Embed Size (px)
Citation preview
THE WORLD’S PREMIER SOLUTION FOR SANITIZING HARD DRIVES
PRIOR TO REPURPOSING OR DISPOSAL
DIGITALSHREDDERPRODUCT PRESENTATION
PARTNER LOGO
PARTNER CONTACT
INFORMATION
CURRENT STATE OF AFFAIRS
Civil and criminal penalties
Erosion of income and profits
Lost confidence of client base
Irreparable harm to reputation
Failure to properly sanitize hard drives has catastrophic consequences:
5.6 BillionHard Drive Productionfrom 2001 - 2011
600 MillionHard Drives Reachend of life in 2008
2 – 3 RefreshesCan occur during a hard drives lifecycle
One gigabyte of data on a hard drive
=
Approximately one dump truck of compacted paper
Well Publicized LawsHIPAA, FACTA, SOX, FISMAGramm-Leach-Bliley
Consequences of a BreachFines, Loss of License &Loss of Reputation
69% of Data Breach Costs Are the result of lost customer business
44% OF ALL DATA BREACHES RESULT FROM LOST OR STOLEN HARD DRIVES & LAPTOPS
CURRENT STATE OF AFFAIRS
COST OF DATA BREACH
Incident Response
Source: Ponemon Institute
free or discounted services
free credit checks for five years
lost business
notifications via email, letters, web, media, etc.
legal defense
criminal investigations
legal audit and accounting fees
call center expenses
public relations/communication
internal investigations
security consultants
Average cost per record compromised in 2007:
$202
Average cost per record compromised in 2007 by Third Party:
$238
INCIDENT RESPONSE ELEMENTS
THE HARD DRIVE EPIDEMIC
Mercury & PCB in electronic circuits
Rare earth magnets – platters are aluminum coated in iron oxide and other chemicals
Materials become toxic when incinerated in landfills
Proper sanitization of digital data is much more than a Best Practice Solution,
IT’S THE LAW.
Gramm-Leach-Bliley
Sarbanes-Oxley FACTA HIPAA FISMA FERPA RCRA
Financial Services Modernization Act
Public Company Accounting Reform & Investor
Protection Act
Fair and Accurate Credit Transaction Act
Health Insurance
Portability & Accountability
Act
Federal Information
Security Management
Act
Family Educational Rights and Privacy Act
Resource Conservation and Recovery
Act
Directors and Officers Penalty Per Violation
$10,000 Up to $1,000,000
Termination
Institution Penalty Per Violation
$100,000 Up to
$5,000,000 $11,000 $50,000 to $250,000
Agency Budget
Reduction
Loss of Federal Funding
Up to $27,500 Per Day Per
Violation
Years in Prison 5 to 12 Years Up to 20 Years 1 to 10 Years
FDIC Insurance
Terminated
Impact on Operations Cease and Desist
Congressional Review
Loss of License
Individual Civil Fines $1,000,000 Civil Action $25,000
Up to $200,000
InstitutionCivil Fines 1% of Assets
Varies Per Record
USA REGULATORY PENALTY MATRIX
SANITIZING DRIVES: MORE THAN JUST END OF LIFE
Storage transfers to a new user
Storage transfers to a new server
Maintenance Return at end of lease
BACK OFFICE COMPUTING:
Tech refresh or return at end of lease Upgrading to a new computer or higher
capacity drive Completion of a new project Cleaning a workstation for a new user Departure of an employee from an
organization Returning a hard drive under warranty Returning a computer under warranty Protection from unauthorized access A virus that is detected Attack from a hacker Employee turnover
INDIVIDUAL USER NOTEBOOKS AND WORKSTATIONS:
EVOLUTION OF A SOLUTION
In the late 1990’s, the international hard drive manufacturing community called a global summit to discuss the rapidly growing challenge of properly sanitizing hard drives.
ATTENDEES:
CHALLENGE:Develop a means of sanitizing hard drives beyond forensic reconstruction while retaining the ability to reuse the hard drive.
OUTCOME: The Hard Drive Industry collaborated with The Center for Magnetic Recording Research, under the direction of the US National Security Agency (NSA), to meet the challenge. They developed a sanitization standard called:SECURE ERASE
SOLUTION IS CONCEIVED: SECURE ERASE
SECURE ERASE
It is now part of the ATA Rev 4 Spec for all hard drives.
A destruction command that is embedded in the firmware of ATA hard drives including IDE, EIDA, PATA and SATA.
An atomic process - eradicates all user data beyond forensic reconstruction.
Up to 18 times faster than ineffective overwrite routines.
Compliant, certified standards based technology.
Implemented by global hard drive manufacturers in 2002.
Validated and certified by the International Security Community.
BIOS and Operating System developers blocked the ability to initiate Secure Erase.
In the absence of an enterprise level Secure Erase solution, billions were spent on products, processes and outsourced solutions that were not effective, scalable or failsafe.
METHODS THAT FALL SHORT
Let’s compare these methods to the
CRITICAL REQUIREMENTS most often requested by IT
Professionals.
Third Party Providers
Commercial Software
Degaussing Machines
Mechanical Destruction
1. Destroy data beyond forensic reconstruction.
2. Provide a single-point lifecycle solution that handles
all drives
3. Offer control of the process.
4. Deploy a scalable process providing corporate-wide
compliance.
5. Give user the ability to verify erasure– “trust but
verify.”
6. Imbed an automated certification process that
completes an audit process.
7. Provide a green solution that allows reformatting
and repurposing of hard drives for reuse or the
ability to recycle the drive intact.
MARKET FEEDBACK
Design input from IT Professionals and auditing firms during development
COMMERCIAL SOFTWARE
DESCRIPTION:
Replaces existing data with a set of random or repeating data
LIMITATIONS:
Does not delete data beyond forensic reconstruction
Lack of automated data logging, audit trails or certification labels
Single drive can take more than 24 hours
Ties up workstations for hours
Vulnerable to user manipulation
DEGAUSSING MACHINES
Disables hard drive by applying a strong magnetic field
Not a lifecycle management tool – end of life only
Unable to reuse drive, not a green solution
Not “office friendly”
Dangerous high level magnetic fields require special precautions
Destroys read/write head – can not confirm data is deleted
Lack of audit trail or certification labels
Requires constant re-calibrations to ensure proper functionality
DESCRIPTION: LIMITATIONS:
UNSAFE, INCONSISTENT, NOT CERTIFIABLE
MECHANICAL DESTRUCTION
Reduces hard drive into scrap metal or physically disables the media
Includes hammers, nail guns, belt sanders, and mechanical shredders
Not a lifecycle management tool – end of life only
Heavy, bulky and noisy equipment, not “office friendly”
Lack of automated data logging or audit trail
Unable to reuse the drive,Not a green solution, toxic hazards at shredding site and landfill
Encourages stockpiling of drives, a security risk
Not a scalable solution
DESCRIPTION: LIMITATIONS:
THIRD PARTY PROVIDERS
Third Party employs any of the previous methods
The service may be performed on-site, or require that the hard drives be transported to the service provider’s facility
Not a lifecycle management tool – end of life only
Loss of care, custody, and control
Storage problems exist between visits
Risk of loss during transit
High service and transportation costs
Retention of liability - a handoff does not absolve liability
Deploys any of the prior methods
DESCRIPTION: LIMITATIONS:
Carrying Handle
3 Drive Bays Personality Blocks
Printer
1
LED Indicators
Touch Screen
2 3
Height - 12”
Width - 8.5” Length - 13”
Weight – 15lbs
SOLUTION IS BORN: THE DIGITALSHREDDER
GREEN SOLUTION – ALLOWS REUSE OF HARD DRIVE AFTER CLEANSING!
USER FRIENDLY: NO KEYBOARD OR MOUSE
INTEGRATED SCREEN eliminates the need for keyboard and mouse, facilitates portability
Main Menu History
Administrative Login
Drive Operations
Sector Viewer
SECURED ACCESS: Password Protected
USER FRIENDLY: NO CABLES – NO CLUTTER
Quick and easy secure connections to various drive formats:
Current Support: All ATA drives including IDE, EIDE,
PATA and SATA - 2.5” and 3.5” (desktop & laptop drives)
Upcoming Support: SCSI, Fiber Channel, SAS, Major Flash
Media 3 Bays: multiple drives sanitized
simultaneously and independently Lock down enhances security
INSERT LOCK DOWN SANITIZE
OFF
GREEN
RED
ORANGE
Vacant bay, available for use
Drive is loaded and ready, but no operation is taking place, blinks green when process is completed
Process is being executed, bay is mechanically locked and password protected
Reformatting / imaging
LED INDICATORDRIVE STATUS
USER FRIENDLY: LED INDICATORS
BEST PRACTICES: AUTOMATED AUDIT TRAIL
PHYSICAL LABEL DIGITAL LOG
Completion of an erasure process results in the printed bar code label which includes the log entry information for the hard drive
Labels can be easily scanned for error-free, automated equipment tracking
All Digital Shredder activity is stored in the internal log file
Log file can be exported in CSV format using the USB port
Automated log tracks the following:
Operator’s name Date and time Hard drive serial
number Elapsed time Erasure process
Comparison of Data Destruction Methods
Critical RequirementsDigital
Shredder
Commercial Software
Degaussing
Machines
Mechanical
Destruction
Third Party
Provide a single-point solution that can be used during the entire hard drive lifecycle
YES Yes No No No
Eliminate data beyond forensic reconstruction YES No Uncertai
nUncerta
inUncert
ain
Maintain care, custody, & control throughout the process YES No No No No
Provide an automated certification process that completes aBest Practice audit trail
YES Uncertain No No No
Deploy a scalable process providing corporate-wide compliance
YES No No No Yes
Verify drive sanitization by sector – “trust but verify” YES Uncertai
n No No No
Provide a green solution that allows reformatting and repurposing of hard drives
YES Yes No No Uncertain
A CLEAR COMPETITIVE ADVANTAGE
USA GOVERNMENT COMPLIANCEThe Digital Shredder Secure Erase appliance meets and/or supports the following Department of Defense or Civilian Government guidelines concerning Information Security Practices: NSA Information Assurance Advisory – NO. IAA 2006-2004 in
Guidance to Designated Approving/Accrediting Authorities (DAA’s) regarding
the Use of Software Clearing for Downgrading of Hard Disks US Deputy Secretary of Defense Memo dated May 29, 2001;
Disposition of Unclassified DoD Computer Hard Drives, by
Paul Wolfowitz US National Computer Security Center (NCSC-TG-018); Rainbow Series
"Light Blue Book"
A Guide to Understanding Object Reuse in Trusted Systems US National Computer Security Center (NCSC-TG-025); Rainbow Series
"Forest Green Book" A Guide to Understanding Data Remanence in Automated
Information Systems US National Institute of Standards and Technology (NIST) SP 800-88
Guidelines for Media Sanitization National Institute of Standards and Technology (NIST) SP 800-14
Generally Accepted Principles and Practices for Securing
Information Technology Systems US Air Force System Security Instructions 5020 US Army AR380-19, AR25-1, AR25-2 US Navy Staff Office Publication (NAVSO P-5239-26) US Navy OPNAVINST 5239.1A
EDT’s VALIDATION PHASE: GOVERNMENT
Healthcare
Education
Legal
Financial
Service Providers
COMMERCIAL CUSTOMERS
Australian Department of Defence (Australian
Communications –
Electronic Security
Instruction ACSI33)
Royal Canadian Mounted Police Lead
Agency Publicatio
n B2-001
UK-HMG Infosec
Standard 5 {IS5} &
CESG Informatio
n Assurance Manuel S
United States National
Institute for Standards & Technology
Special Publication 800-
88
CLEAR
PURGE
DESTRUCTION
Commercial SoftwareLevel of security: protection against keyboard attack
Disintegration, Incineration, Pulverizing, or Melting Level of security: protection against laboratory attack
Secure Erase, DegaussersLevel of security: protection against laboratory attackSecure Erase is a high level of protection because you can validate the data is gone beyond forensic reconstruction & reuse the hard drive
GOVERNMENT COMPLIANCE
DIGITALSHREDDERThe World’s Premier Solution for Sanitizing Hard Drives Prior to Repurposing or Disposal.
