Over on the ISO27k Forum recently, someone raised the concern that a cloud services provider may have deleted and certified deletion of a customer's data at the primary location but somehow neglected to delete the copy/copies at their Disaster Recovery location/s, leading to problems later if the data then turns up unexpectedly, possibly in a different legal jurisdiction such as an overseas DR facility.
That scenario is possible and might be a concern (e.g. for GDPR compliance reasons) so yes it’s an information risk of sorts.
Potential mitigating controls include:
- Clarifying the requirement for the cloud services provider to delete and certify deletion of ALL data copies including DR, backups, archives, caches and assorted fragments that might be loitering in odd corners of the data centres, IT systems, networks, fire safes and filing cabinets, and reinforcing it with additional checks/audits plus strong penalties and liabilities;
- Using encryption with a small, tightly-controlled set of extremely strong keys which can be deleted and verified as such, for sure, no questions, using appropriate processes and controls;
- Some sort of time-bomb arrangement that automatically destroys stored data or those crypto keys after the expiry date;
- Some sort of remotely-triggerable data bomb that destroys the data or keys when triggered by a reliable mechanism;
- Insisting that ALL the data remain within a defined boundary or jurisdiction where stronger controls can be both ensured and assured;
- Improving the provider’s understanding and appreciation of the risk by building a strong working relationship, mutual respect and trust;
- Improving their trustworthiness further with awareness and training, governance, compliance and assurance measures … such as a ‘mole’ – someone working within the provider but for the customer – or whistleblowers;
- Insisting that ALL the data remain fully traceable at all times, then systematically deleting them and confirming that – possibly independently or in conjunction with the provider;
- Planting tell-tale beacons in the data so that, if it ever does turn up unexpectedly, the leak will be noted and an incident flagged for some sort of urgent response;
- … others? How else might this risk be mitigated? I'm quite sure there are other possible controls.
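To make the "encryption with a small set of deletable keys" control above concrete, here is an added Go example (not code from the original post or the ISO27k Forum thread) of crypto-shredding: the per-tenant data-encryption key lives only in a key store, every replica of the data (primary, overseas DR, backup) holds ciphertext, and destroying the key makes all copies unrecoverable at once, with a check that confirms it. The in-memory KeyStore, the function names and the tenant/site labels are assumptions for illustration; a real deployment would hold the key in an HSM or KMS with an audited destroy operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is the only place a tenant's data-encryption key (DEK) lives; every
// stored copy of the data (primary, DR, backup) holds AES-256-GCM ciphertext only.
type KeyStore map[string][]byte

func gcm(key []byte) cipher.AEAD { // keys are always 32 bytes, so errors here are bugs
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}
// StoreReplicated encrypts a record once under a fresh per-tenant DEK and fans the
// ciphertext (12-byte nonce || sealed record) out to every named site; the key stays in ks.
func StoreReplicated(ks KeyStore, tenant string, record []byte, sites []string) map[string][]byte {
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil { panic(err) }
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	ks[tenant] = key
	ct := gcm(key).Seal(nonce, nonce, record, []byte(tenant)) // tenant id bound as AAD
	replicas := map[string][]byte{}
	for _, site := range sites { replicas[site] = append([]byte(nil), ct...) }
	return replicas
}
// Read decrypts one replica; every copy fails identically once the DEK is gone.
func Read(ks KeyStore, tenant string, ct []byte) ([]byte, error) {
	key, ok := ks[tenant]
	if !ok || len(ct) < 12 { return nil, errors.New("DEK destroyed or ciphertext truncated") }
	return gcm(key).Open(nil, ct[:12], ct[12:], []byte(tenant))
}
// Shred zeroes the DEK in memory and drops it: the "delete the key" step.
func Shred(ks KeyStore, tenant string) {
	for i := range ks[tenant] { ks[tenant][i] = 0 }
	delete(ks, tenant)
}
// VerifyShredded is the "verify as such" step: true only if no replica still decrypts.
func VerifyShredded(ks KeyStore, tenant string, replicas map[string][]byte) bool {
	for _, ct := range replicas {
		if _, err := Read(ks, tenant, ct); err == nil { return false }
	}
	return true
}
```

The point for the DR scenario is that the provider only has to prove destruction of one small key, not of every ciphertext fragment in every jurisdiction.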
Personally, unless the risk really was high (i.e. high probability meaning significant threats and vulnerabilities, and high impact – perhaps highly-classified mission-critical data?), I would be tempted to accept it or to share it (through the contract/SLA/agreement with the provider), or better still avoid it in the first place (by not passing such important data to a third-party). Chances are high in such a scenario that there would be many other significant information risks as well, so the relative risk level might not justify such extreme controls.
In other words, there are probably other things I would be even more concerned about.
Returning to the original issue, in any risk analysis, it is always possible for some bright spark to come up with some bizarre, highly unlikely scenario - the 'little green men from Mars' type of situation, or quantum computing (which can simultaneously check all possible crypto keys), or a total meltdown of all electronic devices (e.g. due to an electromagnetic pulse), or an asteroid impact, or … whatever.
These are the extreme outliers, the black swans, the things that keep poor old Bruce Schneier awake at night.
They include possible but unlikely combinations and cascades of events – unfortunate coincidences as several things all go wrong 'at the worst possible moment'.
They include control failures, a surprisingly common yet often neglected cause of incidents - a massive blind-spot in the information risk management sphere, I fear. A risk to the profession.
Generally speaking, I would argue the best way to deal with them is through business continuity arrangements, specifically resilience, recovery and especially contingency: since we can’t tell for sure exactly what might occur, our response is contingent on what actually happens. Although these extreme events are extremely unlikely, it is true that something unexpected might just happen, so plan for that eventuality by preparing to cope as well as possible with the aftermath and minimize the resulting damage, rather than pouring all available resources into avoiding or preventing them. That's a black hole, a bottomless pit.
And here's today's Hinson Tip: extreme risks may require unusual forms of mitigation implying the need for more creative out-of-the-box thinking in your risk workshops etc.
For some of us risk nerds, such a challenge qualifies as fun!