Cloud storage, used hard drives pose threat from data residue

A British study showing that two thirds of used hard drives available on the open market contain enough personal data to permit the former owner’s identity to be stolen is not just a warning to be cautious about what hardware you throw away.

It’s a warning to watch what you leave behind on someone else’s hard drives when you switch cloud providers, or even move virtual servers and storage around within an existing cloud.

A study published this week recounts the findings of Britain’s Information Commissioner’s Office (ICO), which investigated the “dirty disk” problem by ordering 200 hard drives, 20 flash drives and 10 mobile phones from a number of sites.

Using ordinary file-access software, not specialized PC forensics, the ICO was able to recover 34,000 files with personal or business data. Only 38 percent of the flash and hard drives were wiped effectively; 14 percent contained data but were unreadable. Thirty-seven percent held non-personal information and 11 percent held the mother lode for identity thieves – enough personal data to steal the identity of the unit’s previous owners.

Four machines held extensive personnel and business data on clients and employees, including health records and financial data.

Another British study, conducted by the Cyber Security Research Institute and published in September 2011, corroborates the findings of the ICO study, but on a far larger scale.

Researchers examined thousands of hard drives over the course of the decade before the report, finding that the percentage of drives containing residual data after being resold had dropped from 80 percent to just 30 percent.

Almost all are unencrypted and unprotected. Collectively they represent more than 95.6 million gigabytes of data lost from computer hard drives over the 10-year course of the study.

Data left on cellphones amounted to 90 million gigabytes of lost data per year, of which 4.5 million gigabytes were sensitive data including emails and contact details.

For corporate IT, those figures amount only to a warning to wipe disks more carefully before recycling or reselling PCs.

Most companies are moving part of their IT operations into the cloud, however, in the form of software as a service (SaaS) apps such as Salesforce.com or Google Docs, or in the form of ready-made servers and data centers from cloud infrastructure providers including Rackspace, Amazon or Microsoft.

Those are the services that may pose a problem, because they put many customers on the same set of hardware, counting on encryption and virtualization software to keep one client’s virtual data center from overlapping with another’s.

Virtual servers are not supposed to be able to see the underlying operating system, let alone the hardware.

Many companies insist on being able to access the hardware running their apps or data, however, to help ensure that security, performance and usage policies can be kept within their own guidelines.

Those servers, virtual storage and other resources may be dedicated to that one client alone, to avoid putting another client on hardware whose security is controlled by a different client.

The hardware itself is almost never new, however. They’re servers or storage that have been used as real servers, or as hosts for as many as 16 virtual servers at a time.

Each of those servers, and every client who has passed through the system, could leave sensitive data behind if the cloud provider and the customer aren’t both careful.

Worse even than the chance that “deleted” does not mean “securely erased” is the danger of giving away security certificates or tokens contained in virtual-server containers that may be passed from one department or company to another by users who believe them to be only templates, not individually identified and authenticated servers.
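Added example (not from the original article): a minimal Python audit of a mounted virtual-server template tree for per-machine secrets of the kind described above, run before the template is handed on. The paths checked (`etc/ssh/ssh_host_*_key`, `etc/machine-id`) assume a typical Linux guest, and the sample tree is constructed for the demonstration.

```python
import os, re, tempfile

# Markers of per-machine secrets that should not survive into a shared template.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
SSH_HOST_KEY = re.compile(r"^etc/ssh/ssh_host_.*_key$")  # assumed Linux guest layout

def audit_template(root):
    """Return sorted (relative_path, reason) findings under a mounted template root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            if SSH_HOST_KEY.match(rel):
                findings.append((rel, "ssh host private key"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(1 << 20)  # key headers sit at the start of the file
            if PEM_PRIVATE.search(head):
                findings.append((rel, "PEM private key"))
            elif rel == "etc/machine-id" and head.strip():
                findings.append((rel, "non-empty machine-id"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree standing in for a mounted template image."""
    files = {
        "etc/machine-id": b"0123456789abcdef0123456789abcdef\n",
        "etc/ssh/ssh_host_ed25519_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
        "etc/ssh/ssh_host_ed25519_key.pub": b"ssh-ed25519 AAAA(constructed)\n",
        "srv/app/tls/server.key": b"-----BEGIN PRIVATE KEY-----\n(constructed)\n",
        "srv/app/README": b"no secrets here\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_template(root)

if __name__ == "__main__":
    print("\n".join(f"{why}: {rel}" for rel, why in demo()))
```

Any finding means the image still identifies one specific server and should be regenerated or scrubbed before it is treated as a template.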

Even cloud providers who are conscientious about erasing data between users can be flummoxed by conflicts or software errors that simply mark data “deleted” instead of actually deleting it.

At Slicehost, which is now owned by Rackspace, a greater than usual amount of remnant data was due to a security flaw in the underlying operating system.

To fix the flaw and get rid of the remnant data, Slicehost had to ask clients to migrate to different servers – a process that carries its own risk that disks or data become corrupted during the move.

Little of the data could be found without forensic tools, Slicehost told customers, and none of it has been found to have been recovered and reused by unauthorized clients.

The data did expose the clients who owned it to the danger of loss through no fault of their own, in a way they might not anticipate or even investigate, because they weren’t authorized to use forensic tools on those servers to check whether they were clean.

Encrypting data stored with a cloud provider may cause even more problems, since it can often show up as garbage data rather than the good stuff to providers that cannot manage or decrypt it themselves.

Remnant data isn’t discussed by cloud users or providers, or even by security specialists.

It is still a small but consistent problem in any organization that recycles servers or PCs at the end of their normal lifecycles.

The only way to be really sure nobody will be able to read data from a disk you’re abandoning – according to the roughly half a million security specialists who’ve told me this during interviews over the last few years – is to encrypt it, delete it, wipe the drive, scrub the drive with drive-scrubbing software, scrub the drive with sandpaper, sand and steel wool, and then drill holes in different places on each disk before shredding them or throwing them away in separate recycling bins.

If that seems excessive, or simply too much work, I’ve found one of the simplest ways to make data on a hard drive completely inaccessible and unrecoverable is to put data on the disk that is extremely important to something time sensitive, and fail to back the data up to any other device as your deadlines approach and stress rises.

Just before you hit Save, Print or There, Now it Won’t Explode, all of the data will mysteriously disappear, never to be found again.

Especially after the explosion.

Good luck.

And keep your head down.

Read more of Kevin Fogarty’s CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
