
Communications of the ACM

ACM News

Out with the Old


A hard disk drive, before and after shredding.

Some IT departments see no alternative to physically destroying devices to maintain data security. The increasingly polymorphous corporate IT environment has many organizations struggling with data security.

Credit: Info World

Before the city of Columbus, Ohio, signed a contract with a data disposition vendor, the city's income-tax administrator Melinda Frank used to have her employees bring in goggles and power drills to destroy their old hard drives in a conference room.

While few organizations may go to such extremes, many IT managers can likely sympathize with that impulse. In an age of smartphones, "bring your own" device policies and cloud computing services, many organizations are struggling to keep tabs on sensitive data in an increasingly polymorphous IT environment.

Making matters more complicated, a slew of new laws and regulations have sprung up in recent years, creating a perfect storm of technological and regulatory changes that are rapidly making data disposition one of the thorniest challenges in the modern IT world.

"It's an ever-changing area," says Rob Schafer, an analyst at Gartner Group who covers IT asset disposition.

By one estimate, there are now more than 100,000 international laws and regulations affecting data retention, many of them still evolving and often in conflict with each other.

Some industries, notably healthcare and finance, operate under even stricter regulatory requirements. The Health Insurance Portability and Accountability Act (HIPAA) regulations for protecting patient data are becoming more stringent, while new financial regulations like Sarbanes-Oxley and the Dodd-Frank Wall Street Reform Act have far-reaching implications for data security that some firms are only beginning to understand.

"IT managers at most large US companies are vaguely aware that there are laws and regulations governing disposition, but relatively few understand the volume, complexity and risk associated with those laws," says Lorrie Luellig, an Arizona-based lawyer who specializes in data disposition.

Luellig estimates that the regulations affecting a Global 1000 company will change at a rate of about 20% per year. "The biggest challenge is not merely understanding the laws, but truly understanding how those laws apply to information within the organization. If you can't apply the law to the data, then you can't dispose of it in a defensible way."

The sheer complexity of the problem spurs many companies just to keep everything by default. Yet that strategy has its costs, especially as companies struggle to manage data stored on an ever-growing array of devices.

"The new news is the revolution in mobility," says Schafer. "The challenge is that you’ve got devices that increasingly have corporate data on them."

The growing use of personal devices at work may bring enormous benefits in terms of equipment costs and employee satisfaction, but what happens when an employee's personal device gets lost or discarded? Confidential information on a smartphone discarded in a garbage dump may present a real legal liability for the employer.

To mitigate such risks, some companies are turning to Mobile Device Management (MDM) software, an emerging set of tools for securing and monitoring data stored on both employer-owned and personal smartphones, tablets, and other devices.

MDM software typically involves installing a small client app on the employee's device to "containerize" part of the device for employer data. A central IT department can then manage company data independently of personal information on the same device and, if necessary, wipe that data remotely if the device is lost, stolen or otherwise taken out of commission.

The Open Mobile Alliance (OMA) has published an open standard called OMA Device Management, a set of platform-independent specifications for managing mobile devices.

Even devices that seem to have been wiped clean may still carry recoverable data, however. More and more devices, like the Apple MacBook Air, feature solid-state drives (SSDs), which are more difficult to wipe than traditional hard drives. The flash memory systems that make SSDs so durable also make it hard for traditional data erasure programs to erase every block of data completely.

The National Institute of Standards and Technology (NIST) is currently working on a new set of guidelines for data destruction on SSDs.

To mitigate the risks of flawed data destruction, Schafer recommends that companies rely on professional asset disposition vendors. Specifically, he suggests making sure that the vendor is NIST-compliant in their operating procedures, and fully certified on the environmental side as well.

Smaller companies that cannot afford a professional asset disposition vendor may want to look into the options offered by companies like Best Buy and Staples, both of which collect and dispose of used IT equipment free of charge.

Given the wide range of potential risks and regulations at play, there is no one solution to asset disposition that will work for every organization. While the circumstances may be changing rapidly, many veteran IT managers are familiar with the underlying tension between system control and user freedom.

"The challenge looks and feels different, but it is really the problem companies have been facing for decades now," says Luellig. "The portability of the information just adds a new wrinkle to an old problem."

Alex Wright is a writer and information architect based in Brooklyn, NY.


 
