Cloud and the issue of data deletion
Data – it’s the gift that keeps on giving. Almost every action we take, such as the click of a mouse or the tap of a credit card in a shop, creates more and more, writes Fredrik Forslund, the vice president for Enterprise & Cloud Erasure at Blancco Technology Group.
Data is not a finite resource, and the challenge of storing and managing this ever-multiplying asset is just as important as the process for extracting value. Continued storage ceases to make sense at the point when the data begins to hold more value to hackers than it does to the organisation.
Maintaining an ever-growing estate of onsite servers and data centres is expensive, leading to the growing use of the cloud as a repository for expanding data stores. For data that is useful or must be held on to for legal purposes, cloud storage is a sensible and appealing option. However, too often, the ease of uploading data to the cloud means information is put there with little purpose in mind. All this does is create one more problem for the IT team and one more target for hackers.
Company data breaches related to cloud insecurity make the headlines on an almost weekly basis, particularly relating to iCloud. However, with access to the right software, it is relatively straightforward to securely erase all the data on any given device. True erasure of data is known as data sanitisation. Data sanitisation is the process of deliberately and irreversibly removing or destroying data to ensure it is fully irrecoverable. Most people and organisations still don’t understand this, believing that factory reset, deleting, reformatting, data wiping and data clearing are capable methods of ensuring data is truly gone, never to return.
This leads to many organisations failing to take the appropriate steps to implement data sanitisation. If security processes are not adequate, organisations are unable to guarantee the protection of both customer and corporate sensitive information. This also means that if they were asked to erase a person’s data, as dictated by the GDPR, they would not be doing so correctly and would be opening themselves up to hefty fines.
In order for organisations to adequately secure themselves against data breaches, they must regularly perform data protection audits. That way, they can identify any existing gaps or problems within their IT infrastructure and security posture. By doing so, they are able both to correct any issues and to implement any necessary changes to ensure that they are always in regulatory compliance going forward. As with anything, the more often this process is performed, the more confident organisations can be in terms of knowing exactly the type and quantity of the data for which they are responsible.
Without a comprehensive picture of where and how data is stored, it is nearly impossible for organisations to fully comprehend the scale of a potential data breach, and to know which customers have been affected and how severely. Regular data sanitisation alone will not prevent a data breach. However, it will limit its impact and free up resources elsewhere to invest in better protection. At the point when data no longer needs to be kept for legal purposes and has more value to hackers than it does to the organisation, is it really worth the risk to keep it?