July 25, 2018
Organizations today continue to focus on strengthening data security. From implementing multi-factor identification to encrypting files at rest and in transit, the urgency of protecting information from unauthorized access is increasing, particularly in light of ongoing data breaches, legislative updates, and potential fines.
While each security measure an organization adopts can significantly reduce the chance of a data breach, few approaches to data security are, when applied individually, fail-safe.
For example, while the use of encryption as a solution to data security continues to gain in popularity, encryption alone doesn’t eliminate the risk of data being retrieved from hard drives…it merely makes a data breach less likely due to the time, labor, computational power, and luck it would take to gain access to an encrypted file without the associated private key.
The technology behind encryption isn’t where the vulnerability lies, however…it’s the human factor in design and implementation that can open a path to access. And then there’s the matter of simple human carelessness.
Some encryption systems come with a “backdoor” in the code that could provide access to the private key necessary to decrypt the protected data. Also, encryption keys may be lost or stolen, just like real keys. And just like leaving a real key to your house hidden under a rock in the garden, a digital key can be stored in an insecure location, subject to access by someone who knows – or can guess – where to look.
Encryption and Asset EOL
While encryption can play an important role as part of a comprehensive data security plan, when it comes to device end-of-life it’s important to realize that encrypting information is not the same as destroying it…it’s merely a method of making it difficult for outsiders to access information.
While the chances of an encryption breach are low, drive sanitization and drive destruction are considered the most secure approach to safeguarding information at asset end-of-life. If the drive is encrypted, then encryption and sanitization/destruction used together are like the extra security of wearing a belt and suspenders to ensure your “assets” aren’t exposed.
Naturally when considering encryption and asset end-of-life you’ll want to evaluate which encryption approach to choose if your goal is ROI. There are three basic types of drive encryption, and if you want to recover residual value when you retire assets you’ll want to make sure the drives can be sanitized for reuse.
If your organization uses software-based encryption drive erasure is straightforward since erasure tools override the operation system. Once sanitized, the drive is ready for reuse.
If the drive is self-encrypting – that is, the drive has a built-in encryption mechanism that doesn’t rely on software – it will usually support a “Sanitize Crypto Erase” command that alters the encryption key making the contents unrecoverable. After sanitization the drive, and the system in which it resides, may be safely remarketed.
Drives that are encrypted with a combination of software and hardware methods, like OPAL, are often referred to as self-encrypting drives (SEDs). These create more of a challenge for organizations who want to sell used equipment because the drive can’t be erased unless the OPAL security feature is first disabled. The drives may can be sanitized once the OPAL lock is removed, but IT organizations will need to take that extra step before the drives can be sanitized and remarketed.
Onsite Services Provide Added Security
Whether your company requirements call for drives to be erased or destroyed, an ITAD provider with mobile services can come directly to your site and work with you to ensure all drives are sanitized, degaussed, or shredded before they leave your building. This approach offers the shortest chain-of-custody, allows you to witness the process, and results in a Certificate of Data Destruction to prove data eradication in the event of an audit.
The certificate is critical. In light of the legal and regulatory obligations many organizations face when it comes to data security, it’s not enough to implement multiple safeguards to eliminate any single point of failure…you must also have proof that data has been destroyed. Encryption does not provide that proof, while a Certificate of Data Destruction does.
The Take-Away
Security is important to all of us, both in our private and business lives. And while few of us feel the need to implement multiple safeguards against the proverbial “wardrobe malfunction” when getting dressed in the morning, when it comes to our personal and company data multiple security measures decrease the chance of a data breach.
Working with an experienced ITAD company to ensure data destruction at asset end of life should be a key part of every company’s wardrobe of security strategies.
Mary Couse
Mary has been involved with the IT Asset Disposition (ITAD) industry since 2004, however she’s been passionate about reuse and recycling since her college days.