Why Data Centers Need Formal Data End-Of-Life Processes

December 16, 2019 at 4:02 pm by Paul Falcone

Concerns about data security and privacy are no longer restricted to just IT and security professionals. Due to more mainstream security breaches—as well as documentaries like Netflix’s The Great Hack—people everywhere are now concerned about the disturbing implications of today’s data-saturated, data-driven cultural environments.

Data centers are at the heart of both the problem and the solution regarding sensitive data storage, security, and decommissioning. Many people mistakenly believe data centers are becoming obsolete because of the omnipresent cloud; in reality, cloud data relies on reimagined data centers that can handle the ever-increasing volume of data being transferred. A 2016 study estimates that global IP traffic will reach 3.3 zettabytes by 2021. (If that doesn’t sound too impressive, consider that one zettabyte is equal to one sextillion bytes or one trillion gigabytes.)

The costs of setting up and maintaining a data center can be astronomical. Even if situated on existing property, data centers cost an estimated $200 per square foot to build. This figure does not include the tens of thousands of dollars that could be spent to have fiber installed to reach the location, nor the daily operating expenses the facility incurs in and of itself.

To maximize ROI, data center operators often skimp on hardware and software upgrades/installations when their current system has reached end-of-life. Some operators also waste physical space storing old equipment that contains sensitive or classified data because they lack the means to destroy it. Many data centers rely on third-party on-site or off-site solutions that may be ineffective; in fact, these “solutions” can often end up costing exorbitant amounts in instances like breaches of equipment that unjustifiably “escaped” destruction. Ultimately, the failure to create and act on a thorough in-house end-of-life process can cost data centers in several respects, including lost business to better-equipped, more-secure facilities and financial penalties for noncompliance with regulations like HIPAA, PIPEDA, or the GDPR.

The Importance of Having an In-house Data Security and Destruction Process

The first rule of data security is to maintain control of the data throughout its entire lifecycle—something that’s simply not possible when using a third-party destruction vendor. A 2017 study from Kroll Ontrack demonstrates how assurances from third parties often prove meaningless. The company purchased 64 used drives on eBay and discovered that many of them still contained sensitive information despite the sellers’ assertions that the devices had been effectively wiped. In 2009, BT’s Security Research Centre headed a study examining the purchase of 300 secondhand hard disks. Alarmingly, one disk contained classified details regarding the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system used to shoot down Scud missiles in Iraq.

It’s an eye-opening reminder: To guarantee complete, error-free data end-of-life destruction, data centers must assume firsthand control and oversight of the underlying processes.

Managing End-Of-Life Hardware and Software

A crucial component of a thorough end-of-life process addresses the technology used to store and encrypt data. As technology marches forward, manufacturers are constantly releasing new hardware and software versions so that systems can be kept current in efficiency, security functionality, and capabilities. Over time, manufacturers stop offering tech support, updates, and critical patches for discontinued products, giving cybercriminals ample opportunities to exploit security vulnerabilities and breach outdated security firewalls. Specifically, widespread damage—including corruption and theft of data—can occur if end-of-life technologies (e.g., operating systems) are still used by facilities like data centers. For example, Microsoft stopped offering mainstream support in 2011 and extended support in 2014 for Windows XP. Despite this, VICE’s Motherboard found that London’s Metropolitan Police had over 35,000 computers still running the aging operating system well into 2015. Since a police department houses a great deal of sensitive data, such a situation is highly disconcerting.

All data centers should employ a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) to manage their end-of-life plans for all data and equipment. As manufacturers release new software and hardware, it is imperative to ensure that current systems are still supported and that a plan exists to replace or destroy outdated equipment before it becomes vulnerable.

Wiping or Storing Old Equipment is not Sufficient

Don’t be swayed by claims alleging that saving the environment requires that old hard drives or machines still be functional in order to be recycled. The reality is that thoroughly destroyed hard drives can just as easily have their materials harvested for recycling. By not destroying hard drives and relying on data wipes instead, data centers greatly increase the chances that the data survives and that it can fall into the hands of whoever purchases or finds the devices.

Many organizations retain outdated devices simply because they are unsure how to dispose of them. Moreover, these companies often falsely assume that literally “closeting” these devices (and their embedded data) somehow eliminates all possible risks of data theft.

Given the realities of life, however, that’s a dangerous assumption. Remember that data is always subject to theft or corruption as long as it remains intact (in fact, as long as humans are subject to making mistakes or being anything less than one-hundred-percent vigilant!). Case in point: In 2015, Fortune 500 health insurance provider Centene Corporation realized that six unencrypted hard drives containing protected health information for 950,000 people had gone missing. And in August of 2019, the New York City Fire Department lost a hard drive containing over 10,000 medical records.

The most effective solution involves in-house destruction of data storage devices, including highly durable enterprise-class hard drives, to NSA standards. By owning in-house destruction equipment, you will save costs over the long term—not just by avoiding third-party service fees, but also by mitigating the risks and avoiding the catastrophic consequences of a major data breach and the associated regulatory fines. Companies like SEM offer a wide variety of NSA-rated equipment to handle all your in-house data destruction needs; in fact, SEM is the only manufacturer offering equipment that’s capable of destroying enterprise-class drives like those used in data centers.