Cloud computing creates new challenges for data destruction, and cloud providers have a unique opportunity to give themselves a competitive edge in this changing landscape. In a nutshell, the situation is simple – cloud vendors own and operate the hardware they use, so clients can’t necessarily be assured that the data residing on hard disks is ever completely destroyed. In practice, this becomes even more complex as cloud providers will often want to reuse hardware for multiple clients over time and only truly sanitize storage devices when they are decommissioned. this leaves businesses in a difficult position because they often need to be sure that data is properly disposed of after the partnership is dissolved.
On top of all this, cloud providers must deal with the need to prove proper disposal and businesses often are left in a situation in which hard disks that may have trace amounts of their data are being used to support other customers. A Security Intelligence report called this type of information zombie cloud data and pointed out that a lack of clarity around data destruction is a mounting problem in the cloud space.
“Cloud providers that want to get ahead may have an opportunity with data sanitation.”
A TechTarget report echoed the potential risk in the cloud, pointing out that many leading service providers do not have NIST-compliant data sanitization processes built into service contracts, or at least only do so for some of their customer bases. This creates a major problem because many companies face regulatory laws that make data sanitization mandatory, but enforcing such practices in the cloud can be difficult.
Cloud providers that want to get ahead may have an opportunity here. Investing in the right solutions, such as hard drive degaussers and putting data sanitization procedures into place can help cloud vendors erase customer data in an efficient, cost-effective way. Here are five things to consider if you’re thinking about offering data sanitization as part of a cloud service model:
1. Establish the process in service level agreements
The SLA will govern expectations for all parties in the cloud partnership and creates an opportunity to set forth your strategy for data sanitization. A few questions to consider as you establish your plans include:
- When will you be sanitizing devices? Will it happen once the partnership ends or is the plan to track each hard disk that client data is stored on and sanitize them at the end of their service life, then notify the client?
- How will the client be notified of the data destruction?
- What regulatory requirements impact your data sanitization plans?
- Can clients ask for hard disks to be delivered to them so they can handle destruction? If so, how do you document that only authorized employees have handled the storage devices?
These are just a few questions you should ask, but finding the answers can establish the foundation for your processes and procedures as the contractual requirement will set a baseline for the client relationship.
2. Standardize your procedures
Because data sanitation is a highly regulated process that requires a careful chain of custody – something we’ll talk about in more detail later – it is incredibly important to standardize the procedures to ensure you can properly replicate best practices at all times. There are a lot of options here. Some companies will perform a software erasure initially, then follow up by degaussing the disk to destroy all data then shred the device for extra measure. You could also use a degaussing wand to allow for a more convenient initial erase, eliminating the software wipe, then physically destroy the disk with a shredder. Incineration and pulverizing are also options.
“Data sanitation is one area where the demand for innovation in the cloud is clear.”
Besides standardizing the steps that go into data destruction, it is also important to establish a clear line of best practices for how many people must be involved in the destruction process – it is usually good to have multiple witnesses involved. You also should set forth policies for how users will be expected to handle and store hard disks from the moment they are decommissioned until they are destroyed.
3. Establish documentation methods
Chain of custody is critical in data sanitization. It is essential to prove that only authorized users had access to storage devices, that there was never a point when other individuals were able to tamper with the hard disks and that the devices were fully destroyed. The importance of chain of custody is such that it is often best for businesses to handle data sanitation in house, which may be possible if cloud providers want to offer customers the chance to have decommissioned drives shipped to them. Alternatively, cloud vendors can establish methods to fully document and track each step of the data sanitization process so they can create a solid audit trail and verify destruction with clients.
4. Maintain data transparency at all times
All of this talk about what to do after the hard disk is decommissioned become moot if you can’t identify which storage devices actually contained a client’s data. Many cloud systems feature automation and orchestration tools that will move virtual machines between physical systems based on resource availability, and this can prove tricky when it comes to data storage. Luckily, a variety of management tools are available to help cloud providers maintain transparency and the storage environment tends not to change as much as the server configuration. The key in all of this is to maintain visibility at all times.
5. Consider the full waste management life cycle
Cloud providers generate a great deal of electronics waste in the form of decommissioned hardware, and different types of devices require different types of attention when it comes to disposal. Data sanitation can be built into waste management procedures, and can be turned into a valuable service if it is incorporated into the cloud plan.
The cloud industry is still fairly new, meaning there are still aspects of service models that are still being developed. Data sanitation is one area where the demand for innovation is clear, and cloud vendors that get ahead on handling data destruction can give themselves an advantage as clients become more aware of the need to have defined end-of-service plans in place as part of any cloud relationship.
