The Most Dangerous Backdoor to Your Data Center’s Security
In 2005 one of the largest banks in the U.S. lost data tapes with credit card numbers and social security numbers of 1.2 million federal employees, including senators.1
In 2007 a single stolen data tape in Ohio contained the social security numbers and private information of 1.3 million individuals and businesses.2
In 2008 a Fortune 500 company had a computer tape stolen from a delivery truck that contained the names, addresses, birthdays, Social Security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of hundreds of employees. In addition, the tape has Social Security and address information about dependents of former and current employees.3
A single misplaced, improperly stored/transported, or improperly disposed of data tape or hard drive can be catastrophic to any organization, their clients and employees. This breach, even if the theft never ends in abuse, creates a breach in trust that can damage a reputation for years.
Portable magnetic computer tape storage devices have been prevalent in the data processing world close to 50 years. This storage media has been invaluable in processing, storing, and restoring huge amounts of information for a relatively small cost.
Technology in this arena is fast moving and ever changing. As a result, in the past several years the capacity, speed, and price of magnetic storage (computer tape cartridges) have made incredible advancements. A common tape cartridge sold today has a compressed capacity of 1.6 terabytes.
The message is quite simple. In these very small packages are stored enormous quantities of data including company financials, payroll, proprietary files, human resources records, medical, personal, social security, investment, and identity information. The tape and its contents absolutely must be managed properly.
As technology changes, newer, faster, cheaper and more compressed types of computer tape cartridges are adopted, the older tape cartridges are retired. Most of this retired tape still holds valuable data. Security and liability issues make the destruction of this tape (and more importantly, the data) a real serious concern. The legal, security, facilities, IT, and management departments all have the same concerns in disposition of this media. As a result, many times the tape sits idle in the computer facility, tape library, or off-site storage location taking up valuable space and naturally poses a higher exposure to loss.
Over the years many solutions have been proposed to this growing problem. But on-site degaussing, shipping to an incineration site, or manual one-by-one destruction options all have significant issues with time, cost, or risks of security breach.
If sent off-site for total destruction, once those cartridges, holding live data, leave the confines of the data processing center, tape library, or off-site storage facility, a lot of bad things can (and have) happened. Consider trucking accidents where the trailer is wrecked and computer tape spread onto the highway. The shipment is occasionally delivered to the wrong location, delayed because of weather, goofs, or miscommunication. Once delivered to a destruction or incineration plant, the tape is generally staged and/or batched with other materials, allowing further possibilities of loss, theft, viewing, and other general mistakes. While there are methods and procedures to minimize exposure, including shadow trucks, company personnel as passengers, satellite tracking, etc, the possibilities remain very real that this densely packed media can be compromised at some point along the transportation trail.
Degaussing is generally effective when proper attention is paid; the degausser has the capacity and strength to fully erase data. Many cartridges require multiple passes to ensure total erasure. Only the best grade and sturdy commercial degaussers can be operational for more than a few minutes at a time. The equipment is expensive and one particular degausser will not necessarily be the panacea for every type of computer tape in the library because of various cartridge density or size considerations. Costs for internal personnel resources and time play significant roles as well. Degaussing is a very slow, monotonous process.
Tape guillotines, whether manual or automated will destroy a tape cartridge…one at a time. Multiply the size of the tape library to be destroyed by a couple of minutes per cartridge to determine how many hours are involved. Add to it the cost and maintenance of the machine, the manpower, space, diversion and time. At the end, the computer tape, while totally un-useable or recoverable, still has to be disposed of properly.
Ultimately, best practices dictate that certified on-site secure shredding of computer tape or hard drive is a complete, thorough, visual, real-time and proof-positive shredding method for destruction and disposal. This is an out-sourced service performed at the actual data center location under the supervision of any concerned employee in the company and in full view of all security devices, cameras and video monitoring systems. The process is quite fast, completely destroying tape cartridges. Several hundred can be shred every 4-5 minutes, with a constant flow possible, giving a capacity of tens of thousands in less than one 8-hour shift. Once the destruction process is complete, the mobile shredding vehicle leaves the facility and all liability, security, disposal, and logistical concerns are eliminated.
Hard drives, whether they are laptop, desktop, or server varieties all also carry the same concerns as retired tape. Hard drives can also be securely shredded on-site using the same certified procedures.
If transport is required then encrypted digital transport is recommended, followed by certified on-site destruction of the physical media.
About Mobile Data Shredding, Inc.:
Mobile Data Shredding, Inc. provides secure, on-site tape/hard drive/document destruction services to the Baltimore, Washington DC, Boston, Philadelphia, and general Northeast and Midlantic regions. For more information visit http://www.mdshred.com or call (877) 225-6010.
About the Author: Mike Dodson, founder of Mobile Data Shredding, is a nationally recognized data destruction expert with over 25 years in the data processing and computer media industry. He has provided consulting services and support to Fortune 500/100/50 corporations across the nation.
Sources:
1 http://www.msnbc.msn.com/id/7032779/
2 http://privacy.org/archives/002096.html
3 http://www.breachblog.com/2008/07/18/bms.aspx
This whitepaper was also published on the Data Center Journal: http://datacenterjournal.com/content/view/2867/40/
Back