Network World

RE: Survey: Security policies neglect off-network devices

Off-network devices are a start. Off-line devices are the huge risk.

The loss of a mobile computing asset or storage device is typically noticed within a short time of the device going missing, such as when a notebook is stolen from a car or during a break-in. With policy, DLP technology, centralized backup and whole-disk encryption in place, the downside of such a loss is limited to lost productivity and the cost of the asset. Exposure of the lost information is of little concern, since even with reasonable effort the encrypted data will remain inaccessible, and the motive behind the theft is usually the resale value of the hardware. The one caveat is that whole-disk encryption only protects a machine that was powered off or whose key has been evicted from memory; a notebook taken while suspended with the volume unlocked offers far less.

What keeps me up at night is the thought of all the hard drives out there sitting in retired computers waiting to be purged and reused, or destroyed. Typically each of these devices has had its data transferred to the newer asset, and the original device has been shelved awaiting decommissioning. If one of these items goes missing, who will notice? No one is using it regularly, no one is checking that the inventory has not changed through the day (or week, or month), and only when the decommissioning or redeployment cycle starts does anyone actually notice that the asset has disappeared.

Thinking about the contents of the asset, one realizes that decommissioning must be done at the time the device is retired from its current purpose. Yet how often does this happen, even where it is known to be best practice? Sadly, I believe that in most organizations the answer is rarely. This can be attributed to outdated decommissioning technologies such as overwrite software still being in use, making the process excessively time-consuming, or to policy mandating physical destruction while collection cycles are few and far between. It is safe to say that the root cause of the failure to decommission on retirement is weak policy combined with the time required to manage a continual decommissioning cycle.

Add the risk of handing such data-rich devices to an external service provider for physical destruction, and not only should CISOs be losing sleep, they might want to consider a steady diet of Nexium and a fresh copy of their CV in case of impending disaster.

Having worked with a number of large organizations on aligning policy goals with actionable IT objectives, it became evident that this situation was not isolated to a few organizations but was in fact common, and truly in need of a solution. Reading policy after policy that refers to the decommissioning process as 'data destruction as per industry standards', where no such standard or even common criteria exists, made it evident that an effective solution to this issue is sorely needed. In fact, this very situation was recognized by both the US government and the storage industry, which responded by engaging the Center for Magnetic Recording Research (CMRR) at the University of California, San Diego to establish a technology on which the industry could base a standard. That technology, built on the SECURITY ERASE UNIT command that the ATA specification places in the drive's own firmware, is known as Secure Erase.

Referencing the US government's classification of data destruction, there are two recognized modes of data removal, 'clear' and 'purge' (NIST SP 800-88 also lists 'destroy' as a third category, which for this discussion is grouped under purge). Software-based overwriting falls under CLEAR. PURGE, the preferred class, includes physical destruction of the asset (to a specified particle size), degaussing and Secure Erase.

Clear technologies, such as those addressed in the often-referenced DoD 5220.22-M specification, cannot assure complete eradication of all data beyond forensic reconstruction. They overwrite each host-addressable sector with patterns designed to obliterate the original contents, which is very slow: a triple-pass operation on a single 100 GB device can take up to 18 hours. The usual rationale for multiple passes is head-positioning tolerance; the head may land up to roughly 10% off the track centre, so repeated overwrites reduce the probability of legacy data surviving in a restorable state at the track edges. Even once the process completes, fully recoverable data can remain in sectors the firmware has flagged as bad and remapped, because the host can no longer address them and the overwrite never reaches them. Likewise, forensic recovery techniques may still recover data from residual magnetization on the platter. As such, Clear technology is not a favoured means of decommissioning hard drives.
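A Clear-class overwrite made concrete, as an added example that is not part of the original post and not any vendor's tool: a three-pass pattern, complement and random overwrite with a read-back check after each patterned pass, run against an ordinary file standing in for a disk so it can be tried without hardware. The passes only ever reach host-addressable bytes, which is exactly why a sector the firmware has remapped keeps its contents. The marker text and image size are constructed.

```shell
#!/bin/sh
# Added example (not code from the article or any vendor it names): a
# DoD 5220.22-M style three-pass overwrite with read-back verification.
# The target is an ordinary file standing in for a disk; on a real device
# each pass is a full sequential write over every host-addressable LBA,
# and nothing here can reach sectors the firmware has remapped as bad.

# Constructed sample: a small image whose every record carries a marker
# string, so its survival or disappearance is easy to check.
make_test_image() {
    i=0
    : > "$1"
    while [ "$i" -lt 128 ]; do
        printf 'CONFIDENTIAL record %04d\n' "$i" >> "$1"
        i=$((i + 1))
    done
}

# Check that every byte of $1 equals the byte given in octal as $2.
# od -v keeps repeated lines, so the check covers the whole image.
verify_pattern() {
    hex=$(printf "$2" | od -An -tx1 | tr -d ' \n')
    od -An -tx1 -v "$1" | tr -d ' \n' | grep -Eq "^($hex)+$"
}

# Pass 1 writes 0x55, pass 2 its complement 0xAA (each verified by read-back),
# pass 3 writes random data. Returns non-zero if a verified pass does not
# read back as written. conv=notrunc keeps the image the size a disk would be.
clear_overwrite() {
    target=$1
    bytes=$(wc -c < "$target" | tr -d ' ')
    buf=$(mktemp) || return 1

    for pattern in '\125' '\252'; do
        dd if=/dev/zero bs="$bytes" count=1 2>/dev/null | tr '\000' "$pattern" > "$buf"
        dd if="$buf" of="$target" conv=notrunc 2>/dev/null
        verify_pattern "$target" "$pattern" || { rm -f "$buf"; return 1; }
    done
    # /dev/urandom may return a short read for one very large block; on a
    # real disk write the random pass as a loop of fixed-size blocks instead.
    dd if=/dev/urandom bs="$bytes" count=1 2>/dev/null > "$buf"
    dd if="$buf" of="$target" conv=notrunc 2>/dev/null
    rm -f "$buf"
}
```

Point `clear_overwrite` at a block device instead of a file and the same three writes become the 18-hour job described above; the verification step is what distinguishes a defensible clear from a hopeful one, and it still says nothing about remapped sectors.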

Purge technologies typically involve the physical destruction of the asset. The exception is Secure Erase, which uses a mechanism specifically designed to destroy legacy data beyond forensic reconstruction. Referencing NIST SP 800-88 and studies published by the CMRR, effective physical destruction is achieved when no particle is larger than the area occupied by a single 512-byte sector. The diameter quoted varies between publications from 1/32nd of an inch to 1/125th of an inch, the variation being due to the platter technology available when each report was written. In fact, with the advent of perpendicular magnetic recording and higher areal densities, this particle-size specification will need to be even smaller. The same issue affects degaussing: as platter media evolve to higher densities, the coercivity of the media, and so the field required to erase each bit, is expected to reach 11,000 oersted within the year. Considering that most degaussing equipment designed for office use delivers fields in the range of 5,000 to 8,000 oersted, sending drives out for degaussing becomes necessary.

In the case of both physical destruction and degaussing, the device is not reusable at the end of the process, and the client loses care, custody and control of the asset when handing it to the destruction company's agent for delivery to the destruction facility. Regardless of the driver's responsibility to get the device to its final resting place, I would not be comfortable with anyone's promise to collect my devices for processing when those devices hold valuable and confidential company or client information. In some cases it is policy that the devices are accompanied to the destruction point and logged as they are destroyed.

Secure Erase, designed to simplify the purge process, refers to the drive-resident erase validated by the CMRR, despite various software vendors claiming 'Secure Erase' for their overwrite products. Unfortunately, Secure Erase is hard to deliver as a reliable software-based solution, and is most dependably launched from appliances built to drive the Secure Erase protocol. The reason is not that software vendors are incapable of issuing the command. Recognizing the threat the command poses if issued by hostile code, most BIOS vendors send the ATA SECURITY FREEZE LOCK command to every drive at boot, after which the drive rejects SECURITY ERASE UNIT until it is power-cycled. A host-side utility therefore reaches the command only if the drive can be hot-plugged, or the system suspended and resumed, to clear the freeze; an appliance that controls the drive's power and bus has no such obstacle. This is the case in most currently built PCs.
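The freeze-lock obstacle and the command hand-off described above, as an added example that is not from the article or the appliance vendor: a Linux host issuing ATA Secure Erase through hdparm, preceded by a check of the drive's security state that decides whether the command can reach the drive at all. The hdparm options and the SECURITY FREEZE LOCK behaviour are real; the sample `hdparm -I` text is constructed, the device path is a placeholder, and `HDPARM_INFO` is a hook added here so the decision logic can be exercised without a drive.

```shell
#!/bin/sh
# Added example, not the appliance's code: ATA Secure Erase from a Linux host
# with hdparm, with a pre-flight check of the drive's security state.
# The hdparm flags and the freeze-lock behaviour are real; the sample text,
# device path and HDPARM_INFO hook are this example's own.

# Constructed samples of the "Security:" section hdparm -I prints (real output
# is tab-indented; the parser only cares about word order on each line).
SAMPLE_FROZEN='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        40min for SECURITY ERASE UNIT. 40min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_FROZEN" | sed 's/^\( *\)frozen/\1not frozen/')

# Classify the security state of hdparm -I output read from stdin:
#   unsupported  no ATA SECURITY feature set (USB bridges commonly hide it)
#   frozen       BIOS issued SECURITY FREEZE LOCK at boot; ERASE UNIT is
#                refused until the drive is power-cycled (hot-plug or suspend/resume)
#   locked       a user password is set and the drive is locked
#   enabled      a password is set; the erase needs that password, not a new one
#   ready        SECURITY ERASE UNIT can be issued now
ata_security_state() {
    sec=$(sed -n '/^Security:/,/^[^[:space:]]/p')
    has() { printf '%s\n' "$sec" | grep -Eq "$1"; }
    if   ! has '^[[:space:]]*supported[[:space:]]*$'; then echo unsupported
    elif has '^[[:space:]]*frozen';  then echo frozen
    elif has '^[[:space:]]*locked';  then echo locked
    elif has '^[[:space:]]*enabled'; then echo enabled
    else echo ready
    fi
}

# Minutes the drive itself estimates for SECURITY ERASE UNIT (empty if absent).
ata_erase_minutes() {
    grep -Eo '[0-9]+min for SECURITY ERASE UNIT' | sed 's/min.*//'
}

# The erase itself. Commands are echoed unless DRY_RUN=0, because the step is
# unrecoverable. $1 = device node such as /dev/sdb on a native SATA controller;
# $2 = throwaway user password (the erase clears it again).
secure_erase() {
    dev=$1
    pw=${2:-Eins}
    run() { if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else echo "+ $*"; fi; }

    info=${HDPARM_INFO:-$(hdparm -I "$dev")} || return 1
    state=$(printf '%s\n' "$info" | ata_security_state)
    case $state in
        ready)  ;;
        frozen) echo "$dev is frozen: power-cycle the drive (hot-plug it, or suspend and resume) and retry" >&2; return 2 ;;
        *)      echo "$dev: security state '$state', not safe to continue" >&2; return 1 ;;
    esac
    mins=$(printf '%s\n' "$info" | ata_erase_minutes)
    echo "drive estimates ${mins:-unknown} min for SECURITY ERASE UNIT"

    run hdparm --user-master u --security-set-pass "$pw" "$dev"
    run hdparm --user-master u --security-erase "$pw" "$dev"
    # Success criteria: hdparm -I reports 'not enabled' again and the first
    # sectors read back as zeros (or the vendor's documented erase pattern).
    run hdparm -I "$dev"
}
```

On a stock desktop the first call almost always returns `frozen`, which is the whole of the author's point: the command exists in every drive, but the platform will not let a host utility at it without a power cycle. An appliance simply owns that power cycle.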

Presently, Ensconce Data Technology Inc. of Portsmouth, New Hampshire manufactures the Dead on Demand Digital Shredder, a Secure Erase appliance that processes 3 drives at a time with a purge rate of roughly 100 GB per hour; in a single work day some 24 100 GB devices can be purged. As a portable stand-alone appliance, it lets clients purge data from their legacy storage devices beyond forensic reconstruction and reuse the hard drive at the end of the process. In fact, the current version will leave a format of the user's choice on the drive at the end of the cycle, and can even re-image the processed drive with a standard image loaded into the appliance's third drive bay. With automated process logging, the Dead on Demand Digital Shredder maintains a defensible audit log of each device processed and produces an adhesive certificate of destruction for each device, as well as an exportable audit log.

Considering the acceptance of Secure Erase and the fact that processed devices have been shown to contain no recoverable data, government and enterprise now have a means to develop standards-based decommissioning policy on proven technology. Physical destruction will still be required in cases of utmost security; yet by processing devices slated for physical destruction with Secure Erase before they leave the premises, the client gains protection for the last mile to the point of destruction, assuring no loss of control over confidential data.

Considering the heightened concern over securing confidential data and the development of Secure Erase, we are coming closer to a respected protocol for reliable and efficient on-site data destruction, leveraging a reliable and cost-effective solution.
