Intelligent Lifecycle Solutions
Saturday, 17 October 2015
It's not about the erasure, it's about the data about the data erasure - well almost
It amazes me that after the best part of 20 years erasing data I still meet people who don't "get" the importance of data erasure. Technically it's not difficult but it must be absolute. Like a climber’s rope; few will marvel at the structure and make up of a rope but you sure as hell don’t want it to fail and even if it does you want a fail-safe.
The founder and ex-CEO of Blancco Kim Väisänen once said, "It's not about the erasure, it's about the data about the data erasure". At the time especially coming from Kim it slapped me round the face. There are dozens of tools which can send a simple known command to a drive. The key is to prove the device has done what you have told it to and then proving that with a traceable output which confirms that something was completed, by whom, when, what and where. The traceability is as such at least as important as the function.
Kim Väisänen also once said to me “a fool with a tool, is still a fool”. He meant that even if you develop the very best tool to do a job in the hands of a human being mistakes will always be made. I once toured a large ITAD in West Chicago. The IT chap showed me the erasure line which used CD’s and stickers. I asked “what happens if you make a mistake” and he answered “we don’t”. He and his team are the first perfect human beings I have ever met. They really shouldn’t be erasing hard disks but should have applied their skills to open heart surgery perhaps.
So using a tool to erase is the simple part in that technically it’s not very challenging. Traceability and proof and preventing on-sale if there has been a mistake are far more challenging. Capturing the unique details of the hard disk drive and parent device is a part of this. Recording the operator, date and time and what has been undertaken is another, however far more important are the fail-safes.
What happens when the power fails or the fire alarm goes off half way through? What happens when somebody makes a mistake and puts the label on saying the drive is safe when it is not? This is especially a risk when an operator is doing boring repetitive tasks.
It’s more complicated than simple reporting. The business process needs to check and inspect that the drive and device are safe before allowing the on-sale or shipment of either the hard disk or the parent device. In real terms this is far greater a risk then either the tool used or the number or patterns of overwrites. Joe going on his lunch break or replying to a text message from his girlfriend rather than this tool, or that is a greater real world challenge.
Sending a command to a drive is simple. Ensuring 100% human accuracy requires systematic fail-safes. I agree that erasure is just one part of the data-lifecycle however it is an important one. Think of all the money spend on retention of data and protection of data such as encryption. Destruction is the end of the data-life cycle and in the future we will need to prove that this has been successfully completed.
Labels:
blancco,
data breach,
data erasure,
data lifecycle,
data recovery,
data security,
personal computer,
personal data,
residual data
Monday, 14 September 2015
Too busy to think Data
This week we failed to help a friend in need. He'd left a single copy of those everso valuable baby photos on his Laptop and failed to back it up. I really feel for him. Despite a platter change and a huge amount of effort it was too late. Technically it's possible to recover data from mechanically damaged platters but sadly baby photos don't justify the cost.
These days we have free Cloud services thrown at us from multiple providers however most corporations quite rightly prevent or block them as they can lead to uncontrolled business data leaking in to private cloud space. It's easy to do if not controlled.
In the past we have found extremely sensitive data on discarded "home computers". I remember the launch sequence of a missile system being one! One can imagine an under pressure worker bringing home some important work to finish off over night, probably on an uncontrolled USB stick and copying it on to his home PC. That's two uncontrolled copies before we consider factors such as the cloud.
In my friend's example however it's the opposite. He works for a company who manage their data very carefully. Whilst he's obviously been able to copy his personal data to the device it's excluded from his normal business data and so it's not backed up. All hard disks will fail at some point so this is a time bomb.
My point is that due to human nature we fail to consider the implications of our data actions. We just assume it will be there when we need it and not there when we need it gone. But this is very often not the case and is always a rash assumption.
Just like a warehousing error is very often in fact two errors; 1) where something should be and 2) where it actually is... we have the same consideration with data. We must consider BOTH where we want data to be and where we do not want data to be.
What The Cloud does is enables the data to be in a dozen places at once without us thinking about it. Yet that's exactly what we need to do. Think about it.
Labels:
back up,
cloud,
data recovery,
data security,
personal computer,
personal data,
residual data,
smart phone,
tablet
Tuesday, 1 July 2014
Data Data Every Where
You’d have to be comatose not to notice the massive increase
and proliferation of data devices. Those
of you who know me know I am a huge fan of the Glastonbury Festival. Even at Glastonbury this year you could see
crowds of people drudging through the mud glued to the screen of their smart-phone. EE cleverly deployed 4G WiFi cows painted in
their branding to connect up 250,000 festival goes and workers. It didn’t work. I could see telecom masts on each hillside, we
had 4G WiFi cows and yet I still couldn’t effectively get online.
This was of course due to the insatiable demand of the
consumer for more data, more devices – “we need more power Scotty”. Well, the
shift has moved from processing power to pure volume of data. From the device to the data-centre of course. The other power needed was of the 5 volt DC
type and EE had another cleaver idea – a swap out charging cell for your
phone. Neat idea but AGAIN – hugely oversubscribed
and they couldn’t recharge them fast enough.
So, what I observed was a huge number of avid music fans in
a very muddy field all struggling with their addiction… no, not that, their
addiction to data. This is a huge change
in just a few years. We are addicted to
our data-fix and yet there is something really strange. We don’t have a clue and don’t really seem to
care where our data actually is. We just
push it out in to the cloud and expect it to be there and safe for when we
require it.
It’s a small wonder the heavens opened twice over the
weekend with an electrical storm which stopped the festival for 40 minutes. I think it was all the data and the cloud just
couldn’t cope and this caused the storm.
It simply has to let go of some of that energy.
But seriously; who is keeping track? Why don’t we care? How
can it be managed if we don’t really know or care where our data is held? We seem to go through a huge change sometimes
called growth, then realise we didn’t consider the consequences and then catch
up trying to put things right after the event.
It’s a massive technology change and social change and yet we take the
security and even location of data for granted.
Labels:
data security,
Glastonbury,
ipad,
iphone,
personal computer,
personal data,
policy,
residual data,
smart phone,
tablet
Monday, 14 April 2014
Typical Blogger P**s Poor Performance
Oh,
what a fail! It cannot be January since my last post. I have fallen
in to that age old trap of starting off so well and then letting time slip away
beneath me.
I
apologise! However, SO much has been
happening. Those who follow my
micro-blog tweets (What? You don’t! https://twitter.com/iLifecycle)
will have seen a lot of it.
As
a business it’s been a pronominal start to 2014. What a great time to be growing a business.
We completed a huge network infrastructure deal with a major OEM in March. It sucked up a huge amount of time and
resources but was delivery without hitch a full 8 days early and under budget. I am extremely proud of my team for this achievement.
We
also secured a major hard drive recovery project utilising a truly unique
technical process which I would dearly love to tell you about but I can’t. Again our technical team have done a fantastic
job.
Outside; the ICO have reported that data breaches have doubled in half a year. The Target databreach just goes on and on and on. Possibly costing
Target up to $18Bn… yes Bn. We have also
seen Experian the trusted custodian of our personal credit data embroiled in a scandal
where they allegedly sold sensitive data to criminals.
Barclays fell afoul of a cleaver but simple breach where persons pretending to be IT
staff attached a wireless KVM to a branch PC and then sat back watching
everything that was going on on the screen from a safe distance.
Aviva staff appeared to have sold accident data to unscrupulous operators and a Pregnancy advice charity were finned £200k for failing to secure registered user data on
their web site.
Perhaps
even more important than the plethora of data breaches is the European
Parliament voting to adopt its draught version of a reformed data protection Directive. MEPs also increased the fines to be imposed
on firms that break the rules to up to €100m or 5% of global turnover.
In
my opinion this changes the data protection landscape for ever. In the late 1990’s and early naughties I
worked through the changes and impact of the Waste Electrical and Electronic
Equipment Directive (WEEE Directive). I
actually think this will have a larger and more profound affect.
The
Directives are issued to all 28 European members as an instruction to go away
and put in place laws and regulations as set out in the directive. This means we end up with 28 differing interpretations
of the directive all implemented at different times however the core principles
are maintained… or should be.
Ministers
broadly supported the principle that non-European companies when offering goods
and services to European consumers, will have to apply the EU data protection
law in full. The next meeting of Justice Ministers on the data protection
reform will take place in June 2014.
OK; so this will have an impact similar to Sarbanes Oxley did to business who do business
with the USA. If you wish to do business
with the EU you will have to comply. This
will be huge. Watch this space (I promise it will be updated in a timely manner from now one)!!
Labels:
Avia,
CIO,
CTO,
data breach,
data mining,
data security,
Experian,
personal data,
phone recycling,
policy,
residual data,
Target
Wednesday, 29 January 2014
BYOD – Bring you own Databreach
I have worked closely with companies who have quite relaxed
policies on BYOD (Bring your own Device).
They liked the idea that if an employee wants an iPhone, this was OK,
as long as they paid for it. Personally;
I blame Ryanair. People are always telling me what a clever business Ryanair
is. They even charge their employees for
training and uniforms.
I’ll resist the Ryanair tangent for fear of this turning in
to a customer service rant and I have strong views on business culture. My point, however, is a simple one. A BYOD device is another device on your
network. It’s a MAC address with a set
of permissions. Allowing a BYOD access
to a network or allowing access to your corporate email system can be little different
from allowing an uncontrolled device to connect up remotely to your business critical
data.
Socially it is expected. It might be small and hugely featured but it’s easily lost
and exposes the weak underbelly of your whole business system. In short; it’s a disaster waiting to
happen. Your BYOD is possibly linked to
a cloud service such as Dropbox or iCloud.
It’s a high resolution camera which might be used to photograph that
White Board so you can write up the notes later.
Remember James Bond with his mini cameras in the classic Bond
movies? Well now we all carry one. Ours are better actually as they don’t need
developing and they transmit and sync our images almost instantaneously to the
cloud whilst our phone is in our pocket.
Now let’s look at email.
I know of situations where member’s of staff have had both personal and
work email accounts on the same BYOD. This
enabled them to forward work email to their home account (with attachments) with
no record on the business exchange server other than the email had been read! This is a security haemorrhage point and
nobody really seem that bothered.
Of course you will be thinking that the Cloud services,
email policy and even the camera could be controlled in a switched-on company. You are probably right and of course they
should be. My point is really one of
attitude.
We all carry these devices with Gigabytes of data on them in
and then out of our business worlds.
They soak up data and information about our habits and movements and
they record highly sensitive data.
BYOD need to be controlled – just like any other business critical
device. Ownership actually complicates
the situation. They need to be controlled,
audited and the risk assessed. Staff
need to be trained. Ownership of the
data needs to be considered with great care and attention. Policies need to be written, implemented and
measured. People need to be
trained. BYOD is not a panacea to cheap
technology infrastructure. BYOD could
become your worst nightmare.
Lastly; what happens when the employee leaves? Is the demarcation
of personal data and business data a clear one? – probably not. If their personal iPhone has been linked to
their home PC (and it probably will have been) then you don’t just have the challenge
of you data being on one device but probably many. Not only that but you probably have no idea
where your business data is.
By its very nature BYOD puts your data in an uncontrolled environment. Phones and tablets are lost and stolen in
huge numbers every day. On average a
London taxi has a phone left it in once every day! The disposal of data and devices upon leaving
the business is an HR minefield and a risk most businesses haven’t even
considered.
Bring you own device? - Bring your own Databreach!
Labels:
bring your own device,
BYOD,
CIO,
CTO,
data breach,
data security,
ipad,
iphone,
personal computer,
personal data,
phone recycling,
policy,
refurbishment,
residual data,
smart phone,
tablet
Monday, 20 January 2014
A Fictional Data Breach Scenario
In 20 years in the technology industry, I have yet to find a
business who has their data under control.
It’s a really tough challenge! It
slips through your fingers like water due to human nature. It’s human nature to take a path of least
resistance to achieve an objective especially when you add pressure to a
circumstance.
I’m going to give a fictional circumstance to a data breach
which is in the public domain but a data breach which I commented on at the time. In May 2009; a disk bought on eBay contained
details of test launch routines for the THAAD (Terminal High Altitude Area
Defence) ground to air missile defence system. The same disk also held
information belonging to the system’s manufacturer, Lockheed Martin, including
blueprints of facilities and personal data on workers, including social
security numbers.
Based on other information found on the disk it was probable
that an employee or supplier or perhaps a consultant took valuable highly confidential
data home and worked on his or her home computer. He (for brevity) might have even deleted local
copies although he probably forgot. He
certainly failed to securely erase data which in the wrong hands could be invaluable.
We’re going to call him John in my fictional scenario. John is under a huge amount of pressure. He’s consulting for his aerospace client having been bought in to cover the sudden sickness of a key member of a program team. This is a bit of a stroke of luck for John as he’s been without a contract for a few months.
At home John is a family man but he has pressure from this
side of his life too. Financial pressure
has been building up. His wife has been
working longer hours to try to cover the shortfall. This has meant John has been helping with the
kids and the school run.
John’s in that horrible stage of a new contract where he
doesn’t know all the team and he needs to build relationships. He’s completed his induction but the pressure
is now on full to catch up for the lost time.
The project didn’t plan for the key man sickness and its John’s job to
catch up.
Today John has to get home on time as his wife’s at work but he must also complete an urgent report. Frustratingly John’s not got his new work laptop yet. He’s getting in to the office as early as he can but today he must leave on time for child care. His new boss and the person who decides his future needs the report “on his desk at 8am, without fail”.
John can’t win. He
can’t leave his children and he can fail in his new job. The pressure is unbearable. His only option is to pull out of his briefcase
a USB flash drive. He plugs it in and tries
to copy the files. Frustratingly his aerospace client has disabled the USB
ports. Then he has a brainwave. He logs on the webmail of his personal
consulting business. Hotmail and Gmail
are blocked but his consulting domain works.
He emails his work to himself, presses send and then logs off. John rushes to collect his kids.
At home John cooks his kids their diner, puts them in front
of an x-box and settles down to his evening’s work. It’s half 12 at night by the time john
finishes. He emails the work back to the office and goes to bed.
Two years later his home PC is upgraded and he recycles the
old one at a local civil amenities site.
The hard drive along with the memory are scavenged by a temporary
employee at the site and are sold on eBay for a few extra dollars.
This scenario is made up but I hope it makes you think just
a little. How waterproof (dataproof?)
are your processes and procedures? Have
you tested for leaks? Do you record and
track when data is accessed and copied?
Is your “bring you own device” (BYOD) policy and control in place?
Confidential data is like water. It finds a way if it’s not contained.
Labels:
BTOD,
data breach,
data security,
personal computer,
personal data,
residual data,
smart phone,
tablet
Tuesday, 10 December 2013
"Data-Safe"
Recently I have heard the term "data-safe" from a number of sources and companies with regard to residual data security. It started me reminiscing about the first time I heard the term used. Now; I am not claiming to be the first to use it or to have invented it in this context however it is a term I have promoted.
I first heard the term in about 1995 when the then Operations Manager at TAM used it in a meeting. Derek Wood was ex-military. He made a really important point. The control of data was similar to the control of munitions in the Army and with the business equivalent of a huge explosion should it ever go wrong.
The military use terms such as "make safe" and they confirm a device is safe habitually before it is passed from one person to another. This chain of custody is also used in the control of data. The metaphor is a strong one and this is perhaps why the term has spread and stuck.
The explosive consequences of a data loss or data breach are huge but well publicised not least of which on this blog. It could be considered an explosion. A damaged brand, a compromised database, a million customers to notify all would be explosions in the world of most CTO's.
Would we carelessly discard an explosive device? They have a habit of sitting undiscovered for years at a time waiting to be made-safe or possibly to explode, the only difference being luck. Perhaps we should treat all data with the same consideration of consequences that the army use for munitions. Or await a big bang.
I first heard the term in about 1995 when the then Operations Manager at TAM used it in a meeting. Derek Wood was ex-military. He made a really important point. The control of data was similar to the control of munitions in the Army and with the business equivalent of a huge explosion should it ever go wrong.
The military use terms such as "make safe" and they confirm a device is safe habitually before it is passed from one person to another. This chain of custody is also used in the control of data. The metaphor is a strong one and this is perhaps why the term has spread and stuck.
The explosive consequences of a data loss or data breach are huge but well publicised not least of which on this blog. It could be considered an explosion. A damaged brand, a compromised database, a million customers to notify all would be explosions in the world of most CTO's.
Would we carelessly discard an explosive device? They have a habit of sitting undiscovered for years at a time waiting to be made-safe or possibly to explode, the only difference being luck. Perhaps we should treat all data with the same consideration of consequences that the army use for munitions. Or await a big bang.
Labels:
CTO,
data breach,
data security,
personal computer,
personal data,
residual data
Subscribe to:
Posts (Atom)