This presentation was given during the Spring 2012 Data Center World Conference and Expo. Contents contained are owned by AFCOM and Data Center World and can only be reused with the express permission of AFCOM. Questions or for permission contact: [email protected].
Interested in data center security and disaster recovery?
Learn about the Security and DR track at the upcoming Fall 2012 Data Center World Conference at:
www.datacenterworld.com.
Bringing ‘Peace of Mind’ to IT Asset Retirement
• Reduce your Liability in 3 Areas:
– Environmental
– Data Privacy
– Reputation
Confidential – not for distribution without LifeSpan’s written consent.
Equipment Retirement – Issues
• E-waste is the fastest growing portion of the entire waste stream, growing two to three times faster than any other waste stream. It is the largest single source of lead in municipal solid waste (about 30%).
The United States faces a unique challenge regarding the disposal of obsolete computer equipment on a national and global scale.
Asset Retirement – Drivers
• Increased focus on asset management – Must manage TCO
• Environmental liability / data security – Detailed reporting and auditing
• Multiple locations, distributed IT equipment – Complex and costly logistics
• Greater corporate and environmental regulations – Increased scrutiny and accountability for tangible and intangible assets
IT Asset Management Process
[Chart: Relative Cost across the asset lifecycle, from beginning to end of lifecycle – Requisition, Procurement, Deployment, Maintenance, Retirement]
Sources: Gartner, IDC
Why Can’t We Just Throw it Away?
• All E-Waste types
– Computers & Monitors
– Printers & Peripherals
– Complex Circuitry Items
– Materials Toxic to the Environment
• Lead
• Mercury
• Cadmium
• Gallium Arsenide
• Barium
Bringing Peace of Mind…
• Department of Commerce report estimated that in 2006, 50% - 70% of electronic waste was exported to developing countries
Environmental Risks
• Comprehensive Environmental Response Compensation and Liability Act (CERCLA)
– a.k.a. “Superfund”
– Certificates of Recycling – “certification”
– Deep Pockets Ruling
• State by State Regulations
– What’s legal in one state is illegal in another
• A ‘Certificate of Recycling’ is meaningless
• Ask for Pollution Liability Insurance – $5 Million
Environmental Liability:
Credit Card Log File
Point of Sale Log File – Credit Card Numbers
Outlook – Outlook.pst
Accounting System – Social Security Number
Data Destruction Dilemma – Revenue or Neutral/Cost
• Physical Data Destruction
– Crushing – HDC
– Shredding – Service / Equipment
– Visual verification
• Sanitization
– Single Pass, Triple Pass, 7 pass, 29 pass, zillion pass
– DBAN
– Active@ KillDisk
– Ontrack – Data Erasure
– Blancco
• Degaussing
Degaussing
Profile Privacy Breaches
• Identity Theft – On the rise
– 22.4 Million Sensitive Records Breached in 2011
– Costs $53 Billion annually
– Costs $4,800 per individual
– Costs public companies – 5% stock value
• Sony
• Epsilon
• HealthNet
Bringing Peace of Mind to Data Privacy
• Look for a NAID Certified Service Provider
Considerations for Process Enhancements
• Chain of Custody
– How long do drives sit around before destruction?
– Where/How are they stored?
– Can they accidentally be picked up for reuse?
• Quality Assurance on Sanitization
– How are disks validated? (Every day, lot, each… never)
– Forensics Software?
• EnCase
• RTT Toolkit
– Different types of interfaces – SCSI, Fibre Channel
• MOST IMPORTANT: Process and Controls – It’s Usually Human Error
Considerations for Process Enhancements
Where things go wrong:
Physical Destruction
• No timely destruction – they sit around
• Mistaken for wiped drives – so not crushed
• Inadvertent reuse
Sanitization
• Little or no QA/QC
• False negatives from faulty hardware
• Interfaces
• Drives mistaken for wiped
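One way to put the validation question ("how are disks validated?") and the faulty-hardware failure mode into practice, as an added example rather than LifeSpan's or NAID's own procedure: a verifier that reads a wiped drive image (or block device) and certifies it only if every byte matches the wipe pattern and every read succeeds. The file names and sample images are constructed; the stride option exists to show that a spot check gives weaker assurance than a full read.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass
class WipeVerdict:
    verified: bool                  # True only if every byte read matched the pattern
    bytes_checked: int
    first_bad_offset: Optional[int]
    error: Optional[str]            # read failures land here and never count as a pass

def verify_wipe(path: str, pattern: bytes = b"\x00",
                chunk_size: int = 1 << 20, sample_stride: int = 1) -> WipeVerdict:
    """Confirm a wiped drive image (or block device) contains only the wipe pattern.
    sample_stride=1 reads the whole device; N>1 reads one chunk in N, a faster spot
    check with weaker assurance. A short read or I/O error is a failure: a drive
    that cannot be read cannot be certified as wiped."""
    checked, plen = 0, len(pattern)
    try:
        with open(path, "rb") as f:
            size = f.seek(0, os.SEEK_END)        # works for image files and block devices
            for idx, off in enumerate(range(0, size, chunk_size)):
                if idx % sample_stride:
                    continue
                f.seek(off)
                want = min(chunk_size, size - off)
                chunk = f.read(want)
                if len(chunk) != want:
                    return WipeVerdict(False, checked, None, f"short read at offset {off}")
                # Expected bytes, keeping a multi-byte pattern phase-aligned to the offset
                expected = (pattern * (want // plen + 2))[off % plen:off % plen + want]
                if chunk != expected:
                    bad = next(i for i in range(want) if chunk[i] != expected[i])
                    return WipeVerdict(False, checked + bad, off + bad, None)
                checked += want
    except OSError as exc:                        # faulty hardware, flaky interface, bad path
        return WipeVerdict(False, checked, None, str(exc))
    return WipeVerdict(True, checked, None, None)

def demo() -> Tuple[WipeVerdict, WipeVerdict, WipeVerdict]:
    """Constructed images: a clean 4 MiB wipe and one with residual data at 3 MiB."""
    d = tempfile.mkdtemp()
    clean, dirty = os.path.join(d, "clean.img"), os.path.join(d, "dirty.img")
    residue = b"LEFTOVER CARDHOLDER RECORD"     # constructed sample, not real data
    with open(clean, "wb") as f:
        f.write(b"\x00" * (4 << 20))
    with open(dirty, "wb") as f:
        f.write(b"\x00" * (3 << 20) + residue + b"\x00" * ((1 << 20) - len(residue)))
    return verify_wipe(clean), verify_wipe(dirty), verify_wipe(dirty, sample_stride=8)
```

In the demo the stride-8 spot check reads only the first 1 MiB chunk and wrongly passes the dirty image, which is the QA gap the slide warns about.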
Considerations for Process Enhancements – NAID (Preliminary)
• Physical Destruction Process Outline:
– IT, Surplus or Vendor Team removes equipment from end user – transports and places in secure area
– Equipment is cataloged
– Drive is removed and cataloged
– Immediately crushed
– Subsequent shredding for recycling
Considerations for Process Enhancements – NAID (Preliminary)
• Sanitization Process Outline
– IT, Surplus, or Vendor Team removes equipment from end user – transports and places in secure area
– Equipment is cataloged
– System is sanitized
– Forensics verification – manager, outside firm
– Labeled
– Drive is removed and cataloged
– System is sanitized
– Forensics verification – manager, outside firm
– Labeled
Solid State Hard Drive Technology
Solid State Hard Drives
• Reverse Engineered to mimic Magnetic Architecture
• Flash Translation Layer
• Lack of G-List
• In the race to go to market, SSD manufacturers were inconsistent in their adherence to the SATA standard.
• This has rendered wiping/sanitization software unable to perform a conclusive validation.
[Diagram: Magnetic HD vs. SSD HD, showing the Flash Translation Layer (FTL)]
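The FTL point above, as an added illustration that is not from the slides: a toy SSD model in which a host overwrite only remaps logical blocks to fresh pages, so host-side verification reports a clean drive while stale pages still hold the original records until the controller itself erases them. The model, page size and sample records are constructed for this example.

```python
PAGE = 16                                       # toy page size in bytes
ZERO = b"\x00" * PAGE
class ToySsd:
    """Constructed FTL model (not a real controller). Host writes never overwrite a
    flash page in place: each write lands on a fresh page and the page holding the
    previous copy is only marked stale until the controller's own garbage collection
    erases it. The host can read only through the logical-to-physical map."""
    def __init__(self, logical_blocks: int, physical_pages: int):
        self.logical_blocks = logical_blocks
        self.flash = [ZERO] * physical_pages    # erased flash reads as the blank pattern
        self.map = {}                           # LBA -> physical page currently mapped
        self.stale = set()                      # pages holding superseded copies
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        if self.next_free == len(self.flash):
            raise RuntimeError("no free pages: garbage collection needed")
        if lba in self.map:
            self.stale.add(self.map[lba])       # old copy stays physically present
        self.flash[self.next_free] = data
        self.map[lba] = self.next_free
        self.next_free += 1

    def read(self, lba: int) -> bytes:
        return self.flash[self.map[lba]] if lba in self.map else ZERO
    def host_overwrite_pass(self) -> None:      # what wiping software does
        for lba in range(self.logical_blocks):
            self.write(lba, ZERO)

    def host_verify(self) -> bool:              # host-side validation sees mapped pages only
        return all(self.read(lba) == ZERO for lba in range(self.logical_blocks))

    def raw_residue(self) -> list:              # what a raw read of the flash would still find
        return sorted(p for p in self.stale if self.flash[p] != ZERO)

    def garbage_collect(self) -> None:          # controller-side erase; the host cannot do this
        for p in self.stale:
            self.flash[p] = ZERO
        self.stale.clear()

def demo() -> tuple:
    ssd = ToySsd(logical_blocks=4, physical_pages=16)
    for lba in range(4):                        # constructed sample content
        ssd.write(lba, f"record-{lba}".encode().ljust(PAGE, b"#"))
    ssd.host_overwrite_pass()                   # single pass
    ssd.host_overwrite_pass()                   # second pass: uses more pages, same residue
    host_ok, residue = ssd.host_verify(), len(ssd.raw_residue())
    ssd.garbage_collect()
    return host_ok, residue, len(ssd.raw_residue())
```

`demo()` returns `(True, 4, 0)`: the host believes both passes succeeded, four stale pages still hold the records, and only the controller-side erase clears them.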
Are You Protected in the Event of a Data Privacy Breach?
• Do they have sufficient insurance? $1M Errors & Omissions
• Privacy Liability ($250,000)
– Notification/Credit Monitoring
– Public Relations Expenses
• Bodily Injury Coverage
– For those who claim emotional distress & mental anguish
• Hammer Clause (for frivolous suits)
• You shouldn’t have to worry about whether a claim will be paid
Data Privacy – Have You Considered…
• Digital Copy Machines contain Hard Drives
– Capture image of every page copied
• High-end Printers contain Hard Drives
• Smartphones & Blackberries
– Should be treated just as carefully as loose hard drives
– Sanitize Data/Shred SIM Card
Reputation Risk
• Many nationwide companies rely on smaller local recyclers, creating inconsistent practices on how materials are retired from region to region.
• Often “sham recyclers” simply cross dock and export E-waste to non-OECD countries.
• Invariably, companies are unaware that their E-waste has not been legitimately broken down and recycled, but merely exported to countries that are unequipped to process it properly.
• Environmental watchdog groups are producing exposés in order to make an example out of abhorrent companies.
Free E-Waste “Recycling”
Source: Basel Action Network BAN.org
Environmental - Global “Recycling”
Hydrochloric / Nitric Acid Baths
Processing Residue along Lianjiang River
Source: Basel Action Network BAN.org
Reputation Liability: E-Waste ‘Sting’ Operations
60 Minutes Nov 9, 2008
Frontline, June 23 2009
Look for a Nationwide ‘Footprint’
[Photos: Recycling; Recycling / Sorting; Sort / Audit]
Asset Retirement Program – Elements to Consider
• Frequency
• Space
• Location
• Packing Resources
• Data Security
• Audit
• Recycle
[Continuum chart – cell text recovered from the slide, grouped by element:]
Space: 0 to 1 Pallets or E-cycle Box; 2 to 4 Pallets or E-cycle Box; ½ to Full Truckload
Location: Single Location / Campus; Coastal, Regional; National
Packing Resources: Plenty of Resources to Pack; Need Resources Sometimes; Packing materials / Inside Removal
Data Security: Plenty of Resources / Strategic In-house; Do In-House / Need to Check; SW and/or Physical Destruction
Audit: Plenty of Resources / Strategic In House; Do In-House / Need to Check; Barcode serial #s / Asset tags
Recycle: Transfer ownership / Recycle Domestic; Global Reman/Reuse / No Reuse; Domestic Only
Frequency: 1 time pickup / once per year; Quarterly; Weekly / Monthly
Asset Retirement Program – Development of Continuum
[Chart: service elements – Asset Auditing (Serial Number, Asset Tag), Data Destruction, Inside Pickup, Packing, Transportation, Logistics, Recycling, Reuse, Resale]
Sample LifeSpan Service Programs