Crypto-Shredding is NOT a panacea for the Right to be Forgotten (RTBF)


A recent survey by Trend Micro revealed alarming results. When asked about their company's approach to cloud data destruction, 25% of respondents answered “What’s that?”. Another 31% said their cloud provider handles cloud data destruction, but did not know what actually happens in that case. Given the growth of cloud computing, security professionals need to understand the details of data destruction in the cloud; it is required from both a contractual and a regulatory point of view.


Crypto shredding is the concept of destroying data by destroying the cryptographic keys protecting it. Without the decryption keys, the encrypted data is unusable — like a safe without the combination — provided the encryption is sound and no copy of the key survives anywhere.


From a cloud perspective, a provider serves multiple tenants on shared infrastructure. From a cloud customer's perspective, the data is stored in physical locations they cannot visit, let alone perform any data destruction on the resources allocated to them. Resources created by the end user are ephemeral, and so are the changes made to them. If data needs to be destroyed for contractual or regulatory reasons, it’s a nightmare.


Let’s look at it from a regulatory point of view. Alice (yes, the Alice of Alice-and-Bob fame) wants to exercise her “Right to be forgotten” and sends a request to the organization Qwerty (Q for short). Now Q needs to identify all the data it holds on Alice. While collating that data will be a nightmare for organizations that have not labelled their data, let’s assume that Q has this in place.


So Q collects all this information and performs crypto shredding. Let’s revisit the definition of crypto shredding.


“Crypto shredding is the practice of rendering sensitive data unreadable by deliberately overwriting or deleting encryption keys used to secure that data.”


So Q will have to either overwrite or delete the keys protecting Alice’s data. However, this is easier said than done. Most organizations keep multiple backups of their data to ensure availability. If Q holds 4 copies of the data, the key overwriting or deletion has to take effect for every copy, at every location that holds the data or the key, before confirming back to her.


Crypto shredding is built on the premise that you have one encryption key per customer, which makes key management a logistical nightmare. Consider that Q has around 250,000 customers all across the globe. If a separate key is required for each, we would need at least that many keys, and possibly twice as many. We also need keys to protect those keys, and a master key to recover from key corruption, plus the storage space for all of them or a third party to help with the key management.


If, for the sake of this example, we assume that Q has a key for Alice, then it becomes a simple task: delete the key associated with Alice and all the data associated with her becomes unreadable. In practice, this exercise presents more challenges, and they will be unique to every organization.
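To make the mechanics concrete, here is an added example (not code from the original post) of per-customer crypto shredding in Go, using AES-GCM from the standard library. It models the happy path just described, Q holding one data-encryption key (DEK) for Alice and deleting it, and the two caveats from the earlier paragraphs: shredding the key makes every replica of the ciphertext unreadable at once, but a backup that captured a copy of the key store before the shred can still decrypt her data. The customer names, the in-memory key store and the `Snapshot` backup are assumptions made for illustration; a real deployment would wrap each DEK under a KMS-held key-encryption key rather than keep raw keys in a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded is returned when the customer's DEK no longer exists.
var ErrShredded = errors.New("no key for customer: data is cryptographically shredded")

// KeyStore maps a customer ID to that customer's 256-bit data-encryption key.
// Illustrative only: a plain map stands in for a KMS-backed key hierarchy.
type KeyStore map[string][]byte

// Record is one stored copy of a customer's data: GCM nonce || ciphertext+tag.
type Record struct {
	Customer string
	Blob     []byte
}

func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the customer's DEK, generating the DEK on first use.
func (ks KeyStore) Encrypt(customer string, plaintext []byte) (Record, error) {
	dek, ok := ks[customer]
	if !ok {
		dek = make([]byte, 32)
		if _, err := rand.Read(dek); err != nil {
			return Record{}, err
		}
		ks[customer] = dek
	}
	aead, err := gcmFor(dek)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	// Seal appends ciphertext and tag after the nonce so the record is self-describing.
	return Record{Customer: customer, Blob: aead.Seal(nonce, nonce, plaintext, nil)}, nil
}

// Decrypt opens a record; once the DEK is gone every copy of the record is unreadable.
func (ks KeyStore) Decrypt(r Record) ([]byte, error) {
	dek, ok := ks[r.Customer]
	if !ok {
		return nil, ErrShredded
	}
	aead, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(r.Blob) < n {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, r.Blob[:n], r.Blob[n:], nil)
}

// Shred performs crypto shredding for one customer: overwrite the DEK in place,
// then drop the entry. No ciphertext is touched; it simply becomes undecryptable.
func (ks KeyStore) Shred(customer string) {
	if dek, ok := ks[customer]; ok {
		for i := range dek {
			dek[i] = 0
		}
		delete(ks, customer)
	}
}

// Snapshot models a backup that copied the key store along with the data.
// A shred of the live store does nothing to this copy; it must be destroyed too.
func (ks KeyStore) Snapshot() KeyStore {
	cp := make(KeyStore, len(ks))
	for c, dek := range ks {
		cp[c] = append([]byte(nil), dek...)
	}
	return cp
}

func main() {
	live := KeyStore{}
	alice, _ := live.Encrypt("alice", []byte("alice@example.com, DOB 1970-01-01")) // constructed sample data
	bob, _ := live.Encrypt("bob", []byte("bob@example.com"))
	replicas := []Record{alice, alice, alice, alice} // Q keeps four copies of every record
	backup := live.Snapshot()                        // taken before the RTBF request arrives
	live.Shred("alice")
	for i, r := range replicas {
		_, err := live.Decrypt(r)
		fmt.Printf("replica %d after shred: %v\n", i+1, err)
	}
	pt, _ := live.Decrypt(bob)
	fmt.Printf("bob still readable: %s\n", pt)
	pt, err := backup.Decrypt(alice)
	fmt.Printf("alice via backed-up key store: %q (err=%v)\n", pt, err)
}
```

The point to take from running it: the shred itself is one map deletion, yet the `Snapshot` copy decrypts Alice's record afterwards without error. Any backup, replica or vendor system that ever received the key has to be shredded separately, which is exactly where the logistics described above break down.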


Add to this the complexity of organizations with multiple vendors and a mix of legacy, on-prem, and cloud applications.


While crypto shredding is touted (even in books) as the only way to destroy data in the cloud, it is not a practical solution unless you are shutting down the business and wiping out all the data you had.


I would like to understand your views as a cloud security expert. What do you think solves the problem in the real world?
