Trust no one. That's the increasing sense users have when it comes to protecting data, and it's now throwing a wrench into every aspect of managing storage, whether a company is regulated or not. The latest uncomplicated process to inspire new paranoia: data on failed disks sent back to a vendor for repair.
When disks are sent to vendors, they are sometimes disassembled in order to replace faulty parts. Other times the disks are simply diagnosed as failed and a whole new drive is issued to the user from the vendor. Parts left over, or whole disks, are sometimes recycled into new disks or simply repaired and resold on the open market. All of that leaves the original user's data exposed if it's still on the failed disk.
"I once got a shipment of remanufactured disks for a set of 25 laptops that had data on them," said Paul Ressler, a systems support analyst for J&J PRD Instrument PC Support. "The fact that there was any data on them means that if I wanted to, with the right tools, I could have recovered all of it."
Discussion cropped up about this growing concern on SearchStorage.com's IT Knowledge Exchange message boards this past week, specifically having to do with sending hard disks off site for repair.
"With the ever increasing threats, identity theft and regulations, corporate data on failed hard disks that come out of storage cabinets and servers is being more scrutinized," said one user.
Respondents to the discussion thread highlighted several options for handling disks being sent off site. One is to do what is known as a "Department of Defense (DoD) wipe," writing random bits of data over the disk seven times.
Users said there are several software programs that also work well to remove data from a disk, many of them designed by at-home hackers, including Ultimate Boot for Windows and BartPE, and disk overlay diskettes provided by data recovery outsourcer OnTrack Inc. Both these options, however, require that the user can get the disk spinning.
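The two situations described above, a receiver checking a remanufactured disk for leftover data and an owner overwriting a disk before it leaves the building, can be shown together on a disk image. The following is an added example, not code from the article or from any of the people or products it quotes. It assumes a file-backed image stands in for the drive (on a real machine the same routines would be pointed at a block device path), reads the "random bits seven times" description as seven passes of fresh random bytes, and uses a constructed plaintext record as the planted sample data:

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16          # 64 KiB I/O granularity
IMAGE_SIZE = 1 << 18     # 256 KiB toy image (assumption: stands in for a failed drive)
MARKER = b"CUSTOMER-RECORD: payroll export 2005 (constructed sample data)\n"
# Bytes a "strings"-style scan treats as text: space..~ plus tab, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def make_sample_image(path: str, size: int = IMAGE_SIZE) -> None:
    """Construct a toy 'failed disk': zero sectors with one plaintext record planted in the middle."""
    with open(path, "wb") as f:
        f.write(b"\x00" * size)
        f.seek(size // 3)
        f.write(MARKER)


def printable_runs(path: str, min_len: int = 32) -> list:
    """Return runs of at least min_len printable bytes, i.e. what a 'strings' pass would surface.

    After a random overwrite a run this long arises by chance with probability far below 1e-7
    for an image of this size, so a non-empty result is a real signal of leftover content.
    """
    runs, current = [], bytearray()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for b in chunk:
                if b in PRINTABLE:
                    current.append(b)
                    continue
                if len(current) >= min_len:
                    runs.append(bytes(current))
                current = bytearray()
    if len(current) >= min_len:
        runs.append(bytes(current))
    return runs


def wipe_image(path: str, passes: int = 7) -> str:
    """Overwrite the whole image `passes` times with fresh random bytes.

    Every pass is flushed and fsync'd so the data is pushed past the page cache. Returns the
    SHA-256 of the last pass so the caller can confirm the final pattern actually landed.
    """
    size = os.path.getsize(path)
    digest = ""
    for _ in range(passes):
        h = hashlib.sha256()
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                block = secrets.token_bytes(min(CHUNK, remaining))
                f.write(block)
                h.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())
        digest = h.hexdigest()
    return digest


def verify_final_pass(path: str, expected_digest: str) -> bool:
    """Read the image back and check it matches the last pass written (catches writes that never landed)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest() == expected_digest


def sanitize_and_report(passes: int = 7) -> dict:
    """End-to-end run on a temporary image: inspect, wipe, verify, inspect again."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_image(path)
        before = printable_runs(path)
        digest = wipe_image(path, passes)
        with open(path, "rb") as f:
            marker_after = MARKER in f.read()
        return {
            "runs_before": len(before),
            "verified": verify_final_pass(path, digest),
            "runs_after": len(printable_runs(path)),
            "marker_after": marker_after,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(sanitize_and_report())
```

The read-back digest check is the part worth keeping even for a single pass: it proves the bytes reached the medium rather than a cache or an ignored write. It does not change the limitation the thread is about, which is that any overwrite only touches sectors the drive will still address, which is why the discussion turns next to degaussing and physical destruction for drives that cannot be spun up or fully trusted.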
Disk encryption was also among the suggestions. "The real opportunity would be proactive," said one user. "Implement encryption of data on disks. There are numerous ways to implement in DAS, NAS and SANs." Encrypting hard drives, however, comes with its own set of problems, including performance issues and expense.
Yet another suggestion: degaussing, a process for removing data from a disk physically using a magnetic field. Degaussing machines are readily available -- "You can get them at Radio Shack," said Brett Osborne, a systems engineer who asked that his large aerospace company not be named -- and don't require that the disk be accessible or operational.
"Degaussing, as long as it's performed properly, is fairly simple. It's the first and most serious way to remove data from any disk, and a good choice if the equipment has value," Osborne said.
But he admitted, "For my critical data, I don't trust it. Even through degaussing, data is still theoretically recoverable. You can never get everything."
Destruction the only totally foolproof option
In fact, users agreed, the frightening reality right now is that advances in technology also mean virtually no data is totally unrecoverable.
"In 1986 when the Challenger Shuttle had its black box recovered from the bottom of the Atlantic three weeks after the disaster, it was sent to Tucson, Ariz. to have its data reconstructed," said Claus Mikkelsen, senior director of storage applications for Hitachi Data Systems Inc. "We could reconstruct the data of magnetic media involved in a horrible explosion and submersed in salt water for three weeks, which was ultimately delivered in shreds of magnetic particles, and that was 20 years ago."
Add to that the fact that no company wants to devote man-hours to running demagnetizing machines over failed hard drives, and users agree that, for the time being, nothing short of total destruction of the media is a 100% foolproof way to ensure data doesn't fall into the wrong hands.
Ressler said, "The best answer to the question about data destruction came from a member of the U.S. Army who stated that he wasn't concerned with the issue: he simply let an M1A1 Abrams tank roll over the drive in question a few times and POOF! No data."
"Of course," he mused, "not all of us have access to an M1A1 tank..."
More importantly, simply destroying every disk that fails renders a warranty with a vendor virtually useless -- and it's back to square one.
Vendors wishy-washy on liability
There are places vendors could step in to mitigate the situation, and most of the big vendors, including EMC Corp., Hitachi and Hewlett-Packard Co. (HP) do try to address customers' concerns about safety by offering to fix disks on site, or perform DoD wipes and carry out destruction on their end.
But still, vendors hem and haw when it comes to accepting ultimate legal liability for the process, and users say they don't trust the vendors' assurances just yet.
"The word liability makes it a bit loaded," said Michael Gallant, director of public relations for EMC. "Liability is usually determined if one party breaches a contract or is deemed to have done something negligent. The determination of liability would be handled on a case-by-case basis."
"I'm not going to jump into liability issues," said Abbot Schindler, senior technologist for HP's Storageworks division. "That's a legal issue and I'm not sure I can address it."
"Our primary storage vendor is HP," one user said on ITKE. "And they aren't giving us definitive answers about the data on failed hard disks nor can they guarantee that our data will be protected and destroyed before sending the disk to the next location after repair. I would expect the storage vendor to accept responsibility for destroying the information on the disks -- but HP isn't giving us the necessary comfort level about the data on failed drives."
Schindler said HP sends returned drives back to their original manufacturers, and that remanufacturing means different things to different companies. One disk company, he said, might disassemble and "grind up" a disk, while another may simply refurbish the unit and send it back out into the world. He said HP had no formal process of tracking what the original manufacturers did with failed disks.
Generally speaking, users said, a third party handling your disks away from your data center should be experienced, specialized and legally accountable. One day that may be the disk vendor or manufacturer, they said, but for now there are independent companies, such as OnTrack Data Recovery or Iron Mountain Inc., that offer guaranteed secure services.
Ressler and Osborne agreed that users sending disks to any of these vendors should still transport disks personally or use a secure courier, ask for a certified statement of security from the company and require that the failed disk be returned so destruction could still be performed in-house.
"In our situation, it's not applicable," Osborne said. "We just don't let data go out. But if users have to send data elsewhere for some reason, my suggestion would be to either have a contract with their vendor laying out minimum privacy and nondisclosure requirements or to use a third-party service that's bonded, experienced and could guarantee security."