The Critical Imperative of Data Center Physical Security

September 12, 2023 at 8:00 am by Amanda Canale

In our data-driven world, data centers serve as the backbone of the digital revolution. They house an immense amount of sensitive information critical to organizations, ranging from financial records to personal data. Ensuring the physical security of data centers is of paramount importance. After all, a data center’s physical property is the first level of security. By meeting the ever-evolving security mandates and controlling access to the premises, while maintaining and documenting a chain of custody during data decommissioning, data centers ensure that only authorized personnel have the privilege to interact with and access systems and their sensitive information.

Levels of Security Within Data Centers

Before any discussion on physical security best practices for data centers can begin, it’s important to think of data center security as a multi-layered endeavor, with each level meticulously designed to strengthen the protection of data against potential breaches and unauthorized access. 

Data centers with multi-level security measures, like Google and their six levels of data center security, represent the pinnacle of data infrastructure sophistication. These facilities are designed to provide an exceptional level of reliability and high security, offering the utmost advances in modern day security, ensuring data remains available, secure, and accessible. 

Below we have briefly broken down each security level to offer an inside peek at Google’s advanced security levels and best practices, as they serve as a great framework for data centers. 

  • Level 1: Physical property surrounding the facility, including gates, fences, and other more significant forms of defenses.
  • Level 2: Secure perimeter, complete with 24/7 security staff, smart fencing, surveillance cameras, and other perimeter defense systems.
  • Level 3: Data center entry is only accessible with a combination of company-issued ID badges, iris and facial scans, and other identification-confirming methods.
  • Level 4: The security operations center (SOC) houses the facility’s entire surveillance and monitoring systems and is typically managed by a select group of security personnel.
  • Level 5: The data center floor only allows access to a small percentage of facility staff, typically made up solely of engineers and technicians.
  • Level 6: Secure, in-house data destruction happens in the final level and serves as the end-of-life data’s final stop in its chain of custody. In this level, there is typically a secure two-way access system to ensure all end-of-life data is properly destroyed, does not leave the facility, and is only handled by staff with the highest level of clearance.

As technology continues to advance, we can expect data centers to evolve further, setting new, intricate, and more secure standards for data management in the digital age.

Now that you have this general overview of best practices, let’s dive deeper.

Key Elements of Data Center Physical Security

Effective data center physical security involves a combination of policies, procedures, and technologies. Let’s focus on five main elements today:

  • Physical barriers
  • Surveillance and monitoring
  • Access controls and visitor management
  • Environmental controls
  • Secure in-house data decommissioning

Physical Barriers

Regardless of the type of data center and industry, the first level of security is the physical property boundaries surrounding the facility. These property boundaries can range widely but typically include a cocktail of signage, fencing, reinforced doors, walls, and other significant forms of perimeter defenses that are meant to deter, discourage, or delay any unauthorized entry.  

Physical security within data centers is not a mere addendum to cybersecurity; it is an integral component in ensuring the continued operation, reputation, and success of the organizations that rely on your data center to safeguard their most valuable assets.

Surveillance and Monitoring

Data centers store vast amounts of sensitive information, making them prime targets for cybercriminals and physical intruders. Surveillance and monitoring systems are the vigilant watchdogs of data centers and act as a critical line of defense against unauthorized access. High-definition surveillance and CCTV cameras, alarm systems, and motion detectors work in harmony to help deter potential threats and provide real-time alerts, enabling prompt action to mitigate security breaches.

Access Controls and Visitor Management

Not all entrants are employees or authorized visitors. Access controls go hand-in-hand with surveillance and monitoring; both methods ensure that only authorized personnel can enter the facility. Control methods include biometric authentication, key cards, PINs, and other secure methods that help verify the identity of individuals seeking entry. These controls, paired with visitor management systems, allow facilities to control who may enter the facility, and allow staff to maintain logs and escort policies to track the movements of guests and service personnel. These efforts minimize the risk of unauthorized access, which in turn significantly reduces the risk of security breaches.

Under the umbrella of access controls and visitor management is another crucial step in ensuring that only authorized persons have access to the data: assigning and maintaining a chain of custody. 

But what exactly is a chain of custody?

A chain of custody is a documented trail that meticulously records the handling and movement of data, as well as access to it and activity on it. In the context of data centers, it refers to the tracking and documenting of data assets as they move within the facility and throughout their lifecycle. A robust chain of custody ensures that data is always handled only by authorized personnel. Every interaction with the data, whether it’s during maintenance, migration, backup, or destruction, is documented. This transparency greatly reduces the risk of unauthorized access or tampering, which enhances overall data security and helps maintain data integrity and compliance with regulations.
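One way such a trail can be audited, as an added example that is not part of the original article: the Python below walks a custody log for drives slated for decommissioning and flags unauthorized handlers, movement outside controlled areas, missing destruction records, and activity recorded after destruction. The CSV columns, serial numbers, handler names, and locations are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample custody log; the column names are hypothetical.
CUSTODY_LOG = """\
timestamp,serial,action,handler,location
2023-09-01T09:00:00,ZA10001,received,jlee,data-floor
2023-09-01T09:30:00,ZA10001,transferred,mruiz,destruction-room
2023-09-01T10:05:00,ZA10001,destroyed,mruiz,destruction-room
2023-09-01T09:00:00,ZA10002,received,jlee,data-floor
2023-09-01T11:00:00,ZA10002,transferred,visitor7,loading-dock
2023-09-02T08:00:00,ZA10003,received,jlee,data-floor
2023-09-02T08:40:00,ZA10003,destroyed,mruiz,destruction-room
2023-09-02T09:15:00,ZA10003,transferred,jlee,data-floor
"""

# Constructed policy inputs (assumptions, not from the article).
AUTHORIZED_HANDLERS = {"jlee", "mruiz"}
ONSITE_LOCATIONS = {"data-floor", "destruction-room"}
DECOMMISSIONED = ["ZA10001", "ZA10002", "ZA10003", "ZA10004"]


def audit_custody(log_text, decommissioned, authorized, onsite):
    """Return a list of (serial, finding) tuples for custody violations."""
    # Group log rows by drive serial number.
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events[row["serial"]].append(row)

    findings = []
    for serial in decommissioned:
        # Rebuild each drive's trail in time order.
        trail = sorted(events.get(serial, []), key=lambda e: e["timestamp"])
        if not trail:
            findings.append((serial, "no custody records"))
            continue

        destroyed = False
        for event in trail:
            # Every interaction must be by an authorized person.
            if event["handler"] not in authorized:
                findings.append(
                    (serial, f"unauthorized handler: {event['handler']}"))
            # End-of-life media must stay inside controlled areas.
            if event["location"] not in onsite:
                findings.append(
                    (serial, f"left controlled area: {event['location']}"))
            # Nothing should happen to a drive after it is destroyed.
            if destroyed:
                findings.append(
                    (serial, f"activity after destruction: {event['action']}"))
            if event["action"] == "destroyed":
                destroyed = True

        # The trail must end in a documented destruction.
        if not destroyed:
            findings.append((serial, "no destruction record"))

    # Drives that appear in the log but were never scheduled for disposal.
    for serial in sorted(set(events) - set(decommissioned)):
        findings.append((serial, "logged but not in decommission list"))
    return findings


if __name__ == "__main__":
    for serial, finding in audit_custody(
            CUSTODY_LOG, DECOMMISSIONED, AUTHORIZED_HANDLERS, ONSITE_LOCATIONS):
        print(f"{serial}: {finding}")
```
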

Environmental Controls

Within the walls of data centers, a crucial aspect of safeguarding your digital assets lies in environmental controls, so facilities must not only fend off human threats but environmental hazards, as well. As unpredictable as fires, floods, and extreme temperatures can be, data centers must implement robust environmental control systems as they are essential in preventing equipment damage and data loss. 

Environmental control systems include, but are not limited to:

  • Advanced fire suppression systems to extinguish fires quickly while minimizing damage to both equipment and data.
  • Uninterruptible power supplies (UPS) and generators ensure continuous operation even in the face of electrical disruptions.
  • Advanced air filtration and purification systems mitigate dust and contaminants that can harm your equipment, keeping your servers and equipment uncompromised. 
  • Leak detection systems are crucial for any data center. They are designed to identify even the smallest leaks and trigger immediate responses to prevent further damage.

These systems are the unsung heroes, ensuring the optimal conditions for your data to (securely) thrive and seamlessly integrate with physical security measures.

In-House Data Decommissioning

While there’s often a strong emphasis on data collection and storage (rightfully so), an equally vital aspect in data center security is often overlooked—data decommissioning. In-house data decommissioning is the process of securely and responsibly disposing of any data considered “end-of-life,” which ultimately empowers organizations to maintain better control over their data assets. Simply put, this translates to the physical destruction of any media that is deemed end-of-life by way of crushing for hard disk drives (HDDs), shredding for paper and solid state drives (SSDs), and more.

When data is properly managed and disposed of, organizations can more effectively enforce data retention policies, ensuring that only relevant and up-to-date information is retained. This, in turn, leads to improved data governance and reduces the risk of unauthorized access to sensitive data.

In-house data decommissioning ensures that sensitive data is disposed of properly, reducing the risk of data leaks or breaches. It also helps organizations comply with data privacy regulations such as GDPR and HIPAA, which often require stringent secure data disposal practices.

Physical Security Compliance Regulations

We understand that not all compliance regulations are a one-size-fits-all solution for your data center’s security needs. However, the following regulations can still offer invaluable insights and a robust cybersecurity framework to follow, regardless of your specific industry or requirements. 

ISO 27001: Information Security Management System (ISMS)

ISO 27001 is an internationally recognized standard that encompasses a holistic approach to information security. This compliance regulation covers aspects such as physical security, personnel training, risk management, and incident response, ensuring a comprehensive security framework.

When it comes to physical security, ISO 27001 provides a roadmap for implementing stringent access controls, including role-based permissions, multi-factor authentication, and visitor management systems, and the implementation of surveillance systems, intrusion detection, and perimeter security. Combined, these controls help data centers ensure that only authorized personnel can enter the facility and access sensitive areas. 

Data centers that adopt ISO 27001 create a robust framework for identifying, assessing, and mitigating security risks. 

ISO 27002: Information Security, Cybersecurity, and Privacy Protection – Information Security Controls

ISO 27002 offers guidelines and best practices to help organizations establish, implement, maintain, and continually improve an information security management system, or ISMS. While ISO 27001 defines the requirements for an ISMS, ISO 27002 provides the practical controls for data centers and organizations to implement so various information security risks can be addressed. (It’s important to note that an organization can be certified in ISO 27001, but not in ISO 27002, as it simply serves as a guide.)

While ISO 27002’s focus is not solely on physical security, this comprehensive practice emphasizes the importance of conducting thorough risk assessments to identify vulnerabilities and potential threats in data centers, which can include physical threats just as much as cyber ones. Since data centers house sensitive hardware, software, and infrastructure, they are already a major target for breaches and attacks. ISO 27002 provides detailed guidelines for implementing physical security controls, including access restrictions, surveillance systems, and perimeter security, as well as the importance of biometric authentication, security badges, and restricted entry points, to prevent those attacks.

Conclusion

In an increasingly digital world where data is often considered the new currency, data centers serve as the fortresses that safeguard the invaluable assets of organizations. While we often associate data security with firewalls, encryption, and cyber threats, it’s imperative not to overlook the significance of physical security within these data fortresses. 

By assessing risks associated with physical security, environmental factors, and access controls, data center operators can take proactive measures to mitigate said risks. These measures greatly aid data centers in preventing unauthorized access, which can lead to data theft, service disruptions, and financial losses. Additionally, failing to meet compliance regulations can result in severe legal consequences and damage to an organization’s reputation.

In a perfect world, simply implementing iron-clad physical barriers and adhering to compliance regulations would completely eliminate the risk of data breaches. Unfortunately, that’s simply not the case. Both data center security and compliance encompass not only cybersecurity and physical security, but secure data sanitization and destruction as well. The best way to achieve that level of security is with an in-house destruction plan.

In-house data decommissioning allows organizations to implement and enforce customized security measures that align with their individual security policies and industry regulations. When data decommissioning is outsourced, there’s a risk that the third-party vendor may not handle the data with the same level of care and diligence as in-house teams would.

Throughout this blog, we’ve briefly mentioned that data centers should implement a chain of custody, especially during decommissioning. In-house data decommissioning and implementing a data chain of custody provide data centers the highest levels of control, customization, and security, making it the preferred choice for organizations that prioritize data protection, compliance, and risk mitigation. By keeping data decommissioning within their own control, organizations can ensure that their sensitive information is handled with the utmost care and security throughout its lifecycle.

At SEM, we have a wide range of data center solutions designed for you to securely destroy any and all sensitive information your data center is storing, including the SEM iWitness Media Tracking System and the Model DC-S1-3. 

The iWitness is a tool used in end-of-life data destruction to document the data’s chain of custody and a slew of crucial details during the decommissioning process. The hand-held device reports the drive’s serial number, model and manufacturer, the method of destruction and tool used, the name of the operator, date of destruction, and more, all easily exported into one CSV file. 

The DC-S1-3 is specifically designed for data centers to destroy enterprise rotational/magnetic drives and solid state drives. This state-of-the-art solution uses specially designed saw tooth hook cutters to shred those end-of-life rotational hard drives to a consistent 1.5″ particle size. This solution is available in three configurations: HDD, SSD, and a HDD/SSD Combo. The DC-S1-3 series is ideal for the shredding of HDDs, SSDs, data tapes, cell phones, smartphones, optical media, PCBs, and other related electronic storage media. 

The consequences of improper data destruction are endless, and statutes of limitations don’t apply to data breaches. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment. This can in turn potentially save your data center more time and money in the long run by preventing breaches early on.

SEM Introduces NSA EPL Listed High Security Solid State Disintegrator

January 24, 2023 at 8:00 am by Amanda Canale

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce that its new Model SSD2-HS high security solid state disintegrator meets the requirements of NSA/CSS 9-12 Storage Device Declassification Policy Manual. This revolutionary device is now listed on the NSA/CSS EPL and was specifically designed for the destruction of classified and highly sensitive solid state media and devices, producing an NSA mandated 2mm squared final particle size. 

“The SEM Model SSD2-HS is an exciting new addition to our long line of disintegrator devices and fills a large void within the intelligence community when it comes to classified SSD destruction,” commented Todd Busic, SEM Vice President of Sales. “This NSA listed device incorporates technologies to mitigate jams and increase operator health and safety via HEPA filters, making the SSD2-HS an industry first.”

The NSA states that in order for a solid state disintegrator to be NSA/CSS listed, it must be able to “reduce any solid state storage device to a maximum edge size of 2 millimeter or less” (NSA.Gov), making the SEM Model SSD2-HS a viable option for the destruction of end-of-life classified solid state material.

The Model SSD2-HS disintegrator has the power to cut through multiple steel plates, carriers, and other drives. The model’s dual stage cutting system features an auto unjam in both stages, robust safety features, and premium sound proofing. Together, the model’s dual stage cutting system combined with the solid steel rotor and cutting blades efficiently destroy multiple SSD-type devices.  

“The Model SSD2-HS is a state-of-the-art, clean, and revolutionary device that ensures the secure end-of-life destruction of any and all solid state devices,” commented Andrew Kelleher, SEM President and CEO. “Our engineers have been working tirelessly on this product and the device performance reflects that. Whether it’s laptop boards, thumb drives, or other memory modules, this machine can destroy it.”

In addition to powerful steel rotors, the device is equipped with premium sound dampening insulation, a waste evacuation system with high efficiency particulate filtration and external vacuum, and other features to ensure optimal operator and environmental health and safety.

“SEM has long been an innovator of high security information destruction technology and the new SSD2-HS continues that tradition of excellence,” noted Busic.

For more information on the Model SSD2-HS, visit https://www.semshred.com/explore-model-ssd2-hs/. 

Security Engineered Machinery Gives Back to Veteran Family with Operation Playhouse

March 7, 2022 at 7:25 pm by Amanda Canale

WESTBOROUGH, MA, February 23, 2022 – Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, once again partnered with Metrowest Habitat for Humanity for Operation Playhouse. The operation allows the opportunity for local Worcester County businesses to partner with veteran and military families to build and donate a playhouse to the family’s children. Each year, participating local businesses receive construction plans, paint, and a deconstructed house to build, and are given free rein to decorate the playhouses based on the children’s interests.

The SEM team decorated the playhouse for U.S. Army veteran Sgt. Christopher Cutliffe’s family. Sgt. Cutliffe served in the U.S. Army from 1998 to 2006 with a 2003 tour in Afghanistan during Operation Enduring Freedom. 

“SEM was founded by a Korean War veteran in 1967, and ever since then we have worked very closely with all branches of the military and intelligence community, so any opportunity we have to give back, we take it,” said Andrew Kelleher, SEM President. “This cause has always been so close to our hearts, and it is always an absolute honor to come together and give back to a family that has given so much to our country.”

SEM Marketing Assistant, Amanda Canale, and Customer Care Representative, Cindy Haskell, painting the playhouse’s window frames.

SEM Director of Marketing, Heidi White (left), and Marketing Assistant, Amanda Canale (right) intertwining ivy garland into the playhouse’s porch.

The SEM team took full creative control with Operation Playhouse 2022 and produced a jungle-themed playhouse for the Cutliffe family’s two small children. The playhouse, painted dark green, is adorned with bamboo, greenery, jungle-themed activity books and toys, a removable front porch with gate, and even a rope swing with jungle vines. 

“Every year, we try to take creative liberty and produce a truly unique and special playhouse,” said Amanda Canale, SEM Marketing Assistant. “Our team really outdid themselves with this year’s concept. It’s by far the most creative we have been and it was incredibly heartwarming to see it received so lovingly by the Cutliffe family.”

Members of the SEM Sales, Engineering, and Service teams working together to construct the playhouse’s roof.

SEM Director of Marketing, Heidi White, presenting Sgt. Christopher Cutliffe and his family with a certificate and the playhouse.

This is SEM’s fourth year taking part in Operation Playhouse and certainly won’t be the last. “Operation Playhouse has become a tradition here at SEM and we are eagerly awaiting next year’s opportunity,” added Kelleher.

About Habitat For Humanity

Habitat for Humanity is a global nonprofit housing organization working in local communities across all 50 states in the U.S. and in approximately 70 countries. Habitat’s vision is of a world where everyone has a decent place to live.

SEM Introduces New Line of Shredders for Commercial Data Center Market

September 1, 2021 at 9:00 am by Amanda Canale

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to introduce a new line of hard drive and solid state shredder models: the SEM Model DC-S1-3 Series. This unique series of devices is specifically designed for the destruction of enterprise rotational hard drives and solid state media, such as those found in data centers.

Designed at SEM’s Westborough, MA headquarters, the DC-S1-3 Series includes three models: the DC-S1-3 HDD for rotational hard drives, DC-S1-3 SSD for solid state drives, and DC-S1-3 HDD/SSD Combo for HDDs and SSDs. All are made in the USA and TAA compliant. 

“The DC-S1-3 series is an exciting new addition to our already extensive line of data destruction devices that was designed as a result of feedback gathered over the years from our data center clients,” commented Nicholas Cakounes, SEM CTO. “In addition to robust health and safety features, the DC-S1-3 incorporates very high torque and solid steel cutting heads to easily destroy the toughest, most dense hard drives and devices.”

The S1-3 series of devices is designed with a 3HP motor, high torque, and 3-phase power, ensuring the machines’ longevity and consistency. The S1-3 HDD and SSD both come with a single feed opening while the S1-3 HDD/SSD combo unit includes two separate feed openings and cutting chambers, one for rotational, platter-based hard drives and the other for solid state hard drives and devices.

“Our new DC-S1-3 Series fills a gap for our data center clients when it comes to end-of-life hard drive destruction,” said Ben Figueroa, SEM Strategic Account Manager. “These devices not only offer consistent and efficient drive destruction, but also feature a compact footprint, which is so critical to our data center clients.”

In addition to rotational and solid state hard drives, the DC-S1-3 Series is ideal for the shredding of data tapes, cell phones, smartphones, optical media, memory sticks, thumb drives, PCBs, and other related electronic storage media.

For more information on the DC-S1-3 series, visit https://www.semshred.com/product/model-dc-s1-3-hdd-ssd/ and watch our YouTube video.

The Growing Size of Media: Just How Much Information Can Be Stored on 1TB?

November 3, 2020 at 9:00 am by Amanda Canale

When it comes to data storage, it’s difficult for many of us to fathom just how much information can fit on a portable hard drive or basic USB thumb drive. Many of us probably haven’t even filled up our own personal hard drives or come close to it. In the age of Big Data, USBs and portable hard drives have become the technological highways that bridge data between devices.

Now let’s think about how much information and data can be stored on a one terabyte (1TB) hard drive. For reference, a 1TB hard drive is equivalent to 1,000 gigabytes (GB). Maybe a couple thousand photos? A hundred movies or so? Well, the answer may shock you so let’s break it down by media type.


Photos
Depending on the file type and size, a 1TB hard drive can hold anywhere between 250,000 and 310,000 photos. Just imagine how many family photo albums you can fill with 250,000 photos. It’s incomprehensible! Some of you may be thinking, “what would a thief want with my personal photos?” While the data stored in personal photos may not always be confidential, it’s still private and personally identifiable. This means that if a thief were to steal your 1TB drive filled with family photos, the risks of the breach can still be high as whatever information that is offered in the photographs is now fair game. The thief could find out about what kind of material possessions you own, such as cars, jewelry, and furniture, where you like to vacation, where you live, and what you look like, making future theft and targeting that much easier.

Photographs may seem low on the ladder as far as sensitive information, but they can offer up more information than you’re probably willing to give up. Take for instance last year’s U.S. Customs and Border Protection (CBP) data breach. In June 2019, the CBP released a statement that photographs and video recordings of fewer than 100,000 people and their vehicles were stolen as part of an attack on a federal subcontractor. The photographs and video recordings were used in a growing facial-recognition program to assist the CBP in tracking the identity of people entering and exiting the United States. The photographs and footage were originally taken at various American airports and land border crossings where vehicle license plates and faces were captured over a short period of time. While the thieves were not able to capture other identifying information such as passports or travel documents, this type of breach isn’t to be downplayed as the victims are now at major risk for identity theft.

Video and Audio
Home video enthusiasts can rejoice because storing all of your family videos in one place has become so much easier. A 1TB hard drive can hold up to 500 hours of high-definition 1080p video – that’s just over 20 full days! To put that into perspective, the total runtime of all the Marvel Cinematic Universe films (23 total) is approximately 50 hours – one-tenth the amount of storage.

Have a large music library? You’re in luck, too! A 1TB hard drive can hold up to 17,000 hours of audio files, totaling approximately 708 days’ worth. Still can’t fathom that much music? Imagine listening to the entire U2 studio album discography 24 times. Or listening to the entire Rolling Stones discography 15 times. Now that’s quite the road trip playlist!

Documents
Here comes the truly mind-boggling part. If we’re talking strictly Microsoft Word documents, a 1TB hard drive can hold (…wait for it…) 85 million documents. Take that in for a moment. Eighty-five million documents. A person’s entire life can fit onto a drive and still have plenty of room to spare. Bills, social security numbers, bank account information, deeds, birth certificates, and more can be stored on 1TB which makes them a gold mine for hackers and thieves.

Leslie Johnston, Chief of Repository Development for the Library of Congress, noted that a 1TB hard drive can hold as much information as one-tenth of the Library of Congress. Now that comparison makes our heads spin! It can be scary thinking about the irreparable damage hackers and thieves can cause with that much information at their fingertips.

In the United States, the average cost of a data breach can cause an organization to pay upwards of $8.9 million, averaging out approximately $146 to $250 per compromised record. Now imagine how much a breach of 85 million documents would cost. The risks of a data breach can be immeasurable, and the consequences are not always immediate. You can read more about how the purchase of in-house end-of-life data destruction equipment can save you and your organization millions of dollars here.

Clearly, a single 1TB hard drive can easily hold a lifetime’s worth of information (and then some), which is why having a secure end-of-life destruction plan is crucial in protecting that data. Protect yourself, your employees, and your company against future data breaches with one of our various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

History of Data Destruction

October 20, 2020 at 9:00 am by Amanda Canale

For thousands of years, humans have recorded and documented history, stories, and their life experiences. These written records have transformed from cave wall drawings and papyrus scrolls to printed novels and Kindle books. With the transformation of the written word, the methods of destruction have also evolved. Let’s dive into some of the history of data destruction methods and some of the key players involved.

4000 B.C. Egypt: The Invention of Papyrus
Papyrus, the world’s first ever form of paper, was invented in ancient Egypt thousands of years ago in approximately 4,000 B.C. People began using it to document history, life events, news, and stories. With the inception of recorded information came the need to destroy that information, whether to prevent confidential information from being stolen or placed into the wrong hands or destroying information that was deemed inappropriate or blasphemous. When the need for destruction would arise, without modern day shredding technology, people were forced to resort to manual destruction of papyrus scrolls. Fire was also a viable option to destroy recorded information, as seen in the 48 B.C. destruction of the Royal Library of Alexandria and its loss of 500,000 scrolls’ worth of recorded history.

1909 New York City: Abbot Augustus Low’s Paper Shredder Patent
New York City-based inventor Abbot Augustus Low is known for his invention of the first ever paper shredder in 1909. Unfortunately, Low passed away shortly after filing the shredder’s patent and was unable to manufacture it beyond just an initial prototype. His invention was primarily intended to be used in banks and counting houses.

1935-1959 Germany: From Pasta to Particles
It wasn’t until thirty years later in 1935 when the paper shredder was actually first manufactured. Adolf Ehinger created the first real paper shredder as a matter of life or death; at the time, he was living in Nazi Germany and was being questioned about the anti-Nazi literature in his garbage. Ehinger created a paper shredder that mimicked a hand-cranked pasta maker to destroy the literature and was able to successfully avoid persecution.

After this incident, Ehinger added an electric motor to his paper shredder which he was able to market and sell throughout the Cold War in the 1950s. Once his machine quickly started gaining popularity, his company, EBA Maschinenfabrik, crafted the first cross-cut paper shredder. This newer model not only shredded the documents into strips, but also sliced them into smaller pieces similar to confetti to ensure extra security.


1940s: The World’s First Degausser
After the introduction of iron ships in the late 1800s, scientists and crew members soon discovered that iron had an interesting effect on compasses and magnetic fields. It wouldn’t be until decades later when they would use this information to create the first ever magnetic degausser.

Decades later during the early days of World War II, Canadian chemist Charles F. Goodeve was working for the British Royal Navy researching methods to disarm war mines. In 1939, a British naval shore was targeted by a German mine that, luckily, had been disarmed before causing any harm. After conducting research on the now disarmed mine, Goodeve and his team were able to discover that the mines were equipped with triggers that would detonate based on the surrounding gauss level. A gauss level, named after scientist and mathematician Carl Friedrich Gauss, is a unit for measuring magnetic density. This discovery was major news back then as the British Navy was able to install electrical cables lining the circumference of their ships that would carry an electrical current, ultimately neutralizing the ship’s magnetic field. This first act of degaussing allowed the British naval ships to remain completely undetected by the Germans and enemy mines. It was this revolutionary technology that has led to modern-day degaussing of tapes and other magnetic devices.

1968: The Inception of Security Engineered Machinery
Korean War veteran and SEM founder Leonard Rosen created the first ever paper disintegrator in 1968 after the infamous Pueblo Incident. The Pueblo Incident occurred on January 23, 1968 when the USS Pueblo, a U.S. Navy intelligence vessel, was intercepted by North Korean patrol boats. In an act of desperation to protect national secrets, the Pueblo crew members began furiously trying to destroy the onboard classified information. Unfortunately, the crew was unsuccessful in its mission and was forced to surrender, leaving their attackers with free rein over the remaining documents.

In comes Leonard Rosen. This incident didn’t sit well with Mr. Rosen, a Korean War Veteran, who began to draft a better paper destruction method specifically for confidential and classified information. Within a matter of a few weeks, he had created the world’s first paper disintegrator. What makes the disintegrator different and more secure than a paper shredder is that it uses a repeating knife chopping process and screen that the particles must pass through. Disintegrator particles pass through the sizing screen in irregular shapes, sizes, and orientations and fill the waste chambers at different times, all of which makes it much more difficult to piece the now destroyed records back together.

SEM Founder Leonard Rosen with his invention, the disintegrator.

Since 1968, data destruction methods have only become more advanced and secure. The use of paper shredders has spread from government buildings alone to virtually every place of business and personal home. Shredders have steadily gained popularity over the years due to infamous incidents like the Watergate Scandal in 1973 and the Iranian Embassy siege in 1979, and are now equipped to shred magnetic drives and other forms of optical media.

For over 50 years, SEM has been the driving force behind innovative data destruction methods and has laid the groundwork for end-of-life best practices. Today, we are the industry leader for electronic media crushers and shredders, and have data destruction equipment in every U.S. embassy, military base, naval ship, and government building across the globe. We know that the best way to protect federal and personal information is to conduct all end-of-life data destruction in-house with SEM’s state-of-the-art destruction equipment.

Cost of a Data Breach vs. Hard Drive Crusher: How You Can Save Millions

October 6, 2020 at 8:15 am by Amanda Canale

In the age of Big Data, data breaches are, unfortunately, no longer a possibility of “if” but “when.” As we get deeper into the digital age, hackers and thieves no longer need to breach a facility’s physical barriers in order to steal your or your clients’ personally identifiable information (PII). They can access your confidential information through hacking the cloud, phishing company employees via email, and other more advanced virtual methods, with some resorting to the tried and true methods of dumpster diving or surfing eBay for hard drives.

From January to June 2019 there were more than 3,800 publicly disclosed data breaches that resulted in 4.1 billion records being compromised. That’s only within a six-month time window. While the rate of data breaches so far is slightly lower in 2020, there’s no real sign of it slowing down. For example, in July of this year, financial institution Morgan Stanley came under fire for an alleged data breach of their clients’ financial information after an ITAD (IT asset disposition) vendor misplaced various pieces of computer equipment storing customers’ personally identifiable information over a period of four years.

As we’ve stated in previous blogs, introducing third party data sanitization vendors into your end-of-life destruction procedure significantly lengthens the chain of custody, meaning that companies face a far higher risk of data breaches every step of the way. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties.

As the number of data breaches increases every year, so does the cost. According to the IBM and Ponemon Institute report, the cost of an average data breach in 2020 is $3.86 million, a 10% rise over the past five years. These costs range from money lost and reputation maintenance to regulatory fines and ransomware, among other direct and indirect costs. Depending on the company’s client demographic, state privacy lawyers may also need to be hired, which adds additional costs.

The most expensive type of record is client PII and the least expensive type is employee PII, with healthcare taking the cake as the number one industry in terms of average cost of a data breach. In the U.S., organizations pay on average $8.9 million per data breach, averaging out to approximately $146.00 per compromised record. For reference, a one terabyte (1TB) hard drive can hold up to 310,000 photos, 500 hours of HD video, 1,700 hours of music, and upwards of 6.5 million document pages. Multiply those document pages by the average cost per record and you have a hefty, burning hole in your company’s pockets.

On average, 61% of data breach costs are within the first year, with 24% in the next 12-24 months, and the remaining 15% more than two years later. It is because of this statistic that it is important to remember that there is no statute of limitations when it comes to data breaches. Companies with proper data security and end-of-life data destruction methods are likely to pay less in the case of a data breach, but for those with little or no protection methods in place, the cost could be astronomical. Take, for instance, British Airlines and Marriott: the two companies suffered data breaches in 2018 that cost them both upwards of $300 million.

According to the IBM report, it can take about 280 days for a company to identify and contain a data breach. Unfortunately, some companies may not be aware of these data breaches within that time, which can increase the cost of the prolonged breach. Marriott and Morgan Stanley had only discovered their data breaches after they had both been hacked over a four-year period. In cases like these, time really is money.

The consequences of improper data destruction are endless. It’s why we at SEM stress that companies handling confidential information opt for in-house end-of-life destruction as their sole destruction method. By purchasing an in-house IT crusher, such as our Model 0101 Automatic Hard Drive Crusher, companies have complete oversight and can be certain that their clients’ information has been securely destroyed. As we’ve learned, a reactionary approach is simply not enough.

Our Model 0101 has the capability to destroy all hard drives regardless of size, format, or type up to 1.85” high, which includes desktop, laptop, and server drives. With a simple push of a button, our crusher delivers 12,000 pounds of force via a conical punch that causes catastrophic damage to the drive and its internal platter, rendering it completely inoperable. That’s a lot of force. This model has a durability rating from the National Security Agency (NSA) of 204 drives per hour but has the ability to destroy up to 2,250 laptop drives per hour.

When comparing the cost of our Model 0101 at $5,066.88 (and an average lifespan of ten years) to a possible data breach resulting in millions of dollars, the right answer should be simple: by purchasing in-house end-of-life data destruction equipment, your company is making the most cost-effective, safest, and most secure decision. Think of it as VERY inexpensive insurance!

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Security Engineered Machinery Destruction Devices Showcased in Google Data Center Security Video

September 21, 2020 at 5:17 pm by Amanda Canale

Security Engineered Machinery (SEM), global leader in high security end-of-life data destruction, was recently showcased in Google’s Data Center – Security Risk and Management video. The video, which was published to YouTube, showcases Google’s abundant commitment to data protection by virtually touring visitors through each step of the multi-layered security system.

The video details the six-layer security system that protects data within all Google data centers, ranging from smart fences and patrols that surround the edges of a data center property to the critical physical destruction of hard disk drives (HDDs) and solid state drives (SSDs) once they have reached the end of their useful life. Each additional measure adds a level of complexity and specificity, as even entering the building after initial security outside requires an extra identification check and an iris scan.

The sixth and final layer, which consists of erasing and physically destroying HDDs and SSDs, is showcased at the end of the video with SEM hard drive destruction equipment. Custom engineered to Google’s specifications, the devices shred high volumes of enterprise drives into tiny strips of metal, effectively destroying the platters of the drives, rendering them completely useless.

SEM hard drive destruction equipment can be seen in use in Google’s Data Center – Security Risk and Management video.

“SEM has always been about protecting information from those who wish us harm,” said Andrew Kelleher, CEO and President of SEM. “After 50 years of working with the US Government to protect classified information, it only makes sense for our business to extend to protect individual citizens’ information as well in areas like data centers that house private, sensitive information,” Kelleher added.

The physical destruction location is referred to as “the mysterious sixth layer” by Wong, the narrator of the video. The smallest number of building personnel are allowed in this data destruction room, where drives must be passed through a locker system to even reach the inside of the room.

“We are honored to have our machines in use by one of tech’s greatest innovators,” commented Ben Figueroa, Strategic Account Manager at SEM. “We pride ourselves on having the most efficient, secure end-of-life solutions for sensitive data, and to be showcased in this video by one of the world’s largest data holders is a sign we are continuing to engineer our products with the future in mind.”

SEM additionally manufactures destruction devices that are capable of destroying paper, optical media, SSDs, and other electronic media devices for commercial and government clients around the world.

Why Data Centers Need Formal Data End-Of-Life Processes

December 16, 2019 at 4:02 pm by Paul Falcone

Concerns about data security and privacy are no longer restricted to just IT and security professionals. Due to more mainstream security breaches—as well as documentaries like Netflix’s The Great Hack—people everywhere are now concerned about the disturbing implications of today’s data-saturated, data-driven cultural environments.

Data centers are at the heart of both the problem and solution regarding sensitive data storage, security, and decommissioning. Many people falsely believe data centers are becoming obsolete because of the omnipresent cloud; in reality, cloud data is reliant on reimagined data centers being able to handle the ever-increasing capacity of data that is transferred. A 2016 study estimates that global IP traffic will reach 3.3 zettabytes by 2021. (If that doesn’t sound too impressive, consider that one zettabyte is equal to one sextillion bytes or one trillion gigabytes.)

 

The costs of setting up and maintaining a data center can be astronomical. Even if situated on existing property, data centers cost an estimated $200 per square foot to build. This figure does not include the tens of thousands of dollars that could be spent to have fiber installed to reach the location, nor the daily operating expenses the facility incurs in and of itself.

To maximize ROI, data center operators often skimp on hardware and software upgrades/installations when their current system has reached end-of-life. Some operators also waste physical space storing old equipment that contains sensitive or classified data because they lack the means to destroy it. Many data centers rely on third-party on-site or off-site solutions that may be ineffective; in fact, these “solutions” can often end up costing exorbitant amounts in instances like breaches of equipment that unjustifiably “escaped” destruction. Ultimately, the failure to create and act on a thorough in-house end-of-life process can cost data centers in several respects, including lost business to better-equipped, more-secure facilities and financial penalties for noncompliance with regulations like HIPAA, PIPEDA, or the GDPR.

The Importance of Having an In-house Data Security and Destruction Process

The first rule of data security is to maintain control of the data throughout its entire lifecycle—something that’s simply not possible when using a third-party destruction vendor. A 2017 study from Kroll Ontrack demonstrates how assurances from third parties often prove meaningless. The company purchased 64 used drives on eBay and discovered that many of them still contained sensitive information despite the sellers’ assertions that the devices had been effectively wiped. In 2009, BT’s Security Research Centre headed a study examining the purchase of 300 secondhand hard disks. Alarmingly, one disk contained classified details regarding the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system used to shoot down Scud missiles in Iraq.

It’s an eye-opening reminder: To guarantee complete, error-free data end-of-life destruction, data centers must assume firsthand control and oversight of the underlying processes.

Managing End-Of-Life Hardware and Software

A crucial component of a thorough end-of-life process will address the technology used to store and encrypt data. As technology marches forward, manufacturers are constantly releasing new hardware and software versions to ensure systems can be kept current with regard to efficiency and security functionality and capabilities. Over time, manufacturers stop offering tech support, updates, and critical patches to products that are discontinued, giving cybercriminals ample opportunities to exploit security vulnerabilities and breach outdated security firewalls. Specifically, widespread damage—including corruption and theft of data—can occur if end-of-life technologies (e.g., operating systems) are still used by facilities like data centers. For example, Microsoft stopped offering mainstream support in 2011 and extended support in 2014 for Windows XP. Despite this, VICE’s Motherboard found that London’s Metropolitan Police had over 35,000 computers still running the aging operating system well into 2015. Since a police department houses a great deal of sensitive data, such a situation is highly disconcerting.

All data centers should employ a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) to manage their end-of-life plans for all data and equipment. As manufacturers release new software and hardware, it is imperative to ensure that current systems are still supported and that a plan exists to replace or destroy outdated equipment before it becomes vulnerable.

Wiping or Storing Old Equipment is not Sufficient

Don’t be swayed by claims alleging that saving the environment requires that old hard drives or machines still be functional in order to be recycled. The reality is that thoroughly destroyed hard drives can just as easily have their materials harvested for recycling. By not destroying hard drives and relying on data wipes instead, data centers greatly increase the chances that the data survives and that it can fall into the hands of whoever purchases or finds the devices.

Many organizations retain outdated devices simply because they are unsure how to dispose of them. Moreover, these companies often falsely assume that literally “closeting” these devices (and their embedded data) somehow eliminates all possible risks of data theft.

Given the realities of life, however, that’s a dangerous assumption. Remember that data is always subject to theft or corruption as long as it remains intact (in fact, as long as humans are subject to making mistakes or being anything less than one-hundred-percent vigilant!). Case in point: In 2015, Fortune 500 health insurance provider Centene Corporation realized that six unencrypted hard drives containing protected health information for 950,000 people went missing. And in August of 2019, the New York City Fire Department lost a hard drive containing over 10,000 medical records.

The most effective solution involves in-house destruction of data storage devices, including highly durable enterprise-class hard drives, to NSA standards. By owning in-house destruction equipment, you will save costs over the long term—not just by avoiding third-party service fees, but also by mitigating the risks and avoiding the catastrophic consequences of a major data breach and the associated regulatory fines. Companies like SEM offer a wide variety of NSA-rated equipment to handle all your in-house data destruction needs; in fact, SEM is the only manufacturer offering equipment that’s capable of destroying enterprise-class drives like those used in data centers.

SEM 2 in 1 Crusher for Either HDD or SSD Media

June 13, 2018 at 4:04 pm by SEM

WESTBORO, MA — The SEM Model 0101, an NSA evaluated and listed destruction device for all computer hard drives regardless of their size, format or type, can now be factory configured for dual media destruction of either HDD or SSD media. The Model 0101 Hard Drive Crusher from Security Engineered Machinery has long been the choice of the Federal Government, US Military and Fortune 1000 companies for physical destruction of HDDs.

The SEM Model 0101 Crusher can now be purchased with a factory installed SSD Kit allowing the system to perform dual media destruction of either HDDs or SSDs. The SSD Kit consists of a specially designed hardened steel anvil with 292 piercing spikes, an SSD Wear Plate, and an SSD Press Plate. The large number of spikes on the anvil ensures each data bearing chip is damaged during the operating cycle. Solid State media that can be destroyed include memory sticks and circuit/controller boards found on hard drives, SSD drives, cell phones, tablets and similar devices up to 5.39” x 5.39” (137mm x 137mm).

The Model 0101 with integrated SSD Kit also includes a standard HDD anvil and can be easily exchanged in the field for the destruction of conventional hard drives and other rotational magnetic media.

Offices, hospitals, data centers, and other facilities can destroy confidential/sensitive information in a timely manner in accordance with government regulations and industry standards (HIPAA, FACTA, SOX, PCI DSS, etc.). The Model 0101 also satisfies National Security Agency requirements for physical destruction of rotational drives after they have been degaussed in an NSA-listed degausser.

The unit is compact, portable (22”H x 10”W x 19”D, 105 lbs.), quiet and virtually vibration free. It operates on standard 120V power; international voltages are also available. A safety interlock prevents the unit from functioning while the door is open, and the Model 0101 is the only crusher on the market that allows hard drives to be crushed with carriers still attached.

Security Engineered Machinery (“SEM”), ISO 14001 registered, is a global supplier of information security solutions and the largest producer of data-destruction equipment in the United States. It operates a manufacturing and design facility adjacent to its headquarters in Westboro, Massachusetts. SEM’s full-service engineering department designs custom systems, such as high volume centralized security destruction systems with integrated waste briquetting and evacuation systems in use by the Federal Government and commercial entities. SEM’s areas of expertise include the design and production of destruction equipment for any type of data storage media from paper to hard drives to solid state, where data security and end of life measures are essential.

For more information, contact James T. Norris, Norris & Company, 264 Bodwell Street, Avon, MA 02322 Tel: (508) 510-5626, FAX: (508) 510-4180, E-mail: jim@norrisco.com