Resources for Data Center Facilities Management Professionals
The integration of software and hardware delivery
NJ Senate bill S3159 Requires Certification for Surplused Electronic Equipment

New Regs encourage recycling but require certification of proper disposal

by Sean O’Leary
In an effort to encourage recycling and refurbishing of state-owned surplus computers and mobile devices, the state of New Jersey’s proposed Senate bill S3159 has established new standards that will require a verifiable chain of custody for the equipment. The bill formalizes the process of declaring items to be surplus and tracks various possible outcomes, such as re-use of assets in state agencies or projects, or donation to schools or private charitable organizations. The objective of the initiative is to establish the highest possible use when appropriate.
An essential component of the regulation mandates that each device undergo a certified data security process prior to recycling. Although the state already has a recycling program in place, the new regulations will most likely mean that state approved e-scrap processors will be required to obtain certification through the National Association for Information Destruction (NAID).
Certification requires that any hard drives residing on computers or devices be sanitized beyond the possibility of recovery if the equipment is intended for refurbishment, or that hard drives be destroyed through a range of approved physical means prior to reclaiming.
The act will require certification that all data storage devices have been removed when the equipment is declared to be surplus. According to the wording of the Act: Within 18 months of the effective date of this act, P.L. , c. (pending before the Legislature as this bill), the director of the division shall issue a report to the Governor, and to the Legislature pursuant to section 2 of P.L.1991, c.164 (C.52:14-19.1), regarding the disposition programs and data security measures established pursuant to this act.
In other words, the lawmakers want a report on how the Office of Information Technology plans to enforce the disposition and data security programs mandated.
Manufacturer Shutdowns Cause Parts Shortages

Thai Floods Cause HDD Shortages

by Sean O’Leary
The epic October floods in Thailand have disrupted the global supply chain for HDD manufacturers, causing a shortage of drives that is affecting the entire PC market. Western Digital predicts that 32,400,000 fewer drives will be produced in the fourth quarter. According to Alexandre Mesquich’s Nov 21 column in ChannelWeb, Western Digital may be knocked out of production in Thailand for six months. Seagate has also warned of reduced production because of supply chain confusion. For example, motor manufacturer Nidec was temporarily knocked out, with limited production now resuming in temporary facilities. Between them, Seagate and Western Digital account for nearly 70% of the global market.
With pre-flood global HDD supplies already low, the net result is that refurbished SATA drives are now selling for 300 – 400% above previous market levels. Given the growing maturity in the e-waste and recycling markets, this combination of factors represents a potential windfall for ITAD and Technology Remarketing businesses.
A key component required to take advantage of this opportunity is the ability to quickly and securely wipe all data from used HDD while leaving them fully functional. According to DestructData VP Sales and Technology Michael Cheslock, a massive inventory of usable HDD remains virtually untapped.
“The rapid maturity of the recycling and remarketing markets not-withstanding, this particular development could kick start the industry to a whole new level,” says Mr. Cheslock. “We are predicting that the benefits of the temporary shortage will outlive the crisis.”
According to Mr. Cheslock, requests for high volume loose drive erasure solutions have grown dramatically.
“We are getting more calls for higher volume platforms to allow service providers to keep up with the demand in the secondary market,” noted Mr. Cheslock.
DestructData, Inc. is a media sanitization system integrator and service provider. As one of the first companies to enter the specialized field of end-of-life-cycle data destruction, the organization implements the nuts-and-bolts solutions that assure compliance with complex data disposal legislation.
Outsourcing asset storage and destruction services can be risky if you don’t spend time on due diligence up front. Even if your service provider is a giant technology contractor, questions regarding data security practices are best resolved up front.
The most recent example is a $4.9 billion lawsuit filed last month against the TriCare Military Health Care System and the Department of Defense when backup tapes containing the medical records of 4.9 million beneficiaries were stolen from an IT services vendor. TriCare is the health care provider for the DoD, and the contractor was Science Applications International Corp. (SAIC).
The vehicle from which the tapes were taken was parked near a federal facility in San Antonio. It is reasonable to believe that SAIC had developed a data security protocol in compliance with HIPAA and HITECH legislation. It is also possible to conclude there were gaps in its implementation.
The records were related to patients treated in military clinics and hospitals from 1992 through 2011 and included clinical notes, laboratory tests and prescriptions, Social Security numbers, addresses and phone numbers.
How serious is the data breach? Considering the nature of the storage media, retrieving the data would be a major technical hurdle. If the tapes were stolen by garden-variety burglars, they are likely in a landfill by now. So the danger of criminal access to the records depends on who stole the tapes. However, that is almost irrelevant once the lawyers get to work. So the real answer to the question is: how serious is $4.9 billion?
Although SAIC admitted fault for the breach and reported it to TriCare, no plan for remediation has been discussed. In the meantime, the very expensive wheels of justice will continue to turn.
In an increasingly common scenario, a recent random purchase of disk drives from a Singapore-based online vendor revealed that all data remained on the supposedly sanitized drives. Although the disks were described as “wiped”, they contained over 300 GB of private information, including emails, corporate databases and personal user information.
The HDD haul included units from RAID servers, PCs and a laptop. In addition to the obvious fact of advertising fraud, it is furthermore clear that the original disk owners had likely been charged a fee for securely removing data from the HDD.
This sort of security lapse doesn’t have to happen to anyone. Organizations performing their own data sanitization prior to resale need to use certified erasure products that are capable of producing audit trails that legally prove data has been permanently removed.
Before releasing any HDD to a service provider (recycler or reseller), onsite data erasure backed by verifiable documentation is not only secure, it is relatively inexpensive. In the greater scheme of things, there are few business costs quite as expensive and damaging as a data breach.
Leading Names in Software and Hardware Mean More Choices for Customers

The following article is reprinted from Storage & Destruction Business
Marietta, Ga.-based Blancco U.S., which provides data erasure software, has joined forces with DestructData, North Andover, Mass., a company providing data destruction services, in a partnership designed to expedite the erasure of information on hard drives.
Under the partnership, Blancco’s certified data erasure software will power a series of DestructData erasure appliances for loose drives.
“The technology alliance between Blancco and DestructData is a natural fit, combining Blancco’s industry leading data erasure software brand with DestructData’s extensive experience as the most respected hardware systems integrator in the enterprise data destruction and ITAD (information technology asset disposal) marketplaces,” says Michael Lawlor, president of DestructData. “Recognized globally as the standard in certified data sanitization, Blancco’s software solution will be deployed via DestructData’s powerful, customizable hardware platforms to ensure the highest possible data security for ITADs,” he adds.
According to a news release issued by Blancco, through the partnership, industrial-grade erasure appliances from DestructData will include Blancco’s data erasure software. DestructData will design, assemble, test and deliver the systems, which will remain fully supported with Blancco’s latest erasure software. The software offers detailed reports on hardware health along with proof of erasure, the company says.
“The Blancco and DestructData collaboration builds on the respective strengths of both companies to provide ITADs a safe, high-speed way to remove information from loose drives,” says Markku Willgren, Blancco president of U.S. operations. “ITADs, along with their customers, will also benefit from auditable erasure reports that are automatically sent to a centralized management console or IT asset tracking system.”
Why Physical Volume Erasure Solutions Are Our First Choice

Physical vs. Logical Volume

by Michael Cheslock
When erasing enterprise storage, it is logistically advantageous to sanitize the storage media without removing it from the systems or arrays. The ability to erase large quantities of drives in their native storage environment is a major time saver. There are two fundamentally different ways to accomplish this task: Logical Volume Erasure and Physical Volume Erasure. Not all enterprise storage systems allow both options to be used, but understanding the differences between these two is critical in the majority of cases when both options are available.
Erasure of Physical Volumes erases the entire native storage capacity of the storage media. When the procedure is combined with direct-attach connectivity, it can accelerate erasure dramatically by making better use of available bandwidth. It takes advantage of SCSI commands only available when communicating directly with the drives. This approach also allows interrogation of each individual disk to ensure actual hard drive serial numbers are known and can be reported.
Logical Volume (LUN) erasure is common in “boot disk only” approaches. When erasing the currently configured LUNs on a storage sub-system, only data in those LUNs can be seen and overwritten by the erasure software. This means sensitive user data in blocks of storage not currently allocated in the existing LUN configuration may remain unerased and fully accessible to malicious parties. This problem can be addressed by having a storage tech reconfigure the LUNs prior to erasure so that there is one LUN per drive, each LUN being equal to the storage capacity of the drive. This is very time consuming, however, and does not address the other drawbacks of Logical Volume erasure.
LUN erasure forces a tremendous amount of data through a single connection, often an arbitrated loop. This can result in extremely slow erasure. Lastly, on most storage subsystems LUN erasure provides no means to automate the acquisition of true HDD serial numbers. Currently, this requires manual data entry, which can be confusing when dealing with large volumes of storage.
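An added example (not DestructData’s code) that models the gap the paragraphs above describe: given constructed drive capacities and a LUN layout, it computes which LBA ranges a logical (LUN) erasure never touches, and shows that the one-LUN-per-drive reconfiguration, or a physical erasure keyed by each drive’s serial number, covers every sector. Drive serials, capacities and extents are constructed sample values.

```python
"""Coverage model of Physical vs Logical (LUN) Volume Erasure.

Added example, not vendor code. Drives, capacities and LUN extents are
constructed sample values. A LUN is a list of (drive_serial, start_lba,
length) extents; logical erasure can only overwrite LBAs inside configured
LUNs, while physical erasure addresses every LBA of every drive.
"""
from dataclasses import dataclass


@dataclass
class Drive:
    serial: str        # as read directly from the device over SCSI/ATA
    capacity_lba: int  # total addressable sectors


@dataclass
class Lun:
    name: str
    extents: list      # [(drive_serial, start_lba, length), ...]


def merge(intervals):
    """Merge overlapping or touching [start, end) intervals."""
    out = []
    for s, e in sorted(intervals):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


def logical_erase_gaps(drives, luns):
    """Return {serial: [(start, end), ...]}: LBA ranges that a LUN-level
    erasure never touches because no configured LUN allocates them."""
    caps = {d.serial: d.capacity_lba for d in drives}
    covered = {serial: [] for serial in caps}
    for lun in luns:
        for serial, start, length in lun.extents:
            if serial not in caps:
                raise ValueError(f"LUN {lun.name} references unknown drive {serial}")
            covered[serial].append((start, min(start + length, caps[serial])))
    gaps = {}
    for serial, cap in caps.items():
        pos, missed = 0, []
        for s, e in merge(covered[serial]):
            if s > pos:
                missed.append((pos, s))
            pos = max(pos, e)
        if pos < cap:
            missed.append((pos, cap))
        gaps[serial] = missed
    return gaps


def unerased_sectors(gaps):
    """Total sectors left untouched across all drives."""
    return sum(e - s for ranges in gaps.values() for s, e in ranges)


def physical_erase_plan(drives):
    """Physical Volume Erasure: one full-capacity pass per drive, keyed by
    the serial number interrogated from the device itself."""
    return {d.serial: [(0, d.capacity_lba)] for d in drives}


def one_lun_per_drive(drives):
    """The storage-tech workaround: one LUN per drive, equal to its full capacity."""
    return [Lun(f"LUN-{d.serial}", [(d.serial, 0, d.capacity_lba)]) for d in drives]


# Constructed sample: three small drives (capacities in LBAs, scaled down).
DRIVES = [Drive("WD-SAMPLE-001", 1000), Drive("WD-SAMPLE-002", 1000), Drive("ST-SAMPLE-003", 800)]
# A RAID-style layout that leaves the tail of two drives and a whole spare unallocated.
LUNS = [
    Lun("LUN0", [("WD-SAMPLE-001", 0, 600), ("WD-SAMPLE-002", 0, 600)]),
    Lun("LUN1", [("WD-SAMPLE-001", 600, 200), ("WD-SAMPLE-002", 500, 300)]),
]

if __name__ == "__main__":
    gaps = logical_erase_gaps(DRIVES, LUNS)
    for serial, ranges in gaps.items():
        print(f"{serial}: not touched by LUN erasure: {ranges}")
    print("sectors left unerased by LUN erasure:", unerased_sectors(gaps))
    print("after one-LUN-per-drive reconfiguration:",
          unerased_sectors(logical_erase_gaps(DRIVES, one_lun_per_drive(DRIVES))))
    print("physical erase plan:", physical_erase_plan(DRIVES))
```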
At DestructData, we are set up to offer both types of solutions for pretty much any erasure environment. However, we tailor our systems to address physical volumes rather than logical volumes whenever possible, for all the reasons stated above.
If a data owner destroys private information but can’t prove it, are they in compliance?

Safe Harbor for Data Security Compliance

by Sean O’Leary
While understanding that security measures for retired IT assets are the least sexy of ITAD security issues, it remains true that off-network breaches are as real and costly as any cyber hack. Consider the three embarrassing and costly incidents we covered recently. Even with a rigorous data security protocol in place, assets can end up in the strangest places, and some of those places are not good. Nevertheless, the lion’s share of IT capital budgets is dedicated to improving internal and network security, while off-network threats tend to be pushed to a back burner. Or stored in a warehouse while someone (not you) procrastinates on making the decision as to what to do with them.
Government guidelines direct data owners to establish a privacy security policy, but leave most of the details in the realm of “reasonable measures”. That sort of vagueness can lead to confusion in some areas, but in the limited realm of asset disposal the core principle is simple: erase private data before digital media leaves your physical control, and document the process so you can prove you did. This holds true whether you are performing the erasure job in-house with your own staff or using a service provider.
The second part of the principle means generating an audit trail that provides verification of what data was erased, before the hardware or other device is shipped or picked up for shredding. This standard holds true in both green and non-green scenarios. Certainly when a digital asset is going to be re-used or surplussed, the data it contains must be removed before it can migrate to its next phase. Similarly, even in a recycling or straight physical destruction scenario, regulatory guidelines indicate that verification of the sanitization process is essential. NIST Special Publication 800-88 indicates a policy that includes taking a representative sample of media, with verification conducted by personnel with no stake in the process. Tools used in sanitization must be calibrated, tested and maintained and personnel must be trained and attain the proper level of expertise to perform sanitization tasks.
The NIST document, which has become the go-to standard for electronic data disposal, emphasizes that inadequate record keeping can have negative consequences in the real world. Document what, when and how media are sanitized, as well as the final disposition.
From a compliance point of view, there is little value in crushing or shredding digital media unless you can document what data you destroyed.
Millions of Records Compromised by Lack of Attention to Retired IT Assets
In a scenario that has become something of a classic for end-of-life related security breaches, Saint Francis Health System of Tulsa reports a data breach that exposed 84,000 patients’ records to identity theft. The hard drive in question was in a PC stolen from a defunct outpatient facility belonging to the hospital. Private data on the hard drive includes names, social security numbers, billing data and diagnostic records. Although the PC was retired in 2004, it was never removed from the facility, nor was the private data on the hard drive erased. As is often the case, the hospital’s data security protocol ignored the need to erase or physically destroy private data on retired assets.
St. Francis has now retained a third party to implement advanced security for stored electronic data. In order to comply with regulations and avoid fines, such a program will include a verifiable audit trail. Compared to the cost of notifying 84,000 patients about the data breach, the expense of erasing the drive is negligible. The hospital has experienced two other similar breaches in the last few years.
MidState Crisis
What do you mean you lost the hard drive? MidState Medical Center of Meriden, CT is missing a hard drive containing private data on about 93,500 patients. Patient records on the missing hard drive include names, addresses, dates of birth, marital status and medical record numbers as well as, in some cases, Social Security numbers. According to MidState, the drive was lost when an employee took it home, in violation of the healthcare organization’s security policy. The incident will be investigated by Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William M. Rubenstein.
Although MidState has developed a written data security policy, the employee was clearly in violation of it. In order to assure compliance with HITECH and other legislation, most experts incorporate an employee training protocol into the overall security policy.
Health Net Faces Class Action Suit for Exposing Two Million Patient Records
While the government agencies investigate, Health Net Inc. finds itself looking at a $5 million class-action lawsuit due to the loss of nine computer storage devices containing the medical histories, financial data and Social Security numbers of 2 million people. The complaint alleges violation of California’s Confidentiality of Medical Information Act, (Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2) which covers the unauthorized disclosure of customer records. Also named in the suit is IBM, which is in the middle of a contract to manage Health Net’s IT database. IBM says it lost the hard drives.
This is not Health Net’s first trip down this road either. In 2009, it lost similar records for 1.5 million people, then compounded the problems by waiting six months before notifying the victims. When it settled the lawsuit with the State of Connecticut, the company promised it would do a better job.
An Analysis of the Regulatory Matrix Points the Way to Safe Harbor

Safe Harbor for Data Security Compliance

by Sean O’Leary
In addition to better known Federal legislation such as Sarbanes-Oxley, FACTA and HIPAA, there are now forty-six state and territorial laws that regulate the management of private electronic data. In addition, two more major federal acts are making their way through Congress, one in the House, another in the Senate. In spite of the shifting political landscape, they have a high probability of enactment.
HR2221, the Data Accountability and Trust Act (DATA), is intended to establish a uniform set of regulations governing the collection and protection of consumers’ Personally Identifiable Information (PII). S.1490 is the Senate version of the HR2221 (DATA) bill. If the past is any indication, impending initiatives to standardize data privacy protection via more legislation will produce the opposite outcome, but that is beside the point of this discussion.
Within this expanding body of legislation, there is significant variation in terms of purpose and scope. The individual Acts differ with regard to the classes of entities covered, definitions of personal information, identification of agencies selected for rulemaking, enforcement and other considerations. Some are intended to promote transparency within a specific industry segment, others are written for the purpose of expanding the use of electronic records. Civil and criminal penalties for failure to secure private data also differ from law to law, the common feature being a markedly upward trend in recent years. Criminal penalties now augment civil fines.
Regardless of other variations, recent privacy legislation consistently includes two common requirements:
1) establishment of formal data security programs and 2) notification of individuals in the case of a data breach. As a key component of these mandatory data security programs, virtually every new law also includes a provision that covered entities must securely destroy end-of-life-cycle electronic private data. This is because, despite the focus on protecting data-in-motion, a significant percentage of data theft involves retired storage media.
This segment of privacy law is the topic of the following discussion. I believe there is a compelling argument that “real world” compliance in the somewhat narrow area of electronic data disposal and destruction is simpler than it appears. (I explicitly distinguish, by the way, “simpler” from “easier” in this context.) In this article, I hope to briefly distill the interpretation of regulatory data destruction requirements to a level at which practical strategy decisions can be made with some confidence.
The Matrix
There is a perception among some compliance professionals that they are up against an interlocking, conflicting and overlapping matrix of government oversight. They are essentially correct about the interlocking and overlapping characteristics, but the “conflicting” attribute is not actually the case. It is true that when one initially confronts the multitude of privacy legislation, it is far from clear what methods, procedures and technologies should be deployed for specific data destruction scenarios.
However, a more comprehensive analysis of the current state of legislation reveals indicators that help us focus the search. First, the specific technical nuts and bolts of data erasure and destruction are not referenced in any actual legislation language I know of, so it isn’t strictly accurate to describe a company or procedure as “FACTA compliant” or “HITECH approved”. Instead the various legislative Acts describe the intent of the law, then direct a government agency to develop real world “guidance” that determines rules governing practical execution.
Once the initial guidance or “Rule” has been written, it is published in the Federal Register for public comment. Eventually the final Rule goes into effect. Although many laws identify multiple agencies for oversight, the lead federal agency for rulemaking in this aspect of privacy law is often the Federal Trade Commission (FTC).
In terms of practical solutions, then, a privacy or compliance professional will be looking to the guidance Rule rather than to the legislation itself. Many laws reference the same Rule. In almost every case we know of, these guidelines are expressly meant to be flexible and to be consistent with similar laws. Federal and state agencies are by their nature disinclined to establish new standards and best practices, especially in highly technical areas. By the same token, they are highly likely to incorporate language already used in other legislation guidance, meaning “best practices” are similar from one law to the next.
Furthermore, most agency rulemaking specifies that compliance with Rules imposed by other jurisdictions is satisfactory. As a result, most federal guidance is notably (and perhaps notoriously) non-specific, tending more toward “examples” than requirements. The FTC describes its key Disposal Rule, for example, as allowing covered organizations to “determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology”. Reasonability, of course, is a word that invites many alternative interpretations.
NIST Special Publication 800-88: Guidelines for Media Sanitization
This self-referencing rulemaking process increasingly creates de facto adoption of the recommendations published in the National Institute of Standards and Technology’s (NIST) Special Publication 800-88: Guidelines for Media Sanitization. Issued in 2006, this analysis identifies multiple methods for destroying data on electronic storage media and ranks them according to security level. An example of high-profile guidance language from the HITECH Act is as follows: “electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88 such that PHI cannot be retrieved.”
A number of legal experts in the field have indicated that the language found in government data disposal rules in most cases establishes a Safe Harbor scenario for covered entities that have applied technologies and methods referenced in the guidance. A safe harbor is a provision of a statute or regulation that minimizes liability on the condition that the party performed its actions in good faith. Good faith is a term that also invites a range of alternative interpretations.
In general, government guidance does not require specific data sanitization methods, but acknowledges that if used, they will “create the functional equivalent of a safe harbor” for security levels below top secret classification.
Nevertheless, it is important to note that data destruction solutions and products describing themselves as NIST-approved are also not being strictly accurate. NIST establishes guidelines. It does not approve or disapprove of any product. It is therefore up to the organization to match its objectives with a particular method or combination of methods. The NIST 800-88 guidelines don’t eliminate the need to take relevant technical, cost/benefit, environmental and custody/control factors into consideration; rather, they provide an outline for evaluating these parameters. Similarly, the report clearly recommends that the data disposal process be well documented, but without spelling out specific protocols that would assure that goal. In a nutshell, the forty-one page document provides a framework within which privacy professionals can implement data destruction solutions with a high degree of confidence that they are in compliance with this specific aspect of privacy law.
There are other standards that can apply to the destruction of electronic data, but they almost always apply to Classified and Top Secret data. Even so, the Department of Defense’s own Clearing and Sanitization Matrix references the NIST report in the following language:
“In addition, NIST Special Publication 800-88, Guidelines for Media Sanitization, dated Sep 2006, can assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information, ensuring cost effective security management of their IT resources, and mitigate the risk of unauthorized disclosure of information.”
In terms of specific technologies, the NIST guidelines deal with a manageable range of possibilities which are ranked according to security level. The methodologies are split between physical (or mechanical) destruction and non-destructive. Physical destruction ranks the highest in terms of security, but renders the storage media unusable. The non-destructive methods are described as purging and over-writing; they securely erase data without destroying the functionality of the hard drive or other electronic media.
Within any particular media storage scenario, IT managers should be able to choose one or more methodologies consistent with scale of operations, business objectives, environmental considerations, security requirements and insurance-based considerations. As the discipline matures, more companies are seeking data disposal solutions within a greater business or mission context, such as the ability to maximize asset value through re-sale or recycling, or social and tax benefits through charity donation.
When establishing a data disposal procedure, an additional critical factor is verification of data disposal in a manner consistent with the data security program scenario. Given that paperwork is likely to remain a significant component of government compliance, the ability to document the data destruction process is as important as the method of sanitization itself. Especially in the case of a privacy breach, it will be necessary to show that data has been securely removed from electronic storage devices.
Once a hard drive is physically destroyed, for example, it is no longer possible to prove that the data it contained was destroyed. Other parameters, such as physical location and access to the drive are also part of this process. For this reason, most enterprise level erasure products are designed to generate a device list and audit logs that track hard drive serial numbers, date and time, erasure method, operator identification and other parameters as part of the data destruction process. In this sense, the level of verification selected for a given data sanitization environment should be seen as a factor in the disposal technology decision loop.
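An added example (not any vendor’s product) of the audit trail described in this paragraph and of the NIST SP 800-88 verification sampling mentioned in the Safe Harbor article above: each erasure record carries serial number, time, method, operator and final disposition and is hash-chained to the previous record, so a removed or altered entry is detectable after the fact; a sampling helper then selects media for verification and rejects a verifier who performed any of the sampled erasures. All serials, operator IDs and timestamps are constructed.

```python
"""Hash-chained sanitization audit log plus representative-sample verification.

Added example, not any vendor's product code. Serials, operator IDs and
timestamps below are constructed sample values.
"""
import hashlib
import json
import random
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record in a log


def make_record(prev_hash, serial, method, operator, disposition, when, verified_by=None):
    """One audit entry: what (serial), when, how (method), who, and final disposition.
    The hash covers every field including prev_hash, which links it to the prior entry."""
    entry = {
        "serial": serial,
        "timestamp": when.isoformat(),
        "method": method,            # e.g. "overwrite-1pass", "purge", "shred"
        "operator": operator,
        "disposition": disposition,  # "reuse", "resale", "recycle" or "destroyed"
        "verified_by": verified_by,  # independent verifier, None until sampled
        "prev_hash": prev_hash,
    }
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry


def append(log, **fields):
    """Append a record linked to the current tail of the log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append(make_record(prev, **fields))
    return log


def verify_chain(log):
    """Recompute every hash and link; return the index of the first bad entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev_hash") != prev:
            return i  # an entry was removed or reordered before this one
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return i  # this entry was altered after it was written
        prev = entry["hash"]
    return -1


def select_sample(log, fraction, seed=0):
    """Representative sample (at least one item) of sanitized media for verification."""
    serials = [e["serial"] for e in log]
    k = max(1, round(len(serials) * fraction))
    return sorted(random.Random(seed).sample(serials, k))


def independent_verifier_ok(log, serials, verifier):
    """SP 800-88 verification is done by personnel with no stake in the process:
    reject a verifier who appears as the operator on any sampled record."""
    operator_of = {e["serial"]: e["operator"] for e in log}
    return all(operator_of[s] != verifier for s in serials)


def build_sample_log():
    """Constructed four-drive run with fixed timestamps so results are repeatable."""
    t0 = datetime(2011, 11, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    append(log, serial="WD-SAMPLE-001", method="overwrite-1pass", operator="op-alice",
           disposition="resale", when=t0)
    append(log, serial="WD-SAMPLE-002", method="overwrite-1pass", operator="op-alice",
           disposition="resale", when=t0.replace(minute=20))
    append(log, serial="ST-SAMPLE-003", method="purge", operator="op-bob",
           disposition="reuse", when=t0.replace(minute=40))
    append(log, serial="ST-SAMPLE-004", method="shred", operator="op-bob",
           disposition="destroyed", when=t0.replace(hour=10))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    sample = select_sample(log, 0.5)
    print("sample:", sample, "auditor ok:", independent_verifier_ok(log, sample, "auditor-carol"))
    log[1]["method"] = "shred"  # tamper with one entry after the fact
    print("first broken entry:", verify_chain(log))
```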
Conclusion:
The safe harbor benefit will accrue to organizations that choose an appropriate, verifiable NIST-recommended data disposal solution, and apply it within a written, well documented data security program.
Recent Research Shows A Security Downside for Solid State Drives

Solid State Drives Represent a Whole New Security Challenge

No one doubts that new solid state drives (SSDs) deliver better performance than conventional hard drives. Currently the big new thing with techies, an SSD’s non-volatile NAND has no moving parts, a big advantage from the get-go. With no actuator arm and read/write head to go looking for data on a platter, SSDs read and write data faster.
Unfortunately for those of us in the data destruction business, SSDs are also tougher to erase than conventional hard drives. According to a new study at the Department of Computer Science and Engineering, University of California at San Diego, the methods that have previously worked on magnetic media are not necessarily reliable on SSDs. The research team included Frederick Spada from the Center for Magnetic Recording and Research, the technology entity that originally developed Secure Erase for the NSA.
The tests deployed fourteen standard sanitization methods on the target SSDs, including Gutmann’s 35-pass method, Schneier’s 7-pass method and Secure Erase. Every one of the methods left at least 10% of the original data intact, with some techniques having virtually no effect at all. Many of the drives they examined didn’t support the “ERASE UNIT” command for securely destroying data. On many of the drives which did support it, the command didn’t successfully erase the data.
Although solid state drives now comprise a fairly small percentage of all drives, the numbers are going to increase, probably quickly. In the short term, this means organizations must take the security factor into consideration when planning their next purchase or lease. Although the data erasure experts are working full time on the problem, for the time being the only secure means of destroying all sensitive data on an SSD is to physically destroy the drive.