Remove the Data, Remove the Risk
The golden rule of data security when retiring hard drives is “remove the data, remove the risk.” Another, more useful way to look at this is that the sooner the data is removed in the process, the lower your risk. Retired drives containing data are an invitation for both intentional and unintentional misuse. This problem is magnified if drives are stored in an unsecured location where large numbers of employees have access. At best, retired drives and computers, and the sensitive data they contain, may be innocently or unintentionally compromised, as was the case where one company executive donated some retired computers to her child’s school, figuring they weren’t being used anymore and should go to a good purpose. At worst, data may be compromised intentionally by a disgruntled employee or as an act of sabotage.
Risk vs Cost
There is no such thing as a perfectly secure system or process. Instead, you have to make trade-offs that maximize your security compared to the investment. Many companies still perceive that it’s difficult, time-consuming, and costly to wipe data from retired computers, but that’s simply not the case. Wiping software is now capable of being initiated remotely with minimal technician time and effort. If you’re retiring or processing batches of computers simultaneously, a simple PXE configuration can allow you to process hundreds of computers a day with just one technician. The bottom line is there’s no excuse for poor data security when it comes to your computer and hard drive retirement process.
Good, Better, Best
With these ground rules in place, let’s look at some general approaches to properly securing data during the hard drive retirement process.
A good process is one in which data on retired drives gets wiped at some point, even if it’s late in the process. And late it usually is. That’s because most companies rely exclusively on a “remarketer” or ITAD (IT Asset Disposition) vendor to do the data sanitization. By the time the ITAD vendor receives the hardware, it has often been sitting in storage for months if not years in a vulnerable state. This is the absolute tail end of the process. Most companies understand the importance of wiping their data and therefore do meet the “good” requirement. However, with marginal effort they could do so much better.
A better process is one in which data on retired drives gets wiped at the company where the drive originated or was in use. Better still is wiping the drive immediately upon its being retired. As mentioned earlier, wiping software is now capable of remotely initiating a wipe on any computer connected to the company’s network. In just a few minutes a wipe can be initiated. The drive may take a few hours to wipe, but no further effort is required by the technician. Once the drive is wiped, the results can be automatically logged to a database or sent via email. The ideal is to wipe drives within a day or two of their being retired. Any longer and you create an environment ripe for accidental misuse or intentional malfeasance.
The best process is one in which data on retired drives gets wiped at the originating company and then is either wiped again or validated using a third party, such as an ITAD vendor. In this scenario the drive is wiped upon being retired. Because the data is gone, there is little risk in the drives sitting in storage, even if it’s unsecured. The data is gone, so the risk is gone. Then, once the drives are sent for final disposition, the ITAD vendor can either sanitize the drives again or validate using a random sample that the drives were properly wiped. This “best” practice both lowers risk by removing the data early and provides a failsafe to protect against problems and errors.
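The “better” and “best” levels both depend on knowing which retired drives have a logged, successful wipe and which do not. The sketch below is an added example, not code from this article or from any wiping product: it audits a retirement list against a wipe log using the two-day target mentioned above, then draws the random sample that would go to the third party for validation. The asset tags, dates, record layout, and 50% sample fraction are all constructed assumptions.

```python
import math
import random
from datetime import date, timedelta

MAX_DAYS_UNWIPED = 2  # assumption: the article's "within a day or two" target

# Constructed sample data: retirement list and wipe log (not real records).
RETIRED = [
    ("LT-0001", date(2024, 3, 1)),
    ("LT-0002", date(2024, 3, 1)),
    ("LT-0003", date(2024, 3, 4)),
    ("LT-0004", date(2024, 3, 5)),   # never wiped
    ("LT-0005", date(2024, 3, 9)),   # not wiped yet, still inside the window
]
WIPE_LOG = [
    {"asset": "LT-0001", "wiped": date(2024, 3, 2), "result": "pass"},
    {"asset": "LT-0002", "wiped": date(2024, 3, 9), "result": "pass"},  # late
    {"asset": "LT-0003", "wiped": date(2024, 3, 4), "result": "fail"},  # failed run
    {"asset": "LT-0003", "wiped": date(2024, 3, 5), "result": "pass"},  # retry
]

def audit(retired, wipe_log, today, max_days=MAX_DAYS_UNWIPED):
    """Classify each retired asset as 'wiped', 'late', 'pending' or 'overdue'."""
    first_pass = {}  # earliest successful wipe per asset; failed runs do not count
    for rec in wipe_log:
        if rec["result"] == "pass":
            prev = first_pass.get(rec["asset"])
            if prev is None or rec["wiped"] < prev:
                first_pass[rec["asset"]] = rec["wiped"]
    status = {}
    for asset, retired_on in retired:
        deadline = retired_on + timedelta(days=max_days)
        wiped_on = first_pass.get(asset)
        if wiped_on is not None:
            status[asset] = "wiped" if wiped_on <= deadline else "late"
        else:
            status[asset] = "pending" if today <= deadline else "overdue"
    return status

def validation_sample(status, fraction=0.5, seed=None):
    """Pick drives with a logged wipe for third-party re-verification."""
    wiped = sorted(a for a, s in status.items() if s in ("wiped", "late"))
    if not wiped:
        return []
    k = max(1, math.ceil(len(wiped) * fraction))
    return random.Random(seed).sample(wiped, k)

if __name__ == "__main__":
    result = audit(RETIRED, WIPE_LOG, today=date(2024, 3, 10))
    print(result)
    print("send for validation:", validation_sample(result, seed=1))
```

Drives reported as “overdue” are the ones still holding data in storage; drives reported as “late” were wiped, but only after sitting exposed past the target window.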
What Level Should I Choose?
The good news is that the “best” level is obtainable for most companies and budgets and should be the ultimate goal. Some companies don’t store data that is innately sensitive and needs to be protected, and may feel comfortable with a lower level of security. On the other hand, companies that store financial, health, or personal data are typically under strict regulation and must be particularly vigilant about protecting their data. In these cases, the “best” level should be a requirement.
Moving from the “good” to the “better” level represents a substantial increase in security with minimal investment. Doing so means your data is at risk for months or years less and really covers a multitude of sins later in your process. At minimum, such a move is recommended.