Reusing hardware: Erase data but leave an audit trail

Connect with state & local government leaders
Join Our Community
Featured eBooks
A New Era of Social Media Regulation
Strengthening State and Local Cyber Defenses
Making AI Work for Government
Insights & Reports
Get to know Bedlock Safety
Presented By BedLock Safety
Download Now
Using AI-powered location intelligence, state and local governments can build a sustainable future
Presented By Nearmap
Download Now
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

The ability to document the erasure of data from hard drives makes it easier for Santa Barbara County, Calif., to reuse computers rather than destroy them when it's time for replacement.

Santa Barbara County in California manages computers for most of its roughly 4,000 employees, and it also maintains servers and storage devices. Each year, about 1,000 machines reach the end of their life with the county, but they typically don't land in a junk pile.

“We try to surplus everything that we can,” said John Snyder, the county’s electronic data processing automation specialist.

That extends the life of the machines, in effect reducing their carbon footprints, and can save the county money. But the county must ensure that it removes all data from the drives without destroying them, which can be time-consuming.

“Anything that can help automate the process is helpful,” Snyder said.

The county found help from Blancco, a company based in Finland that's moving into the United States. The company’s erasure tool lets users erase data so it cannot be recovered and create an audit trail for the process. Santa Barbara users can download the tool and use it in a decentralized environment, which is important in the sprawling county on the Pacific coast north of Los Angeles, with offices as far as an hour away from the county seat.

Related stories:

What's required to overwrite classified data

Clean sweep

At the GCN Best of FOSE Awards, a glimpse of the future

“The county has a lot of different departments,” Snyder said. “The management and surplussing of computers is a challenge.” But what really sold the county on the tool was the availability of a centralized database service that allows officials to document the erasure of drives without having to lay hands on every machine. “The surplus people can look at the database and see if the machine has been wiped. That saves them a ton of time.”

Data erasure products are not hard to come by, said Markku Willgren, president of Blancco’s U.S. division. “But erasure is just the first step,” he said. “You need to have proof of it if you are challenged. The audit trail is perhaps the vital component.”

With sensitive information now being created, stored and used digitally and with computers, servers and storage devices being regularly upgraded and replaced, ensuring that data is not accessible when computes leave the control of their original owners is a growing security problem. Deleting data or formatting a drive isn't adequate protection because that process merely removes index allocation tables and pointers to the data. That makes data harder to find, but it is still there and can be recovered by someone using forensics tools.

Degaussing, which uses strong magnetic fields to destroy data, is effective, but it destroys the drive, making the hardware worthless. It also can be labor intensive, because someone usually must remove the drives first.

Erasure is a third option. The term is something of a misnomer because data is not erased but overwritten with random bits. After a bit has been overwritten, it no longer is readable. The trick to making it effective is to ensure that every original bit is overwritten. Making a single pass over the drive is not enough, because the pattern of coverage on the overwrite might not exactly match the original pattern, leaving some original bits uncovered. The general standards for effective erasure call for three to seven overwrites, depending on the sensitivity of the data.

Another problem is that some sectors of a drive often are hidden from an operating system and BIOS, so a simple utility that gives a command to overwrite doesn't see those areas.

“We work much closer to the hardware in our R&D,” Willgren said, adding that the company works with manufacturers to ensure that the Blancco tool has access to hidden sectors.

The popularity of erasure over degaussing or physical destruction is growing, Willgren said.

“It’s becoming more standard because the drive is reusable afterward,” he said. “That is one of the big arguments for this. It is greener and more sustainable.”

Sustainability drew Santa Barbara County to erasure, but it was not always convenient.

“We had a process in place for surplussing equipment,” but it was centralized and created a choke point, Snyder said. “They had to power up every machine that came through and see if there was anything on it.” And there was no audit trail. “What it lacked was the ability to have good documentation through the life cycle.”

The Blancco tool eliminated the need to erase or check each computer with a centralized database in which the erasure is documented with the serial number and a digital fingerprint of the drive, which Willgren described as a death certificate.

The tool also is available as a download or bootable CD that can run on the computer that houses the drive, which eliminates the need to remove and install the drive on another platform for erasure. That also allows local departments to conduct erasures, helping to avoid choke points at a central location.

“There are fewer chances for things falling between the cracks,” Snyder said.

Each department has users authorized to do erasures. When someone boots the Blancco CD on a computer to be cleaned, the user authenticates with the central database before erasing data on the computer. Each department has an account that contains records of its equipment, and there is a central account that lets those disposing of surplus equipment view all records.

Customers can maintain their own database in-house with a management console, but Blancco also offers it as a hosted service, which Santa Barbara County opted for.

“It was cost effective to use their service as opposed to having our own server,” Snyder said.

The time required to fully overwrite a drive varies based on the size of the drive and speed of the computer. But as a rule of thumb, it takes about a minute to overwrite a gigabyte of memory three times. That can add up for a large drive, but the software can write over multiple drives at the same time to hasten the process, and it does not require oversight after it begins.

Santa Barbara County is using the PC and server editions of Blancco, which are the most popular. Willgren said interest is growing in the company's tool for cleaning storage devices. Blancco also offers programs for erasing mobile devices, such as smart phones, a market that he predicted will explode.

State and local governments are the most common government customers for Blancco, though the company has military and civilian users in the federal government. Some federal customers that require physical destruction of drives for disposal use Blancco to first erase the data and create an audit trail, Willgren said.

The company is pursuing an evaluation under the Common Criteria for security products.

“The lack of Common Criteria has been a roadblock to federal adoption,” Willgren said, although its use without the certification is not prohibited because no performance profile for such a tool has been developed. “We see a large potential in the federal government.”

NEXT STORY: WikiLeaks impels White House to order classified data security review

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.