Thursday, October 27, 2016

Media Sanitization: Even if you Erase Your Data, is it Really Gone?

A topic I've seen multiple times on cloud security/privacy evaluation questionnaires centers on how data is disposed of and erased such that it cannot be retrieved.

It goes without saying that there are many subtleties to how this question is answered, and the characteristics of the underlying infrastructure become major considerations.

Most people understand that commodity operating systems do not remove file contents from the physical media when a file is deleted.  A delete operation merely marks the file's entry in the file system's directory or index structure as unused.  Marking a file deleted makes its blocks or sectors available for reuse, but they are actually overwritten only when new data is written or an existing file grows into them.  Until that time, the deleted file is usually recoverable with simple, readily available utilities: a file carver, for example, ignores the directory structure entirely and scans raw sectors for known file headers and footers.
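To make the point concrete, here is an added example (not code from the original post) of the carving technique: a minimal signature-based carver run over a constructed in-memory "disk image". The image, its 64 KiB size, the two embedded files and the `SECRET-CUSTOMER-LIST` string are all made up for the demonstration; on a real system the same function would be pointed at the bytes read from a partition or device file. Nothing consults a file system, which is exactly why a "deleted" flag in a directory entry protects nothing.

```python
import random
from typing import Dict, List, Tuple

# Header/footer pairs for two common formats.  Real carvers ship hundreds of
# these; two are enough to show the mechanism.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_image(seed: int = 7) -> bytes:
    """Construct a 64 KiB 'disk image' (constructed sample, not real media).

    The background is pseudo-random filler.  Two 'deleted' files sit in it at
    fixed offsets: their directory entries are gone, but their clusters are not.
    """
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(64 * 1024))
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
           b"SECRET-CUSTOMER-LIST\n%%EOF")                 # constructed content
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")           # PNG-shaped stub
    image[4096:4096 + len(pdf)] = pdf
    image[20480:20480 + len(png)] = png
    return bytes(image)


def carve(image: bytes, max_len: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Scan raw bytes for known headers and carve up to the matching footer.

    Returns (kind, offset, data) triples sorted by offset.  A header with no
    footer within max_len is skipped, as a carver would for a truncated or
    partially overwritten file.
    """
    found: List[Tuple[str, int, bytes]] = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def recovered_secrets(image: bytes, needle: bytes) -> List[int]:
    """Offsets of carved files that still contain `needle` (the 'deleted' secret)."""
    return [offset for _, offset, data in carve(image) if needle in data]


if __name__ == "__main__":
    img = build_sample_image()
    for kind, offset, data in carve(img):
        print(f"{kind:4s} at offset {offset:6d}, {len(data)} bytes")
    print("secret still on disk at:", recovered_secrets(img, b"SECRET-CUSTOMER-LIST"))
```

Running it reports both "deleted" files and the customer-list string at its original offset. Replace `build_sample_image()` with `open("/dev/sdX", "rb").read()` (or a `dd` image) and the same code recovers whatever the file system only marked as free.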

Within cloud services, multiple storage options are available.  These range from locally attached HDD, SSD or flash to SAN- or NAS-attached storage servers.  For each of these options the sanitization approach is likely to be different, and, depending on the cloud provider, it may be difficult to get a definitive answer about whether sanitization is even offered.

Many of us have used destructive deletion utilities on our personal devices.  These tools use a technique called overwriting, in which a file or block is written over one or more times with zeros, ones or random bytes (multiple passes were the historical recommendation; NIST SP 800-88 now considers a single pass adequate for modern magnetic drives).  However, many people have yet to realize that overwriting only works where a logical write lands on the same physical location as the original data.  In practice that means magnetic media, and even there not under copy-on-write or snapshotting file systems, which write the new data elsewhere and leave the old blocks intact.
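The overwrite technique itself, as an added example rather than code from the original post: a pass-by-pass file wipe that forces each pass to the device with fsync() before starting the next, followed by an unlink whose directory entry is also synced. The sample file name and CSV payload are constructed for the demonstration. The caveats in the paragraph above apply unchanged: this is only meaningful on magnetic media with an in-place-writing file system, and it does nothing for copies in snapshots, journals or backups.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` `passes` times; return total bytes written.

    Random data on all but the last pass, zeros on the last so a later read of
    the file (or its sectors) shows nothing.  fsync() after each pass pushes the
    data out of the page cache; without it, several passes can collapse into a
    single write before anything reaches the platter.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for i in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(bytes(n) if i == passes - 1 else secrets.token_bytes(n))
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return written


def overwrite_and_unlink(path: str, passes: int = 3) -> int:
    """Overwrite, unlink, then fsync the directory so the unlink is durable too."""
    written = overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    os.unlink(path)
    try:
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except OSError:
        pass  # some platforms cannot fsync a directory; the unlink still happened
    return written


def demo(passes: int = 3) -> dict:
    """Wipe a constructed sample file and report what each step achieved."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "customer-export.csv")
        payload = b"id,email\n1,alice@example.com\n" * 2000  # constructed sample data
        with open(path, "wb") as fh:
            fh.write(payload)
        size = os.path.getsize(path)
        written = overwrite_in_place(path, passes)
        with open(path, "rb") as fh:
            zeroed = fh.read() == bytes(size)          # last pass was zeros
        written += overwrite_and_unlink(path, passes=1)
        return {
            "size": size,
            "written": written,                       # (passes + 1) * size
            "zeroed_before_unlink": zeroed,
            "exists_after": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

Reading the file back between the overwrite and the unlink is the only check available from user space; it proves the logical file was zeroed, not that every physical copy was. On an SSD, the next section explains why the two differ.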

However, cloud services now make heavy use of locally attached flash or solid-state drives (flash in an HDD form factor).  To preserve performance and lifespan, flash controllers spread writes across the whole available capacity (wear leveling) and write out of place: a logical overwrite lands on a fresh physical page, and the page holding the old data remains until the controller gets around to erasing it.  A file-level overwrite therefore does not reliably destroy the old copy, and overwriting the entire device from the host would be slow, wear-inducing, and still unable to reach over-provisioned or remapped pages.  To address this, drive manufacturers provide device-level erase commands (ATA Secure Erase, NVMe Sanitize) that the controller applies to every physical block at once, mapped or not.  There is no file-level equivalent. 
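The mechanism above, as an added illustration that is not from the original post: a deliberately tiny model of a flash translation layer (16-byte pages, eight of them, a logical-to-physical map and out-of-place writes; all constructed for the demo, and far simpler than any real controller). It shows a logical overwrite succeeding from the host's point of view while the old page still holds the secret, and a device-level erase being the only operation that clears every physical page.

```python
from typing import Dict, List

PAGE = 16                       # page size for the model; real pages are KiB-sized
ERASED = b"\xff" * PAGE         # erased NAND reads as all ones


class FlashModel:
    """Toy flash translation layer (constructed model, not a real controller).

    Writes never go to the page currently mapped to a logical block; they go to
    a free page and the mapping is updated.  The previous page keeps its data
    until the controller erases it, which the host cannot force or observe.
    """

    def __init__(self, pages: int = 8) -> None:
        self.physical: List[bytes] = [ERASED] * pages
        self.l2p: Dict[int, int] = {}            # logical block -> physical page
        self.free: List[int] = list(range(pages))
        self.stale: List[int] = []               # pages holding superseded data

    def write(self, logical: int, data: bytes) -> int:
        """Host-visible write: lands on a fresh page, returns that page number."""
        if not self.free:
            raise RuntimeError("no free pages: a real controller would garbage-collect")
        data = data.ljust(PAGE, b"\xff")[:PAGE]
        page = self.free.pop(0)
        if logical in self.l2p:
            self.stale.append(self.l2p[logical])  # old copy stays put for now
        self.physical[page] = data
        self.l2p[logical] = page
        return page

    def read(self, logical: int) -> bytes:
        """Host-visible read: follows the map, so it only ever sees the newest copy."""
        return self.physical[self.l2p[logical]]

    def remnants(self, needle: bytes) -> List[int]:
        """Raw scan of every physical page (a chip-off read) for `needle`."""
        return [p for p, data in enumerate(self.physical) if needle in data]

    def secure_erase(self) -> None:
        """Device-level erase: every page, mapped, stale or free, returns to 0xFF."""
        self.physical = [ERASED] * len(self.physical)
        self.l2p.clear()
        self.stale.clear()
        self.free = list(range(len(self.physical)))


def host_overwrite_then_check(secret: bytes = b"SECRET-KEY-0001") -> dict:
    """Write a secret, 'wipe' it with a host overwrite, then look at raw pages."""
    flash = FlashModel()
    first = flash.write(0, secret)
    second = flash.write(0, bytes(PAGE))          # host believes block 0 is zeroed
    result = {
        "host_sees_zeros": flash.read(0) == bytes(PAGE),
        "pages_used": (first, second),
        "raw_pages_with_secret": flash.remnants(secret),
    }
    flash.secure_erase()
    result["after_secure_erase"] = flash.remnants(secret)
    return result


if __name__ == "__main__":
    print(host_overwrite_then_check())
```

The host's read returns zeros, so any user-space "verify" step passes, yet the raw scan still finds the secret on the first page. That gap between the logical view and the physical media is why NIST SP 800-88 distinguishes clearing (overwrite) from purging (device-level erase) and why flash needs the latter.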

Therefore, as a cloud user, it is imperative to understand whether you can discover information about the physical infrastructure and component parts of your server, since the sanitization method depends on the media type.  IBM Cloud's bare metal servers make this information readily available for audit purposes.

Before releasing a bare metal server back to a cloud provider's inventory, a client with operating system access can run the data destruction technique appropriate to each drive, or contract a service provider to do so.  It is also possible to contract for the cloud provider to physically destroy servers and storage components as needed, especially at end-of-life.

As one moves further away from physical infrastructure toward virtualized, network-attached and potentially multi-tenant storage, the question of assured media sanitization becomes much harder, if not impossible, to answer: the tenant cannot see which physical devices hold its blocks, let alone issue erase commands to them.

For this reason, other techniques such as encryption of data at rest become necessary: if the data is only ever written to the medium encrypted and the key is destroyed, whatever ciphertext remains on any device is useless.  We'll discuss these another time.


For more background reading on this, you might enjoy:

NIST SP 800-88, Guidelines for Media Sanitization (PDF)


As always, your thoughts and comments will be enjoyed and appreciated.


