Developing new sources of revenue in a congested market can be a daunting challenge. Yet, despite the number of consultants and solution providers catering to the privacy compliance and security market, there remains ample opportunity to establish important services in a relatively untouched sector of the regulatory compliance market -- the management of end-of-life storage assets. The handling of these assets can represent a very real risk for clients. And, establishing responsible, risk-free decommissioning policies and procedures is not as easy as one might expect.
With the introduction of privacy legislation and industry regulations governing how confidential data is managed and secured, the risks associated with the unintentional exposure of confidential information can include personal liability, as well as the consequences normally associated with mandatory disclosure. As the frequency of reported data loss incidents increases, the need to implement an effective and reliable decommissioning policy that includes the protection of all legacy data stored on retired equipment is critical to a comprehensive compliance posture.
The increased attention to securing confidential data has led to increased security awareness and responsibility. When developing a properly drafted asset decommissioning policy, the interests of legal, finance and human resources may be as significant as those of IT, security and asset management -- regardless of who is responsible for the day-to-day application of the decommissioning process. Ensuring that all parties' interests are included at the beginning stages of policy creation is critical to the adequate protection of confidential information.
Although commercially available hard drive data destruction technologies and services exist, as do drive overwrite software and hardware technology, these solutions alone do not constitute acceptable best practices, as each solution, without a proper handling policy, may actually introduce additional risk. The role of the consultant in guiding clients to effective decommissioning practices requires an understanding of the drive technology, the risk and benefits of available decommissioning technologies and services, and the needs of the client. Ultimately, depending on the type of storage hardware in use and client-specific data storage policies, the decommissioning model may vary significantly from one client environment to the next. Accordingly, there can be no standard policy that applies all environments.
When developing a decommissioning policy, ask these questions at the onset of the project:
- What is the nature of the client's operation, and what type of data is to be protected?
- What type of hard drive storage is in use?
- What drive sanitizing practices are in place?
- Does the client currently inventory data or have established policy on how data is stored or managed?
- What privacy regulations does the client need to comply with?
- Who is accountable for the protection of confidential data?
- Who will maintain the policy?
Once the client's needs have been determined, you can begin defining the suitable methods to sanitize end-of-life or to-be-repurposed hard drives.
Defining decommissioning policies and procedures
Faced with a sea of confusing, often outdated and inaccurate guidance available from government, academic and vendor sources, defining what is acceptable best practice can pose a challenge. A valuable resource is the Special Report 800-88 published by the National Institute for Standards and Technology (NIST). In this report the NIST defines acceptable decommissioning practices, including a comparative review of inherent risks and benefits. With this knowledge, the creation of asset handling procedures can be defined. Be aware, however, that although a solution may address the client's needs, poor handling practices will impose risk.
With policy in place, an ongoing relationship with the client can be developed for the delivery of on-site data sanitizing services. With the recent availability of portable, appliance-based decommissioning hardware, best practice drive purge services can be conducted on-site by either the service provider or the client's asset management or security staff. These services offer significant value to clients, as the decommissioning process typically requires 35 minutes per 100 Gig of volume space, enabling the processing of up to 40 hard drives per appliance in a single eight-hour work day. This process is also more effective and efficient than using software-based overwrite technologies. Once processed, the hard drives can be securely repurposed, returned off-lease or resold with no possibility of data recovery by laboratory efforts or other means.
This process may not address all of the client's policy obligations, however. In situations where policy dictates that the drive must be physically destroyed, on-site purge services will not satisfy this requirement. Best practices in this case would dictate that the device be purged on-site before providing the asset to any third party for delivery to the physical destruction site. Purging the storage device before releasing it will ensure that in the event of loss or theft of the drive, no mandatory disclosure will be required as the client's confidential data was protected beforehand.
About the author
Ryk Edelstein is the founder and partner at Converge Net Inc., a Montreal-based solution provider specializing in the delivery of network performance optimization, security and privacy solutions. Employing a highly effective bottom-up approach to resolving IT challenges, Converge Net addresses application/bandwidth performance concerns, data loss prevention, risk and vulnerability issues, policy management, and security challenges using packet level analysis to rapidly resolve the root cause of hard to identify issues. Ryk has been actively involved in guiding enterprise and government clients in establishing best practice solutions for the decommissioning of end of life storage hardware using properly aligned technologies.
This was first published in September 2008