December 2012

Myths about ITAD

Myths about IT Asset Disposition (ITAD) Data Erasure

By: Cindy Miller, LifeSpan Technology Recycling

Data security is a top priority for most organizations when disposing of their IT assets. Sensitive data must be cleared from the drives of retired IT equipment before it can be remarketed. However, many misconceptions exist about the process, standards and technology related to data erasure. Here, we try to clear up a few:

Myth #1: “It’s cheaper to do it myself.”

Truth: While many organizations believe it’s less expensive to permanently erase data from IT equipment in-house than by partnering with an asset disposition solution provider, some basic math reveals costs that may be overlooked. Consider what your organization pays its technicians and the value of the time it takes them to set up, perform the erasure, and document it. There’s also the cost of taking your team away from a project that may be more strategic for your organization. Finally, there are costs associated with the space, systems, and software required to perform data erasure. Make sure you consider all the costs.

Myth #2: “It is more secure to use my team than to outsource data erasure.”

Truth: Security is the whole purpose of erasing data from retired IT equipment. Some companies reason that the best way to ensure total data erasure is to do it internally. That way, they have total control of the process. However, LifeSpan has found that as many as 10 percent of the drives it receives from clients who say they have erased the data on them still contain some form of data, either in remnant form or completely intact. For firms concerned about security, this is a major risk. Your IT team may be skilled in a number of areas, but they may not all be familiar with proper data erasure procedures, or they may be doing multiple things during the erasure process and not be able to ensure the end-to-end quality of the process. A staff dedicated solely to data erasure at a certified partner, on the other hand, will be trained in the process, software tools, standards and best practices. They can offer a documented data erasure process certified according to industry standards.

Myth #3: “Freeware works well enough for us.”

Truth: You can’t beat free for the cost of data erasure software. But free isn’t always free when you factor in the loss of productivity from using slow and inefficient software, and the time it takes to manually document each drive that is wiped. Free software often comes from unknown sources and its creators may rarely, if ever, update it. Carefully review your tool’s origins and documentation, and have a process to quality check the results.

Myth #4: “I trust the local vendor that I’ve been using for years.”

Truth: Just because your organization has been partnered with the same vendor for years doesn’t mean that vendor can always be counted on for complete data erasure. It only takes one drive to get through the process with data still on it to cost your company a significant amount of money and time. If you use a certified IT asset disposition vendor, you can be sure that it meets the highest standards for data erasure and its entire disposition process has been documented. The National Association for Information Destruction (NAID) is one of the major certification bodies that focus exclusively on security, and it performs both an annual and a surprise audit each year on the organizations it certifies. By working with a certified ITAD provider, you’re saving yourself the trouble of checking up on the work of your vendor, because it’s already been done for you.

Myth #5: “I am protected because I encrypt my drives.”

Truth: While encryption is a good deterrent against those who try to access the data on your drives, it is not an accepted data sanitization standard. Though it’s in a derivative form, the information is still there. The technology may not currently exist to access it in a commercially viable way, but that could change in the future as new techniques are developed. For asset retirement, proper data erasure will provide you with an electronic record that the data has been completely destroyed and no remnants remain.

In the previous post, we discussed some common misconceptions about data erasure, which is a top priority for most organizations that deal with the disposition of their IT assets. We found that performing data erasure internally—using your organization’s own staff and resources—is not always the least expensive, most secure way to handle it. Here are five more myths to consider as you plan to optimize your organization’s IT asset disposition program.

Myth #6: “I destroy all my drives to be secure.”

Truth: All the major standards organizations accept proper data erasure as equal to the physical destruction of drives. IT assets without hard drives lose about 20 to 30 percent of their remarket value. On the other hand, erasure does cost money, so erasing data from equipment that won’t have resale value is a waste. One method, whether erasure or destruction, does not fit all the possible disposition scenarios. A good ITAD vendor can help you analyze the different factors and create a plan that balances remarket value with risk and security.

Myth #7: “Solid state drives (SSDs) cannot be erased.”

Truth: Solid state drives have become a popular alternative to magnetic drives. Although they appear to operate the same as magnetic drives, their underlying technology is quite different. Some believe data can never be fully erased from solid state drives. However, experts at the University of California, San Diego Department of Computer Science and Engineering Non-Volatile Systems Laboratory (NVSL) have found that performing Secure Erase and software-based sanitization together can be effective for erasing readable data on these drives.

Myth #8: “I erased the drives, so I’m covered.”

Truth: Simply believing data has been erased from retired equipment at some point is not enough to give IT managers peace of mind. Where is the equipment stored prior to erasure and where does it go after? Without a documented process and a clear chain of custody, there is a risk that equipment with data that hasn’t been erased can slip through the cracks in the process and into the outside world. A well-documented disposition process is a necessity for any organization that is concerned about data security.

Myth #9: “The standard for data erasure is DoD (Department of Defense), three-pass or seven-pass.”

Truth: The Department of Defense standard for data erasure, DoD 5220.22-M, often referred to in the industry as simply “DoD,” has been surpassed. The latest U.S. government standard, developed by the National Institute of Standards and Technology and Homeland Security, is NIST 800-88. The previous DoD requirement of 3 passes is effective. However, experts say, modern drives are much more accurate at writing than drives from 20 years ago, and really require only one pass to sanitize all data.