Protecting the Cloud: Data Erasure as a Best Practice
May 22nd, 2012 By: Industry Perspectives
Markku Willgren is President of U.S. Operations for Blancco, where he focuses on the data security sector. His expertise encompasses asset disposal security and process efficiency, regulatory compliance and data erasure technology.
How can data centers and businesses protect massive amounts of data created by cloud computing? Physical security is just one piece of the puzzle. For complete security, data centers need to implement total erasure of data on hardware slated for reuse, resale, or disposal as an industry best practice. The practice of erasure should also extend to redundant or expired data on active systems, without impacting data center operations by requiring a system reboot.
Removing Data is Critical
Several trends in the data center sector are influencing the need for an automated and auditable way to erase data. These trends include the explosion of digital information in the cloud, data center consolidation, sustainability and regulations mandating data security. Removing data is especially critical in protecting against leaks as data and applications move or as data center hardware changes hands.
Data erasure software addresses requirements for tighter data center security with automated erasure processes for a variety of mass storage hardware and configurations, as well as for both active, in-service systems and decommissioned ones. Certified to all major international erasure standards, the software protects sensitive customer data while also enabling compliance with regulations through auditable erasure reports. This safe, cost-effective technology supports either the reuse of costly and complex hardware, or its secure retirement at end of life.
Industry Drivers for Data Erasure
The explosion of digital data in the last ten years has brought with it a proliferation of hardware as data centers respond to cloud demands. In 2012, Gartner predicts that worldwide data center spending for hardware – including servers, storage and networking equipment – will total $106.4 billion, and will surpass $126.2 billion by 2015. The additional hardware, as well as that needed for technology refreshes, impacts data erasure requirements as centers respond to ongoing and emerging trends like those described here.
Sustainability: While power-saving technologies like server virtualization have resulted in less equipment for the same task and lower energy consumption, e-waste has become a major concern for sustainable data center operations and security worldwide. Developing countries like Ghana experience dangerous pollution levels as a result of receiving improperly disposed electronics from around the world. They often become a source of cyber-crime due to this unsecured e-waste.
Implementation of certified data erasure helps meet the growing demand from customers for sustainable operations. It also allows data centers to dispose of or resell older equipment without sensitive information falling into the wrong hands.
Information security standards and regulations: To attract customers in industries with highly regulated data like retail, banking, government and healthcare, data centers and cloud providers must comply with industry standards, regulations and certifications like PCI DSS, HIPAA and Sarbanes-Oxley. Cloud providers in particular will compete based on compliance support, but they must also absorb compliance costs with automated processes.
Certified data erasure software offers an automated process for removing data, while providing an auditable erasure report to prove data was thoroughly removed. The report provides hardware details, including serial number, number of server drives, size, and speed, as well as information about the erasure, such as how long the process took and who performed it.
Consolidation: Mergers, acquisitions and right-sizing have led to the consolidation of data centers. While many data centers opt for hardware refreshes when considering a move, Gartner recommends negotiating contracts for early availability of swing gear at the new site. Either way, data centers need an auditable report from a certified data erasure tool to prove that data was removed from equipment set for retirement or transfer.
Data Erasure in Practice
With certified data erasure software, data centers can automate and centralize data removal from a range of equipment. This best practice protects against data leaks at transition points in both the data’s and the hardware’s chain of custody and use, as the following equipment and use scenarios describe.
Data on active systems can sometimes end up in the wrong storage location, exist as an unnecessary duplicate, or expire, as with certain regulatory requirements. For these circumstances, data erasure can target specific files and folders across the network for interval-driven erasure, as with PCI DSS requirements for removing data after five years. Such erasure practices are part of good “data housekeeping,” so that unnecessary copies of data are not kept, which would increase the chance of a data breach.
Data erasure also supports remote erasure of logical drives like LUNs in an active storage environment where the storage array cannot be taken offline. Centralized erasure provides a secure, cost-effective option for reusing these valuable enterprise storage systems without reconfiguring them. It is especially useful after disaster recovery or backup recovery tests, when multiple copies of LUN data exist and must be erased for full security. Data erasure is also helpful when a customer leaves and the LUN is assigned to a new client.
Servers, storage systems and individual drives can be securely reused or disposed of when certified data erasure is adopted as a best practice. Data centers can use servers, for example, as the platform for erasing all connected drives, internal or external, with certified erasure. Server erasure can be performed locally or remotely, securing data at the end of a hardware refresh cycle, when an existing customer terminates hosting services, or when a data center is relocating.
Complex storage systems, when securely erased, can safely yield revenue after retirement. Because certified data erasure erases a broad range of hardware, it eliminates the need for multiple erasure products. Capable of erasing 200+ Serial ATA, SAS, SCSI, and Fibre Channel disks in high-end server and SAN environments, the software supports the massive scale and productivity needs of data centers. It is used for erasing storage arrays at the end of a hardware refresh cycle, when a data center relocates, and at the end of a lease, when a leasing company may impose settlement fees for keeping or physically destroying equipment or its components.
Loose physical drives, such as those from SAN servers, pose a security, housekeeping and productivity challenge for data centers. With certified data erasure, personnel can simultaneously erase multiple hard drives outside the original host. This automated process supports data center efficiency, while sanitizing drives with sensitive data that may have been backlogged due to lack of secure end-of-life processes. Erasure is also helpful when drive-swapping end-of-service servers, a common and fast process to expedite server retirement that may generate loose drives containing data.
Another important reason for erasing loose drives is for the replacement of RMA warranty drives. On-site erasure of “failed” disks removes the content so disks can be safely transported to the OEM for warranty replacement, avoiding costly disk retention fees.
For cloud computing needs, certified data erasure software offers an automated, auditable and secure process for removing data from files, LUNs, disks, servers and storage systems that complies with all major government and industry standards. As a best practice, this automated process helps data centers achieve more efficient operations, while protecting both information and investments in costly data center equipment that can be reused or resold.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.
This is a great article. However, I do have one correction... There are no PCI DSS requirements for removing data after five years. PCI DSS Requirement 3.1.1.a states:
Verify that policies and procedures are implemented and include legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons).