Domain 2 of 6 · Chapter 7 of 8

Data Retention, Deletion & Archiving

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • One lifecycle: retain, archive, delete, hold
  • Retention policies: tie every period to a driver
  • Deletion in the cloud: crypto-shredding is the answer
  • Archiving: cheap, cold, and not a backup
  • Legal hold: the override that beats every schedule

Retention lifecycle stages and the control that enforces each

StagePurposeCloud mechanismKey constraint
RetentionKeep data for a required periodLifecycle/retention policy tied to a classificationPeriod must trace to a regulation, contract, or business driver
ArchivingCheaply keep rarely-read data that must be retainedCold/archive storage tier (WORM where immutability is required)Retrieval is slow and may be billed; not a backup substitute
DeletionDefensibly destroy data at end-of-lifeCrypto-shredding (destroy the key); overwrite/destroy only on media you controlMust be logged; cannot reach multi-tenant physical media
Legal holdFreeze data for litigation/investigationObject-lock legal hold / immutable WORM that blocks delete and transitionOverrides retention expiry and any lifecycle deletion until released

Decision tree

Is the data under legal hold?litigation anticipatedYesPreserve: immutable controlobject-lock hold; stop scheduleNoHas the retention period expired?period tied to a driverNo, still requiredRead rarely but must keep?access patternYesControl the media?dedicated vs sharedYes, archiveCold archive (WORM)slow, cheap; not a backupNoKeep in active tierNo (shared)Crypto-shreddestroy the keyYesOverwrite /physical destroyAlways: log the action and authority for defensibility

Cheat sheet

  • Crypto-shredding is the cloud-canonical secure delete
  • Crypto-erase only works if you control and can destroy the key
  • Scope encryption keys so you can shred one dataset without the rest
  • NIST SP 800-88 recognizes cryptographic erase as a Purge technique
  • Every retention period must trace to a driver
  • Over-retention is a risk, not a safe default
  • Automate retention with lifecycle rules, not manual cleanup
  • A real end-of-life delete must reach every copy
  • Log every destruction to make it defensible
  • Archiving is for cheap long-term keep, not fast recovery
  • An archive is not a backup
  • Archived keys must outlive the data they protect
  • A legal hold overrides retention expiry and lifecycle deletion
  • Destroying data you were obligated to preserve is spoliation
  • Enforce a legal hold with immutability, not a request to staff
  • Legal-hold mode fits an open-ended hold; retention lock fits a fixed term
  • Scope and release a legal hold to avoid new over-retention
  • Physical destruction is available only on media you actually control
  • RPO sets the maximum backup interval; RTO sets the required restore speed
  • WORM Compliance mode blocks deletion even by admins; flexible mode lets policies be changed

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization Whitepaper