Recent advances in privacy laws and regulations like the right to be forgotten or GDPR show that secure deletion is becoming a requirement for organizations.
Most companies don’t consider this when using today’s cloud storage services. Established processes for the secure deletion of on-site storage do not apply to the cloud storage service of choice.
Deletion of Data
In a unix-style filesystem, every file or directory (technically there is no difference between them) has an inode. This inode contains all of the metadata like the owner or the creation date. The inode also contains a list of all the blocks in which a file is stored. Those blocks are called data blocks.
The default linux delete command removes just the inode information. The data blocks remain - no inode is pointing to them and the filesystem will overwrite them eventually. This means that the actual data is recoverable until the data blocks are used again by a new file.
Data sanitization is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a device and make it unrecoverable. A device that has been sanitized has no usable data. Even advanced forensic tools will not be able to recover any data.
There are three methods to achieve data sanitization:
- physical destruction
- cryptographic erasure
- data erasure
Deletion in the cloud
Cloud providers use abstraction to map physical resources to logical endpoints. The resulting pool of virtual resources is used for servers, storage systems, or networks. This enables customers to scale their workload easily across multiple physical devices but makes it very difficult to verify the location and absolute state of an object.
Cloud-based storage solutions are a popular service today. But the adoption of such storage services challenges organizations in regards to secure data deletion.
In a cloud storage scenario, the data sanitization methods of physical destruction and data erasure are no longer applicable. Physical devices are shared amongst different applications or even customers and cloud providers use complex tiered-storage setups.
Cryptographic deletion or crypto-shredding is the practice of deliberately deleting or overwriting the decryption key for encrypted data. Effectively making the data unreadable until the deployed encryption protocol is broken or being brute-forced.
Crypto-shredding is an effective technique for the cloud since it ensures that any data in storage that’s outside of an organization’s physical control is unreadable once the keys are unavailable.
Consider the following for cryptographic deletion:
- a strong symmetric encryption algorithm like AES-256-CBC
- only store the sensitive data that you need (Art. 5 GDRP 1c)
- consider BYOE (bring your own encryption) and avoid vendor lock-in with cloud providers crypto services
- document your approach for the authorities and verify the key deletion
- crypto-shredding is only as good as the deletion of the key (consider key backups)
- the unpredictable pace of technological development could render many encryption methods unreliable in the future