The Missing Link in Cloud Security
Why End-of-Life Destruction is Critical to a Successful Cloud Security Policy
Recently, there has been a hyper-focus on cloud security — and with good reason. According to a report by McAfee, cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms with engineering and government having the highest adoption of private clouds.
Cloud security threats have escalated alongside cloud data expansion, due in large part to the sheer number of records now being stored. According to IBM’s Cost of a Data Breach Report 2021, there were over 22 billion compromised records in 2021 alone, while another recent study suggests that there is a new victim of identity theft every two seconds in the United States. This increase in compromised records shows that one data breach affects far more records today than it did just five years ago, with more and more sensitive information being stored digitally.
Numerous methodologies have been recommended in an effort to combat the reputation degradation and astronomical cost associated with compromised data. The establishment and enforcement of cloud security policies are critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, endpoint security, user controls, and conducting security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans – an end-of-life policy.
Cloud security providers who actually define an end-of-life strategy are rare. Many providers erroneously think that erasing or overwriting a disk is sufficient or, more unsound still, that a failed drive is precisely that – failed and non-recoverable. Unfortunately, nothing could be further from the truth. A recent study based on an analysis of 200 hard drives purchased from second-hand sites such as eBay and Craigslist found that a total of 67% of devices had recoverable information, including PII such as names, addresses, and social security numbers. In-house physical media destruction is the most secure way to manage drives at end-of-life, which is why the National Security Agency (NSA) requires it for classified drives.
There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should receive a thorough evaluation to determine which solutions best fit their needs. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction. Security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal.