Ssn jan mar '15 final

Security Shredding News

Continued from previous page

past would have been deemed to have insufficient specifications. Now that storage is in the cloud, those devices are more than suitable. Install a new operating system, upgrade some components, and reuse it. Reuse is the highest form of recycling.”

Daoud agrees this is a possibility. “The secondhand [electronics] industry has been used to selling according to the capability of the device,” he notes. “As needs drop, people won’t need to spend so much on a complex device.”

Third, electronics processors can look at this as an opportunity to change their business model to one that’s service-based instead of product-based, Levine says. In the past, he explains, electronics processors often provided services such as IT asset tracking, data destruction, and logistics to companies free in return for receiving their retired equipment. Companies still need those services, he points out, even when they have less equipment to retire. “So some firms are charging a service fee, and I expect that trend to increase in the future.”

One concern that might slow the cloud-computing trend, Alcorn says, is data security. “Edward Snowden’s revelations caused a lot of people to question the use of anonymous data sources and storage,” he says. “This might be a counterweight to the overall trend, [and] not just in the U.S. market.” Companies moving toward cloud-based systems “might consider, ‘Are we confident that our data will be protected?’”

Trend 3: Solid-state drives

Notice how small and light tablets and laptops have gotten? One reason is that they no longer have a hard disk for data storage. Instead, they have a solid-state drive, also called flash memory. This storage medium offers advantages over the spinning hard disk in addition to size and weight: It can access items in memory faster, and it’s almost impervious to damage.

But devices with SSD memory can be a challenge for refurbishers. The primary concern is data erasure. Some techniques used to verifiably erase magnetic storage media such as computer hard disks don’t work for SSD. A report published in 2011 by researchers from the University of California, San Diego, found that SSD manufacturers’ built-in sanitization commands were only completely successful in four out of their 12 tests. Even then, there was no way to verify erasure had taken place. The National Association for Information Destruction (Phoenix) plans to conduct similar research, says CEO Bob Johnson.

SSD technology is evolving quickly, however, as are the technologies and processes for data erasure. NAID believes it is possible to fully erase, or sanitize, SSD devices and validate that erasure has taken place, Johnson says. But it might not be as simple as erasing a hard disk. Previous efforts that attempted to remove data from cell phones but leave the operating system intact were “inherently risky,” he says, because the devices were not designed to allow targeted data removal. Also, SSD devices that are fully populated with data behave differently when being sanitized than devices with only partially full memory. “It’s much more difficult to [determine] whether or not your system did erase everything, or did it simply move [the data] elsewhere on the drive?” Johnson says. But forensic techniques can determine to what extent data remains on SSD-containing devices, he says. NAID is in the process of beta-testing an add-on to its certification for data sanitization that would specify a company is certified to sanitize SSD devices, he adds.

Businesses concerned about data security might still insist their electronics processor destroy SSD-containing devices rather than refurbish and resell them—with the processor losing anywhere from half to 90 percent of their value in the process. “You’re always going to find someone who says you can’t be totally sure,” Levine says. Regency uses a three-pass overwrite method, which it can verify to ensure the data have been erased, says Julius Hess, Regency vice president. That meets the standards of the U.S. Department of Defense (Washington, D.C.) and the National Institute of Standards and Technology (Gaithersburg, Md.) as well as those of R2/RIOS™ certification, Hess and Levine say. “However, should a company still have concerns with regard to that method of data erasure, mechanical destruction—shredding—is always an option,” Levine adds.

Certification can reassure customers that your processes are routinely evaluated on whether they meet current standards for data destruction. Both the R2 standard and the e-Stewards® standard for certification specify data destruction techniques must meet the requirements of NIST’s Special Publication 800-88, Guidelines for Media Sanitization, and/or the requirements of local, state, and national laws. R2 also specifies that a company that holds NAID’s Certification for Sanitization Operations meets that requirement.
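
Johnson's question above, whether an erase removed the data or "simply move[d] [the data] elsewhere on the drive," can be seen in a small model of a flash translation layer. The Python below is an added example, not from the article, NAID, or Regency; the `ToySSD` class, its 8 logical blocks and 12 physical pages, and its garbage-collection policy are assumptions chosen for illustration.

```python
# Toy flash translation layer (FTL). A constructed teaching model, not any
# vendor's firmware: page counts and the garbage-collection policy are assumptions.
SECRET = b"customer-record"   # constructed sample data

class ToySSD:
    def __init__(self, logical_blocks=8, physical_pages=12):
        # Over-provisioning: more physical pages than the host can address.
        self.logical_blocks = logical_blocks
        self.pages = [None] * physical_pages       # raw flash contents
        self.l2p = {}                              # logical block -> physical page
        self.free = list(range(physical_pages))    # erased pages ready to program

    def write(self, lba, data):
        # Flash is not rewritten in place: program a fresh page, then remap.
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        self.pages[page] = data
        self.l2p[lba] = page                       # the old page is stale, not erased

    def read(self, lba):
        page = self.l2p.get(lba)
        return None if page is None else self.pages[page]

    def _garbage_collect(self):
        # Erase only pages that no logical block points to any more.
        live = set(self.l2p.values())
        for page in range(len(self.pages)):
            if page not in live:
                self.pages[page] = None
                self.free.append(page)

    def raw_residue(self, needle):
        # Chip-level view of every physical page, bypassing the mapping.
        return [p for p, data in enumerate(self.pages) if data == needle]

def overwrite_and_verify(filled_blocks, passes):
    """Fill part of the drive, overwrite every logical block, then verify twice."""
    ssd = ToySSD()
    for lba in range(filled_blocks):
        ssd.write(lba, SECRET)
    for _ in range(passes):
        for lba in range(ssd.logical_blocks):
            ssd.write(lba, b"\x00")
    host_clean = all(ssd.read(lba) != SECRET for lba in range(ssd.logical_blocks))
    return host_clean, len(ssd.raw_residue(SECRET))

if __name__ == "__main__":
    for filled, passes in [(8, 1), (2, 1), (8, 3)]:
        print(filled, passes, overwrite_and_verify(filled, passes))
```

In this model a read through the drive's normal interface reports clean in every case; only the raw page scan tells the cases apart, and the residue count changes with how full the drive was and how many passes ran.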

Continued on page 6

Security Shredding News. January-March 2015
