Concerns about data security and privacy are no longer restricted to just IT and security professionals. Due to more mainstream security breaches – as well as documentaries like Netflix’s The Great Hack – people everywhere are now concerned about the disturbing implications of today’s data-saturated environment.
The costs of setting up and maintaining a data center can be astronomical. Even if situated on existing property, data centers cost an estimated $200 per square foot to build. This figure does not include the tens of thousands of dollars that could be spent to have fiber installed to reach the location, nor the daily operating expenses the facility incurs in and of itself.
To maximize ROI, data center operators often skimp on hardware and software upgrades/installations when their current system has reached end-of-life. Some operators also waste physical space storing old equipment that contains sensitive or classified data because they lack the means to destroy it. Many data centers rely on third-party solutions that may be ineffective; in fact, these ‘solutions’ can often end up costing exorbitant amounts in instances like breaches of equipment that ‘escaped’ destruction. Ultimately, the failure to create and act on a thorough in-house end-of-life destruction can cost data centers in several respects, including lost business to better-equipped, more-secure facilities and financial penalties for noncompliance with regulations like GDPR.
The Importance of Having an In-House Data Security and Destruction Process
The first rule of data security is to maintain control of the data throughout its entire lifecycle – something that’s simply not possible when using a third-party destruction vendor. A 2017 study from Kroll Ontrack demonstrated how assurances from third parties often prove meaningless. The company purchased 64 used drives on eBay and discovered that many of them still contained sensitive information despite the sellers’ assertions that the devices had been effectively wiped. In 2009, BT’s Security Research Centre headed a study examining the purchase of 300 secondhand hard disks. Alarmingly, one disk contained classified details regarding the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system used to shoot down Scud missiles in Iraq. It’s an eye-opening reminder that to guarantee complete, error-free data end-of-life destruction, data centers must assume firsthand control and oversight of the processes.
Wiping or Storing Old Equipment is Insufficient
New data privacy regulations are sprouting up all around the world thanks to cases like these. US states are enacting their own laws to protect consumers privacy. The California Consumer Privacy Act (CCPA) for example, allows customers to sue companies if the privacy guidelines are violated, even if there is no breach. The state of New York follows suit enabling consumers also to file lawsuits against individual companies who violate those guidelines. The GDPR is Europe’s strongest data protection rules for consumers. India also enacted their initial take on privacy guidelines in late 2019, requiring that technology companies gain consent from citizens before collecting personal data. All of this data is stored on media, whether digital or paper, making it more critical than ever to thoroughly destroy information at end-of-life.
By not destroying hard drives and relying on data wiping instead, data centers greatly increase the chances that the data can fall into the wrong hands. Many organizations retain outdated devices simply because they are unsure of how to dispose of them. In 2015, Fortune 500 health insurance provider Centene Corporation realized that six unencrypted hard drives containing protected health information for 950,000 people went missing. In August 2019, the New York City Fire Department lost a hard drive containing over 10,000 medical records. Clearly, even ONE drive can wreak havoc on an organization if the data on it is compromised.
The most effective compliance solution for data at end-of-life involves in-house destruction of data storage devices to NSA standards. When owning in-house destruction equipment, you will save costs in the long-term by avoiding third-party service fees and the catastrophic consequences of a major data breach and its associated fines.
The post "Why Data Centers Need Formal End-of-Life Process" was first posted on infosecurity magazine, written by Heidi Parthena White