It's not about the erasure, it's about the data about the data erasure - well almost

It amazes me that after the best part of 20 years erasing data I still meet people who don't "get" the importance of data erasure.  Technically it's not difficult but it must be absolute.  Like a climber’s rope; few will marvel at the structure and make up of a rope but you sure as hell don’t want it to fail and even if it does you want a fail-safe.  

The founder and ex-CEO of Blancco Kim Väisänen once said, "It's not about the erasure, it's about the data about the data erasure".  At the time especially coming from Kim it slapped me round the face.  There are dozens of tools which can send a simple known command to a drive.  The key is to prove the device has done what you have told it to and then proving that with a traceable output which confirms that something was completed, by whom, when, what and where.  The traceability is as such at least as important as the function.

Kim Väisänen also once said to me “a fool with a tool, is still a fool”.  He meant that even if you develop the very best tool to do a job in the hands of a human being mistakes will always be made.  I once toured a large ITAD in West Chicago.  The IT chap showed me the erasure line which used CD’s and stickers.  I asked “what happens if you make a mistake” and he answered “we don’t”.  He and his team are the first perfect human beings I have ever met.  They really shouldn’t be erasing hard disks but should have applied their skills to open heart surgery perhaps.

So using a tool to erase is the simple part in that technically it’s not very challenging.  Traceability and proof and preventing on-sale if there has been a mistake are far more challenging.  Capturing the unique details of the hard disk drive and parent device is a part of this.  Recording the operator, date and time and what has been undertaken is another, however far more important are the fail-safes.

What happens when the power fails or the fire alarm goes off half way through?  What happens when somebody makes a mistake and puts the label on saying the drive is safe when it is not? This is especially a risk when an operator is doing boring repetitive tasks. 

It’s more complicated than simple reporting. The business process needs to check and inspect that the drive and device are safe before allowing the on-sale or shipment of either the hard disk or the parent device.  In real terms this is far greater a risk then either the tool used or the number or patterns of overwrites. Joe going on his lunch break or replying to a text message from his girlfriend rather than this tool, or that is a greater real world challenge.


Sending a command to a drive is simple.  Ensuring 100% human accuracy requires systematic fail-safes.  I agree that erasure is just one part of the data-lifecycle however it is an important one.  Think of all the money spend on retention of data and protection of data such as encryption. Destruction is the end of the data-life cycle and in the future we will need to prove that this has been successfully completed.

Too busy to think Data

This week we failed to help a friend in need.  He'd left a single copy of those everso valuable baby photos on his Laptop and failed to back it up.  I really feel for him.  Despite a platter change and a huge amount of effort it was too late.  Technically it's possible to recover data from mechanically damaged platters but sadly baby photos don't justify the cost.

These days we have free Cloud services thrown at us from multiple providers however most corporations quite rightly prevent or block them as they can lead to uncontrolled business data leaking in to private cloud space.  It's easy to do if not controlled.

In the past we have found extremely sensitive data on discarded "home computers".  I remember the launch sequence of a missile system being one!  One can imagine an under pressure worker bringing home some important work to finish off over night, probably on an uncontrolled USB stick and copying it on to his home PC.  That's two uncontrolled copies before we consider factors such as the cloud.

In my friend's example however it's the opposite.  He works for a company who manage their data very carefully.  Whilst he's obviously been able to copy his personal data to the device it's excluded from his normal business data and so it's not backed up.  All hard disks will fail at some point so this is a time bomb. 

My point is that due to human nature we fail to consider the implications of our data actions.  We just assume it will be there when we need it and not there when we need it gone.  But this is very often not the case and is always a rash assumption. 

Just like a warehousing error is very often in fact two errors; 1) where something should be and 2) where it actually is... we have the same consideration with data.  We must consider BOTH where we want data to be and where we do not want data to be.

What The Cloud does is enables the data to be in a dozen places at once without us thinking about it.  Yet that's exactly what we need to do.  Think about it.

Data Data Every Where

You’d have to be comatose not to notice the massive increase and proliferation of data devices.  Those of you who know me know I am a huge fan of the Glastonbury Festival.  Even at Glastonbury this year you could see crowds of people drudging through the mud glued to the screen of their smart-phone.  EE cleverly deployed 4G WiFi cows painted in their branding to connect up 250,000 festival goes and workers.  It didn’t work.  I could see telecom masts on each hillside, we had 4G WiFi cows and yet I still couldn’t effectively get online.

This was of course due to the insatiable demand of the consumer for more data, more devices – “we need more power Scotty”. Well, the shift has moved from processing power to pure volume of data.  From the device to the data-centre of course.  The other power needed was of the 5 volt DC type and EE had another cleaver idea – a swap out charging cell for your phone.  Neat idea but AGAIN – hugely oversubscribed and they couldn’t recharge them fast enough.

So, what I observed was a huge number of avid music fans in a very muddy field all struggling with their addiction… no, not that, their addiction to data.  This is a huge change in just a few years.  We are addicted to our data-fix and yet there is something really strange.  We don’t have a clue and don’t really seem to care where our data actually is.  We just push it out in to the cloud and expect it to be there and safe for when we require it.

It’s a small wonder the heavens opened twice over the weekend with an electrical storm which stopped the festival for 40 minutes.  I think it was all the data and the cloud just couldn’t cope and this caused the storm.  It simply has to let go of some of that energy.

But seriously; who is keeping track? Why don’t we care? How can it be managed if we don’t really know or care where our data is held?  We seem to go through a huge change sometimes called growth, then realise we didn’t consider the consequences and then catch up trying to put things right after the event.  It’s a massive technology change and social change and yet we take the security and even location of data for granted.

Typical Blogger P**s Poor Performance

Oh, what a fail!  It cannot be January since my last post.  I have fallen in to that age old trap of starting off so well and then letting time slip away beneath me.

I apologise!  However, SO much has been happening.  Those who follow my micro-blog tweets (What? You don’t! https://twitter.com/iLifecycle) will have seen a lot of it.

As a business it’s been a pronominal start to 2014.  What a great time to be growing a business. We completed a huge network infrastructure deal with a major OEM in March.  It sucked up a huge amount of time and resources but was delivery without hitch a full 8 days early and under budget.  I am extremely proud of my team for this achievement.

We also secured a major hard drive recovery project utilising a truly unique technical process which I would dearly love to tell you about but I can’t.  Again our technical team have done a fantastic job. 

Outside; the ICO have reported that data breaches have doubled in half a year.  The Target databreach just goes on and on and on. Possibly costing Target up to $18Bn… yes Bn.  We have also seen Experian the trusted custodian of our personal credit data embroiled in a scandal where they allegedly sold sensitive data to criminals.

Barclays fell afoul of a cleaver but simple breach where persons pretending to be IT staff attached a wireless KVM to a branch PC and then sat back watching everything that was going on on the screen from a safe distance.

Aviva staff appeared to have sold accident data to unscrupulous operators and a Pregnancy advice charity were finned £200k for failing to secure registered user data on their web site.

Perhaps even more important than the plethora of data breaches is the European Parliament voting to adopt its draught version of a reformed data protection Directive.  MEPs also increased the fines to be imposed on firms that break the rules to up to €100m or 5% of global turnover.

In my opinion this changes the data protection landscape for ever.  In the late 1990’s and early naughties I worked through the changes and impact of the Waste Electrical and Electronic Equipment Directive (WEEE Directive).  I actually think this will have a larger and more profound affect.

The Directives are issued to all 28 European members as an instruction to go away and put in place laws and regulations as set out in the directive.  This means we end up with 28 differing interpretations of the directive all implemented at different times however the core principles are maintained… or should be.

Ministers broadly supported the principle that non-European companies when offering goods and services to European consumers, will have to apply the EU data protection law in full. The next meeting of Justice Ministers on the data protection reform will take place in June 2014.

OK; so this will have an impact similar to Sarbanes Oxley did to business who do business with the USA.  If you wish to do business with the EU you will have to comply.  This will be huge.  Watch this space (I promise it will be updated in a timely manner from now one)!!

BYOD – Bring you own Databreach

I have worked closely with companies who have quite relaxed policies on BYOD (Bring your own Device).  They liked the idea that if an employee wants an iPhone, this was OK, as long as they paid for it.  Personally; I blame Ryanair. People are always telling me what a clever business Ryanair is.  They even charge their employees for training and uniforms.

I’ll resist the Ryanair tangent for fear of this turning in to a customer service rant and I have strong views on business culture.  My point, however, is a simple one.  A BYOD device is another device on your network.  It’s a MAC address with a set of permissions.  Allowing a BYOD access to a network or allowing access to your corporate email system can be little different from allowing an uncontrolled device to connect up remotely to your business critical data.

Socially it is expected.  It might be small and hugely featured but it’s easily lost and exposes the weak underbelly of your whole business system.  In short; it’s a disaster waiting to happen.  Your BYOD is possibly linked to a cloud service such as Dropbox or iCloud.  It’s a high resolution camera which might be used to photograph that White Board so you can write up the notes later. 

Remember James Bond with his mini cameras in the classic Bond movies?  Well now we all carry one.  Ours are better actually as they don’t need developing and they transmit and sync our images almost instantaneously to the cloud whilst our phone is in our pocket.

Now let’s look at email.  I know of situations where member’s of staff have had both personal and work email accounts on the same BYOD.  This enabled them to forward work email to their home account (with attachments) with no record on the business exchange server other than the email had been read!  This is a security haemorrhage point and nobody really seem that bothered.

Of course you will be thinking that the Cloud services, email policy and even the camera could be controlled in a switched-on company.  You are probably right and of course they should be.  My point is really one of attitude.

We all carry these devices with Gigabytes of data on them in and then out of our business worlds.  They soak up data and information about our habits and movements and they record highly sensitive data. 

BYOD need to be controlled – just like any other business critical device.  Ownership actually complicates the situation.  They need to be controlled, audited and the risk assessed.  Staff need to be trained.  Ownership of the data needs to be considered with great care and attention.  Policies need to be written, implemented and measured.  People need to be trained.  BYOD is not a panacea to cheap technology infrastructure.  BYOD could become your worst nightmare.

Lastly; what happens when the employee leaves? Is the demarcation of personal data and business data a clear one? – probably not.  If their personal iPhone has been linked to their home PC (and it probably will have been) then you don’t just have the challenge of you data being on one device but probably many.  Not only that but you probably have no idea where your business data is.

By its very nature BYOD puts your data in an uncontrolled environment.  Phones and tablets are lost and stolen in huge numbers every day.  On average a London taxi has a phone left it in once every day!  The disposal of data and devices upon leaving the business is an HR minefield and a risk most businesses haven’t even considered. 

Bring you own device? - Bring your own Databreach!

A Fictional Data Breach Scenario

In 20 years in the technology industry, I have yet to find a business who has their data under control.  It’s a really tough challenge!  It slips through your fingers like water due to human nature.  It’s human nature to take a path of least resistance to achieve an objective especially when you add pressure to a circumstance.

I’m going to give a fictional circumstance to a data breach which is in the public domain but a data breach which I commented on at the time.  In May 2009; a disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system’s manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers.

Based on other information found on the disk it was probable that an employee or supplier or perhaps a consultant took valuable highly confidential data home and worked on his or her home computer.  He (for brevity) might have even deleted local copies although he probably forgot.  He certainly failed to securely erase data which in the wrong hands could be invaluable.

We’re going to call him John in my fictional scenario.  John is under a huge amount of pressure.  He’s consulting for his aerospace client having been bought in to cover the sudden sickness of a key member of a program team.  This is a bit of a stroke of luck for John as he’s been without a contract for a few months.

At home John is a family man but he has pressure from this side of his life too.  Financial pressure has been building up.  His wife has been working longer hours to try to cover the shortfall.  This has meant John has been helping with the kids and the school run.

John’s in that horrible stage of a new contract where he doesn’t know all the team and he needs to build relationships.  He’s completed his induction but the pressure is now on full to catch up for the lost time.  The project didn’t plan for the key man sickness and its John’s job to catch up.

Today John has to get home on time as his wife’s at work but he must also complete an urgent report.  Frustratingly John’s not got his new work laptop yet. He’s getting in to the office as early as he can but today he must leave on time for child care.  His new boss and the person who decides his future needs the report “on his desk at 8am, without fail”.

John can’t win.  He can’t leave his children and he can fail in his new job.  The pressure is unbearable.  His only option is to pull out of his briefcase a USB flash drive.  He plugs it in and tries to copy the files. Frustratingly his aerospace client has disabled the USB ports.  Then he has a brainwave.  He logs on the webmail of his personal consulting business.  Hotmail and Gmail are blocked but his consulting domain works.  He emails his work to himself, presses send and then logs off.  John rushes to collect his kids.

At home John cooks his kids their diner, puts them in front of an x-box and settles down to his evening’s work.  It’s half 12 at night by the time john finishes. He emails the work back to the office and goes to bed.

Two years later his home PC is upgraded and he recycles the old one at a local civil amenities site.  The hard drive along with the memory are scavenged by a temporary employee at the site and are sold on eBay for a few extra dollars.

This scenario is made up but I hope it makes you think just a little.  How waterproof (dataproof?) are your processes and procedures?  Have you tested for leaks?  Do you record and track when data is accessed and copied?  Is your “bring you own device” (BYOD) policy and control in place?

Confidential data is like water.  It finds a way if it’s not contained.

"Data-Safe"

Recently I have heard the term "data-safe" from a number of sources and companies with regard to residual data security.  It started me reminiscing about the first time I heard the term used.  Now; I am not claiming to be the first to use it or to have invented it in this context however it is a term I have promoted.

I first heard the term in about 1995 when the then Operations Manager at TAM used it in a meeting.  Derek Wood was ex-military.  He made a really important point.  The control of data was similar to the control of munitions in the Army and with the business equivalent of a huge explosion should it ever go wrong.  

The military use terms such as "make safe" and they confirm a device is safe habitually before it is passed from one person to another.  This chain of custody is also used in the control of data.  The metaphor is a strong one and this is perhaps why the term has spread and stuck.

The explosive consequences of a data loss or data breach are huge but well publicised not least of which on this blog. It could be considered an explosion.  A damaged brand, a compromised database, a million customers to notify all would be explosions in the world of most CTO's.

Would we carelessly discard an explosive device?   They have a habit of sitting undiscovered for years at a time waiting to be made-safe or possibly to explode, the only difference being luck. Perhaps we should treat all data with the same consideration of consequences that the army use for munitions. Or await a big bang.