Until recently, the landscape of data center security was completely different. In fact, prior to Autumn of 2014, data security was pretty much the sole responsibility of the cloud service customer, while cloud service providers mainly stuck to their core responsibility of providing space, power and cooling for customers, steering clear of any responsibility over client or customer data. However, the introduction of ISO27018 profoundly changed the boundaries, and the responsibility for data security became shared between both cloud service customers and providers alike.

Yet although the boundaries of legal responsibility shifted, not a lot else has changed in the actual provision of data security. A huge focus is still placed on ‘gateway’ security, with physical or ‘end point’ security frequently an afterthought in comparison. Are cloud service providers being unduly complacent?

Enter GDPR

The General Data Protection Regulation (GDPR) brings the potential to inflict punitive fines for any breach of data security, over and above any reputational damage that would ensue, in a public climate that is now much more savvy towards the threats to personal data.

The new landscape for data security management needs to be clearly understood. Where do the potential pitfalls lie? And where are the opportunities, if any, for competitive advantage?

To many users of cloud computing, cloud functionality seems almost magical compared to the baffling technical complexity of a data center. An intangible nebula in cyberspace is a more comforting prospect than the fallible reality of racks and racks of servers located in data centers around the world. One idea seems entirely abstract, while the other is completely real, and the difference between the two viewpoints works to everyone’s favor, providing peace of mind to customers and business opportunity for cloud providers. But is it possible that cloud service providers themselves have also indulged in this comforting idea, and have favored the virtual over the physical in their provision of data security?

The financial and business risk from cyber threats has always far exceeded that from physical data breaches - until now. The enforcement of GDPR from 25th of May 2018 will introduce massive penalties of up to four percent of global turnover, or €20 million (whichever is the greater), for each data breach investigated and proven. These penalties will be incurred whether the data breach occurred in cyberspace or from a physical drive, making physical data security a much higher-risk prospect than it once was, and forcing businesses to quickly reassess their security priorities.

Store, recycle, dispose or destroy?

The exponential increase in data creation, coupled with the limited lifespan of servers and hard drives, means that a rising number of redundant and obsolete, yet data-laden, drives are accruing at data centers. Due to the high cost of individual disk destruction, drives can often remain in storage for years, exponentially increasing the risk of data leakage. As a result, the risk of a data breach from compromised hardware has greatly risen, just as the penalties for such a breach have increased in tandem. The processes required for the safe and secure destruction of data and equipment have yet to keep up with the pace of expansion in many businesses.

Personal data that has been protected online by a virtual ‘Fort Knox’ of cyber security measures can later find itself sitting on a redundant drive in an unsecured room, awaiting collection and removal in open transport, to be disposed of at an undocumented location. This is evidently the new ‘weak link’ for data security, and it is physical, not virtual.

In some cases, drives containing sensitive data have been found on eBay, being ‘recycled’ and sold to third parties instead of being destroyed. The lack of set security procedures, proper accountability, and a clear audit trail in the ‘chain of custody’ process for the disposal of IT assets is nothing short of a potential disaster waiting to happen.

Keep your responsibility under your control

IT asset disposal is a specialist field, and most organizations employ a third-party service provider to undertake this work. However, the quality and reliability of these companies can vary greatly, as they still operate without a great deal of professional scrutiny. With the severity of GDPR and the potential for colossal financial penalties, devolving this responsibility to a business outside of your own control begins to require either a huge degree of trust, or blind faith and crossed fingers.

Even with a watertight ICO-compliant contract in place with a reputable IT asset disposal company, traditional methods of data destruction are proving insufficient to provide 100 percent certainty that potentially sensitive data has been destroyed, particularly with Solid State Drives (SSDs). Neither magnetic degaussing systems nor software overwriting can offer complete certainty that data has been removed, and both methods leave the hard drive physically intact, meaning the potential for data retrieval still remains.

Cryptographic erasing has become an increasingly popular method of securing data, but data encryption is inherently not data destruction. Encryption is an impenetrable vault for data right up until the moment someone discovers the key, after which complete access is granted. Encryption does not destroy data; it simply conceals it for a limited time, again offering no degree of certainty.


Do not erase: destroy!

Increasingly, the only certain solution for guaranteed data destruction is the physical destruction of the asset itself via hard disk shredding. This is now proving to be the preferred choice for a number of super-secure or highly regulated industries, such as financial institutions, military and security agencies. 

Data center owners and managers should now be considering how they can provide extremely secure data asset destruction on-site. Having a solution on-site, located within the high-security section of a data center, will ensure that no data asset ever leaves the secure area, even at the end of its functional life, thus maintaining the ‘bonded’ security seal. Reducing the number of links in the ‘chain of custody’ that could be exploited hugely reduces the risk of a catastrophic data breach.

The more links in the chain of custody, the more opportunities for failure. By controlling the process, and automatically documenting each stage of asset destruction with a secure and evidentiary process, such as biometric scanning, barcode scanning and video recording of the actual shredding process, a clear audit trail is created, providing additional levels of security and increased customer confidence.

Possessing a machine that provides this added level of security presents data center owners and managers with the opportunity for a monetized ‘value-added’ service to offer customers. Data centers and cloud service providers that can offer this new, upper echelon of data security will stand out from their competitors, will find it easier to maintain their annual security accreditations, and may also benefit from reductions in their premiums for cyber-insurance, due to the enhanced level of security.

Physical data security is an urgent and yet widely overlooked topic that will gain traction as the GDPR deadline approaches. Managing the secure destruction of data assets on-site will give data center owners and managers the peace of mind to know that they have taken control of the process, before a data breach takes control of their finances!

Daniel Smith is managing director of DataRaze