Millions of usable hard drives are destroyed every year
Millions of storage devices are being shredded each year, even though they could be reused. "You don't need an engineering degree to understand that's a bad thing," says Jonmichael Hands.
He is the secretary and treasurer of the Circular Drive Initiative (CDI), a partnership of technology companies promoting the secure reuse of storage hardware. He also works at Chia Network, which provides a blockchain technology.
Chia Network could easily reuse storage devices that large data centres have decided they no longer need. In 2021, the company approached IT Asset Disposition (ITAD) firms, who dispose of old technology for businesses that no longer need it. The answer came back: "Sorry, we have to shred old drives."
"What do you mean, you destroy them?" says Mr Hands, relating the story. "Just erase the data, and then sell them! They said the customers wouldn't let them do that. One ITAD provider said they were shredding five million drives for a single customer."
Storage devices are typically sold with a five-year warranty, and large data centres retire them when the warranty expires. Drives that store less sensitive data are spared, but the CDI estimates that 90% of hard drives are destroyed when they are removed.
The reason? "The cloud service providers we spoke to said security, but what they actually meant was risk management," says Mr Hands. "They have a zero-risk policy. It can't be one in a million drives, one in 10 million drives, one in 100 million drives that leaks. It has to be zero."
The irony is that shredding devices is relatively risky today. The latest drives have 500,000 tracks of data per square inch. A sophisticated data recovery person could take a piece as small as 3mm and read the data off it, Mr Hands says.
Last year, the IEEE Standards Association approved its Standard for Sanitizing Storage. It describes three methods for removing data from devices, a process known as sanitisation.
The least secure method is "clear". All the data is deleted, but it could be recovered using specialist tools. It's good enough if you want to reuse the drive within your company.
The most extreme method is to destroy the drives through melting or incineration. Data can never be recovered, and nor can the drive or its materials.
Between the two sits a secure option for re-use: purging. When the drive is purged, data recovery is unfeasible using state-of-the-art tools and techniques.
There are several ways a drive can be purged. Hard drives can be overwritten with new patterns of data, for example, which can then be checked to make sure the original data has gone. With today's storage capacities, it can take a day or two.
By comparison a cryptographic erase takes just a couple of seconds. Many modern drives have built-in encryption, so that the data on them can only be read if you have the encryption key. If that key is deleted, all the data is scrambled. It's still there, but it's impossible to read. The drive is safe to resell.
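The overwrite-and-check purge described above can be sketched in a few lines. This is an added example, not part of the original article: it works on a disk image file rather than a raw device, and the block size, fill pattern and sample records are assumptions constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # bytes per read/write; assumed size for this sketch


def _fill(pattern, block):
    """Repeat the pattern to exactly one block."""
    return (pattern * (block // len(pattern) + 1))[:block]


def overwrite(path, pattern=b"\x00", block=BLOCK):
    """Overwrite every byte of an image file in place; return bytes written."""
    size, fill, written = os.path.getsize(path), _fill(pattern, block), 0
    with open(path, "r+b") as f:
        while written < size:
            written += f.write(fill[: min(block, size - written)])
        f.flush()
        os.fsync(f.fileno())  # push the data out of the OS cache
    return written


def verify(path, pattern=b"\x00", block=BLOCK):
    """Read the whole image back; return offsets of blocks that differ."""
    fill, bad, offset = _fill(pattern, block), [], 0
    with open(path, "rb") as f:
        while chunk := f.read(block):
            if chunk != fill[: len(chunk)]:
                bad.append(offset)
            offset += len(chunk)
    return bad


def demo():
    """Constructed sample: a three-block 'drive' full of made-up records."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"acct=1001;name=Example Customer\n" * 384)  # 12,288 bytes
        path = tmp.name
    try:
        before = verify(path)         # all three blocks still hold data
        overwrite(path)
        after = verify(path)          # empty list: nothing survived
        with open(path, "r+b") as f:  # simulate a block the wipe missed
            f.seek(BLOCK)
            f.write(b"acct=1001")
        return before, after, verify(path)
    finally:
        os.remove(path)
```

A read-back like this only covers the blocks the host can address, so it confirms the overwrite reached everything visible through the drive's normal interface and nothing more.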
It's important to have a decommissioning process that secures the devices, though. ESET bought some second-hand core routers, the type used in corporate networks. Only five out of 18 routers had been wiped properly. The rest contained information about the network, applications or customers that could be valuable to hackers. All had enough data to identify the original owners.
One of the routers had been sent to an e-waste disposal company, who had apparently sold it on without removing the data. ESET contacted the original owner. "They were very shocked," says Mr Anscombe. "Companies should sanitise devices themselves as best as they can, even if they're using a sanitisation and e-waste company."
Mr Anscombe recommends companies test the process of sanitising devices while they're still under support. If anything is unclear, help is still available from the manufacturer at that point. He also suggests saving all documentation needed for the process in case the manufacturer removes it from their website.
Before sanitisation, Mr Anscombe says companies should make and store a back-up of the device. If any data does leak, it is then easier to understand what has been lost.
Finally, companies should make it easy for people to report security leaks. Mr Anscombe says it was hard to notify companies of what they had found on their old routers.
How can companies be sure the data has gone from a device? "Give it to a security researcher and ask them what they can find," says Mr Anscombe. "A lot of cyber-security teams will have someone who understands how to take the lid off and see if the device was fully sanitised."
By knowing how to clean the data from devices, companies can send them for reuse or recycling with confidence. "The days of the 'take-make-waste' linear economy need to be over," says Seagate's Ms Zuckerman.