Asset Disposal: Old Computers Bring New Security Worries
In an age when organizations are consolidating datacenters and embracing cloud, and data infiltrates everything via the Internet of Things (IoT), enterprises increasingly must consider how to securely, legally, and cost-effectively rid themselves of old servers, workstations, and other data-laden technologies.
Businesses are considering how to dispose of assets sooner in order to maximize value, the cost of disposal, centralized reporting tools, data security, and charging back departments, according to a survey by Cascade. At many organizations, though, removal of old technology is not a high priority.
"It's a very unsexy area. It's associated with waste management. It isn't brand new, snazzy equipment," said Steve Mellings, founder of ADISA – the British-based Asset Disposal & Information Security Alliance, in an interview. "It isn't a particularly attractive business process but what we see is corporations spend hundreds of thousands of pounds – if not more – on asset protection, but when they reach end-of-life there is a very real risk of data breach."
This sometimes-neglected process can fall under the jurisdiction of departments such as IT and compliance. Depending on the device, the federal government has stringent rules in place that dictate where high-end systems or other technologies can be resold, Jill Williamson, chief compliance officer at Liquidity Services, told Enterprise Technology. Organizations are governed by federal, state, and industry rules such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), she said. And, of course, companies don't want to drum up the expense – which averages $1.57 million per breach, according to the 2015 Ponemon Institute's "Cost of Data Breach Study: Global Analysis" – or bad publicity typically associated with breaches, Williamson added.
While some organizations have few if any standards for the removal of data from old systems, most large businesses and government agencies have implemented procedures designed to remove data, destroy hard drives, and ensure data security. But does that mean data is actually gone or safe? Not necessarily.
In 2014, for example, Washington State examined the computers 13 state agencies had sent to the state's surplus program for distribution or public resale, wrote Washington State Auditor Troy Kelley in the Camas-Washougal Post-Record. Although most agencies complied with state standards for data removal from hard drives, four had left confidential data on their unwanted drives. Information included medical records, applications for public assistance, IRS forms, employee evaluations, and Social Security numbers, he wrote.
In another study, ADISA conducted forensic analysis of the factory-reset function to determine whether it sanitized smartphones. While a sampling of Apple and Blackberry devices had removed users' data, the same did not hold true on "certain Android devices," according to the April 2015 report.
"In fact, the data recovered would indicate that even multiple factory resets would not be enough to erase all of the data. The reason for this conclusion is that forensic analysis of the Android devices showed that some of the devices still contained data from instant messaging services and from the test methodology point of view no instant messaging services data was placed on the phone," the whitepaper said. "It can be speculated that the poor performance of the Android devices is that as Android runs on multiple hardware platforms, the developers of Android are unable to integrate their software platform into the hardware such that specific hardware features cannot be utilized."
Pundits worry the move to cloud – and the model's built-in reuse of systems – coupled with the ongoing drive to infuse everything with data could create more data insecurities if not done carefully.
"If I work in IT, I've got to do more with less. It's different platforms, different locations, a whole range of different challenges to meet, and less resources. You have corporations struggling to deal with increased regulatory requirements with fewer resources. This unloved, unattractive process gets pushed to the bottom of the pile," said Mellings.
Removal as a Service
Perhaps unsurprisingly, one answer to this problem lies in partnerships with the many specialists in removal. These organizations come from an array of industries, including cybersecurity, facilities or waste management, IT service providers and distributors, brokers, and scrap metal companies, said Mellings. But they are typically unregulated, he said, and often, enterprises look at the process as a financial, not a security, transaction whereby the highest bidder gets the consignment, not necessarily the company with the best security procedures.
Enterprises should, therefore, conduct due diligence to ensure partners eliminate data, if that's one of the services purchased, and seek the highest value possible for their unwanted resources, executives agreed. It's also important to dispose of e-waste responsibly and locally, Mellings noted.
Enterprises have many partner choices. Liquidity Services, for example, evolved into technology from a legacy of helping companies dispose of surplus inventory or assets, Steven Jacobson, vice president of corporate services, told Enterprise Technology. "At the end of the day we're an auction house with professional services wrapped around it," he said. "We used to do factory closings then moved into the datacenter and were asked to help with IT."
The company helps organizations sell their systems or components, after wiping them clean, said Jacobson.
"It's all about bang for the buck, whether it be a dealer looking for the components, the boards, the processors, the networking pieces in some of these big superdomes, blades. There are a zillion chassis out there; they're looking for the components," he said. "It's a fraction of the original acquisition price and there's still value, and it doesn't go into e-waste."
Under their new partnership, Iron Mountain will offer CloudBlue’s IT Asset Disposition services paired with Iron Mountain’s secure chain of custody and logistics so customers' equipment is collected by vetted Iron Mountain employees, tracked through the company's chain of custody, then delivered to CloudBlue for processing, according to the companies. Arrow Electronics, for its part, just opened a center for asset tracking and reporting, data sanitization, testing and screening, recycling, remarketing, service parts management, and product returns management services in Singapore.