
Silencing Data Forever

A Converge IT Asset Disposition White Paper

www.converge.com


Copyright © 2009 Converge

In June 2009, PBS’s “Frontline” documentary program took viewers to Africa and Asia to investigate what it called “digital dumping grounds,” or offshore locations where old computers go to die. The images of toxic smoke emanating from the filthy, burning equipment were horrifying enough, but IT professionals had one more reason to squirm: Reporters uncovered mountains of personal data – including details about classified U.S. government contracts – from disk drives retrieved at the scene.

Chances are that the organizations whose information was compromised by careless disposal weren’t even aware of it. These companies may have handed off old equipment to agents that they thought were legitimate refuse disposal services, thinking that any sensitive data would be safely destroyed. What these companies didn’t know was that destroying or erasing digital assets like disks, memory and tape can be devilishly difficult. Only the most reputable, ethical and process-driven organizations stand a chance of delivering 100% compliance.

When it comes to disposing of outdated IT equipment, “out of sight, out of mind” is all too often the rule. Old computers are an unsightly nuisance to be removed from view, and it’s easy for organizations to overlook the fact that current and sensitive data may still live on them. Data destruction and the vital auditing processes that accompany it are a time-consuming job. The risk of exposure may seem so small that it’s easier to just hope for the best. IT organizations and their users may cut corners by using a simple “delete all” function to remove data.

Unfortunately, proper erasure is not that easy. Secure and complete data erasure may involve multiple stages, up to and including the physical destruction of the storage device. Government and regulatory reporting requirements may apply. Issues related to choosing processes and equipment must be untangled. Hard drives in nonworking computers may go un-erased, or drives with bad spindles still may contain data, even though the disk appears to be clean. The problems only mount as the number of outdated computers grows.

In this white paper, we’ll look at some of the options and trade-offs for secure data destruction and examine the benefits of using a professional services firm for the task. The process is more involved than many people might think.


Growing Risk

The risk of privacy breaches due to improper data disposal is growing.

- Gartner forecasts that consumers and businesses will replace more than 925 million PCs worldwide between 2008 and 2010.
- Ongoing research by British Telecom found that only one-third of secondhand hard drives on the market were wiped clean of information.[i]
- An examination of 100 hard drives purchased on eBay by a New York computer forensics firm found that 40% of them contained personal or sensitive information.[ii]

At the same time, there is mounting evidence that the cost of data breaches is climbing.

- A Ponemon Group study of 43 companies that suffered data breaches in 2008 found that the average cost per compromised record was $202, a 2.5% increase over the previous year.
- Ponemon also found that customer “churn,” or turnover rates, increased at companies that had been compromised. When factoring in these additional expenses, the cost of a breach in the health care industry rose to more than $280 per record.
- Earlier research reached similar conclusions. A 2007 analysis by Darwin Professional Underwriters estimated that the average data breach cost an organization approximately $157 per record. Forrester Research surveyed 28 companies in 2007 and estimated the costs at $90 to $305 per record.

The growing exposure of sensitive data comes as regulators are turning up the heat on offenders.

- Data breaches can result in severe fines and even imprisonment under regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act (SOX) and Safe Harbor Principles. Ignorance of the law isn’t a defense.
- Banks and credit card firms may pass along the cost of closing accounts or reissuing credit cards to business partners that they deem guilty of improper security practices.
- Businesses that unwittingly expose customer data can suffer damage to their brands and loss of customer confidence from the accompanying publicity. Citibank and Heartland Payment Systems are among the large and respected corporations that have had to conduct damage control in the wake of attacks that compromised tens of millions of credit card accounts.


Table 1

Policies and Procedures

Not all data is a privacy risk, of course, but there is a wide range of information that can cause loss or embarrassment if exposed. Examples of sensitive data include:

- Corporate intellectual property, such as policies, strategy documents, custom pricing information, financial data (draft and final), tax filings, software license codes, employee records, meeting minutes and confidential e-mails;
- Customer information, such as profiles, bills, account records, contracts and personal data;
- Shareholder information, including identities, account numbers, Social Security numbers, holdings and transactions; and
- Employee information, including personnel records, Social Security numbers, performance reviews and family records.


In practice, it is rarely time-efficient or convenient to thoroughly analyze and classify all information on a storage device. It often is easier simply to thoroughly destroy all data on a device that contains any of the information listed above.

Sensitive information isn’t limited to hard drives and PCs, of course. Noncomputing devices such as routers, switches and even fax machines may be at risk. Cell phones, PDAs and media players also may carry gigabytes of customer records and financial data. Removable media such as flash drives, DVD-ROMs and Zip drives also may need special handling. Even nonvolatile memory like RAM, EPROMs and firmware may be at risk.

Effective policies can limit exposure by providing clear definitions and accountability standards for maintaining and disposing of sensitive information (see Table 2). However, these policies also must be accompanied by procedures for sanitizing media in the most appropriate and cost-effective manner.

Beyond Deletion

When most people first learn to use a computer, they are taught that deleting data is as simple as dragging files to a trash can or executing a simple “delete” command. For routine needs, that is basically true. What many people don’t know, however, is that data deleted from view is not actually deleted from the media on which it resides. A standard delete function simply erases the information that tells the operating system where to find the file. The information itself usually is untouched and may remain on the storage media for days or even weeks until it is overwritten by more recent information. This scenario is sometimes called “data remanence.”

Table 2. Considerations for Data Destruction Policies

- Media type
- Confidentiality of data
- Need for a controlled area
- In-house or outsourced process
- Volume of media to be sanitized
- Tools to be used
- Verification of destruction equipment
- Level of expertise required
- Time requirements
- Reusability of media
- Contractual obligations with customers/suppliers
- Accountability
- Measurements/penalties
- Verification procedures
- Reporting and compliance
- User training


There are good reasons why computers work this way. The process of thoroughly expunging data from the disk by overwriting it with random characters is both time-consuming and unnecessary for most people’s day-to-day needs. As long as the computer is controlled by the owner or another trusted source, there is little reason to worry about a compromise.

When complete disk erasure is required, a “format” command is typically used. Formatting appears to wipe all information from the disk other than that required by the operating system. The disk looks empty to the user, but it really isn’t. Think of formatting as a kind of super delete program. It removes information about files, but may leave most of the actual data in place. This data often can be recovered with software that enables inspection of the individual bytes on the storage media.

Thorough sanitization requires that all sensitive data be completely removed from the storage media or overwritten with nonsensitive data. There are several ways to do this, each with different costs and trade-offs. Here is a look at some of the most common techniques.

Deleting or Reformatting

File deletion is the fastest and easiest way to remove information from view, but it also is the least reliable. All operating systems provide basic utilities to reformat hard disks. Some include additional features, like the Linux “shred” command, that deliver a higher level of data destruction. File deletion has the advantage of low cost and speed. It can be a good choice for nonsensitive data or redeployment of information assets within an organization.

Table 3. This flowchart provided by the National Institute of Standards and Technology offers a useful approach to selecting appropriate data disposal procedures.[iii] It encompasses such variables as whether the organization wishes to reuse the equipment and whether the equipment will leave the organization’s control.


However, if an asset is being disposed of, sold on the public market or even redeployed to another company department, these techniques do not provide adequate levels of data destruction. File destruction utilities included in operating systems do not claim – and are not certified – to delete every shred of data they touch. While many provide a very good level of sanitization, there is no guarantee that a skilled forensic specialist would not be able to recover usable information. Remember that Social Security and credit card numbers consume less than 15 bytes of space. Multiple reformats improve effectiveness but still are not foolproof.

Overwriting Data

This relatively simple approach to data destruction involves replacing information on the storage medium with random characters so that the original data is indecipherable. There are many software applications available for this purpose, ranging from free open source utilities to commercial packages designed for high-volume use. Ideally, such software should support the U.S. Department of Defense 5220.22-M standard[v] for the protection of classified information. This standard specifies that 100% of the data on the disk must be erased.

While simple in principle, data overwriting isn’t simple to implement. Replacing every byte on the storage medium may involve as many as 50 passes through the data – a time-consuming process. The verification process also may last for several hours, depending on the size of the disk and the software used.

License fees for data-overwriting software can be expensive, and the task of differentiating between the features claimed by different vendors can be bewildering. Users must be able to confirm total erasure, which may require special expertise and technology. Overwriting also does not work on storage media that are not accessible through conventional read/write means. Media that are scratched or damaged may contain retrievable information that cannot be overwritten by software.
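The behaviour described under “Beyond Deletion” and “Overwriting Data”, as an added example that is not part of the original white paper: a constructed in-memory disk model shows that delete and format leave the bytes in place, that a full overwrite removes them, and that the read-back verification pass is what flags a damaged block the overwrite could not reach. The `ToyDisk` class, its 16-byte blocks and the sample record are all hypothetical.

```python
import os

BLOCK = 16  # bytes per block in this toy image (assumption; real disks use 512 or 4096)

# Constructed sample record; the account number is a placeholder, not real data.
PAYLOAD = b"name=Test User; " + b"ACCT=000-00-0000" + b"; constructed"
NEEDLE = b"000-00-0000"


class ToyDisk:
    """Hypothetical model of a disk: raw blocks plus the index that locates files."""

    def __init__(self, nblocks):
        self.raw = bytearray(nblocks * BLOCK)
        self.index = {}                   # filename -> list of block numbers
        self.free = list(range(nblocks))
        self.bad = set()                  # damaged blocks that silently ignore writes

    def _write_block(self, n, data):
        if n in self.bad:                 # write never reaches the media
            return
        self.raw[n * BLOCK:(n + 1) * BLOCK] = data.ljust(BLOCK, b"\0")

    def write_file(self, name, payload):
        chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
        blocks = [self.free.pop(0) for _ in chunks]
        for n, chunk in zip(blocks, chunks):
            self._write_block(n, chunk)
        self.index[name] = blocks

    def delete_file(self, name):
        """Standard delete: drop the index entry, leave the data blocks alone."""
        self.free.extend(self.index.pop(name))

    def quick_format(self):
        """Format as a 'super delete': rebuild the index, keep the raw bytes."""
        self.index.clear()
        self.free = list(range(len(self.raw) // BLOCK))

    def residue(self, needle):
        """Byte-level inspection of the media, ignoring the index entirely."""
        return needle in bytes(self.raw)

    def overwrite(self, passes=1):
        """Random passes over every block, followed by a final zero pass."""
        nblocks = len(self.raw) // BLOCK
        for _ in range(passes):
            for n in range(nblocks):
                self._write_block(n, os.urandom(BLOCK))
        for n in range(nblocks):
            self._write_block(n, bytes(BLOCK))

    def verify(self):
        """Read back every block; return those not holding the final zero pattern."""
        nblocks = len(self.raw) // BLOCK
        return [n for n in range(nblocks)
                if self.raw[n * BLOCK:(n + 1) * BLOCK] != bytes(BLOCK)]


def run_scenario(damaged_block=None):
    disk = ToyDisk(nblocks=8)
    disk.write_file("customers.txt", PAYLOAD)
    disk.delete_file("customers.txt")
    after_delete = disk.residue(NEEDLE)      # data remanence after delete
    disk.quick_format()
    after_format = disk.residue(NEEDLE)      # still present after format
    if damaged_block is not None:
        disk.bad.add(damaged_block)          # block fails before sanitization
    disk.overwrite(passes=3)
    return {
        "after_delete": after_delete,
        "after_format": after_format,
        "after_overwrite": disk.residue(NEEDLE),
        "unverified_blocks": disk.verify(),
    }


if __name__ == "__main__":
    print("healthy media:", run_scenario())
    print("damaged block:", run_scenario(damaged_block=1))
```

A non-empty `unverified_blocks` list is the signal that software overwriting alone cannot be certified for that device and another sanitization method is needed.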

Professional IT asset disposal (ITAD) firms provide a valuable service by certifying destruction to the level desired by the customer, thereby significantly reducing the likelihood of customer liability in the event of a breach. The most reliable and professional ITAD firms also are more likely to license the highest-quality data destruction products and be thoroughly trained in their use. They also can identify unusual situations such as damaged media and apply appropriate alternative processes and tactics as necessary to protect your brand.

Table 4. On most desktop computers, deleting a file simply overwrites a small amount of information needed to “see” the file. Proper deletion requires complete overwriting of data in each physical storage block. (Lifehacker image[iv])

Degaussing

This technique works with magnetic media and is considered an effective way to render information unreadable. It involves a specialized machine called a degausser, which delivers a high-powered magnetic charge that leaves the magnetic bits on the media in random patterns.

Degaussing is not appropriate or practical in all situations. For one thing, verification of data destruction is nearly impossible because, in the case of a hard drive, the electronics are destroyed and the drive is made inoperable.

Professional degaussing equipment can be very expensive, with prices exceeding $10,000 for high-end units. Operators require special training, and the machines themselves are delicate and require frequent recalibration.

The degaussing process also has the side effect of destroying delicate electronics within the storage devices, which renders them worthless. This is a downside for companies that hope to realize some residual value from their equipment. Finally, degaussing has no effect on optical media such as CD-ROMs and DVDs.

In the hands of a professional service provider that can achieve economies of scale, degaussing is one of a suite of tools that are effective at sanitizing media. However, many in-house IT operations probably will find it an overly complex and expensive solution for occasional use.

Manual Destruction

In the “Frontline” documentary referenced earlier in this report, an FBI spokesman demonstrates a data destruction tactic by smashing a disk drive with a hammer. While this technique is an effective way to make a drive inoperable, it actually is not an accepted form of data destruction under the guidelines provided by the National Institute of Standards and Technology.[vi] It also may be hazardous to employees.

Physical destruction of storage media is the ultimate form of data destruction. A disk drive that has been smashed into small pieces is almost impossible to read. In practical terms, a few strokes with a hammer will render most storage media unreadable to the average person. However, in the hands of a professional, information still can be recovered.


That is why NIST specifies shredding, disintegration and pulverization as the three recommended means of physical disposal. In the same way that paper shredding tears printed information into pieces that are too small to put back together, these disposal techniques reduce storage media to fragments that are impossible to reassemble or read. In the case of disintegration, components actually are melted down.

Striking a disk drive with a hammer isn’t sufficient. Melting a disk drive or grinding it into pieces requires special equipment and facilities. In order to ensure operator safety, equipment should be kept in a secured room and handled with special safety equipment such as masks and gloves. Personnel also must be trained to operate and maintain the equipment. Also, organizations may incur additional expenses for insurance, hazardous material control and disposal. Finally, equipment that is dismantled in this manner cannot be reused, so any residual value is lost. Altogether, the cost and complexity make effective, verifiable physical destruction by far the most expensive option for data sanitization. It is, however, also the most effective.

Table 5. Method of Destruction, Effectiveness (Low / Medium / High) and Features

Deleting/Reformatting

- Low cost
- Time-consuming
- Not effective on damaged tapes or nonworking drives
- Wear and tear on tape drives
- Data still can be recovered

Overwriting

- Time-consuming
- Overwriting software can be expensive
- Damaged media cannot be overwritten
- Quite effective

Degaussing

- Verification is nearly impossible
- Time-consuming
- Destroys delicate electronics within storage devices
- Degaussers can be expensive
- Low environmental impact
- Midrange effectiveness

Manual Destruction

- Industrial shredders are expensive
- Hammer or drill is not sufficient
- Time-consuming
- Causes noise pollution
- Low environmental impact
- Very effective


The Build or Buy Decision

By now, you’ve probably observed that data destruction is neither a simple nor a cost-free process. The techniques that an organization chooses depend upon a combination of factors, including sensitivity of the data, regulatory requirements, costs, facilities, staff expertise and type of media used. The simplest approach may be to invest in the most thorough forms of sanitization and simply apply them to every piece of equipment. However, what about assets that could be recovered and reused if a simpler form of data destruction, such as overwriting, was applied?

This is where the value of a professional ITAD firm becomes apparent. Full-service ITAD companies can save their customers money in several important ways.

These firms have full knowledge of data destruction regulations and compliance standards for many different industries. This knowledge enables them to categorize data and apply appropriate destruction techniques, depending upon the situation. Client exposure is minimized, and the most cost-effective data destruction techniques are applied in each case. Clients avoid extra costs by paying only for services that they need.

ITAD providers use state-of-the-art equipment and methodologies. Because they are able to spread the cost of expensive equipment across multiple clients (economies of scale), these companies reduce overall expenses for everyone. The same factors apply to expertise, maintenance, licensing and other operating expenses. Clients get access to the most-effective data destruction tools without paying the full cost.

Security and peace of mind are part of the core service. The most reliable and professional ITAD firms provide the highest level of secure storage, as well as client indemnification and liability protection. Customers can breathe easy knowing that a reputable ITAD provider has the process in place for safe, secure and effective data destruction using the most-efficient techniques.

Full validation and documentation are provided. As noted earlier, verification of data destruction can be nearly as complicated and time-consuming as the destruction itself. Professional ITAD services firms have the full range of resources needed to fulfill these requirements, and they can provide certified documents and reports required by regulators.

Conclusion

With regulators and media turning up the spotlight on the risks of identity theft and privacy, businesses and institutions are under greater pressure than ever to take responsibility for their data assets. The glare of publicity amplifies this need. Organizations no longer can claim ignorance of the rules or hope that no one will notice their miscues. An army of bloggers and consumer advocates calls attention to their oversights, particularly since a proven solution exists for proper handling of these devices.

Data destruction is now part of the basic blocking and tackling of running any business that deals with sensitive information and should be considered an obligation by any business to protect its employees and customers. Although risks may appear to be slight in the short term, there can be significant long-term negative consequences for failure to attend to these issues. We have seen that the cost and complexity of developing procedures, procuring and maintaining equipment, and providing the necessary reports and documentation can be considerable. On top of that, legal and regulatory requirements change constantly.

We should add to the conclusion: the liability of the DIY situation.

In challenging economic times, businesses naturally are inclined to try internal solutions. However, as this report has demonstrated, a do-it-yourself approach can be penny-wise and pound-foolish. The cost of acquiring and maintaining appropriate tools and skills is substantial. More important, the cost of failing to thoroughly dispose of sensitive data can be enormous, both financially and in damage to reputation.

Ultimately, an organization is responsible for identifying and implementing a process that meets its requirements; it is that company’s business that is at stake. Using a professional ITAD firm may offer significant advantages in the areas of cost, security, liability protection, process, scale and peace of mind. These companies make a business of providing services that most of their customers would rather not worry about. They deserve attention from any organization that is putting data destruction procedures in place.

About Converge

Converge is the premier global supply chain partner for technology-driven companies. Converge’s ITAD solutions provide secure, compliant, end-of-life IT asset disposition services, including data erasure, disposal, recycling, and remarketing of systems and components to enterprise clients. Converge is headquartered in Peabody, Massachusetts; Singapore; and Amsterdam, the Netherlands, along with support centers throughout Europe, Asia and the Americas. For more information, please visit www.converge.com.

[i] http://www.readwriteweb.com/archives/how_to_permanently_delete_data.php

[ii] http://www.computerworld.com/s/article/9127717/Survey_40_of_hard_drives_bought_on_eBay_hold_personal_corporate_data?taxonomyId=19&pageNumber=1&taxonomyName=Storage

[iii] http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

[iv] http://lifehacker.com/5153684/properly-erase-your-physical-media

[v] More information on this standard is available at http://www.dtic.mil/whs/directives/corres/html/522022m.htm

[vi] R. Kissel, M. Scholl, S. Skolochenko and X. Li, Guidelines for Media Sanitization (Gaithersburg, Md.: National Institute of Standards and Technology, 2006)


The Americas

Converge Global Headquarters
4 Technology Drive
Peabody, MA 01960
+1-978-538-8000
+1-800-922-6327
+1-800-961-9270 ITAD Services

EMEA

Converge Headquarters
Coengebouw 7th Floor
Kabelweg 37
1014 BA Amsterdam
The Netherlands
+31 (20) 582-6200

Asia Pacific

Converge Headquarters
20 Toh Guan Road
#06-00 CJ GLS Building
Singapore 608839
+65-67998088
