According to a survey, many data center operators waste a lot of money and face the risk of data leakage due to failure to properly handle storage hardware.
When autonomous car engineer Andrew Levandowski moved from Google to work at Uber, he claimed that it was only a few weeks later that he found five hard drives filled with source code, design and engineering files in his wardrobe. Chopping the hard drive seems to be a good way to handle it safely, but when Google’s driverless car business, Waymo, sued Leberdowski’s Uber company and claimed that he had stolen the information files, the result was Awkward (the two companies accidentally reached a settlement in just five days after the court proceedings).
Data centers should have better processes to handle used hard drives that might store corporate or client secret data. But a recent survey by data erasure expert Blancco showed that many organizations fail to properly handle decommissioned hard drives and face the risk of fines exposing customer and employee information, or hundreds of thousands of dollars in storage hardware.
According to the survey, a quarter of organizations spend at least $50,000 a year on hard drives in accordance with the Return Authorization Process (RMA), and 39% spend more than $100,000 a year. In the past two years, more than half of organizations have been penalized for failing to comply with data protection laws and may increase costs.
To make matters worse, the 600 global data center professionals surveyed said they didn't seem to know that their way of handling hard drives was unsafe and did not comply with European general data protection regulations or California numbers that will take effect in January 2020. Privacy law.
It is nothing new for companies to deal with hard drives without following the correct procedures. But the underlying consequences are now different. “Organizations need effective data retention and processing policies and procedures,” said Pat Walshe, managing director of data protection consultancy Privacy Matters. “This is not new. It has been a key aspect of ethics and compliance data management for decades. (RMA) hard drives are no exception. The difference is the responsibility for not handling personal data in a way that protects people's data."
Manual erasure is costly
While data security, privacy, compliance, and efficiency are top priorities, few respondents have an effective process to delete data and clean hard drives for reuse or return to the manufacturer, or to review to ensure completion. This operation. Only one-third of respondents said they used automatic remote tools for secure erasure. Other respondents said that by manually removing the hard drive of the rack and server, half of the respondents said that the deletion was done manually, and the other half said that the hard drive was stored on site.
The irony is that they are already aware of the risk of data leakage. Fredrik Forslund, vice president of corporate and cloud erasure solutions at Blancco, said, "They store storage hardware in free space, which adds to the cost. These users don't get any residual value from the hardware, they need to take up valuable resources and space. And management, and in most cases, many companies will be penalized by suppliers for not returning the hard drive."
For hard drives that are no longer in use, more than half of the companies use manual tools such as DBAN to wipe them out manually. “They just download something from the internet and run it as part of the process, which is terrible.” Forslund pointed out, “The free online tools are only for personal use, which means they will face licensing issues and there is no Audit trail."
If the enterprise decides to physically destroy the disk, the destruction of the SSD hard disk will cause more trouble. "Even if the SSD drive is destroyed, data may be found," Forslund pointed out. While ultra-large-scale cloud computing providers like Microsoft Azure and Google Cloud use shredders to process drives (Google uses robotic automated destruction), this is rare in traditional enterprise data centers. Audit trails are not performed unless the serial number of each drive and the shredding process are taken. Conversely, some organizations concerned with security use a magnetically degaussing device to erase data, rather than physically damaging the hard drive. But today's hard drive shells will block the magnetic, and the data of the SSD hard drive will not be affected by the magnet.
Third-party services can provide effective physical smashing through audit trails, but will increase the cost of protecting drives during the transfer. “Users need service providers to safely ship hard drives to their facilities,” Forslund said. “Many security teams will not allow such transportation. If allowed, there will be strict requirements, such as transport by armed escort vehicles. Drives, which cost a lot of money. That's why the cost of a large amount of used hard drives is high: it's a cumbersome operation."
Prepare to encrypt all content
Password erasure of hard disks by simply deleting keys is becoming more popular because it is both fast and simple. According to the study, 64% of organizations use password removal measures, and this ratio is even higher in regulated industries such as healthcare and pharmaceuticals.
Forslund warned, "This is not a foolproof measure. Users need to encrypt the data of the storage device all the time, because if it is open at any time, there may be data leakage. Users need to have a good system to manage the encryption key, so it is not necessary. Worried about losing keys that might be used to recover data."
Verifying and auditing wipes is important even if the hard drive's data has been deleted and the management tool marks it as failed. Forslund estimates that in 70% to 80% of the time, the old hard drive can be erased to an auditable level, which means that the data can be recovered from it using the right tools.
Today, there is little research on the effectiveness of hard disk decommissioning, but Steve McDowell, senior analyst at Moor Insights&Strategy, says it is usually a process rather than a policy issue. He said: "Most IT organizations do have relevant policies, but proper clean-up and recycling of hard drives and other devices, even if policies are in place, will not be implemented or missed well. Most organizations They are very savvy, removing the hard drive before the computer is scrapped, but the disposal of these hard drives is usually just equivalent to electronic recycling of landfills."
He warned, "As more and more decommissioned storage devices are available, their security issues will go beyond the hard drive itself. Storage systems begin to build with multiple levels of persistent cache, which will only start with the industry. Accelerated by technologies such as server-level memory (such as Intel Optane), where static encryption may not be a good choice."
These storage hardware devices will not be able to be returned to the vendor or recycled over time, but high capacity and high price will make their integration into the asset management system that spans the entire storage lifecycle become even more important.