Are You Throwing Away Sensitive Data?

New technology makes it harder to completely sanitize discarded IT equipment.

Keeping the information contained in the company’s IT equipment secure is an obvious priority. But as technology becomes outdated and is recycled, replaced or repurposed, keeping the data secure is still a vital part of the process.

“Confidential information has a lifecycle: it is created; it is stored; it is transferred; it is deleted or destroyed,” advises Mark Lobel, a partner in security, privacy and risk practice at PricewaterhouseCoopers. “Each part of that lifecycle should be important to companies.”

The security issues involved in IT disposal gained prominence from a 2010 CBS News investigation into data stored on digital photocopiers. But with new technologies come new challenges.

Solid-state drives, which are faster than traditional hard drives and used in many laptops, tablets and cellphones, and most recently were offered by Amazon’s cloud service, cannot be wiped clean in the same manner as traditional disk drives.

About a billion pieces of computer equipment will be retired this year, according to Jim O’Grady, the director of asset management at HP Financial Services, and the disposal of IT assets is subject to 163 regulations worldwide.

To securely remove data, traditional drives undergo a process called a “military wipe,” which overwrites old data, erasing the previous data as it goes. Simply hitting “delete” will erase the index that points to where a file is stored on a disk, but those files would still be accessible using forensic technology. Government and industry standards typically call for multiple overwrites to insure all data is removed.

However, even a military wipe isn’t effective on a solid-state drive, which stores information directly in the hardware. A military wipe erases only 20% to 30% of the data on a solid-state drive, according to PwC’s Lobel. “Some organizations have tested it and they recovered quite a lot of data,” he notes.

Companies can make data unreadable using hardware-based encryption, which is effective and doesn’t take as many iterations to wipe clean. “But you have to know [the encryption function is] there, and you have to know this is an issue and take the extra step to enable the hardware-based encryption,” Lobel says.

When erasing the data is possible, it comes with its own challenges. Solid-state drives have to be programmed correctly to successfully implement an erase command, cautions Steven Swanson, an associate professor of computer science at the University of California, San Diego, who studies solid-state memory technologies. Some drives don’t implement the command at all, and some have bugs and don’t implement it correctly. In the case of USB thumb drives, there is no reliable way at all to erase data short of physically destroying the drive, Swanson adds, unless you are using a high-end, secure drive that can wipe itself. 

“There’s not an easy way for a user to check,” he says. “If there’s a bug or an error in the software that runs inside your drive, you may tell it to erase the drive, it may tell you that it did that successfully, and if you go back and look for that data, you won’t find any—but that data can actually still be there.”

Some systems may even claim to be securely erasing data in a way that’s not currently possible. On a Mac laptop or desktop, Swanson says, “there’s a command to securely erase the trash, and that involves just going in and erasing particular files.” But there could be many older versions of that file in other locations, “so erasing a single file is really, really hard. I don’t know of a reliable way to do it currently.”

Swanson recommends asking manufacturers about it to ensure that they’re aware of the problem. “That will make it clear to them that they need to provide a good solution. It’s not hard to do…but it does require that you know a little bit of what you’re doing on the manufacturer’s side.”

And just as it’s not hard for manufacturers, it’s not very difficult for someone looking to recover your data: Swanson says an electrical engineer with a four-year degree and a moderately well-equipped laboratory could manage.

Keeping data around longer than required is a liability, PwC’s Lobel says, even if the company isn’t getting rid of the hardware. “If you have the IT assets and you aren’t disposing in a secure fashion, you have a fiduciary responsibility,” he says. Companies could face an economic liability if information is compromised. 

Even after a company sells IT assets, it is still held responsible. “Once you’re in that chain, you can’t separate yourself—that’s a big surprise for a lot of our clients,” O’Grady says. “Never let your asset off your premise site without wiping the data. There’s lot of leakage that can occur.”

“You’re putting your company’s brand at risk,” O’Grady adds. “Especially when we talk to CFOs and treasury, they clearly see that how they treat e-waste is a major brand concern for them.”

 

 

For more on IT risk management, see Cyber Security Review and Fail-Safe for Clouds.

 

Page 2 of 2
Comments