Many organizations or companies that have no connection with state or federal government agencies possess large amounts of extremely sensitive information that resides on hard drives, backup tapes, and a variety of other magnetic media. Depending on the nature of your business, much of this data must be handled in compliance with strict industry standards. It is difficult to mention all of the industry standards that are out there, but here are a few that may apply to your business: HIPAA (Health Insurance Portability and Accountability Act), FERPA (applies mostly to colleges and universities), FACTA (Credit Transactions Act), the Sarbanes Oxley Act, and PCI DSS (Payment Card Industry Data Security). Non-compliance on the part of your organization could result in fines or expose your company to criminal and civil liabilities.
Growing Need for Proper Media Sanitization & Destruction: Why Degauss?
Media sanitization and destruction is the one thing you can control internally to guarantee total confidentiality for your organization. Computer technologies are changing every day, creating more powerful computers with track densities that make previous methods of destruction totally obsolete. Degaussing is a method that exposes magnetic media, like hard drives and backup tapes, to a powerful magnetic field. This method destroys not only the media but also the firmware that manages the device. Some of the more prominent high security IT organizations and test facilities in the U.S. prefer this method of destruction over all others.
Is Physical Destruction Really Necessary?
Some people consider physical destruction the ultimate form of media destruction. Physical destruction of hard drives can be accomplished by shredding, crushing, or using a device that bores a hole in the center of the drive creating severe damage to the housing and internal workings of the drive. Incineration and melting will also destroy media, but these methods may be impractical or unavailable to your average company. Most physical destruction devices have a relatively small footprint and can be located in your IT department or in a designated area within the company. Depending on the importance or security categorization of your data, you might consider a two-step process where degaussing and physical destruction go hand-in-hand. Most government agencies are dealing with extremely sensitive data, which requires degaussing and some form of physical destruction. This is something to seriously consider with the increasingly sophisticated level of encryption that is out there today.
Definition of Cloud Security from the Cloud Security Alliance (CSA): Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.
Recently, there has been a hyper focus on cloud security, and with good reason. According to a report by McAfee titled “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,” cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms, with engineering and government having the highest adoption of private clouds. Amazingly enough, this surge in cloud adoption is not equally met with security and trust, with only 23% of organizations today trusting public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.
These statistics indicate that cloud security is lagging far behind cloud storage and adoption, similar to cell phone batteries. Cell phone technology continues to advance at an exponential rate while cell phone battery technology advancements are sluggish at best. As a result, cell phone battery life continues to be a major consumer issue regardless of the technological advancements made by cell phone manufacturers. What good is a beautiful, high resolution screen with a lightning fast processor if the phone can’t handle the battery load? Likewise, cloud security threats have escalated alongside cloud data expansion due in large part to the sheer number of records now being stored. For example, the number of data breaches from 2014 to 2015 actually decreased, while the number of compromised records containing sensitive information more than doubled from 67 million to 159 million in the same time period. The decreased number of data breaches is indicative of the consolidation of cloud data storage providers, and yet the large increase in compromised records shows that one data breach affects far more records today than it did just five years ago.
As a result of the serious challenges presented by cloud data security, numerous methodologies have been recommended in an effort to combat the reputation degradation and astronomical cost associated with compromised data. Some of the more frequently utilized processes include user authentication, encryption of data both in transit and at rest, ongoing vulnerability testing, role-based access control (RBAC), intrusion detection and prevention technology, and staff training. In addition, the establishment and enforcement of cloud security policies is critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, endpoint security, user controls, and conducting security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans – an end-of-life policy.
Cloud security providers who actually define an end-of-life strategy are rare, and a comprehensive program is rarer still. Many providers erroneously think that erasing or overwriting a disk is sufficient or, more unsound still, that a failed drive is precisely that – failed and non-recoverable. Unfortunately, nothing could be further from the truth. Drives that were “erased” have shown up on eBay with sensitive information, and overwritten and failed drives invariably contain original data that is fairly easy to recover. Criminals and thieves tend to be one step ahead of security and law enforcement initiatives, and cyber criminals are no exception.
Fortunately, many compliance regulations do address data end-of-life, which is why any cloud security provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent NSA requirements, these compliance regulations are put in place to protect sensitive data and personally identifiable information from falling into the wrong hands, whether through firewall vulnerabilities or data retrieval at drive end-of-life. In-house data destruction is the ideal way to securely manage drives at end-of-life; however, the method of data destruction varies greatly depending on volume, location, regulatory requirements, and operational procedures. There are many data destruction devices available, from high security disintegrators capable of handling up to 500 drives per hour to enterprise specific, portable, and NSA listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should receive a thorough evaluation to determine which solution best fits their needs. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction.
Many third-party providers offer drive end-of-life services, including degaussing and crushing as well as shredding. But while it is possible to outsource data disposal to third parties, it is NOT possible to outsource risk. Therefore, security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal. By maintaining a proactive approach to security operations, companies and businesses can reduce the reputation degradation, frantic clean-up, and astronomical cost that typically come with a reactive approach. Cloud security should not and cannot follow the path of the cell phone battery without disastrous consequences.
What’s the best in-house hard drive destruction for today’s drives?
The most commonly used hard drives in today’s computing world are the 3.5”, 2.5”, and 1.8” form factor drives. In fact, they represent over 95% of the drives being used in today’s offices. Larger drives only represent a small portion of the drives that are in use today. So what is the best method of hard drive destruction?
Until recent years, a practical solution for in-house destruction was not available other than deleting software, drilling holes in the drives, burning, or other methods that are not very practical and did not guarantee any level of security. From a security standpoint, there is no substitute for controlling your own IT destruction program in-house, especially if user-friendly, affordable equipment is available that can be utilized by IT personnel.
This device represents final destruction for some companies, while other high security government organizations use it to disable drives after they have been magnetically degaussed to NSA standards. The Model 0101 takes up very little space (22” h x 10” w x 19” d) and can easily be transported to other locations. A deployment case is available for easy transport. The method of destruction is a hardened, pointed conical punch that comes in contact with the drive with 12,000 lbs. of force, causing trauma to the drive chassis and internal platter. The process takes about 10 seconds. While it sounds kind of menacing, this unit is actually quiet, safe, and requires minimal maintenance. It is also very affordable and ideal for in-house destruction.
Several years ago, the average hard drive shredder needed its own building! It was so big that it was only practical for most organizations to use an outside destruction service or salvage company when HDDs needed to be shredded. Nowadays, there are plenty of options. When volume or total destruction is needed, the SEM hard drive shredder series is your best solution. These units have amazing destructive power with a very small footprint. They will destroy from 500-3,500 drives per hour and power consumption is minimal. They are quiet, compact, and built to last. Numerous safety features are incorporated into the design. Maintenance is minimal and can be done by your own company personnel or by PM contract with the manufacturer.
Degaussing is a method for destroying hard drives that utilizes powerful magnets. The SEM Model EMP1000-HS meets NSA EPL (Evaluated Products List) guidelines for destroying classified drives. Other commercial grade degaussers are also available from SEM. All units are extremely safe, compact, and very practical for in-house destruction. All degaussers can also be bundled with HDD shredders or crushers if drives need to be destroyed after magnetic erasure as required by NSA.
For more information, please visit www.semshred.com or call us at 800-225-9292 to speak to your representative.
When it comes to eliminating classified magnetic media, a government IT security manager must establish a process that ensures the media is properly destroyed and disposed of. To some, the options for getting this done may seem limited. As required by NSA, classified magnetic media must be degaussed using an NSA evaluated degausser, and it is then highly recommended to physically destroy the device. Most agencies will choose to eliminate their classified magnetic media in one of two ways: in-house or outsourced. These options are usually weighed based on cost, volume, and level of security.
Agencies that eliminate their magnetic media in-house will purchase the necessary equipment and create a program to perform the destruction on-site. In most cases, security managers prefer in-house destruction because the media is never transported outside classified areas, where it is at risk of being lost or breached. Although these programs require agencies to purchase equipment up-front, they eliminate the cost of having to coordinate high security transportation of the media, including cleared escorts and secure transportation. Agencies can also take advantage of the high recyclable value of various magnetic storage drives.
While agencies can choose to outsource their magnetic media destruction, often by sending it to the NSA or another classified agency with in-house capabilities, it is both risky and more costly. Why? Outsourcing requires a scheduled secure shipment and cleared escorts every time the media leaves the classified area for transport. This process can be expensive and time consuming. Since it can be difficult at times for an IT security department to secure up-front funds for their own equipment, agencies find it easier to spend less money for each shipment and stay within their monthly operating budget. However, many agencies justify creating their own in-house program by weighing the long-term costs vs. buying their own equipment. Outsourcing can also add unnecessary security risks by transporting the media outside of classified areas.