Securing Data on Your Old, Dead Servers
You're all set. Right?
Don't be so sure.
Sitting in the company's basement or perhaps at the far end of the server room is a ticking time bomb -- old dust-laden servers that you're planning on getting rid of "someday". Being off the network, these machines are no longer wrapped in your security defenses. Anyone can access what's inside -- read your valuable records, or walk out the front door with a hard drive containing an only slightly dated version of your customer database.
"The obvious danger in server disposal is security," says Jon Collins, principal analyst for Quocirca, a UK-based industry analyst firm. "There are various anecdotal examples of health records turning up on auctioned or discarded computers."
One of the biggest security errors that IT makes, in fact, is treating server dinosaurs without respect. They're old, the technology is dated, the hard drives are tiny by today's standards, and they just don't look as good as that new shiny model your VAR delivered the other day. It's hard not to unplug the old machine, hook up its replacement and, as an afterthought, toss the old stuff in a dimly lit corner.
Once PCs and servers start to pile up, accountability vanishes. Equipment can disappear and no one will ever notice. Therefore, you have to take care of the data inside those machines as a top priority. To do that, there are several options, all of which boil down to destroying the disks or erasing the information on them.
Industry analysts generally recommend physically destroying the drives... and thus, the data inside them. And don't hand the job off to some flunky. Make sure you know it's been done -- even if that means doing the job yourself.
But how exactly do you go about doing that? Do you send the systems admin out back with a hammer and a couple of drives? And how do you know that he actually did it?
One of the keys to disposal is that we're talking about precise technology and a cost of doing business. Leaving it to an overburdened IT staff means you are paying a high hourly rate for what will probably be basic work. It also opens the door to employees deciding to take the old server home, or worse, selling it on eBay.
As a result, companies have sprung up offering equipment disposal services to large businesses. These businesses include PCDisposal.com of Kansas City, Recycling Inc. of Toronto, and Redemtech Inc. of Columbus, Ohio. The good ones utilize EPA-compliant disposal and recycling processes. This involves separating out the metals, shredding them and recycling their parts. In some cases, they will even inventory all your hardware and software prior to disposal and provide a certificate of destruction. Such paperwork can be vital when it comes to annual audits, financial statements, certainty of security, and complying with government regulations on corporate information such as HIPAA and Sarbanes-Oxley.
An alternate school of thought in server disposal is to scrub the data on the drives -- either internally or via a recycler.
Most third parties in this business boast of DOD-compliant practices. That means the disk is overwritten at least six times. Like the futility of trying to arrive at infinity, however, the various file wipers and scrubbers on the market may not totally erase everything.
According to security expert Peter Gutmann of the Department of Computer Science at the University of Auckland, it is effectively impossible to sanitize storage locations by simply overwriting them, no matter how many overwrite passes are made or what data patterns are written. So even if data has been thoroughly overwritten, you may still be able to recover some of it as the magnetization patterns on the hard disk surface are often still visible. It's generally accepted, however, that 35 passes of overwriting is as secure as it gets.
Regardless of their thoroughness, it is probably best for IT to use a scrubbing utility of some kind as part of the de-install process prior to handing the server over to a recycling company. Even if the servers do end up littering the halls for several months, a six-pass overwrite will afford a decent level of protection.
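As an illustration of the six-pass scrub with read-back verification discussed above, here is an added example (not from the original article or any vendor's tool). The names `scrub`, `overwrite_pass` and `verify_fill` are hypothetical, and the pattern sequence (five random passes followed by a final zero pass) is an assumption, not a quotation of any DOD specification. The demo runs against a constructed disk image file, and the returned record is the kind of evidence a certificate of data eradication would be built on.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # write and verify in 1 MiB blocks


def overwrite_pass(f, size, fill):
    """Overwrite the whole target once; fill=None means fresh random data."""
    f.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        f.write(os.urandom(n) if fill is None else bytes([fill]) * n)
        left -= n
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before the next one


def verify_fill(f, size, fill):
    """Read the target back and confirm every byte equals the final fill."""
    f.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        if f.read(n) != bytes([fill]) * n:
            return False
        left -= n
    return True


def scrub(path, passes=6):
    """Run `passes` overwrites (random, then a final zero pass) and verify."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also reports size for block devices
        for i in range(passes):
            overwrite_pass(f, size, 0x00 if i == passes - 1 else None)
        return {"target": path, "bytes": size, "passes": passes,
                "verified": verify_fill(f, size, 0x00)}


def demo():
    """Scrub a constructed stand-in image, never a real device."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"constructed sample: customer,card\n" * 4096)
    try:
        record = scrub(img.name)
        with open(img.name, "rb") as f:
            return record, f.read()
    finally:
        os.unlink(img.name)
```

Overwriting in place is only meaningful against a raw drive or an image of one; a file sitting on a journaling or copy-on-write filesystem can leave earlier copies of its blocks elsewhere on the disk.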
The plus side of scrubbing is that it opens the door to reselling the computer. Many of the large recyclers offer this option as a means of cutting disposal costs. Whereas it might cost $100 to securely get rid of a server, scrubbing its data and having the recycler sell it for you can cut the bill down as low as $20.
Interestingly, some of the big recycling firms that cater to the Fortune 1,000 successfully convince large companies that their sensitive data will remain safe even when their servers are resold. They go to great lengths to lock down the data before they put it in their trucks, then offer certificates of data eradication. But for some clients, they still have to destroy the disks due to the nature of the information inside.
Another option is to make disposal the problem of the OEM -- he who sells me new equipment must get rid of the old stuff securely. Such an arrangement can be built into the tender process. The HPs and Dells of this world, for example, have programs in place to take care of aging gear.
But it can be very expensive to destroy every platter and discard every piece of metal in the server. Many will decide to relegate such practices only to ultra-sensitive information. For the rest, they will make do with scrubbing and reselling in order to recoup costs.
On the other side of the coin, though, there are conditions where it may be more expensive to scrub. If a server has little resale value, for example, it is typically cheaper to have all the parts physically destroyed or recycled.
And if you are using RAID, be very careful with drive scrubbers. Due to the mechanics of RAID arrays, some scrub technology won't work thoroughly. The logical mapping processes employed in RAID can actually prevent some sectors from being overwritten. It may be necessary to remove each drive and scrub them individually.
Unfortunately, your old server ghosts can come back to haunt you.
Like every field, server recyclers cover the gamut from the trustworthy to the downright shady. Going for the lowest bidder might mean that your servers end up dumped in a landfill in a third-world country. As they contain hazardous materials -- lead-acid batteries in a UPS, for example -- someone might take the time to trace the serial number back to you. That can become a serious future liability.
"You have to pay attention to the ultimate destination of the equipment you are scrapping," said Collins. "That includes the possible sweatshop implications of computer disposal."