The proliferation of smartphones and tablets within the enterprise is prompting many asset managers and other IT professionals to examine their data destruction strategy. According to a recent Gartner report, by 2017 the majority of endpoint data breaches will shift from personal computing to smartphones and tablets. Of those breaches, 75% will come from mobile application misconfiguration. This will challenge the reliance on remote, application-based erasure strategies that many organizations use today.
Selecting the right data destruction approach depends on your organization’s aversion to risk, the technology you deploy and the resources at your disposal. In this article, we’ll offer key considerations that should inform your decision-making and assist in the pursuit of the best solution for your enterprise.
Evaluating Risk Levels
Risk assessment methods offered by the National Institute of Standards and Technology (NIST) have not changed in recent years, but data erasure recommendations for mobile devices have received a needed revision. For those unfamiliar with the risk categories identified by NIST, a review of Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, will offer data categorization based on the impact of its breach. These categories, each assigned a risk level of low, medium or high, can be leveraged in policy-making throughout the management and disposal of data-bearing assets.
Erasure methodologies have recently been updated with the completion of the first revision to NIST 800-88, Guidelines for Media Sanitization. Published in December 2014, this revision includes protocols for mobile devices and offers organizations technical criteria for erasure utilities. Since the technique applied to mobile devices is different from standard magnetic overwriting to hard drives, enterprises should consider incorporating the specifications into policies, documentation, contracts and training for both internal use and that of vendors.
Due to the lack of standardization between mobile devices, what may seem a standard approach to erasure can produce significantly different results. For example, hard-resetting an iOS device cryptographically destroys the keys that decrypt the data. But for Android devices, a hard reset may only reset settings and leave user data readable. Mobile device management (MDM) vendors, encryption, hard-resetting, cloud-based application hosting and device-locking each have their strengths and weaknesses. Adding to the complexity are Bring Your Own Device (BYOD) policies and user environments that allow differing operating systems with dozens of version releases. When selecting a destruction method, it’s worthwhile to understand what happens to the device with each approach.
A settings reset (as opposed to a hard reset) returns all device settings to the factory defaults but retains all user data. Settings include wallpaper, ringtones, fonts and other user preferences. Any information recorded to the unit, such as photos, texts and emails, will remain. This approach does not typically destroy user data.
The term “hard reset” does not mean the same thing across the various operating systems.
For Apple devices, the “Erase All Content and Settings” option implements a cryptographic erase: it overwrites the encryption key with a new one and forces the device to download and install the latest firmware. The encrypted data itself remains on the device, but without the original key it cannot be decrypted. Third-party tools may be used to overwrite addressable areas for further security.
For BlackBerry devices, the “Security Wipe” option overwrites all user data. Additionally, if “Content Protection/Encryption” is enabled, the device performs a scrub of the BlackBerry device memory.
For Android devices, the “Factory Data Reset” option typically resets all settings and removes all file pointers. The data is not usually overwritten. While later versions of the Android operating system support encryption, some do not enable it by default. The dozens of makes and models that carry the Android OS make systematic encryption and erasure difficult to implement consistently. Some independent data erasure utilities have dedicated engineering teams to design software that can address each make and model, but careful screening should be undertaken to ensure each of your device types has been researched properly.
For Windows devices, the “Reset Your Phone” option clears all settings and overwrites user data. Most Windows devices cannot be encrypted natively on the device. As with Android, there are different manufacturers, each with different limitations and capabilities, which makes the result of this reset dependent on the device.
It’s also worth noting that each of these methods requires the device to complete the reset process. Common causes of an incomplete reset include insufficient battery life, poor connectivity for firmware updates, interference from third-party applications and user error.
MDM and EMM
MDM and enterprise mobility management (EMM) are terms given to the general administration of mobile phones and tablets, including business software applications and security policies. MDM is now considered a part of the overall EMM environment. To manage data, an application is downloaded to the device that installs policies and profiles managed by a central server. A common EMM service is “containerization” of confidential data. The container stores information using an encryption key that, once removed, makes recovery of the data very difficult. Savvy users may find ways to store data outside the container, and policies should be designed to limit this activity.
As mobile device theft grows, locking features have risen in popularity. The most common is the “Find My iPhone” (FMiP) security feature from Apple. It enables users to identify the location of their mobile device in the event that it is lost or stolen. FMiP also gives the user the ability to remotely erase the device, display an alternate phone number to contact if the device is lost, and make an audible sound if it is lost in the home or office. The feature uses GPS, Wi-Fi and carrier data to identify the location and perform remote actions. It is built into iOS 7 and 8 and can be turned on or off. If enabled, the user can log in to the iCloud website from any device to track the unit and issue commands. If FMiP is enabled, the device cannot be unlocked for use without the original password. Not only does this deter theft, but it also significantly impacts the unit’s secondary market value.
Since mobile devices can maintain cellular and Wi-Fi connectivity, they carry additional risks during disposal.
Occasionally devices are retired with a service plan that remains active. This most commonly occurs on tablets whose cellular connection is managed by a corporate office, whereas a smartphone line typically transfers to a user’s new phone. Until the service is canceled, organizations may pay for unused lines. An activation check, by the organization or its disposition provider, can catch these active lines so they can be terminated.
Many devices are enabled with a cloud-syncing feature that backs up user data. If the cloud-sync profile is not removed from the device, data may be pushed back onto the unit after its retirement. When sync profiles have not been terminated, these devices pose a data security risk even if erasure has been attempted, because a successful wipe can be undone by the next sync.
An Auditable, Documented Process
Much like other data-bearing technology, mobile device disposition should follow an auditable, documented process of data destruction. There are far too many stories of retired devices left unattended by employees, equipment stolen, or hardware improperly discarded by disreputable vendors. Either your staff needs to follow a process of risk assessment, method selection and documentation, or your disposition vendor should be contracted to do so.