The Fundamentals of Data Security: Security Issues

by | Dec 10, 2019 | About ACE Recycling, Data Security, Environmental Issues Explained

Over the past several years, it seems we hear about data being breached more and more. When we hear of large institutions being hacked, it is concerning to know our personal information may be in the hands of someone with bad intentions. Data security is important not only to large businesses; more and more, it is at the forefront of the average person’s mind. With more of our lives being documented and conducted online, this can be alarming. As consumers, we give out our information digitally multiple times a day, in ways we can’t even imagine. The truth is, the little computer you carry around in your pocket is digitally tracking your every move. Aside from the “hidden” information gathering, there are many things we do, usually for convenience, that expose us. If someone were to pick up your phone right now, could they click a button and get into your social media accounts? Your bank account? If you store your passwords, this is very much a reality.

That being said, your data matters.  Whether you are a corporation with proprietary information or a mom with pictures of your kids on your hard drive, it all carries equal weight in your world.  ACE Recycling understands this because we have proprietary information and pictures of our kids on our hard drives.  We get it.  This is why information security is our number one priority.  We also understand that all of this talk about overwriting data and data erasure methods may be difficult to understand.  The goal of this article is to explain what data wiping is and the standards that guide it.

The Industry of Data Security

The industry ACE Recycling is in is called IT Asset Disposition (ITAD). The industry is built around removing data securely, which makes sense considering all the data out there that would rock the world if it got out (think CIA). More recently, it has become central to the idea of a circular economy, with its focus on information security and data erasure allowing disk drives to be reused without a data breach. Ensuring that toxic materials are disposed of properly and that materials are recycled for reuse, reducing the need to extract more, is all part of ITAD.

Environmental Impact

Like most things, electronic disposal and creation is a multi-faceted issue with enough information to write a book on. Electronics contain many toxic materials, such as arsenic, mercury, and lead. They also contain elements that are not necessarily harmful, but the environmental and human cost of extracting these natural resources is steep. Additionally, many of the materials that go into our electronics are rare. Three of particular importance are cobalt, neodymium, and dysprosium. The latter two are rare earth minerals. These are minerals found sporadically within the Earth instead of in large seams like coal or copper. Consequently, they are difficult to find and extract, and they exist in limited quantities. With the pace of mining these materials accelerating as demand for electronics increases, they become rarer and rarer. By reusing the elements in current electronics and the various components within them, fewer of these elements are pulled from the Earth, reducing the impact on the environment and the people that live in the area.

The Human Impact

Cobalt is of particular concern because of the widespread exploitation of the people and the mines’ natural environment. Cobalt is used for various electronics and is a conflict mineral (or conflict resource). A conflict mineral is a natural resource extracted in a conflict zone that is mined and sold to perpetuate the fighting. The Democratic Republic of the Congo (DRC) harbors ⅔ of the world’s cobalt. Many mines in the DRC are small and unregulated, and child labor is widespread. What’s more, the political and ethnic dynamics of the region have resulted in violent armed conflict. This conflict is mostly financially supported by the mining and sale of cobalt. For every new electronic device we buy, we are, in some way, supporting militant groups and child labor.

In addition to this human cost, there is an environmental cost in creating new electronics.  Ten tons of carbon dioxide is emitted into the atmosphere to produce 1 ton of laptops.  By 2040, carbon emissions from the production of electronics will reach 14% of total worldwide emissions. There is 100 times more gold in a ton of mobile devices than in a ton of gold ore.  Extending the life of electronics or harvesting the resources from them is far more sustainable than the current system. Not to mention, it has a more significant economic benefit than throwing them away.

Data Security Laws and Standards

Several data protection laws are in place at the Federal level.  The Health Information Portability and Accountability Act (HIPAA) protects your health information, while The Family Educational Rights and Privacy Act (FERPA) protects student education records. The Wiretap Act and the Electronic Communication Privacy Act (ECPA) protect your communications (electronic or on “landlines”).  Each state has laws in place to protect data at the individual and business levels as well. In addition to statutes, The Department of Defense, the National Security Agency, the U.S. National Institute of Standards and Technology (NIST), and various other institutions directly concerned with data security have data destruction standards and policies. However, the go-to industry standard for data erasure is the NIST report Guidelines for Media Sanitization SP 800-88 Rev. 1. This document is written for, and to, the business owner.

Techniques for Data Sanitization/Wiping

Media sanitization, data erasure, and data wiping are all names for the same process: making data on a device unable to be retrieved. The NIST report defines three categories of sanitization: Clear, Purge, and Destroy. Clearing data is “logical techniques applied to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques.” Simply put, restoring your device to factory settings or using on-device standard Read and Write commands would constitute clearing your data. These techniques can be applied by the average consumer, perhaps with a little help. Purging is “physical or logical techniques that render the Target Data recovery infeasible using state of the art laboratory techniques.” Purging data is what ACE Recycling does through a process explained below. Destroy “renders the Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for the storage of data.” Physical destruction is the result here, removing the device from circulation.

Data Security Sanitization Techniques

What Wiping Data Means

Imagine a book. Now imagine erasing every word from the book and writing over the pages with random letters. If you think of the data stored on a hard drive like the pages of that book, you get an idea of data erasure. The hard drive is “overwritten” with 0s (computer language). One overwriting pass “hinders recovery of data even if state-of-the-art laboratory techniques are applied to attempt to retrieve the data”. Multiple passes have become unnecessary with the inclusion of a “verify pass.” The verify pass confirms data removal by selecting random places on the device to “check” for overwriting. According to the National Security Agency, data wiped using these standards is “permanently destroyed as to make any type of forensic data recovery impossible.” Complete data erasure destroys all data, including operating systems. Your hard drive is never booted, so there is no access to data during the wiping process.

ACE Recycling’s Data Security Standard

ACE Recycling adheres to the data destruction standards set in the U.S. National Institute of Standards and Technology (NIST) report Guidelines for Media Sanitization SP 800-88. We use a one-pass overwrite with complete disk verification, completed using the latest version of Active@ KillDisk. This verification comes in the form of a serialized printout of devices subject to the sanitization process. According to the NIST report, “verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality.” In addition to the software verifying the sufficient wipe of your data, we check the results ourselves. ACE Recycling takes a random sampling of the disk drives that have gone through the sanitization process. This three-tier system ensures data security, giving our customers peace of mind while keeping the device in circulation.
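To make the one-pass overwrite and the two kinds of verification described above concrete, here is an added example (not ACE Recycling's or Active@ KillDisk's code) that zero-fills a constructed image file standing in for a drive, then compares a sampled verify pass with complete verification. The block size, function names and the simulated missed block are assumptions made for illustration.

```python
import math, os, random, tempfile

BLOCK = 4096  # block size in bytes (assumed for this sketch)

def overwrite_zeros(path):
    """One overwrite pass: zero every block of the image file."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(b"\x00" * min(BLOCK, size - off))
        f.flush()
        os.fsync(f.fileno())

def _dirty(f, off):
    f.seek(off)
    return any(f.read(BLOCK))  # True if any byte in the block is non-zero

def verify_full(path):
    """Complete verification: offsets of every block that is not all zero."""
    with open(path, "rb") as f:
        return [o for o in range(0, os.path.getsize(path), BLOCK) if _dirty(f, o)]

def verify_sampled(path, samples, seed=None):
    """Sampled verify pass: check only `samples` randomly chosen blocks."""
    offsets = range(0, os.path.getsize(path), BLOCK)
    picks = random.Random(seed).sample(offsets, min(samples, len(offsets)))
    with open(path, "rb") as f:
        return [o for o in sorted(picks) if _dirty(f, o)]

def miss_probability(nblocks, dirty, samples):
    """Chance that a uniform sample of blocks contains none of the dirty ones."""
    return math.comb(nblocks - dirty, samples) / math.comb(nblocks, samples)

def demo():
    """Constructed 1 MiB image; block 100 is re-dirtied to mimic a missed write."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(256 * BLOCK))
    try:
        overwrite_zeros(tmp.name)
        clean = verify_full(tmp.name)
        with open(tmp.name, "r+b") as f:
            f.seek(100 * BLOCK)
            f.write(b"leftover")
        return clean, verify_full(tmp.name), verify_sampled(tmp.name, 8, seed=1)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo(), miss_probability(256, 1, 8))
```

Complete verification always reports the leftover block, while an 8-block sample of this 256-block image misses a single dirty block about 97% of the time. Overwriting a file through a filesystem does not sanitize the underlying medium, so the image here only models the logic a wiping tool applies to the raw device.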

ACE Recycling Certified Data Destruction for Data Security

Which Data Security Path is Best for your Organization?

The best way to answer this is to consider the confidentiality level of the information on the device. In general, if the device is leaving the organization’s control, as it would be if you have ACE Recycling disposition it for you, it should be purged and validated, both of which ACE Recycling does. According to the NIST report, Clear should only be an option if the device is remaining within the organization. However, we have many individuals that factory reset a cell phone brought to us for recycling. This would be an example of “Clearing” data. Data wiping offers an alternative to physical destruction, allowing the hard drive to remain in circulation, reducing electronic waste and carbon emissions. The NIST report clearly states that “organizations should consider environmental factors” when disposing of electronic waste. For most companies, purge “may be more appropriate than Destroy when factoring in environmental concerns…”

When to DESTROY

In general, destroy is an option only if the drive is not functioning or physically cannot go through the purge process. According to the NIST report, “The application of Destructive techniques may be the only option when media fails…other clear or purge techniques cannot be effectively applied…or when verification of Clear or Purge methods fails”.  ACE Recycling adheres to this statement. Purge and Destroy achieve the same outcome concerning information security. The main difference is the hard drive is taken out of the circular model when destroyed. In a genuine circular economy, items would be reused, refurbished, repaired, or reduced in consumption before the last resort of destruction.

ACE Recycling is committed to the security of your data and a circular economy. The NIST Report outlines a path to achieve both. With a focus on reusing as many materials as possible, we help lower technology costs, reduce environmental impacts, and make technology accessible to all.

More Information:

On Conflict Minerals-

http://conflictminerals.org/

https://www.youtube.com/watch?v=aF-sJgcoY20

https://enoughproject.org/special-topics/progress-and-challenges-conflict-minerals-facts-dodd-frank-1502

Data Erasure-

https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf

https://web.archive.org/web/20160320074045/https://www.nsa.gov/ia/_files/government/MDG/NSA_CSS_Storage_Device_Declassification_Manual.pdf
