Data sanitization for cloud storage
Any good security professional is familiar with the term Data Sanitization. This is the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device. This is not only a security best practice; it is often mandatory for compliance reasons.
For all traditional physical storage solutions such as tape, disk, and even paper, there are many well-documented standards and procedures available. Some sanitization standards go as far as removing the data even beyond the recovery capabilities of advanced forensics tools. The standards and procedures can be very detailed, so their implementation is not very complex from a design perspective; it has all been done before.
The DoD 5220.22-M data sanitization method, for instance, covers the following process:
Pass 1: Writes a zero and verifies the write
Pass 2: Writes a one and verifies the write
Pass 3: Writes a random character and verifies the write
This example method rewrites all sectors multiple times, and this requires very low-level (physical) disk access. When data is stored with a third-party cloud provider, this gets difficult. It is not impossible, though. So what are the differences?
Physical media access
Many of the data sanitization processes take care of data remanence down to various levels. Data remanence is the term for the residual traces of the pre-existing data still detectable in the disks sectors. Overwriting a disk multiple times with zero and one values can “clean-up” these traces. For cloud solutions, this brings an important issue, however: access to the physical media is often required for this low-level task. Due to the shared and often distributed storage resources and the limited access to the OS or underlying hardware, this access is not available.
Cloud architecture differences
This lack of access to the storage media is an issue in all service levels of the cloud computer stack, but there are some differences. The deeper the Stack goes towards the physical system; the better the access will be due to increased separation of resources. This ranges from Software as a Service where access and sanitization are almost impossible for the customer, down to the Infrastructure as a service where in theory, the customer should have some control over the servers. Of course, the control is still not as in depth as in a situation where co-located, customer owned equipment is used. For the most stringent of compliance regulations, this might be the only viable option for an organization.
Solution 1: Cloud provider sanitization services
Surprisingly enough, cloud providers do not have many options for data sanitization for their customers. A few options are available, but with limitations. Amazon, for instance, can provide storage in the form of EBS volumes which are raw, unformatted block devices that operate similarly to a physical disk. The volumes are wiped before use so the customer can be assured previous data has been erased. For sanitization, customers are given options such as those detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”). Amazon makes a point of the fact that the responsibility of these optional measures lies with the customer and that the disposal of actual physical disks might not be done to the same standards. Microsoft only states that (their) physical disks for the Microsoft Cloud platform are disposed of according to NIST 800-88 Guidelines for Media Sanitation. Other services will have different options and in the end, this topic will need to be discussed between the customer and the cloud service provider to make sure the required methods are readily available or can be customized.
Solution 2: Encryption
Another solution is to use storage (data at rest) encryption within the cloud environment. This ensures that if the media is not properly sanitized after leaving the service, the old data is unreadable for any other party without the (destroyed) key.
Microsoft Azure offers AES-256 support amongst others, just like Amazon and most other Cloud Service Providers. They claim the performance impact should be limited to none.
There are also many 3rd party encryption solutions such as LUKS, PGP, and BitLocker. As with the low-level sanitization, the right Cloud solution, and sufficient disk access is required for this.
In any case, whether compliance is a factor or not, encryption of data at rest is always good practice. Encryption of data “at rest” even takes care of any backups performed of the data by the CSP. Whatever is included in the backup is unusable for 3rd parties.
Solution 3: A hybrid solution
Most cloud customers have some degree of hybrid cloud model in use. In a hybrid model, some servers and services are hosted locally, and some are located with a Cloud Service Provider. This creates an opportunity to move the less sensitive data to cloud storage and leave the data requiring strict data sanitization policies stored locally. This can have an impact on performance as servers in the cloud will need to pull in data from the local storage systems and vice versa, but if the architecture allows for this, it can be a good solution. Beware of accidental “data spills” however, which is a situation where data too sensitive to be stored in the cloud, accidentally makes it into cloud storage.
Solution 4: Isolation and a (Virtual) private cloud
A (Virtual) Private Cloud often gives the customer more access to “their” isolated, dedicated network and hardware within that cloud. Amazon not only offers “Dedicated Instances”, but can also provide “Dedicated Hosts” within their Virtual Private Cloud product. This solution may not fully cover Media Sanitization, but it does allow for better Data Isolation, which is the process of keeping data away from shared media and instances.
For many organizations, Data Sanitization is part of their mandatory compliance requirements. For other organizations, Data Sanitization is part of a comprehensive, best practice security policy. It seems the Cloud Service Providers have not made this subject as simple as their customers would require it to be, although some options have been made available over the last few years. With rapid migration to the cloud, some important features and a lot of flexibility seem to have been left behind. This means there is a market still out there made up of organizations who cannot move some or all of their services to the cloud due to these limitations in Data Sanitization.