Zombie Cloud Data – Are You Leaving Your Company Exposed?

A cloud with a hand rising behind it.

Posted on Friday, May 26, 2017

For many businesses, the cloud is an important part of their storage strategy; limitless capacity allows them to offload archive data, or to cope with temporary peaks in demand. And as long as the service is in use, everything is fine.

Did your due diligence miss this one important factor?

When signing up for a cloud storage service, due diligence checks typically focus on how data is protected from external security threats. You probably already know how data is encrypted, decrypted and firewalled in the hosted data center, providing confirmation that your information is safe.

One factor that is often overlooked however is data deletion. When you press delete, what happens to that information?

On a local level, deleting files simply removes the file system pointer – the data still exists on the physical hard drive. It can even be recovered relatively easily using the right tools.

The same basic principle of the cloud is true too. Data “deleted” from cloud storage still exists on the physical disks, often in multiple physical locations as data is replicated across the world for redundancy and failover purposes. And this “zombie data” can also be recovered.

A question of control

The issue becomes even more complicated when you remember that the cloud service provider retains all rights to the infrastructure. You may be bound by their data deletion cycle – especially if you have not negotiated any specific data handling provisions.

The real problem occurs when your public cloud physical disk space is allocated to another subscriber before those clean up routines are run. Which means someone else could recover and exploit that data, creating a serious security problem for your business.

There is also the question of what happens when the cloud provider decommissions hardware and disk arrays. What are the data destruction safeguards in this scenario? Are these provisions compliant with the regulatory guidelines by which your business is bound? What guarantees are in place that all client data is fully destroyed before the drives are disposed of?

Check closely or face massive fines

CTOs need to confirm they are not being exposed by zombie data now, before they encounter problems. And they need to ensure that all cloud platforms they use in future offer proper safeguards against data recovery.

The cost of not carrying out these checks could be catastrophic. One the new General Data Protection Regulations come into force, exposure of personal data belonging to an EU citizen could result in a fine of up to 4% of your total global turnover. Which will immediately wipe out any savings made through public cloud service adoption.

Next steps

For more help and advice on your data storage strategy, and to explore other options outside public cloud, please get in touch.