Interview with Blancco
July 2007
Interviewee: Rob Crawford, Country Manager
Canada, Blancco Canada
Subject: Large-Scale Electronic Data Destruction
Nymity: What are the challenges related to removing data
from a single computer?
Crawford: Removing data from a single desktop
or laptop hard drive is actually a more complex process than
most users would think. Unfortunately, today, there are still
a large number of users who believe that when you delete files
and send them to the recycle bin, they are gone for good.
A more alarming fact is that others believe that formatting
a hard drive will erase files permanently. Neither of these
processes is effective for protecting or deleting your data.
All hard drives, whether for a single computer or a thousand
computers, must be erased using a systematic method of overwriting,
using 1’s and 0’s to completely “wipe”
or “sanitize” the drives. This process is known
as data erasure or data destruction. For a single computer,
the challenges are:
- Time
- Using tools or freeware that does not completely erase
the hard drive
- Using tools or freeware that have no reporting, no verification,
no guarantee of 100% erasure
- Secure Erasure of the HPA (Host Protected Area)
- Secure Erasure of the DCO (Device Configuration Overlay)
- Secure Erasure of the Remapped Sectors
Nymity: What are the challenges in large-scale data destruction
of 1000 plus computers?
Crawford: Companies or Governments that have
hundreds or thousands of computers face all the same issues
that a user or small companies face when erasing a single
computer plus these logistical challenges. The management
of their IT assets is paramount but as important is proper
reporting that is auditable. A large security gap exists when
companies do not know what computers have been erased, where,
when and by whom, creating the possibilities for information
loss. Companies and Governments must utilize best security
practices that ensure the proper safeguards are in place for
the process of secure data erasure. For large scale
deployments, the challenges are:
- Time
- Resources (people)
- Managing the assets
- Data Integration
Nymity: When are organizations faced with large-scale data
destruction projects?
Crawford: Most organizations are faced with
large-scale data destruction projects on a yearly basis. Scheduled
hardware refresh/upgrades, lease expiration, server consolidation,
reuse management (machine drift), warranty claims, process
restructuring and changing technology are the reasons why
organizations will require a formal policy for the data destruction
process. In the marketplace there are still organizations
who are not using some method of data destruction; they either
have a warehouse/rooms/closets full of used drives that are
holding old information, or they are sending hard drives or
computers to be recycled or destroyed with information on
them. Both of these scenarios present a huge security gap.
Common large-scale data destruction projects include:
- Shorter refresh rates
- Lease expiration
- Server Consolidation
- Reuse management
- Warranty Claims
- Process restructuring
- Changing technology
Nymity: What are risks of not removing data securely?
Crawford: Security risks associated with
drives that have information stored on them are far and wide.
Identity theft is becoming the most common concern arising
from data theft/loss that includes people’s personal
information, which may be a credit card number, social insurance
number or medical records. Industrial espionage through organized
crime or by a disgruntled employee may be looking for trade
secrets or customer/employee information for nefarious uses.
These types of data breaches can be extremely valuable in
the wrong hands. The liabilities incurred during a data breach
can be absolutely devastating to companies, as public disclosure
through regulatory legislation has become the norm. Governmental
legislation that is being passed regarding the protection
of people’s personal information throughout the world
today, proves that anyone involved in the hosting of information
must use end-of-life and reuse management processes to ensure
the best security policy possible. Risks include:
- Identity theft
- Industrial espionage
- Data Leaks
- Lost revenue
- Hefty fines and/or expensive lawsuits
- Tarnish a company’s brand
Nymity: How do automated data destruction solutions work?
Crawford: Centrally controlled application
software that features:
- Asset inventory, erasure, report, audit
- Automated centralized report repository/database
- High-speed erasure regardless of the OS and hardware
- Network delivery within organizations’ LAN/WANs
without limitations
- Integration to external databases
Nymity: What are the advantages of automated data destruction?
Crawford: Efficiency. Efficiency translates
into money. By making the process faster, clients are able
to save time, labor costs and additional management overhead.
Measurable ROI (return on investment) and TCO (total cost
of ownership). Besides efficiency, the advantages are:
- Data Destruction onsite for extra Security
- Increased Process Efficiency for asset life cycle management
- Detailed asset and hardware management reporting
- Easy to setup for end user
- Reports can be easily integrated with existing databases
Nymity: What are the alternatives?
Crawford: Physical destruction is
the most common alternative to automated data erasures. The
issues with physical destruction are security, no traceable
audit trail and no possibility of remarketing the computers
for return revenue. Some companies will use a hammer system
to smash the drives, or a drill press system to drill holes
in the drives or shredding the drives into 1” to 2”
pieces. Although this sounds very attractive, usually because
of the cost effectiveness, it is NOT a secure way to destroy
data. It has been proven by many forensic labs throughout
the world that data can be removed from the drives even after
this process has been performed. The other expensive inefficient
way of destroying hard drives, is by using a degaussing machine.
This process uses large electromagnets to essentially render
the hard drive completely useless. The problems associated
with this process are the long period of time it takes to
perform the degaussing, and once the hard drive has been degaussed,
it is not reusable or resalable. Finally, Corporate and Government
Canada must start to embrace an environmental policy to RETHINK,
REUSE, RECYCLE.
Nymity: How can Blancco help organizations interested in large
scale data destruction?
Crawford: Blancco is able to completely eliminate
the risks and liabilities associated with the disposal of
IT assets. Our products are designed to save the customers
time, money and resources required during the disposal process.
With a digitally protected, gapless audit trail, and Blancco’s
easy integration methods, customers are protected with a guarantee
throughout the process. Blancco has received over 14 international
standards and certifications because we have the right products
and processes to ensure an efficient, cost effective, secure
service, utilizing the ERA Concept (Erase>Report>Audit)
guaranteeing compliance in every Country, Province, State
and local municipality. Blancco helps organizations:
- Elimination of RISKS and LIABILITIES associated with the
disposal of IT assets
- Saving of time, money and resources required to dispose
of corporate IT assets
- Digitally protected gapless audit trail
- Easy integration to corporation’s other services
- 14 International Certified Supported Standards
- Compliant in every Country, Province, State and Local
Municipality
For More Information
To learn more about Blancco visit www.blancco.com
or contact Robert Crawford at robert.crawford@blancco.com
or 905.452.9222.