Does Data Need a Lifecycle? Checking In from the IT Scrap Heap
I just got through developing and delivering a fascinating webinar for Iron Mountain at Spiceworks this morning. The topic was "Undead IT: Preventing eWaste from Coming Back to Bite You."
As sometimes happens in working through such events, the questions from attendees at the end of my presentation brought up some of the most interesting discussions of the whole experience.
To me, the most thought-provoking interaction centered around how best to make sure that companies and organizations don't expose themselves to risk when disposing of devices or equipment. This can be particularly problematic when said rubbish may include disk drives, flash drives, or other storage media.
All too often, old storage media contain data that shouldn't be disclosed to anyone else.
As it turns out, most laws and regulations governing safe destruction of IT assets — often called "IT Asset Disposal," or ITAD — don't amount to much more than requiring the demolition agent to obtain a valid, verifiable certificate of disposal. There really aren't any standards or laws mandating the cleansing, removal, or destruction of data-bearing components from IT assets.
Even more interesting, while there are plenty of standards for — and software that implements — cleansing operations for conventional hard disks (magnetic storage devices with rotating platters and read-write heads), there is nothing similar available yet for SSDs and other flash-based storage devices.
It turns out that cleansing flash devices isn't as easy to guarantee or verify as it is for conventional hard disks. A fair amount of work still remains to be done to get all of this squared away.
What does this mean for companies and organizations with old stuff to get rid of? It turns out that a data disposal policy may very well be the answer.
In the absence of governing rules, regulations, or laws, best practices and fiduciary responsibility argue for the following elements in any such policy:
1. All data-bearing devices should be carefully examined to determine what kinds of information they contain.
2. If that information can't be safely and verifiably cleansed, then those devices (or their data-bearing components) should be destroyed. Best practice is to put them through an industrial shredder that chips things up into 2mm particles.
3. If the information can be safely and verifiably cleansed, then it should be cleansed thoroughly. Random checks with high-level forensic data recovery utilities should be used to verify that nothing readable remains behind.
4. Companies should recognize that cellphones use flash memory for storage. Given the current lack of verifiable cleaning technology for such storage, those devices should be destroyed at the end of their lifecycles.
5. Companies and organizations must carefully consider what impact BYOD has on the safe and verifiable disposal of user-owned devices at the end of their lifecycles.
6. Companies and organizations should recognize that many devices and pieces of IT equipment — fax machines, networking gear (routers, switches, firewalls, and so forth), and so on — do include data-bearing elements that can include potentially valuable or risky data in need of protection.
Though phone numbers, IP addresses, names, and so forth may not appear to pose serious security threats, this information about network internals, communications, and users can be employed to mount attacks or conduct social engineering to support later attacks, and must be protected.
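The random spot check that item 3 calls for, as an added example that is not part of the original post: a Python script (hypothetical function names, constructed disk images) that reads blocks at random offsets of a disk image or raw block device and flags any block that still holds readable strings or a known file header.

```python
import os
import random
import re
import tempfile

# Magic numbers for a few common file types (constructed list, not exhaustive).
SIGNATURES = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xff\xd8\xff": "JPEG",
              b"\x89PNG": "PNG", b"MZ\x90": "Windows PE"}
# 16+ printable ASCII bytes: long enough that random-overwrite noise rarely matches.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")

def inspect_block(block):
    """Classify one block: non-zero byte count, readable strings, known file headers."""
    return {"nonzero": sum(1 for b in block if b),
            "strings": PRINTABLE_RUN.findall(block),
            "signatures": [n for magic, n in SIGNATURES.items() if magic in block]}

def sample_residue(path, samples=64, block_size=4096, seed=None):
    """Read up to `samples` distinct blocks at random offsets; collect readable residue."""
    rng = random.Random(seed)
    findings = []
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)  # works for image files and raw block devices
        nblocks = max(size // block_size, 1)
        for block_no in rng.sample(range(nblocks), min(samples, nblocks)):
            f.seek(block_no * block_size)
            result = inspect_block(f.read(block_size))
            if result["strings"] or result["signatures"]:
                findings.append((block_no * block_size, result))
    return {"size": size, "sampled": min(samples, nblocks), "findings": findings}

def verdict(report):
    """'clean' only when no sampled block held readable strings or known file headers."""
    return "clean" if not report["findings"] else "residual data found"

def make_image(path, size, plant=b"", at=0):
    """Write a zero-filled image, optionally planting `plant` at byte offset `at`."""
    with open(path, "wb") as f:
        f.write(b"\0" * size)
        f.seek(at)
        f.write(plant)

def demo():
    """Two constructed 1 MiB images: one fully wiped, one holding a leftover PDF header."""
    with tempfile.TemporaryDirectory() as d:
        wiped, leftover = os.path.join(d, "wiped.img"), os.path.join(d, "leftover.img")
        make_image(wiped, 1 << 20)
        make_image(leftover, 1 << 20, b"%PDF-1.4 CONFIDENTIAL payroll export", at=100 * 4096)
        return (verdict(sample_residue(wiped, seed=1)),
                verdict(sample_residue(leftover, samples=256, seed=1)))  # 256 = every block
```

Call `demo()` to see the two verdicts, or point `sample_residue()` at a real image or device; a "clean" sample is a spot check, not proof, and on flash media the controller can keep remapped or over-provisioned blocks out of the host's view entirely, which is why the post treats SSD cleansing as unverifiable.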
The bottom line for safe disposal appears to be this: If you can't be absolutely, positively sure that a given device contains no data that could possibly be resurrected to nefarious ends, then shred it.
Yes, that means reducing hardware to itsy-bitsy pieces at some expense. It's the only failsafe means of ensuring that data can't possibly be recovered.
Consider yourselves warned. There may be a test, and you'd better hope your organization passes: future profits and business viability could depend on it!
I sincerely hope that all of the security certification organizations take a bead on this. This kind of policy needs to become boilerplate for cybersecurity, IT processes and governance, and for general best practices for IT.