Reusing hardware: Erase data but leave an audit trail
California county extends IT life with auditable data erasure
Santa Barbara County in California manages computers for most of its roughly 4,000 employees, and it also maintains servers and storage devices. Each year, about 1,000 machines reach the end of their life with the county, but they typically don't land in a junk pile.
“We try to surplus everything that we can,” said John Snyder, the county’s electronic data processing automation specialist.
That extends the life of the machines, in effect reducing their carbon footprints, and can save the county money. But the county must ensure that it removes all data from the drives without destroying them, which can be time-consuming.
“Anything that can help automate the process is helpful,” Snyder said.
The county found help from Blancco, a company based in Finland that's moving into the United States. The company’s erasure tool lets users erase data so it cannot be recovered and create an audit trail for the process. Santa Barbara users can download the tool and use it in a decentralized environment, which is important in the sprawling county on the Pacific coast north of Los Angeles, with offices as far as an hour away from the county seat.
“The county has a lot of different departments,” Snyder said. “The management and surplussing of computers is a challenge.” But what really sold the county on the tool was the availability of a centralized database service that allows officials to document the erasure of drives without having to lay hands on every machine. “The surplus people can look at the database and see if the machine has been wiped. That saves them a ton of time.”
Data erasure products are not hard to come by, said Markku Willgren, president of Blancco’s U.S. division. “But erasure is just the first step,” he said. “You need to have proof of it if you are challenged. The audit trail is perhaps the vital component.”
With sensitive information now being created, stored and used digitally and with computers, servers and storage devices being regularly upgraded and replaced, ensuring that data is not accessible when computers leave the control of their original owners is a growing security problem. Deleting data or formatting a drive isn't adequate protection because that process merely removes index allocation tables and pointers to the data. That makes data harder to find, but it is still there and can be recovered by someone using forensics tools.
Degaussing, which uses strong magnetic fields to destroy data, is effective, but it destroys the drive, making the hardware worthless. It also can be labor intensive, because someone usually must remove the drives first.
Erasure is a third option. The term is something of a misnomer because data is not erased but overwritten with random bits. After a bit has been overwritten, it no longer is readable. The trick to making it effective is to ensure that every original bit is overwritten. Making a single pass over the drive is not enough, because the pattern of coverage on the overwrite might not exactly match the original pattern, leaving some original bits uncovered. The general standards for effective erasure call for three to seven overwrites, depending on the sensitivity of the data.
Another problem is that some sectors of a drive often are hidden from an operating system and BIOS, so a simple utility that gives a command to overwrite doesn't see those areas.
“We work much closer to the hardware in our R&D,” Willgren said, adding that the company works with manufacturers to ensure that the Blancco tool has access to hidden sectors.
The popularity of erasure over degaussing or physical destruction is growing, Willgren said.
“It’s becoming more standard because the drive is reusable afterward,” he said. “That is one of the big arguments for this. It is greener and more sustainable.”
Sustainability drew Santa Barbara County to erasure, but it was not always convenient.
“We had a process in place for surplussing equipment,” but it was centralized and created a choke point, Snyder said. “They had to power up every machine that came through and see if there was anything on it.” And there was no audit trail. “What it lacked was the ability to have good documentation through the life cycle.”
The Blancco tool eliminated the need to erase or check each computer by providing a centralized database in which the erasure is documented with the serial number and a digital fingerprint of the drive, which Willgren described as a death certificate.
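The overwrite-then-document workflow described above can be sketched as follows; this is an added example, not Blancco's code or the county's process. It assumes a file-backed image stands in for the drive (a file-level overwrite does not reach hidden sectors), and the record fields, the HMAC key and every function name are hypothetical, with the "fingerprint" taken to be a SHA-256 of the final pass.

```python
import hashlib, hmac, json, os, tempfile

CHUNK = 64 * 1024

def overwrite(path, passes=3):
    """Overwrite every byte with fresh random data; return SHA-256 of the last pass."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    for _ in range(passes):
        digest, left = hashlib.sha256(), size
        with open(path, "r+b") as f:
            while left:
                block = os.urandom(min(CHUNK, left))
                f.write(block)
                digest.update(block)
                left -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next one
    return digest.hexdigest()

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def _mac(fields, key):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def erase_with_certificate(path, serial, operator, key, passes=3):
    """Erase, verify by read-back, and return a tamper-evident audit record."""
    written = overwrite(path, passes)
    record = {"serial": serial, "operator": operator, "passes": passes,
              "bytes": os.path.getsize(path),
              "fingerprint": written,  # assumption: hash of the final overwrite pass
              "verified": sha256_file(path) == written}
    record["mac"] = _mac(record, key)
    return record

def certificate_is_valid(record, key):
    """True only if the record is unmodified and the read-back check passed."""
    fields = {k: v for k, v in record.items() if k != "mac"}
    ok = hmac.compare_digest(_mac(fields, key), record.get("mac", ""))
    return ok and fields.get("verified") is True

def make_sample_image(marker=b"SSN 000-00-0000 (constructed)", size=256 * 1024):
    """Constructed stand-in for a drive: a temp file filled with a known marker."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * (size // len(marker)))
    return path
```

A reviewer holding only the key and the record can confirm the wipe was verified and that the serial number was not altered afterward, without powering up the machine.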
The tool also is available as a download or bootable CD that can run on the computer that houses the drive, which eliminates the need to remove and install the drive on another platform for erasure. That also allows local departments to conduct erasures, helping to avoid choke points at a central location.
“There are fewer chances for things falling between the cracks,” Snyder said.
Each department has users authorized to do erasures. When someone boots the Blancco CD on a computer to be cleaned, the user authenticates with the central database before erasing data on the computer. Each department has an account that contains records of its equipment, and there is a central account that lets those disposing of surplus equipment view all records.
Customers can maintain their own database in-house with a management console, but Blancco also offers it as a hosted service, which Santa Barbara County opted for.
“It was cost effective to use their service as opposed to having our own server,” Snyder said.
The time required to fully overwrite a drive varies based on the size of the drive and speed of the computer. But as a rule of thumb, it takes about a minute to overwrite a gigabyte of memory three times. That can add up for a large drive, but the software can write over multiple drives at the same time to hasten the process, and it does not require oversight after it begins.
Santa Barbara County is using the PC and server editions of Blancco, which are the most popular. Willgren said interest is growing in the company's tool for cleaning storage devices. Blancco also offers programs for erasing mobile devices, such as smart phones, a market that he predicted will explode.
State and local governments are the most common government customers for Blancco, though the company has military and civilian users in the federal government. Some federal customers that require physical destruction of drives for disposal use Blancco to first erase the data and create an audit trail, Willgren said.
The company is pursuing an evaluation under the Common Criteria for security products.
“The lack of Common Criteria has been a roadblock to federal adoption,” Willgren said, although its use without the certification is not prohibited because no performance profile for such a tool has been developed. “We see a large potential in the federal government.”
William Jackson is a senior writer of GCN and the author of the CyberEye blog.