Data Destruction: The Final Step For Big Data
It’s no secret that these days, most organizations are up to their ears in Big Data–and most can’t get rid of it fast enough. (Just think tens of millions of computers, housing every piece of data imaginable, from credit card and bank records, to healthcare information and blueprints, ripe for the picking in a veritable digital wasteland.)
Consequently, business intelligence and analytics, especially with the aim of conducting some type of information triage, is becoming a booming business as organizations madly scour their systems to shed their hard drives and servers of myriads of unusable data. Not surprisingly, a March 2012 IDC study indicated that Big Data technology services are expected to grow from $3.2 billion in 2010 to $16.9 billion in 2015, representing a compound annual growth rate of 40 percent, or about 7 times that of the overall information and communications technology (ICT) market.
But where does all that data go when it’s no longer needed–especially if it isn’t encrypted or sanitized? The answer to that question is often more complicated than it might seem.
Guillaume Lovet, senior manager of Fortinet’s EMEA Threat Research and Response Center, said that many regions have some kind of industry standard that delineates guidelines for the disposal of sensitive data along with storage media. In the U.S., one of the most established standards is the National Industrial Security Program (NISP) Operating Manual.
However, whether organizations actually adhere to those guidelines is another matter. And unfortunately, many don’t. Lovet cited studies in Australia (Valli, 2004) and the U.K. (Jones, 2005) indicating that more than 90 percent of examined hard disks were discarded in an easily recoverable state, while in the U.S. organizations overwhelmingly failed to properly cleanse hard disks of data before their disposal (Garfinkel & Shelat, 2003).
In light of an IT security landscape replete with identity theft, targeted attacks and cyberespionage activities, such carelessness doesn’t bode well for the state of cybersecurity.
“As an example, in 2008, an Oklahoma City citizen bought a server at an auction; it turned out the computer used to belong to the Tax Commission of Oklahoma and still contained the intact, unencrypted Social Security numbers of 5,000 identifiable citizens,” Lovet said. “Given the current state of sophistication in Cyberwarfare (i.e. nation-state built worms crawling into Uranium enrichment plants and destroying the turbines - see Stuxnet) the example above is likely a tiny emerged part of the iceberg.”
Often organizations dismiss information that can’t immediately be linked to identity theft as inconsequential. However, the emergence of whistleblower sites such as WikiLeaks, not to mention a slew of hacker forums and humiliating shenanigans of global hacker collectives, has all but proven that data leaks of all kinds could have dire ramifications.
And no doubt, the consequences for negligence could be severe, ranging from disclosure of users’ personally identifying information to very calculated theft of classified data, source code, trade secrets or intellectual property. Yet while potentially destructive, this kind of data leak is one of the easiest to avoid, Lovet said.
There are, however, readily available solutions on the market to assist organizations inundated with data and bewildered as to how to dispose of it. Software solutions that completely overwrite the hard drive–not just delete files–are often sufficient to sanitize all sensitive information, while still salvaging the hard drive for future use. Users can also apply a technique known as degaussing, which essentially breaks down the magnetic field that bonds a hard drive’s bits and bytes, rendering the information useless. And when in doubt, individuals can ensure sensitive data will never be accessed, much less used, with actual physical destruction of a data storage device.
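The difference between an overwrite and a check that it actually worked, as an added example that is not part of the original article: a small image file stands in for a drive, and the function names, block size and sample record are constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # bytes written and checked per I/O (assumed block size)

def overwrite(path, passes=1):
    """Overwrite every byte of `path` in place with zeros and flush to disk."""
    size = os.path.getsize(path)
    zeros = bytes(BLOCK)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                f.write(zeros[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass out of the OS cache
    return size

def residual_blocks(path):
    """Return the offsets of blocks that still hold any non-zero byte."""
    leftovers = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):
                leftovers.append(offset)
            offset += len(chunk)
    return leftovers

def make_sample_image():
    """Constructed 64 KiB image with one fake record left in 'free space'."""
    img = bytearray(16 * BLOCK)
    record = b"name=Jane Example;ssn=000-00-0000"  # constructed, not real data
    start = 5 * BLOCK + 100
    img[start:start + len(record)] = record
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(img)
    return path

if __name__ == "__main__":
    path = make_sample_image()
    print("residual before overwrite:", residual_blocks(path))
    overwrite(path)
    print("residual after overwrite: ", residual_blocks(path))
    os.remove(path)
```

The verification pass is the part that catches a drive leaving the building in a recoverable state: an empty result from `residual_blocks` is the evidence to record before disposal.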
Meanwhile, it should be noted that adequately encrypting the data on hard drives will also make illicit data retrieval impossible. And looking ahead, that metaphoric “ounce of prevention” could be key in saving users costly hours of data destruction or time spent worrying that their most sensitive information has fallen into the wrong hands.