Cloud data sanitization best practices for secure storage
Security professionals know that data sanitization isn't just best practice — it's often a compliance requirement. The process of deliberately, permanently and irreversibly removing or destroying data stored on memory devices has clear standards for traditional physical storage media such as tape, disk and paper. Those standards can guide implementation with well-documented procedures that remove data beyond the recovery capabilities of advanced forensics tools.
Cloud storage changes everything. Understanding the security risks of cloud migration is crucial before moving sensitive data to the cloud. When your data lives with a third-party provider, you can't simply overwrite disk sectors or physically destroy hardware. The shared, distributed nature of cloud resources creates unique challenges that require different approaches to achieve the same goal: making your data truly unrecoverable.
This article outlines cloud data sanitization best practices across Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), with command-line examples for each.
Editor's note: If you're new to the cloud and technology like AWS, we have a free interactive AWS workshop you can take right now. Access it here: Learn how to build and deploy cloud infrastructure.
Why cloud data sanitization differs from traditional methods
Traditional sanitization methods like DoD 5220.22-M rely on multiple overwrite passes to eliminate data remanence, the residual traces of data still detectable in disk sectors. A typical approach might involve writing zeros, then ones, then random characters, verifying each write to ensure complete coverage.
Cloud environments make this approach impractical, and usually impossible, for several reasons. First, you rarely have direct access to physical media: your data lives on distributed, virtualized storage systems that abstract the underlying hardware, so an overwrite issued from a guest reaches a logical volume, not a disk sector. Second, cloud providers use replication and redundancy to ensure availability, meaning your data exists in multiple locations simultaneously, and an overwrite or deletion of one copy says nothing about the others. Third, the multi-tenant nature of cloud storage means the physical hardware you're using today might serve another customer tomorrow.
These architectural differences require a fundamental rethink of data sanitization, and implementing cloud security best practices helps address these unique challenges.
Understanding cloud service models and sanitization challenges
Your sanitization options vary significantly depending on which cloud service model you're using:
Software as a Service (SaaS): You have almost no control over sanitization. The provider manages everything from the application down to the physical hardware. You can delete your data through the application interface, but you're trusting the provider to handle the actual sanitization.
Platform as a Service (PaaS): You get more control over your application and data, but still can't access the underlying infrastructure. Sanitization happens at the application layer, with the provider responsible for the physical media.
Infrastructure as a Service (IaaS): This offers the most control, letting you manage virtual machines and storage volumes. You can implement your own sanitization procedures, though you still can't access physical hardware directly.
For the most stringent compliance requirements, some organizations find that only co-located, customer-owned equipment provides sufficient control. Most organizations, though, can meet their needs by understanding provider capabilities and implementing complementary controls.
Modern cloud data sanitization approaches
Provider-managed sanitization
Major cloud providers have evolved their sanitization practices over the past few years. AWS, for instance, offers EBS volumes that operate like physical disks. These volumes are wiped before allocation to ensure no residual data from previous customers remains. AWS supports sanitization methods aligned with NIST 800-88 ("Guidelines for Media Sanitization") — the current industry standard that replaced the outdated DoD 5220.22-M.
NIST 800-88 Rev. 2, released in September 2025, focuses on establishing enterprise sanitization programs rather than prescribing specific techniques. The standard defines three sanitization categories:
- Clear: Protects against basic recovery methods using standard tools. Think of this as making data unrecoverable through normal operating system commands or commercial recovery software.
- Purge: Protects against advanced laboratory techniques. This requires methods that prevent recovery even with sophisticated forensic tools and direct hardware access.
- Destroy: Makes data recovery completely infeasible by physically destroying the storage media.
In cloud environments, you primarily use Clear and Purge methods because you can't physically destroy the provider's hardware.
Microsoft Azure follows similar practices, using NIST 800-88 for physical disk disposal. When hardware reaches end-of-life, Azure uses secure destruction methods like shredding or pulverization. The company tracks each piece of storage media from acquisition through destruction using asset management systems.
Google Cloud Platform has taken an interesting approach. Starting in November 2025, GCP transitioned away from traditional disk erasure and now relies entirely on cryptographic erasure for media sanitization, recognizing that modern storage technology has become too large and complex for traditional overwriting methods to remain practical.
The challenge? Providers make it clear that customers remain responsible for implementing appropriate sanitization procedures for their data. The provider handles physical media destruction, but you need to handle the logical deletion and verification.
Platform-specific implementation: AWS
AWS gives you several tools for secure data deletion.
S3 object deletion
Delete a single object:
aws s3 rm s3://bucket-name/object-key
Delete all objects with a prefix:
aws s3 rm s3://bucket-name/prefix/ --recursive
Verify deletion:
aws s3 ls s3://bucket-name/prefix/
When you delete an S3 object, AWS removes the mapping from the object key to the underlying data within seconds, after which the data can no longer be reached remotely, and the storage space is reclaimed for reuse. Two things bound what `aws s3 rm` actually removes. First, if versioning is enabled on the bucket, `rm` only writes a delete marker; every prior version of the object stays readable through its version ID until you delete those versions explicitly (`aws s3api delete-object --bucket bucket-name --key object-key --version-id <id>`) or a lifecycle rule expires them, so verify with `aws s3api list-object-versions --bucket bucket-name --prefix prefix/` rather than `aws s3 ls`, which lists only current versions. Second, S3 has applied server-side encryption at rest to every new object by default since January 2023; this protects reclaimed storage but is not by itself an erasure control, because the key remains under AWS's management unless you use SSE-KMS with a key you control.
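Lifecycle rules are the usual way to make deletions stick on a versioned bucket and to automate retention expiry. The configuration below is an added example, not from the original article: it expires objects under a constructed `cardholder-exports/` prefix 90 days after creation and removes their noncurrent versions one day after they become noncurrent, and, bucket-wide, it removes expired delete markers and aborts abandoned multipart uploads (whose already-uploaded parts hold data until the upload is aborted).

```json
{
  "Rules": [
    {
      "ID": "retire-cardholder-exports",
      "Status": "Enabled",
      "Filter": { "Prefix": "cardholder-exports/" },
      "Expiration": { "Days": 90 },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 1 }
    },
    {
      "ID": "bucket-wide-cleanup",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "Expiration": { "ExpiredObjectDeleteMarker": true },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-lifecycle-configuration --bucket bucket-name --lifecycle-configuration file://lifecycle.json`. Lifecycle actions run asynchronously, typically within a day, so confirm the result afterwards with `list-object-versions`; they also cannot remove versions still under an Object Lock retention period or legal hold.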
S3 object lock
S3 Object Lock prevents deletion or overwrite of object versions for a specified retention period. This Write-Once-Read-Many (WORM) capability protects against both accidental and malicious deletion. It has two modes: in GOVERNANCE mode, principals granted `s3:BypassGovernanceRetention` can still shorten or remove the retention (by passing `--bypass-governance-retention`), while COMPLIANCE mode cannot be shortened by anyone, including the account root user, until the retain-until date passes. Enabling Object Lock also enables bucket versioning, so the versioning caveat for deletion applies to locked buckets.
Enable object lock on a new bucket:
aws s3api create-bucket \
  --bucket secure-bucket \
  --object-lock-enabled-for-bucket
Set retention on an object:
aws s3api put-object-retention \
  --bucket secure-bucket \
  --key important-file.txt \
  --retention Mode=GOVERNANCE,RetainUntilDate=2026-01-01T00:00:00Z
EBS volume sanitization
Before deleting a volume, you can optionally overwrite it with zeros from inside the instance. Unmount the filesystem first, and check the device name: on Nitro-based instances the volume appears as /dev/nvme1n1 (or similar) rather than /dev/xvdf. dd ends with a "No space left on device" message when it reaches the end of the volume, which is expected.
sudo dd if=/dev/zero of=/dev/xvdf bs=1M status=progress conv=fsync
This overwrites only the logical volume. It does nothing to snapshots, which are separate resources that keep their data until removed with `aws ec2 delete-snapshot`. Detach the volume (`aws ec2 detach-volume --volume-id ...`), then delete it:
aws ec2 delete-volume --volume-id vol-1234567890abcdef0
delete-volume fails while the volume is still attached. Once it is released, AWS wipes the freed blocks before allocating them to another customer.
Platform-specific implementation: Azure
Azure Storage provides several sanitization capabilities.
Blob deletion
Delete a specific blob:
az storage blob delete \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name myblob.txt \
  --auth-mode login
Delete all blobs in a container:
az storage blob delete-batch \
  --source mycontainer \
  --account-name mystorageaccount \
  --auth-mode login
`--auth-mode login` authenticates with your Microsoft Entra identity, which needs a data-plane role such as Storage Blob Data Contributor; without it the CLI falls back to the storage account key. Add `--delete-snapshots include` when blobs have snapshots, because a blob with snapshots cannot be deleted otherwise.
Soft delete protection
Azure offers soft delete for both blobs and containers, retaining deleted data for a configurable period of 1 to 365 days during which it can be restored. This protects against accidental deletion, but it also means the data is still stored, and still in scope for an erasure request, until the retention period elapses.
Enable soft delete with 14-day retention:
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myresourcegroup \
  --enable-delete-retention true \
  --delete-retention-days 14
Restore a soft-deleted blob within the retention window:
az storage blob undelete \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name myblob.txt
Note that undelete restores rather than purges. Soft-deleted blobs are permanently removed by the platform only when their retention period expires, so the retention setting, not a CLI command, bounds how long "deleted" data remains recoverable. Keep it as short as your recovery needs allow on containers that hold data subject to deletion requirements.
Immutable storage
Azure's immutable blob storage, with time-based retention policies or legal holds, prevents premature deletion of compliance-critical data. Plan for its interaction with erasure: a blob under a legal hold or an unexpired retention policy cannot be deleted by anyone, so data that may be subject to deletion requests should not share a container with records that must be held.
Platform-specific implementation: GCP
Google Cloud Storage handles deletion through its API.
Object deletion
Delete a single object:
gsutil rm gs://bucket-name/object-name
Delete all objects in a bucket:
gsutil -m rm -r gs://bucket-name/*
Verify deletion:
gsutil ls gs://bucket-name/
If object versioning is enabled on the bucket, rm removes only the live version and noncurrent versions remain readable. Add -a (gsutil rm -a, or gcloud storage rm --all-versions) to remove every version, and verify with gsutil ls -a, which lists noncurrent versions too.
Soft delete feature
GCP introduced soft delete in March 2024, enabled by default on new buckets with a 7-day retention period (configurable from 7 to 90 days, or 0 to disable). This protects against accidental deletion; as with Azure, the data remains recoverable, and stored, for the whole retention period.
Configure soft delete retention:
gcloud storage buckets update gs://bucket-name \
  --soft-delete-duration=14d
Disable soft delete:
gcloud storage buckets update gs://bucket-name \
  --soft-delete-duration=0s
GCP uses cryptographic erasure as its primary sanitization method for retired storage media. When data is encrypted at rest and the encryption key is destroyed, the encrypted data becomes permanently inaccessible. This is a faster and more reliable method than traditional overwriting for modern, high-capacity storage.
Cryptographic erasure: The modern solution
Crypto-shredding, or cryptographic erasure, has become the gold standard for cloud data sanitization. The concept is elegant: if all your data is encrypted with a unique key, destroying that key makes the data permanently unrecoverable. No amount of forensic analysis can decrypt data without the key.
Here's why cryptographic erasure works so well in cloud environments:
- Speed: Once the key is gone, every byte encrypted under it becomes unreadable at the same moment, regardless of data volume. Compare this to traditional overwriting, which can take hours or days for large datasets and cannot even be attempted on storage you don't control.
- Effectiveness: Without the encryption key, encrypted data is essentially random noise. Recovery is computationally infeasible with current technology.
- Scalability: You can render petabytes of data inaccessible instantly by destroying a single key.
- Verification: You can easily verify that keys have been deleted from key management systems, providing audit evidence.
All three major cloud providers support customer-managed encryption keys (CMKs) through their key management services: AWS KMS, Azure Key Vault and Google Cloud KMS. None of them destroys a key the instant you ask. AWS KMS schedules deletion with a waiting period of 7 to 30 days; Azure Key Vault keeps a soft-deleted key recoverable for 7 to 90 days (and purge protection, if enabled, blocks early purging); Cloud KMS holds a key version in a scheduled-for-destruction state (24 hours by default) before destroying it. Until that window closes, anyone with the right permissions can cancel or restore, and the data is not yet unrecoverable.
Implementing effective crypto-shredding
Follow these practices to implement cryptographic erasure:
- Use dedicated encryption keys for sensitive data. Don't use the same key for everything — segregate by data classification or retention requirements.
- Implement proper key lifecycle management. Document when keys are created, rotated and destroyed. Maintain audit logs of all key operations.
- Verify key destruction. Don't just assume deletion worked. Check key management system logs to confirm the key reached its final deleted or destroyed state, not merely that deletion was scheduled, and that no cancel or restore operation happened in between.
- Use envelope encryption. Encrypt each object or dataset with its own data key, then encrypt (wrap) that data key with a key held in the key management service. Destroying the wrapping key renders every data key under it, and therefore all of that data, unrecoverable in one operation, while a single data key can still be destroyed on its own for a narrower erasure.
- Test your process. Regularly verify that you can successfully destroy keys and that data becomes unrecoverable.
- Document everything. Maintain detailed records of your crypto-shredding procedures for audit and compliance purposes.
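The envelope-encryption and crypto-shredding workflow described in the two preceding sections, as an added example that is not code from the original article or from any provider SDK. The `KeyStore` class stands in for a KMS (AWS KMS, Azure Key Vault or Cloud KMS would hold the key-encryption keys in practice), and the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag so the script runs with the standard library alone; a real deployment uses a vetted AEAD such as AES-256-GCM. Key labels, record contents and the audit-event names are constructed for the demonstration.

```python
"""Crypto-shredding with envelope encryption, stdlib only.

Added example, not code from the original article or any provider SDK.
The cipher is an HMAC-SHA256 counter-mode keystream plus an HMAC tag, a
stand-in for AES-256-GCM so this runs offline; in production the KeyStore
is the provider KMS and the data cipher is a vetted AEAD. All constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

class KeyDestroyed(Exception):
    """The key-encryption key (KEK) for a record no longer exists."""

def _subkey(key, purpose):  # separate enc and MAC keys from one 256-bit key
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

@dataclass
class KeyStore:
    """Stand-in for a KMS: one KEK per data classification, plus an audit log."""
    keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def create_key(self, label):
        key_id = f"kek-{label}-{secrets.token_hex(4)}"
        self.keys[key_id] = secrets.token_bytes(32)
        self.audit.append(("CreateKey", key_id))
        return key_id

    def wrap(self, key_id, dek):
        self.audit.append(("Encrypt", key_id))
        return seal(self.keys[key_id], dek)

    def unwrap(self, key_id, wrapped):
        if key_id not in self.keys:
            self.audit.append(("DecryptDenied", key_id))
            raise KeyDestroyed(key_id)
        self.audit.append(("Decrypt", key_id))
        return unseal(self.keys[key_id], wrapped)

    def destroy_key(self, key_id):
        # A real KMS schedules this with a waiting period; material is gone only
        # when the final deletion event appears in the audit log.
        del self.keys[key_id]
        self.audit.append(("DeleteKey", key_id))

def encrypt_record(store, kek_id, plaintext):
    """Envelope encryption: a fresh data key per record, wrapped under the KEK."""
    dek = secrets.token_bytes(32)
    return {"kek_id": kek_id, "wrapped_dek": store.wrap(kek_id, dek),
            "ciphertext": seal(dek, plaintext)}

def decrypt_record(store, record):
    dek = store.unwrap(record["kek_id"], record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])

def verify_unrecoverable(store, records):
    """True only if every record fails to decrypt because its KEK is gone."""
    for rec in records:
        try:
            decrypt_record(store, rec)
            return False  # still readable: the shred has not taken effect
        except KeyDestroyed:
            continue
    return True

def demo():
    store = KeyStore()
    kek_conf = store.create_key("confidential")  # one KEK per classification
    kek_restr = store.create_key("restricted")
    conf = [encrypt_record(store, kek_conf, b"patient 1042: constructed") for _ in range(3)]
    restr = encrypt_record(store, kek_restr, b"card token 7f3a: constructed")
    roundtrip_ok = decrypt_record(store, conf[0]) == b"patient 1042: constructed"
    store.destroy_key(kek_conf)  # the crypto-shred itself
    return {"roundtrip_ok": roundtrip_ok,
            "confidential_unrecoverable": verify_unrecoverable(store, conf),
            "restricted_still_readable": decrypt_record(store, restr).startswith(b"card token"),
            "delete_events": [e for e in store.audit if e[0] == "DeleteKey"]}
```

Running `demo()` shows the three properties the practices above ask for: records under the destroyed `confidential` KEK fail closed with `KeyDestroyed`, records under the separate `restricted` KEK are untouched (key segregation by classification), and the audit log carries a single `DeleteKey` event to cite as evidence. `verify_unrecoverable` deliberately returns False if any record still decrypts, which is the test you run after the provider's waiting period ends, not when deletion is scheduled.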
In a recent Cyber Work Podcast episode, Infosec instructor Wilfredo Lanz discussed how cloud administrators must understand the security implications of data management.
"When you move to the cloud, you are going to be dealing with the same type of issues," he said. "You still need to handle threats and protect data — understanding how that security applies on the cloud is very important to successfully protect those resources."
Compliance frameworks and cloud sanitization
Different regulatory frameworks have specific data deletion requirements:
GDPR (General Data Protection Regulation)
The "right to erasure" (Article 17) requires organizations to delete personal data upon request. GDPR doesn't specify technical methods, but you must be able to demonstrate effective deletion. Cryptographic erasure combined with audit logs provides strong evidence of compliance.
Key requirements:
- Respond to deletion requests within one month
- Delete data from all processing systems, including backups
- Notify data processors to delete their copies
- Document your deletion procedures
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA requires secure disposal of electronic protected health information (ePHI). The Security Rule doesn't mandate specific sanitization methods but requires procedures to remove ePHI from media before reuse or disposal.
Best practices:
- Follow NIST 800-88 guidelines
- Use cryptographic erasure for cloud storage
- Maintain disposal logs
- Conduct regular audits
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS requires secure deletion of cardholder data when it is no longer needed for business or legal reasons (Requirement 3.1 in v3.2.1, Requirement 3.2.1 in v4.0). The standard does not prescribe a single technique: any method that renders the data unrecoverable satisfies it, and cryptographic erasure is the usual choice for cloud storage.
Implementation:
- Define retention periods for cardholder data
- Automate deletion when retention expires
- Use crypto-shredding for cloud-stored data
- Document and test deletion procedures quarterly
Compliance framework mapping table
| Framework | Primary requirement | Recommended method | Verification |
|---|---|---|---|
| GDPR | Right to erasure within one month | Crypto-shredding + audit logs | Deletion confirmation records |
| HIPAA | Secure ePHI disposal | NIST 800-88 Purge level | Disposal logs + periodic audits |
| PCI DSS | Delete cardholder data post-retention | Crypto-shredding or Purge | Quarterly testing + documentation |
| SOC 2 Type II | Demonstrable data deletion controls | Provider attestations + crypto-shredding | Control testing reports |
| FedRAMP | NIST 800-88 compliance | Provider follows NIST guidelines | Third-party audit verification |
Hybrid cloud sanitization strategies
Most organizations operate hybrid environments with some resources on-premises and others in the cloud. This creates opportunities for strategic data placement.
Store less sensitive data in the cloud and keep data with strict sanitization requirements on-premises, where you have full control. This approach works well for organizations with stringent regulatory requirements or legacy compliance frameworks that predate cloud computing.
Be careful of "data spills" — situations where sensitive data accidentally ends up in cloud storage. Implement data loss prevention (DLP) tools and access controls to prevent sensitive data from reaching unauthorized storage locations.
Consider a tiered approach:
- Tier 1 (On-Premises): Highly sensitive data requiring physical media destruction
- Tier 2 (Private Cloud): Sensitive data needing dedicated resources
- Tier 3 (Public Cloud): General data suitable for shared infrastructure
Data discovery and classification
Before you can properly sanitize data, you need to know where it is and what it contains. Cloud environments make this challenging because data can spread across multiple services, regions and accounts.
Discovery tools and techniques
AWS:
- Amazon Macie: Uses machine learning to discover and classify sensitive data in S3
- AWS Config: Tracks resource configurations and changes
- CloudTrail: Logs all API calls for audit and compliance
Azure:
- Microsoft Purview: Discovers and classifies data across Azure services
- Azure Policy: Enforces data handling requirements
- Storage Analytics: Tracks access patterns and data location
GCP:
- Cloud Data Loss Prevention (DLP): Discovers and classifies sensitive data
- Cloud Asset Inventory: Provides visibility into all resources
- Cloud Logging: Tracks data access and modifications
Classification framework
Establish clear data classification levels:
- Public: No sanitization requirements, standard deletion sufficient
- Internal: Basic sanitization, verify deletion completion
- Confidential: Crypto-shredding required, audit trail mandatory
- Restricted: Crypto-shredding plus verification, potential on-premises requirement
Tag cloud resources with classification levels to automate appropriate sanitization procedures.
Verification and audit procedures
Sanitization without verification is incomplete. You need evidence that the data has been properly deleted. Automate your verification or create a verification checklist:
- Confirm deletion requests completed
  - Check the cloud provider console
  - Review API logs
  - Verify backups updated
- Document the sanitization
  - Record what was deleted
  - Note the method used
  - Identify who performed the deletion
  - Timestamp all actions
- Test data recovery
  - Attempt to access deleted objects
  - Check if backups contain the data
  - Verify encryption keys are destroyed
- Generate compliance reports
  - Create certificates of destruction
  - Compile audit logs
  - Document policy compliance
- Review third-party processors
  - Confirm data processors have deleted data
  - Obtain deletion confirmations
  - Update data processing agreements
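The "review API logs" and "verify encryption keys are destroyed" steps above, worked as an added example that is not code from the original article. It reads CloudTrail records for AWS KMS and reports, per key, whether destruction was only scheduled, was cancelled, completed after the waiting period, or is inconsistent with the schedule, which is what a certificate of destruction has to state. The event names (`ScheduleKeyDeletion`, `CancelKeyDeletion`, `DeleteKey`) and the `eventSource` and `resources[].ARN` fields follow CloudTrail's KMS logging; the records themselves are constructed and trimmed to the fields the check needs, and the account ID and key IDs are placeholders.

```python
"""Key-destruction evidence from CloudTrail (added example; records constructed)."""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT = "111122223333"  # placeholder account ID
KEY_DESTROYED = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_CANCELLED = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KEY_PENDING = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/abcd1234-a123-456a-a12b-a123b4cd56ef"

def _event(name, time, key_arn, **extra):
    ev = {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": time,
          "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/data-retirement"},
          "resources": [{"ARN": key_arn}]}
    ev.update(extra)
    return ev

# Constructed newline-delimited log: one key destroyed, one cancelled, one still pending.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("ScheduleKeyDeletion", "2025-01-02T10:00:00Z", KEY_DESTROYED,
           requestParameters={"pendingWindowInDays": 7}),
    _event("ScheduleKeyDeletion", "2025-01-03T09:00:00Z", KEY_CANCELLED,
           requestParameters={"pendingWindowInDays": 30}),
    _event("CancelKeyDeletion", "2025-01-04T09:00:00Z", KEY_CANCELLED),
    _event("ScheduleKeyDeletion", "2025-01-05T12:00:00Z", KEY_PENDING,
           requestParameters={"pendingWindowInDays": 30}),
    # DeleteKey is written by the service itself once the waiting period ends.
    _event("DeleteKey", "2025-01-09T10:02:00Z", KEY_DESTROYED, eventType="AwsServiceEvent",
           userIdentity={"accountId": ACCOUNT, "invokedBy": "AWS Internal"}),
])

def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _key_arn(ev):
    return next((r.get("ARN") for r in ev.get("resources", [])
                 if str(r.get("ARN", "")).startswith("arn:aws:kms:")), None)

def key_destruction_evidence(records, key_arn):
    """Deletion status for one key, with the facts a certificate of destruction needs."""
    events = sorted((e for e in records
                     if e.get("eventSource") == "kms.amazonaws.com" and _key_arn(e) == key_arn),
                    key=_when)
    ev = {"key": key_arn, "status": "no_evidence", "scheduled_by": None,
          "scheduled_at": None, "waiting_days": None, "deleted_at": None}
    earliest = None  # earliest moment the service may legitimately delete the key
    for e in events:
        name = e.get("eventName")
        if name == "ScheduleKeyDeletion":
            days = int(e.get("requestParameters", {}).get("pendingWindowInDays", 30))  # KMS default
            ev.update(status="pending", scheduled_by=e.get("userIdentity", {}).get("arn"),
                      scheduled_at=e["eventTime"], waiting_days=days, deleted_at=None)
            earliest = _when(e) + timedelta(days=days)
        elif name == "CancelKeyDeletion" and ev["status"] == "pending":
            ev.update(status="cancelled")
            earliest = None
        elif name == "DeleteKey":
            ev.update(deleted_at=e["eventTime"])
            # A DeleteKey with no schedule on record, or before the window elapsed,
            # is flagged rather than certified.
            ev["status"] = "destroyed" if earliest and _when(e) >= earliest else "inconsistent"
    return ev

def certify(records, key_arns):
    """Map each key to its status; only 'destroyed' keys belong on a certificate."""
    return {k: key_destruction_evidence(records, k)["status"] for k in key_arns}
```

Point it at real data by feeding `load_records` the lines from an Athena or `aws cloudtrail lookup-events` export filtered to `kms.amazonaws.com`. The check is deliberately strict: a `ScheduleKeyDeletion` alone yields `pending`, because the key is still restorable, and only the service-written `DeleteKey` after the full waiting period counts as evidence that the data is unrecoverable.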
Building a cloud data sanitization program
Successful cloud data sanitization requires an organizational program, not just technical tools:
- Create a data inventory
  - Catalog all cloud resources
  - Classify data by sensitivity
  - Document data flows and storage locations
- Define retention policies
  - Establish how long different data types are kept
  - Automate deletion when retention expires
  - Balance compliance requirements with business needs
- Deploy encryption at rest
- Configure automated deletion
- Set up monitoring and alerting
- Document procedures
  - Write clear sanitization instructions
  - Create decision trees for different scenarios
  - Maintain templates for documentation
- Train your team
  - Educate staff on cloud sanitization requirements
  - Provide hands-on training
  - Update training as technologies evolve
- Audit regularly
  - Test sanitization procedures quarterly
  - Review cloud configurations
  - Validate compliance with policies
The future of cloud data sanitization
As Google's recent shift to cryptographic erasure demonstrates, the cloud industry is moving away from traditional physical sanitization methods. Expect these trends:
- Increased automation: Machine learning will help identify data for deletion and automate sanitization processes.
- Better verification: Cloud providers will offer more robust deletion verification and audit capabilities.
- Standardization: Industry standards specific to cloud sanitization will emerge, building on NIST 800-88 Rev. 2's program-focused approach.
- Zero-trust data lifecycle: Organizations will adopt zero-trust principles for data management, assuming data could be compromised at any stage and implementing controls accordingly.
- Quantum-resistant cryptography: 256-bit symmetric data keys are not meaningfully weakened by known quantum algorithms, so crypto-shredding of AES-256-encrypted data holds up. The exposure is in any asymmetric algorithm used to wrap or transport keys, and those layers are where quantum-resistant algorithms will be adopted.
Taking the next step
Cloud data sanitization presents unique challenges, but modern approaches like cryptographic erasure provide effective solutions. Understanding your cloud provider's capabilities, implementing proper key management and maintaining comprehensive documentation will help you meet both security and compliance requirements.
The key is to plan for sanitization from the beginning — not as an afterthought when retiring systems. Build sanitization into your data lifecycle management, automate where possible and verify rigorously.
Want to advance your cloud security skills? Check out these resources:
- Download our Entry-level cybersecurity certifications guide to explore cloud security certifications
- Access our Mid-career certification roadmap for advanced cloud security credentials like CCSP
- Get the Cybersecurity salary guide to understand compensation for cloud security roles
Organizations that master cloud data sanitization will find themselves well-positioned for compliance, security and operational excellence. Those that don't may face limitations in which services they can move to the cloud, and potentially costly compliance violations.