The loss of a mobile computing asset or storage device will typically be noticed within a short time of the device going missing, as when a notebook is stolen from a car or taken during a break and enter. With policy, DLP technology, centralized backup and whole-disk encryption in place, the downside of such a loss is limited to lost productivity and the cost of the asset. Exposure of the lost information is of little concern, provided the device was powered off or locked so that the encryption key was not resident in memory: even with reasonable effort, the encrypted data will in all likelihood remain inaccessible, and the motive behind the theft is the resale value of the hardware.
What keeps me up at night is the thought of all the hard drives out there sitting in retired computers waiting to be purged and reused, or destroyed. Typically, each of these devices has had its data transferred to the newer asset and has then been shelved awaiting decommissioning. If one item goes missing, who will notice its loss? No one is using it regularly, no one is checking that the inventory has not changed through the day (or week, or month), and only when the decommissioning or redeployment cycle starts does anyone actually notice that the asset has disappeared.
Thinking about the contents of the asset, one realizes that the decommissioning process must be conducted at the time of the device's retirement from its current purpose. Yet how often does this happen, even when it is known to be best practice? Sadly, I believe that in most organizations the answer is rarely. This can be attributed to outdated decommissioning technologies, such as software overwriting, still being used while the process remains excessively time consuming; or to a policy that mandates physical destruction while the collection cycles are few and far between. It is safe to say that the root cause of the failure to decommission upon retirement is weak policy combined with the amount of time required to manage a continual decommissioning cycle.
Add to these challenges the risk of handing such data-rich devices to an external service provider for physical destruction, particularly where chain of custody is not documented end to end, and not only should CISOs be losing sleep, they might want to consider a steady diet of Nexium and a fresh copy of their CV in case of impending disaster.
Having worked with a number of large organizations on aligning policy goals with actionable IT objectives, it became evident that this situation was not isolated to a few organizations but was in fact common, and truly in need of a solution. Reading policy after policy referring to the decommissioning process as 'data destruction as per industry standards', where no standard or even common criteria exists, it became evident that there is a severe need for an effective solution to this issue. In fact, this very situation was recognized by both the US government and the storage industry, which reacted by engaging the University of California's Center for Magnetic Recording Research (at UC San Diego) to establish a technology by which the industry could create a standard. This technology is known as Secure Erase, implemented in the drive's own firmware as the ATA SECURITY ERASE UNIT command.
Referring to the US government's classification for data sanitization (NIST Special Publication 800-88, Guidelines for Media Sanitization), there are two recognized modes of data removal that leave the media usable: 'clear' and 'purge'. Software-based overwriting falls under Clear, whereas Purge, the preferred means, covers degaussing and Secure Erase. Physical destruction of the asset (to a specified particle size) is stronger still; NIST lists it as its own category, Destroy, rather than as a form of purging.
Clear technologies such as the overwriting procedure in the often-referenced DoD 5220.22-M cannot assure complete eradication of all data beyond forensic reconstruction. They overwrite each accessible sector with data patterns designed to obliterate the original contents, and the process is very slow: a triple-pass operation can take up to 18 hours on a single 100 GB device. The rationale for the multiple passes is that the drive head has a skew tolerance of about 10% when it lands on a track, so a single pass may leave legacy data at the track edge; the triple overwrite reduces the probability of such edge-track data remaining in a restorable state. Even once the process completes, fully recoverable data can remain in sectors or tracks the drive has flagged as bad and remapped, because a software tool can only reach the sectors the drive still exposes through its logical interface. Likewise, using forensic recovery technology, data may still be recoverable from lower-level magnetic artefacts remaining on the platter. As such, Clear technology is not a favoured means of decommissioning hard drives.
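As an added example that is not part of the original post, the shell fragment below shows the check a practitioner runs before purging a drive with Secure Erase rather than a software overwrite: parse the "Security:" block of `hdparm -I` output to learn whether the drive supports ATA Security, whether it is frozen (a BIOS commonly issues SECURITY FREEZE LOCK at boot) or locked, and whether Enhanced Secure Erase is offered, then emit the matching hdparm command sequence. The hdparm output embedded here is constructed to match the tool's layout, not captured from a real drive; the device name /dev/sdX and the throwaway password p are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a drive can be
# purged with ATA Secure Erase before touching it. Input is the text of
# `hdparm -I /dev/sdX`; only its "Security:" block matters.

# Constructed sample in hdparm's layout (hdparm indents with tabs; spaces
# work too). Drive supports ATA Security, is not frozen, offers enhanced erase.
SAMPLE_OK='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    4min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Constructed sample of the common failure case: the BIOS issued
# SECURITY FREEZE LOCK at boot, so every security command will be rejected.
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct'

# Read hdparm -I text on stdin; print one word:
#   unsupported | frozen | locked | enhanced | normal
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; next }
        insec && /^[^[:space:]]/ { insec = 0 }   # next top-level heading ends the block
        !insec { next }
        /^[[:space:]]+supported$/        { supported = 1 }
        /^[[:space:]]+frozen$/           { frozen = 1 }    # "not frozen" does not match
        /^[[:space:]]+locked$/           { locked = 1 }    # "not locked" does not match
        /supported: enhanced erase/      { enhanced = 1 }
        END {
            if (!supported) { print "unsupported"; exit }
            if (frozen)     { print "frozen";      exit }
            if (locked)     { print "locked";      exit }
            print (enhanced ? "enhanced" : "normal")
        }'
}

# Print the hdparm sequence for a given state and device. SECURITY ERASE UNIT
# requires a user password, so a throwaway one ("p", as in hdparm's own
# documentation) is set first; a successful erase clears it again.
erase_commands() {
    state=$1
    dev=$2
    case $state in
        enhanced)
            printf 'hdparm --user-master u --security-set-pass p %s\n' "$dev"
            printf 'hdparm --user-master u --security-erase-enhanced p %s\n' "$dev" ;;
        normal)
            printf 'hdparm --user-master u --security-set-pass p %s\n' "$dev"
            printf 'hdparm --user-master u --security-erase p %s\n' "$dev" ;;
        frozen)
            echo '# frozen by BIOS: suspend/resume or hot-plug the drive, then re-run hdparm -I' ;;
        locked)
            echo '# locked: hdparm --user-master u --security-unlock <password> first' ;;
        *)
            echo '# ATA Security unsupported: degauss or physically destroy instead' ;;
    esac
}

# Stand-alone run against the constructed samples (placeholder device /dev/sdX).
for sample in "$SAMPLE_OK" "$SAMPLE_FROZEN"; do
    state=$(printf '%s\n' "$sample" | ata_security_state)
    echo "state: $state"
    erase_commands "$state" /dev/sdX
done
```

Two points the output makes visible: the frozen state is the usual reason an erase attempt fails on a machine that has booted normally, and Enhanced Secure Erase is preferred where offered because the drive firmware writes vendor-defined patterns across every physical sector, including those remapped out of the logical address space that a software overwrite cannot reach. Run the emitted commands as root, only after confirming the device node, and verify afterwards with `hdparm -I` that "enabled" has returned to "not enabled".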