OPINION: Securing your (data’s) retirement


3 Aug 2010


Paul Hands looks at the options for disposing of critical information correctly when a hard disk reaches the end of its days.

Data security is an ever-present concern for all companies. If you handle or store customer or other personally identifiable information, you have legal responsibilities in most countries to safeguard it. For many other companies, internal data is their crown jewels and losing or inadvertently disclosing it can mean the difference between survival and death in competitive markets.

An additional concern is that regulatory compliance requirements mean that control of access to data is a mandatory requirement for doing business at all. This affects all aspects of a business – a common example is Sarbanes-Oxley compliance for financial information having effects on IT systems, such as databases and reporting tools.

Many of these aspects are well understood and solutions are available. However, some are not so obvious and it is one of those I will talk about here: do you know what happens to data on your company’s hard disk drives (HDDs) when they fail or when machines are retired or replaced?

Two years ago, I was asked by a major bank to take delivery of a server which was being replaced and to erase the data still on the HDDs for them. I refused, because that would have meant accepting responsibility for their data, and certifying destruction. I was shocked to find that a company of this sort did not have a pervasive and comprehensive approach to data removal.

Hardware failures or replacements

Most of the time, when hardware fails, you just repair or replace it and move on without giving it another thought. In large installations like data centres, the most common hardware failures tend to be RAM modules and HDDs. RAM failures have no lasting data security implications: DRAM is volatile and loses its contents shortly after power is removed. Hard disk drive failures do have consequences because HDDs are persistent storage – the data is still there when the power is removed, whether or not the drive still works. Disks fail in different ways, so let’s look more closely at this.

Many of you will have heard that ominous noise from your laptop or desktop PC – grinding, scraping or clicking noises which are different and usually louder than normal, fault-free disk operation. Your hard disk is about to die! That is a soft or partial failure. The other kind is complete and total death of the drive; the machine won’t boot at all, and the drive doesn’t show up at boot time, or shows as faulty.

Partial or soft HDD failure

In these cases, the HDD is still operating, but is likely having to work around faulty patches on the disk surfaces, and is doing a lot of error correction and multiple re-reads of certain places on the disk. The sensible thing is to immediately back up any changes since your last backup (you do have regular backups, don’t you?) and have the drive replaced.

Total HDD failure

The HDD is electrically dead. (You dropped your laptop at airport security; a power failure caused the HDD to fail when the power came back on …) In this case, the disk is replaced anyway, and hopefully that resolute backup policy saves you from the worst, right?

HDD upgrades and replacements

So, you ran out of space on your laptop or your server, and the obvious answer is to swap the HDD for a newer, faster and bigger model. No backup issues or loss of work here.

Now there are all these removed HDDs …

… Usually sitting in a cupboard shelf somewhere, often not even particularly secured or locked away. What do we do with them? The obvious answers are: get rid of them or re-use them if they are still good. In large enterprises, good HDDs are sometimes sold off to the second-hand market in bulk.

Electrically dead HDDs are thrown out (hopefully recycled in an environmentally responsible way). Soft failures shouldn’t be thrown out, as the data on them is still readable. Unfortunately, they often are.

No matter how that HDD ended up in the disposal queue, there is still data on it. How do you deal with this? The first thought, for good HDDs or soft fails, is to format them, right? Unfortunately not. Formatting a disk, especially with a quick format like the one Windows offers by default, does not remove the data. It rewrites only the file system’s bookkeeping structures (boot sector, allocation tables, directory entries); the file contents themselves stay on the platters until something else happens to overwrite them. Deleting files or partitions has the same weakness.

It is very easy to use commonly available tools to copy the data and to reconstruct it. Over the years, I’ve used the Linux/Unix utility, dd, to copy a HDD to a big file and then used ordinary file editors to browse the contents at will. Given an idea of what you are looking for, it’s relatively simple to piece together many files, especially text-based ones.
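The quick-format point in miniature, as an added example (not the author’s tooling). The disk image and its toy file system are constructed in memory so the script runs offline; an analyst would instead start from a raw image taken with `dd if=/dev/sdb of=disk.img bs=1M conv=noerror,sync` and run `strings -n 8 disk.img | grep -i customer` over it. The on-disk layout (sector 0 boot sector, sector 1 directory, data from sector 8) is invented for the demo.

```python
"""Why a quick format is not erasure (added example, not code from the
article). Toy file system: sector 0 holds a signature, sector 1 the
directory, user data starts at sector 8. Quick-formatting rewrites only
the metadata sectors; carving the raw image still finds every record."""
import re

SECTOR = 512
META_SECTORS = 8           # sectors 0-7: fake boot sector + directory
DATA_START = META_SECTORS  # user data begins at sector 8

def build_image(records, sectors=64) -> bytearray:
    """Lay out `records` one per data sector, with a 10-byte directory
    entry (8-byte name, 2-byte start sector) per record in sector 1."""
    img = bytearray(sectors * SECTOR)
    img[0:8] = b"FAKEFS01"
    for i, rec in enumerate(records):
        entry = b"REC%05d" % i + (DATA_START + i).to_bytes(2, "little")
        off = SECTOR + 16 * i
        img[off:off + len(entry)] = entry
        data_off = (DATA_START + i) * SECTOR
        img[data_off:data_off + len(rec)] = rec
    return img

def directory_entries(img) -> list:
    """What the file system (and so the OS) can see: walk the directory."""
    entries = []
    for off in range(SECTOR, 2 * SECTOR, 16):
        name = bytes(img[off:off + 8])
        if name == b"\x00" * 8:
            break
        start = int.from_bytes(img[off + 8:off + 10], "little")
        entries.append((name.decode("ascii"), start))
    return entries

def quick_format(img) -> None:
    """Model of a quick format: only the metadata sectors are rewritten.
    The data area is left exactly as it was."""
    img[0:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)
    img[0:8] = b"FAKEFS02"

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")

def carve_strings(img) -> list:
    """What an analyst sees: every run of 8+ printable bytes anywhere on the
    raw image, file system or not (the equivalent of `strings -n 8`)."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(bytes(img))]

def demo() -> dict:
    records = [  # constructed sample records, not real data
        b"Customer: Jane Doe, account 00012345, DOB 1970-01-01",
        b"Customer: Omar Khan, account 00012346, DOB 1985-06-30",
    ]
    img = build_image(records)
    before = directory_entries(img)
    quick_format(img)
    return {
        "entries_before_format": before,
        "entries_after_format": directory_entries(img),
        "carved_after_format": carve_strings(img),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

After `quick_format` the directory is empty and the OS would report a blank disk, yet `carve_strings` returns both customer records intact: nothing touched the data area. The same holds for a real FAT or NTFS quick format, which is why the only acceptable answers are a full overwrite or physical destruction.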

How do I get rid of that data?

For HDDs which are still accessible to an operating system, the answer is erasure by overwriting: every addressable sector of the raw device is rewritten, not just the file system’s metadata. A commonly accepted mechanism for this is the three-pass method of the US DoD 5220.22-M standard. In essence, the whole disk is overwritten with all zeroes, then all ones, then with random data, and a final pass reads the disk back to verify the random data. Two practical caveats. First, the overwrite must target the whole device (on Linux /dev/sdX, not a partition or a file), otherwise slack space and unpartitioned areas are missed. Second, sectors the drive has already remapped as bad, which is exactly the state of a soft-failed drive, are no longer addressable by the host and are not touched by a software overwrite; the drive’s own firmware erase (ATA Secure Erase, invoked on Linux with hdparm --security-erase or the enhanced variant, which is specified to cover reallocated sectors) reaches them, and if the drive will not complete that, treat it as unerasable and destroy it. For HDDs which are electrically dead, the answer is mechanical destruction. I have much experience with a simple hydraulic device which crushes single HDDs beyond recovery. They cost less than $10,000 in single-unit quantities. For bulk operations, a certified bulk crushing company is a better option.
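The three-pass overwrite with read-back verification, as an added example (not the author’s procedure or a reference implementation of the standard). The random pass is generated from a SHA-256 counter-mode keystream keyed on a fresh random seed, so the verify pass can regenerate it byte for byte without keeping a copy of the pattern on another disk. The demo runs on a temporary file; in practice the path is the raw block device (for example /dev/sdb, as root), which is an assumption of this example, not something the article specifies.

```python
"""Three-pass overwrite (zeros, ones, random) with verification of the
final pass (added example, not code from the article). Works on any path
that can be opened read/write: a temp file for the demo, a raw block
device such as /dev/sdb in practice. Host-side overwriting cannot reach
sectors the drive has already reallocated; use the drive's firmware erase
or destroy the drive for those."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write, like `dd bs=1M`

def keystream(seed: bytes, offset: int, length: int) -> bytes:
    """Bytes [offset, offset+length) of SHA256(seed || counter) for
    counter = 0, 1, 2, ... (32-byte blocks), regenerable for verification."""
    first = offset // 32
    last = (offset + length + 31) // 32
    blocks = b"".join(hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
                      for i in range(first, last))
    start = offset - first * 32
    return blocks[start:start + length]

def media_size(path: str) -> int:
    """os.path.getsize() reports 0 for block devices; seeking to the end
    works for regular files and devices alike."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def overwrite(path: str, pattern, size: int) -> None:
    """Write pattern(offset, n) over every byte of the media, then fsync
    so the data actually reaches the drive before the next pass."""
    with open(path, "r+b") as f:
        off = 0
        while off < size:
            n = min(CHUNK, size - off)
            f.write(pattern(off, n))
            off += n
        f.flush()
        os.fsync(f.fileno())

def verify(path: str, pattern, size: int) -> bool:
    """Read the media back and compare it with the expected pattern."""
    with open(path, "rb") as f:
        off = 0
        while off < size:
            n = min(CHUNK, size - off)
            if f.read(n) != pattern(off, n):
                return False
            off += n
    return True

def three_pass_erase(path: str) -> bool:
    """Zeros, ones, random, then verify the random pass. Returns True only
    if every byte read back matches the final pass."""
    size = media_size(path)
    seed = os.urandom(32)
    passes = [
        lambda off, n: b"\x00" * n,
        lambda off, n: b"\xff" * n,
        lambda off, n: keystream(seed, off, n),
    ]
    for pattern in passes:
        overwrite(path, pattern, size)
    return verify(path, passes[-1], size)

def demo(size: int = 3 * CHUNK + 1234) -> tuple:
    """Constructed sample: a temp file filled with a recognisable record,
    erased, then checked. Returns (verified, record_still_present)."""
    record = b"Customer: Jane Doe, account 00012345\n"  # constructed, not real data
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((record * (size // len(record) + 1))[:size])
        ok = three_pass_erase(path)
        with open(path, "rb") as f:
            leaked = record in f.read()
        return ok, leaked
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The size is deliberately not a multiple of the chunk so the tail of the media is exercised. The equivalent shell passes are `dd if=/dev/zero of=/dev/sdb bs=1M`, `tr '\000' '\377' < /dev/zero | dd of=/dev/sdb bs=1M` and `dd if=/dev/urandom of=/dev/sdb bs=1M`; the reason for the keyed keystream instead of /dev/urandom is that it makes the fourth, verifying pass possible without a second copy of the data.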

Why go to all this trouble?

Why overwrite the data three times? Why crush dead HDDs? The answer depends on how important your data is, and how much it might therefore be worth. Losing customer or market confidence is not to be taken lightly.

Given enough resources, the platters of a HDD can be examined directly with laboratory microscopy, such as a scanning tunnelling microscope (STM) or a magnetic force microscope, after dismantling the HDD carefully. The concern is that even after writing all ones or all zeroes, traces of the previous magnetisation may remain for a very sophisticated data retrieval specialist to read, hence the random pass in erasure. (For modern high-density drives, NIST SP 800-88 regards a single full overwrite as adequate; the extra passes are cheap insurance where policy demands them.) Microscopy also requires that the surfaces to be scanned are very flat, which is why the crushing option is good – it renders the disk platters mechanically useless.

The bottom line

This is often described as the information age. I have seen cases where HDDs with personally identifiable information have been up for sale on eBay, advertised as containing valuable data and naming the company concerned.

Keeping your data safe and in the right hands is paramount – not just commercially, but as a regulatory requirement. If you don’t have a data removal and HDD disposal policy, you should. If you’re not aware of whether your company has one or not, you should ask.

Paul Hands is a consultant with Verify Partners, the consulting and interim management firm. His most recent role was as international data centre manager for Google across Europe and Asia.