” mandates, and user control over data becomes a desire elsewhere, organizations need to prepare now.
One option is to leverage many of the same systems and controls that they already use for data protection and retention: when managing the regulatory and retention requirements for data, they can also tag the retention end dates and monitor the data’s movement using DLP approaches. Further research is needed by the security and data management industries to provide forensically provable data destruction in highly dynamic cloud environments, but one method that shows promise is an interesting use of well-established encryption systems. Usually, great care is taken to maintain and back up the keys used to encrypt data, to ensure availability and Disaster Recovery. However, the same system can also provide data expiration and erasure by purposely ‘losing’ the key (i.e. deleting the key(s) and all copies) at expiration, thus rendering the data irretrievable and effectively destroyed. It is far easier to monitor and track the encryption keys over the lifecycle of the data than to track every copy of the data itself, and the key store provides a single point of control for dealing with both expiration-style and on-demand-style data erasure requirements. Organizations managing regulated data that currently requires, or may in the future require, data erasure should begin working with their vendors and service providers to get ahead of the curve: implement the controls that are available today, and define the capabilities they will need from their providers in the future, so that we can all meet the data control requirements of today and tomorrow.
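To make the key-destruction idea concrete, here is an added Go sketch (not code from the original post or from any product it mentions) of a key store that tags each per-record data encryption key with its retention end date. Records only ever carry ciphertext plus a key ID, so a remnant copy on a VM disk dies with the key; the type and function names (Vault, Protect, Recover, Erase, ExpireKeys) are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Record is what gets replicated around the cloud (VM disks, page files, backups): a key ID plus
// nonce||ciphertext||tag, never the key. Vault stands in for the key management system, the
// single point of control, which tags each key (not the scattered data) with its end date.
type Record struct{ KeyID string; Sealed []byte }
type keyEntry struct{ gcm cipher.AEAD; expiry time.Time }
type Vault map[string]*keyEntry
// ErrErased: the DEK is gone, so every copy of the ciphertext, wherever it landed, is dead.
var ErrErased = errors.New("key erased: ciphertext is unrecoverable")
// Protect encrypts under a fresh per-record AES-256-GCM DEK (keyID bound as AAD) and files the key.
func (v Vault) Protect(keyID string, plaintext []byte, expiry time.Time) (Record, error) {
	buf := make([]byte, 44) // 32-byte DEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Record{}, err
	}
	block, _ := aes.NewCipher(buf[:32]) // cannot fail: 32 bytes is a valid AES key size
	gcm, _ := cipher.NewGCM(block)      // cannot fail: AES has the 128-bit block GCM needs
	v[keyID] = &keyEntry{gcm, expiry}
	nonce := buf[32:] // Seal appends to dst, so Sealed = nonce || ciphertext || tag
	return Record{keyID, gcm.Seal(nonce, nonce, plaintext, []byte(keyID))}, nil
}
// Recover decrypts a record; once its key is erased it can only return ErrErased.
func (v Vault) Recover(r Record) ([]byte, error) {
	e, ok := v[r.KeyID]
	if !ok {
		return nil, ErrErased
	}
	return e.gcm.Open(nil, r.Sealed[:12], r.Sealed[12:], []byte(r.KeyID))
}
// Erase is on-demand destruction ("right to forget"). Dropping the only reference is the whole
// operation here; a real KMS or HSM zeroes the key material and every backup copy of it.
func (v Vault) Erase(keyID string) { delete(v, keyID) }
// ExpireKeys is retention-based destruction: erase every key whose end date has passed.
func (v Vault) ExpireKeys(now time.Time) (erased int) {
	for id, e := range v {
		if !e.expiry.After(now) {
			v.Erase(id)
			erased++
		}
	}
	return erased
}
```

The same sweep that enforces a 6- or 7-year retention end date also serves an on-demand request: both paths end in the key store, not in a hunt across disks and page files.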
In the Cloud Security and Risk track, we’ll look at unique and growing issues with public/hybrid/private clouds and discuss ways to achieve visibility, compliance, and security leveraging best-of-breed solutions. We will discuss how to protect your workloads/systems/applications/data through new and existing technologies, auditing, monitoring, solutions, standards and proven best practices. Join us by registering today with priority code RFPQCH08 to save $400 on the onsite price of conference passes.