NSA vs NAID – What’s the Difference?

November 29, 2018 at 3:41 pm by SEM

There are many types of paper shredders on the market today. Paper shredders are designed and manufactured to produce a variety of security end results, known as the shred type or “size”. When shopping around, types such as strip-cut, straight-cut, and cross-cut models will start to pop up. Strip-cut and straight-cut models, though still available, are rarely used for high security destruction: a strip leaves whole lines of text readable, and strip shredding also generates a large volume of bulky waste. When it comes to security, the smaller the particle size the better, which is why cross-cut shredders rule the shredding world wherever classified or confidential information is being protected.

Some organizations oversee aspects of secure destruction, such as the National Association for Information Destruction (NAID), which requires that material be destroyed to a particle or cross-cut end result. Almost every data regulation in the U.S. requires organizations to have written data protection policies and to put procedures in place to protect their information. These regulations require that data protection processes be identified; however, none of them dictates a specific particle size that must be met.

The National Security Agency (NSA) has the highest standard and requirements for destroying classified material. The NSA evaluates and tests shredders and compiles a list of approved models that meet its security standard for destruction. Some government agencies and shredder companies refer to this as a “level 6” shredder, but the NSA does not use that term. The NSA/CSS Evaluated Products List (EPL) for Paper Shredders is the definitive guide by which the entire DoD community is governed for the destruction of classified paper. This is the highest level of security shredding: the shred size must not exceed 0.8 mm x 4 mm. The NSA/CSS EPL is updated annually; shredders are added and ratings modified based on re-evaluation and retesting. Older shredder models are not removed from the EPL.

When dealing with the destruction of any classified material, your own security destruction regulations mandate that you follow the NSA guidelines and purchase an approved shredder from the NSA/CSS Evaluated Products List. Using a shredder that is not on the list could result in a failed security inspection.

NAID standards require you to use a particle or cross-cut shredder. The same guidelines apply should you elect to contract with a commercial destruction service: a NAID certified provider will adhere to those same standards.

Bottom line: know what your data security destruction requirements are, and follow whatever governs your information destruction program.

The Missing Link in Cloud Security

November 16, 2018 at 4:16 pm by Heidi White

Definition of Cloud Security from the Cloud Security Alliance (CSA):
Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Recently, there has been a hyper focus on cloud security, and with good reason. According to a report by McAfee titled “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,” cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms, with engineering and government having the highest adoption of private clouds. Amazingly enough, this surge in cloud adoption is not matched by security and trust: only 23% of organizations today trust public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.

These statistics indicate that cloud security is lagging far behind cloud storage and adoption, much like cell phone batteries. Cell phone technology continues to advance at an exponential rate while cell phone battery technology advances sluggishly at best. As a result, cell phone battery life remains a major consumer issue regardless of the technological advancements made by cell phone manufacturers. What good is a beautiful, high resolution screen with a lightning fast processor if the battery cannot handle the load? Likewise, cloud security threats have escalated alongside cloud data expansion, due in large part to the sheer number of records now being stored. For example, the number of data breaches from 2014 to 2015 actually decreased, while the number of compromised records containing sensitive information more than doubled, from 67 million to 159 million, in the same period. The decreased number of breaches reflects the consolidation of cloud data storage providers, and yet the large increase in compromised records shows that one data breach affects far more records today than it did just five years ago.

As a result of the serious challenges presented by cloud data security, numerous methodologies have been recommended in an effort to combat the reputation damage and astronomical cost associated with compromised data. Some of the more frequently utilized controls include user authentication, encryption of data both in transit and at rest, ongoing vulnerability testing, role-based access control (RBAC), intrusion detection and prevention technology, and staff training. In addition, the establishment and enforcement of cloud security policies is critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, endpoint security, user controls, and security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans: an end-of-life policy.

Cloud providers who actually define an end-of-life strategy are rare, and a comprehensive program is rarer still. Many providers wrongly assume that erasing or overwriting a disk is sufficient, or, less soundly still, that a failed drive is exactly that: failed and non-recoverable. Neither assumption holds. Deleting files or quick-formatting a drive removes only the file system's references to the data, and drives “erased” that way have shown up on eBay with sensitive information intact. A host-side overwrite never reaches sectors the drive's firmware has retired and remapped to spare areas, nor the over-provisioned cells of an SSD, so original data can survive there. And a drive that has failed electronically typically still has intact media that a data recovery lab can read once the electronics are repaired or the platters are transplanted. Criminals and thieves tend to be one step ahead of security and law enforcement initiatives, and cyber criminals are no exception.
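The three failure modes above (a delete that touches no data, an overwrite that cannot reach a remapped sector, and media that outlives the drive electronics) can be shown with a small model. The following Python block is an added illustration, not code from SEM or from any drive vendor: it builds a constructed toy drive with a host-visible LBA map and a few spare blocks, writes a made-up customer record, and then carves the raw bytes the way a recovery tool would, once from the host's view and once from the "platter" view a lab would get. The record, the block sizes, and the remap behaviour are all assumptions chosen for the demonstration.

```python
"""Toy drive model: why 'erased' and 'overwritten' media can still hold data.

Constructed example (not a real drive, file system, or vendor tool).
"""
import re

BLOCK_SIZE = 64      # tiny blocks keep the demo readable (assumption)
LBA_COUNT = 16       # host-visible logical blocks (assumption)
SPARE_COUNT = 2      # spare blocks firmware uses for remapping (assumption)

# Constructed sample record; the SSN is the token a carver will look for.
SAMPLE_RECORD = b"name=Ada Lovelace,ssn=123-45-6789,card=4111111111111111\n"
SSN_PATTERN = re.compile(rb"\d{3}-\d{2}-\d{4}")


class ToyDrive:
    """LBAs map onto physical blocks; spare blocks are not LBA-addressable."""

    def __init__(self):
        self.physical = [bytearray(BLOCK_SIZE) for _ in range(LBA_COUNT + SPARE_COUNT)]
        self.lba_map = list(range(LBA_COUNT))   # lba -> physical block index
        self.next_spare = LBA_COUNT
        self.directory = {}                      # filename -> [lba, ...]

    def write_lba(self, lba, data):
        self.physical[self.lba_map[lba]][:] = data.ljust(BLOCK_SIZE, b"\0")

    def write_file(self, name, payload, first_lba):
        chunks = [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)]
        lbas = list(range(first_lba, first_lba + len(chunks)))
        for lba, chunk in zip(lbas, chunks):
            self.write_lba(lba, chunk)
        self.directory[name] = lbas

    def delete_file(self, name):
        """What rm or a quick format does: drop the directory entry, touch no data."""
        del self.directory[name]

    def remap_sector(self, lba):
        """Firmware retires a weak sector: data is copied to a spare, old block orphaned."""
        old = self.lba_map[lba]
        new = self.next_spare
        self.next_spare += 1
        self.physical[new][:] = self.physical[old]
        self.lba_map[lba] = new

    def overwrite_all_lbas(self, fill=b"\0"):
        """Host-side wipe: every LBA is overwritten, but only LBAs are reachable."""
        for lba in range(LBA_COUNT):
            self.write_lba(lba, fill * BLOCK_SIZE)

    def host_image(self):
        """What the host (or a wipe-verification read) sees through the LBA map."""
        return b"".join(bytes(self.physical[self.lba_map[l]]) for l in range(LBA_COUNT))

    def platter_image(self):
        """Everything on the media, including orphaned blocks a lab could read."""
        return b"".join(bytes(b) for b in self.physical)

    def destroy_media(self):
        """Stand-in for degaussing/crushing: no physical block survives."""
        for block in self.physical:
            block[:] = b"\0" * BLOCK_SIZE


def carve(image, pattern=SSN_PATTERN):
    """File-system-agnostic scan of raw bytes, as a recovery tool would do."""
    return [m.group(0) for m in pattern.finditer(image)]


def run_demo():
    """Returns what a carver finds at each stage of a typical 'erase' lifecycle."""
    drive = ToyDrive()
    drive.write_file("customers.csv", SAMPLE_RECORD, first_lba=3)
    results = {}
    drive.delete_file("customers.csv")                 # 1. "erased" by the file system
    results["after_delete"] = carve(drive.host_image())
    drive.remap_sector(3)                              # 2. firmware retires that sector
    drive.overwrite_all_lbas()                         #    then the host wipes all LBAs
    results["after_overwrite_host_view"] = carve(drive.host_image())
    results["after_overwrite_platter"] = carve(drive.platter_image())
    drive.destroy_media()                              # 3. physical destruction
    results["after_destroy_platter"] = carve(drive.platter_image())
    return results


if __name__ == "__main__":
    for stage, hits in run_demo().items():
        print(f"{stage:28s} -> {hits}")
```

The point of the two image views is the practical check: a wipe verified only by reading the device back through its own interface proves nothing about blocks the firmware no longer exposes, which is why physical destruction of the media, not a host-side read-back, is what closes the loop.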

Degaussing followed by crushing is one hard drive sanitization method approved by the NSA. Note that degaussing only affects magnetic media; it does nothing to the flash in a solid state drive, which must be destroyed by other means.

Fortunately, many compliance regulations do address data end-of-life, which is why any cloud provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent NSA requirements, these regulations exist to keep sensitive data and personally identifiable information from falling into the wrong hands, whether through firewall vulnerabilities or data retrieval at drive end-of-life. In-house data destruction is the ideal way to securely manage drives at end-of-life; however, the method of data destruction varies greatly depending on volume, location, regulatory requirements, and operational procedures. Many data destruction devices are available, from high security disintegrators capable of handling up to 500 drives per hour to enterprise specific, portable, and NSA listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should conduct a thorough evaluation to determine which solutions best fit their needs. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction.

Many third-party providers offer drive end-of-life services, including degaussing and crushing as well as shredding. But while it is possible to outsource data disposal to third parties, it is NOT possible to outsource risk. Therefore, security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal. By maintaining a proactive approach to security operations, companies and businesses can reduce the reputation degradation, frantic clean-up, and astronomical cost that typically comes with a reactive approach. Cloud security should not and cannot follow the path of the cell phone battery without disastrous consequences.

Todd Busic Promoted to Vice President of Security and Intelligence Operations at Security Engineered Machinery

June 28, 2018 at 2:29 pm by Heidi White

Growing secure data destruction device manufacturer enhances government relations and client care with key promotion

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce that D. Todd Busic has been promoted to Vice President of Security and Intelligence Operations. The announcement was made by Andrew Kelleher, President and CEO of SEM. Mr. Busic has been with SEM for 19 years and has targeted expertise in federal contract negotiation, federal BPAs, and green destruction facilities. He also has extensive experience with security and intelligence operations, global business development, project management, and international and domestic federal sales.

“Todd’s vision for the company, robust experience, and unparalleled integrity make him a perfect fit for a senior leadership position here at SEM,” said Mr. Kelleher. “I am confident that Todd’s business acumen and customer centricity will enable SEM to enhance relations with our extensive government client base while also expanding our commercial division.”

“I am thrilled to receive this promotion,” commented Mr. Busic. “I am very passionate about security and data privacy, which aligns perfectly with SEM’s mission and vision. I take pride in and truly appreciate the expansive government associations I have forged over the last 19 years. Relationships formed with integrity and trust are the cornerstones of building success. I look forward to the new challenge of expanding the business by augmenting product and service offerings as well as enhancing client relations.”

Mr. Busic will also be responsible for interactions with the NSA Center for Storage Device Sanitization. He will be working out of the company’s Virginia office.