Archives ||About Us || Advertise || Feedback || Subscribe-
Issue of April 2005 

[an error occurred while processing this directive]

 Home > Vendor Voice
 Print Friendly Page ||  Email this story

Securing storage

Erase it, completely!

When old disks are replaced, the data on these disks is erased before they are discarded. This leaves open a potential security hole as sensitive enterprise information can be recovered from supposedly blank disks using tools that are freely available. Here's how you should protect your information. by Arun Rawtani

Out of sight, out of mind. When storage systems are upgraded, retired on account of proactive maintenance, reach the end of their lease, or are re-purposed or re-sold, companies often delete the data on these disks and then they are forgotten. Unfortunately, a tremendous amount of critical, confidential and competitive information remains on those disks, and this information cannot be erased by pressing 'delete.'

The existence of this data exposes competitive intelligence, increases vulnerability to industrial espionage and litigation, and jeopardises an organisation's compliance with corporate governance practices and government and industry regulations protecting proprietary and confidential corporate, customer, and patient information. For example, regulations such as DOD Pub., 5220-22.M, Sarbanes-Oxley and HIPAA require proof of secure erasure.

Consequently, it is vital that data is completely erased and the erasure recorded to ensure that critical and confidential information stays secure from accidental or malicious recovery. Done correctly, data removal meets important compliance regulations and guidelines for erasing data such as sensitive patient records or financial procedures.

Rationale for ensuring erasure

There are many reasons for completely and provably erasing stored data, including:

  • Data disposal and erasure has to conform to industry and other regulatory requirements.
  • Potential litigation, loss of intellectual property, or financial loss can result from insecure data disposal.
  • Information that isn't properly erased remains accessible when storage systems are returned under lease, re-deployed, swapped or re-purposed.
  • Corporate guidelines require data erasure and removal of proprietary information prior to returning leased systems or re-purposing storage systems.
  • Some companies or industries require proof of data erasure and overwrite levels.
  • Companies have different data disposal standards for different types of information.
  • Some companies and industries require a three-pass or greater overwrite process (recommended in DOD 5220.22-M level).
  • Companies have strict security requirements to retain all disks, and you need to secure them.

Wipe that disk clean

Most companies know how to implement security measures to protect existing data. However, the options for safely and securely removing data from a drive so that it cannot be retrieved are not nearly as advanced. Common measures include one-pass overwrites, degaussing, physical destruction, and physically storing old drives.

One-pass overwrites: Replacing data stored on hard disk drives with a variable bit pattern of 1s and 0s effectively renders the data unrecoverable. A single pass will successfully overwrite some of the data, but not all disk sectors are visible to overwrite applications.

This can leave highly critical information perfectly intact. Multiple passes yield better results, but the overwrite application must be sophisticated enough to locate and overwrite hidden and damaged sectors, as well as produce audit reports for compliance purposes.

Degaussing: Demagnetising to remove all data. Degaussing can be effective, but it often leaves the disk drive unusable. This is not a good thing if a company intends to re-purpose its drives. It is also not cost-effective to degauss large numbers of high capacity disks in storage systems.

Destruction: Physically crushing and shredding drives is very effective and can even be therapeutic for stressed-out IT professionals. That said, the process is time-consuming, costly, and impractical for retiring a large number of drives.

Storing old drives: Physically storing drives that have presumably been erased before they are stored. It has been estimated that 85 percent of business espionage crimes are inside jobs. Thus, this technique may make it easier for employees to access retired drives to commit these crimes. Physical storage does not meet most compliance regulations regarding erasure, nor does it protect a firm in the event of litigation.

When it comes to returning, reselling, re-purposing, trading, or swapping out storage assets, companies need secure and complete data erasure to meet corporate governance, industry specification, and government mandates

Best practices

The most efficient, cost-effective and compliant method of erasing data is to completely overwrite the drive to render the data virtually unrecoverable, and be able to report the procedure.

This is harder than it looks, especially when large and complex storage systems are involved. Companies can assign service levels according to the relative importance of the data, with more overwrite passes for critical information. (Common overwrite levels go from three passes for non-critical data up to seven for the most sensitive information.) Once done, the professional service or erasure application should deliver an independent audit and written proof of service completion.

Observing best practices in data erasure has a number of benefits for security-conscious firms. Complete data erasure maximises compliance measures by managing risk, ensures information in the lifecycle disposal phase is really being disposed, enables the utilisation and re-purposing of storage, and lets IT professionals sleep at night knowing they have secured important data on released storage assets.

Data erasure services

A number of hardware and software vendors provide data erasure services for the PC market, but storage systems are ignored for the greater part. Due to the sheer size and complexity of storage systems, efficient and complete data erasure is beyond the capabilities of simpler methods. Managing data lifecycle from creation through deletion includes making sure that data has actually been disposed.

Storage system data erasure services can completely erase data on storage assets and prove that they have done the job. Any secure data erasure for storage systems should be able to handle the specific requirements of storage assets, be available from highly-trusted professional services (for complete security and audit purposes), erase multiple disks and frames concurrently, have a flexible overwrite pattern for differing specifications, be delivered at the customer location to increase security and eliminate delays, and provide independent audit and documentation of data erasure.

While firewalls and other security measures protect data at the front-end of the storage lifecycle, it is equally important to protect data at the back-end. When it comes to returning, reselling, re-purposing, trading, or swapping out storage assets, companies need secure and complete data erasure to meet corporate governance, industry specification, and government mandates.

Reliable and proven data erasure services dramatically reduce potential litigation resulting from the uncontrolled distribution or viewing of confidential information, help avoid the physical destruction of perfectly good equipment, and address security concerns. Companies can safely sell or re-use storage equipment and ensure they have the audit trail necessary to meet corporate and industry conformance requirements by availing of these services. Importantly, this will protect an organisation's most valuable asset-its information.

The author is Country Manager, Technology Solutions Group,EMC

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.