
Plan and Implement Data Retention, Deletion and Archiving Policies

The data lifecycle specifies when data is created and when it is no longer needed. When data is no longer needed it can be disposed of, archived, or deleted. Disposal of data can be performed by destruction, deletion, or even by moving the data to a different location (such as to backups).

Different compliance standards specify how long data must be kept. Some compliance standards require that newer data be readily accessible, that older data remain accessible on backups or in archives, and that the data be securely deleted after a set time period has passed.

Data Retention Policies

Data retention has two primary drivers: operational needs and compliance requirements. When creating data retention policies, multiple factors must be considered, such as availability, compliance, and operational objectives such as cost. Backups are an important cloud service to take into account.

Storage Costs and Access Requirements

Not all storage is created equal. Some data may need to be accessed frequently, while other data (usually older) does not need to be accessed as much. Data that needs to be accessed frequently usually needs to be stored on faster storage, while older data may be stored on slower storage. Faster storage tends to cost more than slower storage.

Specified Legal and Regulatory Retention Periods

Some organizations must follow regulations that define retention periods for specific data. Common examples are HIPAA, PCI-DSS, and the EU GDPR.

Data Retention Practices

A retention policy must define what data is to be stored, why it is stored, and the amount of time it is to be stored. Other procedures that should be documented are:

  • Schedules - The period of time that data must be stored.
  • Integrity Checking - Data in storage or being copied may become corrupted. Integrity checking procedures verify data integrity when it is copied and periodically while it is in storage.
  • Retrieval Procedures - How stored data is accessed and by whom.
  • Data Formats - Formats change over time; this must be taken into consideration when storing data.

Data Security and Discovery

Data standards change over time, including encryption standards. Data in long-term storage may be encrypted with outdated cryptography. To secure this data, it is advisable to consider defense-in-depth strategies. Data retention should also take into consideration the ability to discover data in case of an investigation.

Data Deletion Procedures and Mechanisms

When data has reached the end of its retention period, it must be deleted in a secure way. NIST SP 800-88, Guidelines for Media Sanitization, is an excellent resource on removing data from information systems.

  • Clear - Removing data from user-addressable storage, much like emptying the recycle bin on the desktop. Data may still be recoverable.
  • Purge - Using specialized tools or techniques such as overwriting the data with dummy data, magnetic degaussing, or built-in hardware-based data sanitization functions. Cryptographic erasure, or crypto-shredding, is when the encryption keys are deleted so that the data becomes inaccessible.
  • Destroy - Destroying the physical media the data is stored on.

Data Archiving Procedures and Mechanisms

Adequate security protocols need to be followed as data moves from live systems to archives; this includes protecting the data both in transit and at rest.

Legal Hold

When data is under a legal hold, its retention schedule is suspended indefinitely. The data must be held even if the retention period has passed, until the legal hold has been lifted.
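As an added example (not part of the original page), the retention schedule from the Data Retention Practices section and the legal hold rule above expressed as a small policy evaluator in Python. The classification names, day counts and record ids are constructed sample values, not figures taken from any regulation:

```python
from datetime import date
from typing import NamedTuple

class RetentionPolicy(NamedTuple):
    """Retention schedule for one data classification, in days since creation."""
    hot_days: int      # kept on fast (expensive) storage up to this age
    archive_days: int  # on slower storage from hot_days, moved to archive at this age
    retain_days: int   # total retention; at this age the data must be securely deleted

# Constructed sample policies: names and day counts are assumptions for illustration.
POLICIES = {
    "cardholder": RetentionPolicy(hot_days=90, archive_days=365, retain_days=3 * 365),
    "health":     RetentionPolicy(hot_days=180, archive_days=730, retain_days=6 * 365),
}

def disposition(classification: str, created: str, today: str, on_hold: bool) -> str:
    """Return the lifecycle action for one record: 'hot', 'cold', 'archive',
    'delete' or 'hold'. Dates are ISO-8601 strings (YYYY-MM-DD). A legal hold
    suspends the schedule: the record is kept regardless of age until lifted."""
    if on_hold:
        return "hold"
    policy = POLICIES[classification]  # unknown classification raises: fail closed
    age = (date.fromisoformat(today) - date.fromisoformat(created)).days
    if age >= policy.retain_days:
        return "delete"    # hand off to a NIST SP 800-88 purge or destroy procedure
    if age >= policy.archive_days:
        return "archive"
    if age >= policy.hot_days:
        return "cold"
    return "hot"

def plan(records, today: str, legal_holds: set) -> dict:
    """Group record ids by the action the schedule requires today.
    records: iterable of (record_id, classification, created_iso) tuples."""
    actions = {"hot": [], "cold": [], "archive": [], "delete": [], "hold": []}
    for record_id, classification, created in records:
        action = disposition(classification, created, today, record_id in legal_holds)
        actions[action].append(record_id)
    return actions

if __name__ == "__main__":
    sample = [  # constructed inventory, evaluated as of 2024-01-01
        ("inv-1", "cardholder", "2023-12-15"),   # 17 days old -> hot
        ("inv-2", "cardholder", "2023-06-01"),   # 214 days -> cold
        ("inv-3", "cardholder", "2022-12-01"),   # 396 days -> archive
        ("inv-4", "cardholder", "2020-01-01"),   # 1461 days -> delete
        ("inv-5", "health",     "2017-01-01"),   # past retention, but on hold -> hold
    ]
    print(plan(sample, "2024-01-01", legal_holds={"inv-5"}))
```

The "delete" bucket is only a decision; the actual removal still has to go through a clear, purge or destroy procedure as described above.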