Managing and Automating Data Erasure for Mobile Devices: STRATEGIES FOR RECYCLERS AND IT ASSET DISPOSAL SPECIALISTS

Transcription

1 Managing and Automating Data Erasure for Mobile Devices: STRATEGIES FOR RECYCLERS AND IT ASSET DISPOSAL SPECIALISTS Blancco White Paper Published 14 February 2013

2 Introduction Advanced mobile devices like smartphones and laptops are quickly becoming indispensable tools in today s workplace, making employees both happier and more productive in their jobs. Seventy-seven percent of all companies are now providing smartphones to some employees according to a recent survey of companies in the United States (US) and Europe.1 Also, the bring your own device (BYOD) revolution is re-shaping the business landscape, with IDC predicting that more than half of business smartphones shipped in 2013 will be employee-owned.2 An estimated 1.2 billion smartphones and tablets will be shipped this year, according to Gartner, who also predicts that by 2016, two-thirds of the mobile workforce will own a smartphone.3 All of these mobile devices add up to trillions of gigabytes of memory much of which may eventually contain sensitive corporate, customer or employee data. Even when security is addressed, data threats from mobile devices are most often thought of in terms of malware, phishing, Improper decommissioning of used devices, is often an afterthought yet a very real security risk for businesses that an IT asset disposal (ITAD) specialist or mobile device recycler can mitigate with the right technology. and spyware attacks. Improper decommissioning of used devices, which may present an even bigger security issue, is often an afterthought yet a very real security risk for businesses that an IT asset disposal (ITAD) specialist or mobile device recycler can mitigate with the right technology. Businesses need to fully understand the importance of developing a robust security policy for mobile devices that addresses secure decommissioning in the event a smartphone or tablet is disposed, reassigned or sent for recycling. To support this mobile device policy, adhere to increasing regulatory requirements for asset disposal, and achieve complete security for mobile devices, they should implement approved erasure products that provide verifiable proof of data removal and find a reputable IT asset disposal (ITAD) partner or mobile device recycler who uses such software. Backed by the knowledge and the right technology or technology provider, IT asset managers can implement policies that secure data on both business devices and BYODs. 2

3 Table of contents Introduction...2 Drivers for erasing mobile devices...4 Small devices, big risks... 4 Regulatory concerns... 5 Technology mitigates data breach risks...6 Advanced data erasure with detailed reporting... 7 Chain-of-custody and erasure timing... 8 Efficient, high-volume erasure for mobile devices... 8 Broad platform support... 9 Fast, robust erasure supports mobile device security...9 References

4 Drivers for erasing mobile devices In addition to the proliferation of mobile devices entering the workplace both corporate issued and BYODs there are other factors driving the need for a mobile device policy that includes secure data erasure. Businesses and recyclers should be aware of the risks associated with improper disposal, as well as the increasing number of regulatory requirements for protecting data. Small devices, big risks With more computing power than Apollo 11 when it placed man on the moon, mobile devices hold a wealth of information despite their small size, with some smartphones and tablets having internal memory up to 64 GB. As these memory rich devices become smarter, helping people become more productive in both work and personal tasks, they are more likely to contain s, customer data, passwords and other sensitive information that could lead to data breaches if disposed of without first erasing the information. As the pace of technology refreshes for mobile devices escalates, so does the opportunity for data breaches. Research shows that personal and business data from smartphones and tablets does make its way to the secondhand market a threat that ITADs and mobile device recyclers with advanced data erasure technology can eliminate. For example, a 2008 survey found that one in five mobile communications devices in the recycled market still held sensitive information,4 while recent informal surveys have seen numbers as high as 60% to 99%.5,6 Alarmingly, 81% of respondents in a UK survey claimed to have wiped their mobile phone prior to selling them, with six in 10 confident the information was removed.7 Most of those claiming to wipe their phones had done so manually, leaving data retrievable. 4

5 Regulatory concerns The repercussions of a data breach from a tablet or smartphone are just as severe as if it originated from a server or laptop. Not only does a business or organization risk its corporate reputation, it can also incur industry specific regulatory fines like those for revealing credit card and other personal customer data under the Payment Card Industry Data Security Standard (PCI DSS) or protected personal health information (PHI) under HIPAA in the United States. Businesses, for example, can modify smartphones to become a credit card terminal. Also, some studies show that 80% of US doctors now use smartphones and medical applications in their daily practice.8 In February 2012, the Obama Administration in the US introduced the Consumer Privacy Bill of Rights, which provides a model of how to enable ongoing innovation in new information technologies while offering strong privacy protection, including a requirement for data deletion. While the US does not have a comprehensive privacy and data protection law, 46 states have enacted legislation requiring notification of security breaches involving personal information. Although each law varies slightly, many of them impose civil and criminal sanctions for failure to comply. Meanwhile, in Europe, changes in data protection have been proposed that revisit rules from the 1995 European Union (EU) Data Protection Directive. An existing draft of these updates is under review by all EU member states. European Network and Information Security Agency (ENISA) has specifically recognized that improper decommissioning of smartphones without a full data wipe poses one of the highest risks to information safety. In it are requirements for deletion of online data and use of auditable procedures for companies processing personal data, as well as encouragement for the use of certified tools and processes. Sanctions for violations of these new requirements are predicted to range from 250,000 euros up to 0.5% of global annual turnover for lesser offenses and 1 million euros up to 2% of turnover for more serious ones. In addition, the European Network and Information Security Agency (ENISA) has specifically recognized that improper decommissioning of smartphones without a full data wipe poses one of the highest risks to information safety, yet those devices are not subject to many of the erasure processes now in place for used hard drives.9 This is especially troubling in light of analyst predictions that more than 100 million mobile phones per year are now recycled.10 5

6 Technology mitigates data breach risks Given the serious potential for data breaches, ITADs, recyclers and businesses need access to a failsafe method for removing all information from the internal and external memory of mobile devices before they are reused, recycled, stored or destroyed. This goes beyond simply destroying the SIM card to include erasure of internal memory and external memory cards, which are not as easily accessible. Also, physically destroying a mobile device leaves open the possibility of data recovery from fragmented digital media, while presenting an environmental predicament. Many users may assume that resetting a smartphone back to factory defaults will destroy data in its internal memory, but in most cases the data actually still exists. Although a novice may find the data difficult to recover, a skilled hacker or computer forensic expert could access it. Tamperproof and verifiable reporting is an essential part of compliance, regulatory and legal auditing requirements; without it, a business cannot be assured its data is completely secure. One method of removing data is with software that overwrites the device s memory. Some manufacturer applications use this technique, but these apps do not provide a critical element a verifiable report with electronic serial numbers and other hardware details that prove the data is gone, which is necessary for regulatory compliance and a risk-free resale or reuse of the device. In addition, these apps only work with the particular device s operating system and are manually executed. 6

7 Advanced data erasure with detailed reporting Approved, advanced data erasure is a type of overwriting software with numerous security, technical and productivity advantages. Not only can it remove all data from a mobile device, it provides a detailed report as proof. This tamperproof and verifiable reporting is an essential part of compliance, regulatory and legal auditing requirements; without it, a business or recycler is not assured that data is completely secure. Comprehensive erasure reports provide critical information for auditing, resale and security purposes, including condition of the hardware, relevant serial numbers and asset tags, software details for license harvesting, and how and by whom the erasure was done. Because of its advanced functionality, data erasure offers numerous other advantages. For example, advanced data erasure technology adheres to overwriting standards like HMG Infosec and DoD M, which are required for data removal by many governments and some industries. As of yet, however, there have been no mutually common erasure standards specifically defined for all smartphones. Data erasure technology adheres to overwriting standards like HMG Infosec and DoD M, which are required for data removal by many governments and some industries. Currently, NIST is in the process of updating its guidelines for erasing both smartphones and solid state disks (SSDs). In addition, a global industry group known as the Device Renewal Forum (DRF) and its member companies are working to establish a single certification process for testing and certifying renewed smartphones, feature phones, USB modems and other wireless devices to ensure they meet rigorous product quality and performance standards. A portion of the DRF guidelines will address a secure data sanitization process that ensures privacy and data removal from renewed mobile devices. Members of this group include suppliers, recyclers and distributors of mobile devices; wireless carriers; testing laboratories; technology providers like those for advanced data erasure software; and other interested parties. 7

8 Also, businesses and recyclers should look for an advanced data erasure tool that is approved as effective in sanitizing data by an internationally recognized thirdparty testing agency like TÜV SÜD. Such an approval provides an ITAD and its customers with an extra level of assurance that all data has been wiped from mobile devices. ITADs can benefit from additional erasure units that report back to the central console. For example, four units would allow a single operator to erase over 1,000 smartphones each day. Chain-of-custody and erasure timing While choosing the correct technology for removing all data from mobile devices is important, the timing is equally critical. When a business wants to sell, donate or reassign a smartphone or tablet, it should use advanced data erasure to remove the information before the device leaves the business premises, as IAITAM best practices recommend.11 To do so, the organization s internal IT staff can run the erasure software. Alternatively, the company can turn to a mobile device recycler with on-site services for approved data erasure, or one that supports secure transport of the mobile devices to their facility for approved erasure. The IT staff or asset manager can then match the serialized erasure report with the inventory to create an audit trail that proves all data has been cleared. Efficient, high-volume erasure for mobile devices Another important feature of advanced data erasure software is that it allows operators to automate and execute the erasure process for multiple mobile devices from a normal desktop a key productivity benefit for ITADs and mobile device recyclers. The automatic erasure process can be set up in just a few minutes and is highly efficient, allowing a single operator to erase hundreds of smartphones of various platforms per day. The erasure software also automatically sends the erasure reports to a central console, supporting a more productive IT staff and operations for businesses and recyclers, with a detailed report for auditing and regulatory purposes. ITADs can benefit from additional erasure units that report back to the central console. For example, four units would allow a single operator to erase over 1,000 smartphones each day. This allows ITADs to dedicate a part of their smartphone handling process solely to erasure, giving more quality assurance to their customers. 8

9 Broad platform support In addition to its efficiency, advanced data erasure software can detect and simultaneously erase data from different types of smartphone and tablet platforms because it communicates directly with their operating systems. These devices range from ios to Nokia Symbian, Android, Windows Mobile, and Blackberry. This platform flexibility is increasingly important as varying types of personal devices make their way into the workplace and on to ITADs, requiring different erasure processes. Platform overwriting requirements Apple ios Android BlackBerry Nokia Symbian Windows Mobile iphone and ipad devices are encrypted and therefore do not require overwriting of all user data areas. However, the encryption key must be overwritten to make user data unreadable. Devices require overwriting of user data areas. A simple factory reset and/or reformat is not secure and the data can be quite easily recovered. BlackBerries require removal of their IT policies, as well as overwriting of user data areas. Devices require overwriting of user data areas. Factory resetting is not sufficient. Devices require overwriting of user data areas. Factory resetting is not sufficient. Fast, robust erasure supports mobile device security With advanced data erasure, ITADs and recyclers can play a major role in helping companies execute a secure mobile device policy that requires erasure of smartphones and tablets prior to disposal, reuse or remarketing. Using third-party tested and approved data erasure software, ITADs can help customers meet increasing regulatory requirements for asset disposal, as well as avoid costly data breaches, fines and other negative repercussions. By conforming to technology standards and certifications or approvals, this software provides peace of mind that no data is left behind prior to resale or reassignment. Advanced data erasure is a practical choice for recyclers and ITADs that want to secure data without a time consuming manual process and achieve efficient, costeffective operations. Its automated reports are not only important for customers, but also provide device details necessary for their remarketing and sale. In addition to efficiency, the flexibility to erase large numbers of mobile devices of various platforms from a centralized management console provides a powerful view of overall device recycling operations. The information contained in this document represents the current view of Blancco Oy Ltd on the issues discussed as of the date of publication. Because of changing market conditions, Blancco cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. Blancco makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Blancco. 9

10 References 1 IDC, IDC Benchmark Study Examines Enterprise Mobile Device Policies, 04 June 2012, 2 Blackberry, Employee-owned Smartphones: Seize the Opportunity, White paper 3 TechCrunch.com, Gartner: 1.2 Billion Smartphones, Tablets To Be Bought Worldwide In 2013; 821 Million This Year: 70% Of Total Device Sales, 6 November 2012, tablets-to-be-bought-worldwide-in million-this-year-70-of-total-device-sales/ 4 Business Week, The Recycled Cell-Phone Trap, 3 November PC World, Your Old Smartphone s Data Can Come Back to Haunt You, 10 July Dark Reading, Old Smartphones Leave Tons of Data for Digital Dumpster Divers, 15 December data-for-digital-dumpster-divers.html 7 CPPGroup plc, Second Hand Mobiles Contain Personal Data, 22 March 2011, 8 Healthcare Technology Online, Bracing For Healthcare s Mobile Explosion, 6 January Code=Welcome&templateCode=EnhancedStandard&user= &source=nl:32854\ 9 ENISA, top-ten-smartphone-risks?searchterm=top+ten+smartphone+ 10 ABI Research, Recycled Handset Shipments to Exceed 100 Million Units in 2012, 20 December International Association of Information Technology Asset Managers (IAITAM) Note: Portions of this white paper appeared in the February 2012 issue of ITAK magazine published by the International Association of Information Technology Asset Managers (IAITAM). 10

11 For further information, please visit Blancco U.S Roswell Road, Suite 302 Marietta GA 30062, UNITED STATES Tel. (770) Fax. (770)