In the days of Solid-State Disks (SSD), RAID10 disk drive arrays, databases taking snapshots of data, automated backups, and active-active data mirroring, how does one reliably and securely destroy data?
Each of the technologies mentioned above is dedicated to making sure data does not get lost! What do you do when you positively need to ensure that the data you now want to erase or destroy is not recoverable?
Cloud storage is particularly interesting in this respect since in all likelihood you don’t know where the storage device is and you don’t have the serial number of the disk that the data is stored on, plus the cloud provider may be taking care of backups automatically for you. During a PCI DSS assessment, you need to be able to prove to your QSA that you have an inventory and that you know how any data you no longer need is being rendered unrecoverable, even if you can’t point to an actual disk as you could in the good old days of on-prem data centers.
One more consideration: At least the State of Maryland has a law on the books which makes it an offense to store data unreasonably longer than its stated retention schedule. This means that if you claim to retain it for 3 years, you had probably better not still be able to retrieve it after 3.5 years unless someone put a Legal hold on it.
As a bonus thought, how do you prevent ransomware from affecting both sides of your mirrored data simultaneously?
All these tie in with your Data Security and/or Data Privacy disclosures to your customers or clients from your website, terms of service, responsibility matrix, or contractual boilerplate.
In short, you will need to research the recommended data destruction method for each of the data storage methods and repositories you use, and for each of the technologies that are used to create the data on those repositories. This research must be an explicit step in the development process so that it can be documented in the specific application’s data lifecycle management plan, and any technical considerations can be ironed out before either a data loss or a retention crisis erupts.
Each time data destruction is performed, all possible locations of the data need to be addressed. This is why having an inventory of the media on which it was stored, and knowing the locations of all that media, is so important.
Finally, it is still necessary to keep one form of backup offline to reduce the possibility of ransomware knocking out both copies of the active-active mirror. This is where comprehensive programmatic (API) access control is also paramount in preventing the ransomware from accessing the sensitive data.
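The inventory and lifecycle discipline described above (a documented destruction method per storage medium, every location of a copy addressed on each destruction, retention enforced unless a legal hold applies, and one offline copy kept as the ransomware fallback) can be checked mechanically. The following is an added illustration, not Truvantis code or any tool the post refers to; the class and function names, the destruction methods and the sample inventory are all constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical inventory model (added example; the names are assumptions, not a Truvantis tool).

@dataclass
class Copy:
    location: str            # where this instance of the data lives
    medium: str              # storage technology: ssd, raid10, snapshot, cloud-object, tape ...
    method: str              # documented destruction method for that medium ("" = not yet researched)
    offline: bool = False    # True for the copy kept disconnected as the ransomware fallback
    destroyed: bool = False

@dataclass
class DataAsset:
    name: str
    created: date
    retention_years: int
    copies: list = field(default_factory=list)
    legal_hold: bool = False

def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def retention_expires(asset: DataAsset) -> date:
    return add_years(asset.created, asset.retention_years)

def overdue(assets, today: date):
    """Assets held past their stated retention schedule and not under legal hold."""
    return [a.name for a in assets if today > retention_expires(a) and not a.legal_hold]

def missing_methods(assets):
    """(asset, location) pairs whose copy has no documented destruction method."""
    return [(a.name, c.location) for a in assets for c in a.copies if not c.method]

def without_offline_copy(assets):
    """Assets whose every copy is online, so ransomware could reach all of them."""
    return [a.name for a in assets if not any(c.offline for c in a.copies)]

def destruction_plan(asset: DataAsset):
    """Every surviving copy must be addressed: one (location, medium, method) per copy."""
    return [(c.location, c.medium, c.method) for c in asset.copies if not c.destroyed]

def record_destruction(asset: DataAsset, location: str) -> bool:
    """Mark one location as destroyed; False if the location is not in the inventory."""
    for c in asset.copies:
        if c.location == location:
            c.destroyed = True
            return True
    return False

def fully_destroyed(asset: DataAsset) -> bool:
    """Only true once every known location of the data has been handled."""
    return all(c.destroyed for c in asset.copies)

def sample_inventory():
    """Constructed sample: one asset 3.5 years old on a 3-year schedule, one on hold, one fresh."""
    cardholder = DataAsset("cardholder-export-2020", date(2020, 1, 15), 3, [
        Copy("dc1/db-primary",     "ssd",          "ATA secure erase + vendor sanitize"),
        Copy("dc2/db-mirror",      "raid10",       "per-disk overwrite, then array rebuild"),
        Copy("dc1/db-snapshots",   "snapshot",     "delete snapshot chain, confirm via API"),
        Copy("cloud/backup-bucket","cloud-object", "delete object and all versions, confirm with provider"),
        Copy("vault/tape-0412",    "tape",         "degauss and shred", offline=True),
    ])
    litigation = DataAsset("contract-archive-2019", date(2019, 6, 1), 3, [
        Copy("dc1/file-server", "raid10", "per-disk overwrite, then array rebuild"),
    ], legal_hold=True)
    fresh = DataAsset("orders-2023", date(2023, 2, 1), 3, [
        Copy("dc1/db-primary", "ssd", ""),   # destruction method never researched
    ])
    return [cardholder, litigation, fresh]

if __name__ == "__main__":
    today = date(2023, 7, 15)
    inv = sample_inventory()
    print("overdue:", overdue(inv, today))
    print("no destruction method:", missing_methods(inv))
    print("no offline copy:", without_offline_copy(inv))
    for step in destruction_plan(inv[0]):
        print("  destroy", step)
```

Run as a script it lists the cardholder export as overdue (3.5 years old, 3-year schedule, no hold), flags the fresh asset whose SSD copy has no researched destruction method, and prints the five locations (primary, mirror, snapshots, cloud backup, offline tape) that must each be handled before the asset can be reported as destroyed; the contract archive is past retention but is correctly left alone because of its legal hold.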
And before you decide that exposing disks to ransomware is an active method of destroying data, note that the extortionists are hedging their bets by making their own copy first, or by exfiltrating their encrypted copy and threatening to release the data on the dark web. So make sure you are the owner of your data at all times.
Truvantis can assist in designing data retention and destruction plans to satisfy several different governance programs. If anything here worries you, give us a call or fill out the contact request form for more information.