Sunday, October 24, 2021

Securing Data on Your Old, Dead Servers

Anti-virus is running on every computer in the building. Sophisticated

intrusion detection and threat analysis systems keep you apprised of any

attempts to gain access to your network. Firewalls provide a robust

perimeter, and digital rights are managed so well that no employee has

managed to sneak a file or email to a friend at a newsblog.

You’re all set. Right?

Don’t be so sure.

Sitting in the company’s basement or perhaps at the far end of the server

room is a ticking time bomb — old dust-laden servers that you’re

planning on getting rid of ”someday”. Being off the network, these

machines are no longer wrapped in your security defenses. Anyone can

access what’s inside — read your valuable records, or walk out the front

door with a harddrive containing an only slightly dated version of your

customer database.

”The obvious danger in server disposal is security,” says Jon Collins,

principal analyst for Quocirca, a UK-based industry analyst firm. ”There

are various anecdotal examples of health records turning up on auctioned

or discarded computers.”

One of the biggest security errors that IT makes, in fact, is treating

server dinosaurs without respect. They’re old, the technology is dated,

the harddrives are tiny by today’s standards, and they just don’t look as

good as that new shiny model your VAR delivered the other day. It’s hard

not to unplug it, hook up its replacement and, as an afterthought, toss

the old stuff in a dimly lit corner.

Destroy Them

Once PC’s and servers start to pile up, accountability vanishes.

Equipment can disappear and no one will ever notice. Therefore, you have

to take care of the data inside those machines as a top priority. To do

that, there are several options, all of which boil down to destroying the

disks or erasing the information on them.

Industry analysts generally recommend physicall destroying the drives…

and thus, the data inside them. And don’t hand the job off to some

flunky. Make sure you know it’s been done — even if that means doing the

job yourself.

But how exactly do you go about doing that? Do you send the systems admin

out back with a hammer and a couple of drives? And how do you know that

he actually did it?

One of the keys to disposal is that it we’re talking about precise

technology and a cost of doing business. Leaving it to an overburdened IT

staff means you are paying a high hourly rate for what will probably be

basic work. It also opens the door to employees deciding to take the old

server home, or worse, selling it on eBay.

As a result, companies have sprung up offering equipment disposal

services to large businesses. These businesses include PCDisposal.com of

Kansas City, Recycling Inc. of Toronto, and Redemtech Inc. of Columbus,

Ohio. The good ones utilize EPA-compliant disposal and recycling

processes. This involves separating out the metals, shredding them and

recycling their parts. In some cases, they even will inventory all your

hardware and software prior to disposal and provide a certificate of

destruction. Such paperwork can be vital when it comes to annual audits,

financial statements, certainty of security, and complying with

government regulations on corporate information such as HIPAA and

Sarbanes Oxley.

Scrub Them

An alternate school of thought in server disposal is to scrub the data on

the drives — either internally or via a recycler.

Most third parties in this business boast of DOD-compliant practices.

That means the disk is overwritten at least six times. Like the futility

of trying to arrive at infinity, however, the various file wipers and

scrubbers on the market may not totally erase everything.

According to security expert Peter Gutman of the Department of Computer

Science at the University of Auckland, it is effectively impossible to

sanitize storage locations by simply overwriting them, no matter how many

overwrite passes are made or what data patterns are written. So even if

data has been thoroughly overwritten, you may still be able to recover

some of it as the magnetization patterns on the hard disk surface are

often still visible. It’s generally accepted, however, that 35 passes of

overwriting is as secure as it gets.

Regardless of their thoroughness, it is probably best for IT to use a

scrubbing utility of some kind as part of the de-install process prior to

handing the server over to a recycling company. Even if the servers do

end up littering the halls for several months, a six-pass overwrite will

afford a decent level of protection.

The plus side of scrubbing is that it opens the door to reselling the

computer. Many of the large recyclers offer this option as a means of

cutting disposal costs. Whereas it might cost $100 to securely get rid of

a server, scrubbing its data and having the recycler sell if for you can

cut the bill down as low as $20.

Interestingly, some of the big recycling firms that cater to the Fortune

1,000 successfully convince large companies that their sensitive data

will remain safe even when their servers are resold. They go to great

lengths to lock down the data before they put it in their trucks, then

offer certificates of data eradication. But for some clients, they still

have to destroy the disks due to the nature of the information inside.

Another option is to make disposal the problem of the OEM — he who sells

me new equipment must get rid of the old stuff securely. Such arrangement

can be built into the tender process. The HPs and Dells of this world,

for example, have programs in place to take care of aging gear.

But it can be very expensive to destroy every platter and discard every

piece of metal in the server. Many will decide to relegate such practices

only to ultra-sensitive information. For the rest, they will make do with

scrubbing and reselling in order to recoup costs.

On the other side of the coin, though, there are conditions where it may

be more expensive to scrub. If a server has little resale value, for

example, it is typically cheaper to have all the parts physically

destroyed or recycled.

And if you are using RAID, be very careful with drive scrubbers. Due to

the mechanics of RAID arrays, some scrub technology won’t work

thoroughly. The logical mapping processes employed in RAID can actually

prevent some sectors from being overwritten. It may be necessary to

remove each drive and scrub them individually.

Server Ghosts

Unfortunately, your old server ghosts can come back to haunt you.

Like every field, server recyclers cover the gamut from the

trustworthy to the downright shady. Going for the lowest bidder might

mean that your servers may end up dumped in a landfill in a third-world

country. As they contain hazardous materials — lead-acid batteries in

UPS, for example — someone might take the time to trace the serial

number back to you. That can become a serious future liability.

”You have to pay attention to the ultimate destination of the equipment

you are scrapping,” said Collins. ”That includes the possible sweatshop

implications of computer disposal.”

Similar articles

Latest Articles