Every company has to deal with the issue of disposing of old hardware. While it’s a problem we all deal with, surprisingly few handle it in a secure manner. The Harvard Business Review recently posted an article calling the IT Asset Disposition (ITAD) discipline the “soft underbelly of data security.” With the average organizational cost of a data breach at roughly $5.5 Million and the average cost per record compromised at $194, the ITAD process is starting to be targeted as the next area for substantial security gains and is getting the increased attention it deserves.
Charting your ITAD Process
The first step in auditing your hard drive retirement process is to chart out the flow. The easiest way to think of this is by looking at a “day in the life” of an individual asset. In other words, from the moment an asset is determined to be “retired,” what happens with it? Where does it go, who interacts with it and in what ways? As an example, let’s look at a standard hard drive retirement process in Figure 1.
From the hundreds of processes we’ve seen, Figure 1 is a common approach. First, the computer is deemed ready for decommission and will sit at its current location for a period of time. Next, the asset is moved to a central storage location where it is batched with other assets. Once a certain threshold is met, they are shipped to a third party, typically a remarketer, recycler, or the leasing company. Batched assets will remain at the third party in a holding location until they are ready to be processed. Once the drives are ready for processing, they may or may not be removed from the computer and are then either physically destroyed in some manner or sanitized using a software tool.
Your individual process will probably vary from this example but most will be similar. You may even have several different processes depending on the type of asset being retired. Be sure to outline all processes that deal with data storage.
Six Key Risk Factors in ITAD
Next we’ll examine our example process through the lens of the six primary risk factors in the ITAD process. These are:
- Asset Tracking
- Sanitization Velocity
- Location
- Personnel
- Tools
- Third Party Providers
Let’s look at each of these factors and how they relate to your process.
1: Asset Tracking Risk
The HBR article cited a study that showed that IT assets were missing from 4 out of 5 disposal projects. This underscores the need to accurately track your assets. There are many solutions available to help with this. Ideally you should choose one that will allow you to track assets throughout the entire ITAD process. This may require third parties to provide you with tracking information or integrating with their systems. If you track an asset with perfect accuracy only to have it disappear into a black hole once it leaves your site, you still face a high degree of risk, because you no longer know whether the asset was properly handled after that point.
2: Sanitization Velocity Risk
In this context we want to look at the velocity of sanitization. In other words, how quickly is a drive sanitized after it is ready for decommission? In our example process, the drive goes through several steps before it’s eventually sanitized. For example, computers often sit on a desk for several days before being moved. Once in storage, they will often stay there for up to a year or more before enough computers are batched to be shipped. Even after a batch of hardware has been shipped to a remarketer, it may sit at their facility for weeks before sanitization is actually performed. In the end, a drive may have been decommissioned for a year or more before the data is actually removed. In fact, we commonly talk with companies that have decommissioned drives sitting around for 2-3 years before they’re sanitized. Every moment data is on the drive, it is at risk of a breach. The sooner you remove the data, the sooner you remove the risk.
3 & 4: Location and Personnel Risk
Location risk and personnel risk are tightly related: both concern the security of each location where decommissioned hardware sits and who has access to the assets there. In our example, a decommissioned computer sitting on an employee’s desk in a cubicle environment is subject to much more risk than one in a locked office. In a large company, a decommissioned computer located in a cubicle may be accessible by hundreds of employees. Once the computer is moved to storage, risk typically declines, but it is still important to consider whether the storage location is locked and to assess who has access to it.
Personnel risk comes into play during the shipping process as well. If your company ships hard drives containing company data, they should at least be shipped using a secure chain of custody. This shipping method tracks every time the asset changes hands and ensures it is not generally accessible by other personnel. Of course, using a secure chain of custody also comes at an increased cost.
It’s easy to overlook what happens once a computer is shipped to a third party. The assumption is that everything will be taken care of properly, but in fact, this assumption can be dangerous since some third parties don’t handle equipment using proper security protocols. While there are many remarketers who have first-class security measures, some have major holes in their security. This is partly due to the fact that some remarketers are transient in nature. A remarketing business will spring up one day based on a large contract and disappear as soon as the contract ends. Even some who remain in business for some time may have lax security practices with location and personnel risk being their biggest problem.
Let’s compare a secure remarketer to an unsecure one. Reputable remarketers have very rigorous processes and procedures to keep your data safe. They control which personnel have access to their storage facility. Assets shipped to them are stored in securely locked storage areas. Employees are properly screened and often have technical certifications. In contrast, some remarketers fail in all these same areas: they have no controlled access to their warehouse facility, so visitors, friends, or others may have access; they don’t store assets in locked storage areas and have pallets of assets sitting in the open; their employees are not properly screened and may include transient labor without technical certifications. It is important to consider how your data is being handled once it leaves your company.
5: Tool Risk
Tool risk relates to what methods of sanitization or destruction are used to ensure your data is properly removed. There are two main options here: physical destruction and software erasure. Physical destruction includes any form of sanitization performed by rendering a hard drive inoperable. This includes degaussing (using a large magnet to demagnetize the drive), shredding or pulverizing the drive, drilling holes in the drive platter, bending the drive, shooting the drive, etc. We’ve seen just about any method of physical destruction you can think of.
Software erasure consists of overwriting the data on the drive with a pattern of bits (0s and 1s) so that the data is unrecoverable while leaving the drive in an operable condition.
Of primary concern is that the data is completely removed or destroyed. Some methods of physical destruction completely destroy the data while others don’t. For example, pulverizing a drive into very small particles makes it impossible to recover any data. However, drilling holes in a drive leaves the majority of the platter area intact, making the data recoverable using forensic methods.
The same holds true for software erasure. If you use a properly certified software program that wipes the entire drive including HPAs, DCOs, and re-mapped sectors, you can rest assured that your data is completely erased. However, many tools, including the widely-used freeware programs, don’t access or erase the entire drive, potentially leaving you at risk.
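The coverage gap described above can be checked by reading the drive back after the overwrite, against the native capacity rather than the capacity the OS reports. The following is an added example, not code from the original article or from any wipe product: a bytearray stands in for the media so the check runs offline, and the hidden tail between the reported and native sector counts plays the role of an HPA/DCO-protected area. On a real drive the native capacity comes from the drive's identify data (on Linux, `hdparm -N /dev/sdX` reports it).

```python
"""Read-back verification of an overwrite against a drive's native capacity.

Added example, not from the original article. A simulated drive whose native
capacity exceeds the capacity it reports to the OS; the hidden tail models an
HPA/DCO-protected area that a naive wipe tool never touches.
"""
SECTOR_BYTES = 512


class SimulatedDrive:
    """Media with a native capacity larger than the capacity reported to the OS."""

    def __init__(self, native_sectors, reported_sectors):
        if reported_sectors > native_sectors:
            raise ValueError("reported capacity cannot exceed native capacity")
        self.native_sectors = native_sectors
        self.reported_sectors = reported_sectors
        # Constructed "user data": a repeating, non-zero byte pattern filling every sector.
        filler = b"user-data-"
        size = native_sectors * SECTOR_BYTES
        self.media = bytearray((filler * (size // len(filler) + 1))[:size])

    def write_sector(self, lba, block):
        assert len(block) == SECTOR_BYTES
        self.media[lba * SECTOR_BYTES:(lba + 1) * SECTOR_BYTES] = block

    def read_sector(self, lba):
        return bytes(self.media[lba * SECTOR_BYTES:(lba + 1) * SECTOR_BYTES])


def _pattern_block(pattern):
    return (pattern * SECTOR_BYTES)[:SECTOR_BYTES]


def overwrite(drive, sector_count, pattern=b"\x00"):
    """One overwrite pass over LBAs [0, sector_count) with a repeating byte pattern."""
    block = _pattern_block(pattern)
    for lba in range(sector_count):
        drive.write_sector(lba, block)


def unwiped_sectors(drive, pattern=b"\x00"):
    """LBAs over the *native* range whose contents still differ from the wipe pattern."""
    block = _pattern_block(pattern)
    return [lba for lba in range(drive.native_sectors) if drive.read_sector(lba) != block]


def wipe_trusting_reported_size(native=64, reported=48):
    """A tool that wipes only what the OS sees leaves the hidden tail intact."""
    drive = SimulatedDrive(native, reported)
    overwrite(drive, drive.reported_sectors)
    return unwiped_sectors(drive)


def wipe_full_native_range(native=64, reported=48):
    """A tool that addresses the native LBA range (after removing the HPA/DCO) covers everything."""
    drive = SimulatedDrive(native, reported)
    overwrite(drive, drive.native_sectors)
    return unwiped_sectors(drive)


if __name__ == "__main__":
    print("sectors missed by naive wipe:", wipe_trusting_reported_size())
    print("sectors missed by full wipe: ", wipe_full_native_range())
```

The read-back step is the part worth keeping in a real procedure: a wipe log that only says "overwrite completed" proves nothing about coverage, whereas a verification pass over the native range does. Note that this simulation cannot model re-mapped (reallocated) sectors, which are not reachable by LBA at all; covering those is what firmware-level commands such as ATA Secure Erase are for, which is one reason the article's point about certified tools matters.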
When evaluating software, look for certifications, including Common Criteria or NIAP certification, which indicate the software was independently evaluated. Software evaluated at NIAP EAL4+ has also been validated at the source code level, to ensure that no data risks are present. The EAL4+ certification is required by many government agencies and is a rigorous standard to apply across all applications where possible. It isn’t enough for a software developer to say that they “comply” with these standards; it is very important that a reputable independent body verifies that the product complies with the standard.
There are other pros and cons to consider when deciding between physical destruction and software erasure and, in general, software erasure proves to be the winner.
Physical Destruction Pros/Cons
- Pro – Some methods completely destroy the data
- Con – Some methods don’t completely destroy the data
- Con – Not as logistically efficient: it requires removing the hard drive, adding 5-10 minutes to the process
- Con – No secure, automated audit trail. Audit trails are prone to human error or manipulation
- Con – The cost of a third party destroying a drive can hover around $10/drive
- Con – Not environmentally friendly as drives cannot be reused
- Con – Requires either on-site equipment which is large and/or expensive or must be done by a third party
Software Erasure Pros/Cons
- Con – Some cheap free software doesn’t wipe the entire drive and may miss certain sectors
- Pro – Certified software will erase 100% of the drive so that data is forensically unrecoverable
- Pro – Much less expensive than physical destruction
- Pro – Can be done on-site
- Pro – Requires minimal technician time to initiate a wipe
- Pro – Using some software, a wipe can be initiated remotely
- Pro – Software can create an automated log file verifying a drive was wiped and by whom
- Pro – Environmentally friendly. Drives can be re-used internally or donated
In general, software erasure is growing more popular than physical destruction due to its cost, efficiency, and effectiveness. One of the major advantages of software erasure is the ability to perform it in-house which, as we’ll soon see, is a major boost to security.
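The audit-trail points in the two lists above (a manual destruction log is "prone to human error or manipulation", while software "can create an automated log file verifying a drive was wiped and by whom") are only a real advantage if the log itself resists editing. The following is an added example, not code from the original article or from any erasure product, of one way to make a wipe log tamper-evident: each record carries an HMAC that also covers the previous record's MAC, so altering, reordering or deleting an earlier entry breaks the chain. It assumes the MAC key is held by the log collector rather than by the workstation that performs the wipe; the records are constructed.

```python
"""Tamper-evident wipe log: each record's HMAC is chained to the record before it.

Added example, not from the original article or any vendor's product. Assumes
the key lives with the log collector, not the wiping workstation.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record
KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a real collector keeps this secret


def _mac(key, prev_mac, record):
    # Canonical JSON so the same record always produces the same MAC.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append_record(log, key, record):
    """Append a wipe record, binding it to the MAC of the record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": dict(record), "prev": prev, "mac": _mac(key, prev, record)})
    return log


def first_bad_entry(log, key):
    """Index of the first entry that was altered, reordered, or whose predecessor
    was removed; None if the chain verifies end to end."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _mac(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return None


def sample_log():
    """Three constructed wipe records as a technician's tool would report them."""
    log = []
    for asset, ts, tech, verified in [
        ("A-1001", "2024-07-01T10:02:00Z", "tech01", True),
        ("A-1002", "2024-02-15T16:40:00Z", "tech02", True),
        ("A-1003", "2024-03-02T08:15:00Z", "tech01", False),  # wipe aborted, read-back failed
    ]:
        append_record(log, KEY, {"asset": asset, "method": "overwrite-1pass",
                                 "verified": verified, "technician": tech, "completed": ts})
    return log


def detect_edited_record():
    """Flip the failed wipe to 'verified' after the fact; verification stops at that entry."""
    log = sample_log()
    log[2]["record"]["verified"] = True
    return first_bad_entry(log, KEY)


def detect_dropped_record():
    """Delete the middle entry; the following entry's prev no longer matches."""
    log = sample_log()
    del log[1]
    return first_bad_entry(log, KEY)


if __name__ == "__main__":
    print("intact log:", first_bad_entry(sample_log(), KEY))
    print("edited record detected at:", detect_edited_record())
    print("dropped record detected at:", detect_dropped_record())
```

One limitation to plan for: removing the most recent record leaves a chain that still verifies, so the collector should also record the latest MAC somewhere the technician cannot reach (a separate system or a periodic signed checkpoint). The same chaining works for a manual destruction log if the entries are typed into a collector rather than onto a paper form.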
6: Third Party Risk
We’ve already covered several ways in which a third party might put you at risk. Third parties face the same risk factors you do and should be audited accordingly. If you don’t know how your third party handles your assets, find out. If possible, make an on-site visit to see their facilities and how their workflow is organized. How quickly do they sanitize your drives after they arrive? Are your assets stored in a secure storage bin? How many employees have access to your assets? Are their employees screened and properly trained? What method of sanitization do they use? Do they provide a secure audit log as proof that your drives were sanitized?
The Single Easiest Change to Bolster Your Security
Now that we’ve evaluated your processes using the six critical risk factors, it’s time to make enhancements to your process. By far the most important change you can make to bolster your security is to sanitize your assets as quickly as possible after they are decommissioned. The sooner in the process data is sanitized, the less risk you face. By removing the data at the beginning, you also can be much more relaxed about the rest of your process from a security perspective. By erasing data quickly, you alleviate every other risk factor.
The good news is that it’s easy to remove data internally using software tools. In five minutes, it’s possible for an IT technician to initiate a wipe on a decommissioned computer and, depending on the software, may be able to do this remotely without leaving his desk.
Additional Security Enhancements
If you still can’t sanitize drives at the very beginning of the process, go through the six risk factors and determine which ones represent the biggest risk. Here are some questions to ask:
- How many days pass between a drive being retired and being sanitized?
- How many days at each step of the process does the drive sit? Where is the biggest room for improvement?
- Are assets stored in secure locations at each step of the process?
- How can we further enhance the security at each location?
- Can drives be remotely sanitized?
- Can I track assets from one location to the next accurately?
- How many people have access to assets at each location? Are they authorized to have access?
- What tools are used to sanitize drives? What tools does my third party use?
- Can my tools be deployed quickly and efficiently?
- Can the sanitization process be audited accurately? Is it prone to human error or manipulation?
By using this list of questions, you should be able to identify the low hanging fruit when it comes to your retirement process. Any changes that will help you sanitize your drives more quickly (velocity risk) will be most leveraged since your security risk is gone once the data is gone. Remember: Remove the data, remove the risk.
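The first two questions in the list above (days between retirement and sanitization, and days spent at each step) are the same measurement the Sanitization Velocity section describes, and the "black hole" the Asset Tracking section warns about shows up as an asset with no sanitization record. The following is an added example, not code from the original article, of computing both from an asset-tracking export. It assumes the tracking system can export one row per asset per hand-off with the date the asset entered that stage; the stage names, asset IDs and dates are constructed.

```python
"""Sanitization-velocity audit over an asset-tracking event log.

Added example (not from the original article). Assumes one exported row per
asset per hand-off: (asset id, stage, ISO date it entered that stage). All
rows below are constructed.
"""
from collections import defaultdict
from datetime import date

# Process order a retired drive moves through; "sanitized" closes the risk window.
STAGES = ["retired", "stored", "shipped", "received", "sanitized"]

# Constructed sample export.
EVENTS = [
    ("A-1001", "retired", "2024-01-02"),
    ("A-1001", "stored", "2024-01-09"),
    ("A-1001", "shipped", "2024-06-10"),
    ("A-1001", "received", "2024-06-12"),
    ("A-1001", "sanitized", "2024-07-01"),
    ("A-1002", "retired", "2024-02-15"),
    ("A-1002", "sanitized", "2024-02-15"),  # wiped on-site the day it was retired
    ("A-1003", "retired", "2024-03-01"),
    ("A-1003", "stored", "2024-03-05"),
    ("A-1003", "shipped", "2024-08-20"),    # no receipt and no wipe record: a tracking black hole
]


def timeline(events):
    """Group events into {asset: {stage: date}}; reject stages outside the model."""
    per_asset = defaultdict(dict)
    for asset, stage, iso in events:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r} for {asset}")
        per_asset[asset][stage] = date.fromisoformat(iso)
    return per_asset


def velocity_report(events, max_days=30, as_of="2024-09-30"):
    """Per asset: days from retirement to wipe, dwell time per stage, and whether the
    asset exceeds max_days. Assets with no wipe record count the days up to as_of."""
    today = date.fromisoformat(as_of)
    report = {}
    for asset, stages in timeline(events).items():
        if "retired" not in stages:
            raise ValueError(f"{asset} has no retirement event")
        recorded = [s for s in STAGES if s in stages]  # in process order
        # Dwell in a stage = time until the next recorded hand-off.
        dwell = {cur: (stages[nxt] - stages[cur]).days
                 for cur, nxt in zip(recorded, recorded[1:])}
        done = "sanitized" in stages
        retired = stages["retired"]
        days = (stages["sanitized"] - retired).days if done else None
        days_open = None if done else (today - retired).days
        report[asset] = {
            "last_stage": recorded[-1],
            "days_to_sanitize": days,
            "days_open": days_open,
            "dwell": dwell,
            "overdue": (days if done else days_open) > max_days,
        }
    return report


def worst_stage(report):
    """(stage, total days) for the stage that accumulated the most dwell time:
    the biggest room for improvement."""
    totals = defaultdict(int)
    for entry in report.values():
        for stage, days in entry["dwell"].items():
            totals[stage] += days
    return max(totals.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    rep = velocity_report(EVENTS)
    for asset, e in rep.items():
        status = "OVERDUE" if e["overdue"] else "ok"
        print(asset, e["last_stage"], e["days_to_sanitize"], e["days_open"], status)
    print("largest dwell:", worst_stage(rep))
```

Run against a real export, the assets whose last recorded stage is anything other than "sanitized" are the tracking gap to chase with the third party, and the stage returned by worst_stage is where a process change buys the most velocity. In the constructed data the storage step dominates, which matches the article's observation that batched hardware can sit for a year or more.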