http://www.guardianedge.com/

Full Disk Encryption & IT Asset Disposition: Protecting Data During the PC Disposal Process A GuardianEdge White Paper 4/7/2006 The information contained in this document represents the current view of GuardianEdge Technologies Inc. on the issues discussed as of the date of publication. Because GuardianEdge must respond to changing market conditions, the information contained in this document should not be interpreted to be a commitment on the part of GuardianEdge, and GuardianEdge cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GuardianEdge makes no warranties, express or implied, in this document. 2003-2006 GuardianEdge Technologies Inc. All rights reserved. Printed in the United States of America. Other product or company names mentioned herein may be the trademarks of their respective owners and, if so, they are hereby acknowledged. GuardianEdge Technologies 475 Brannan Street, Suite 400 San Francisco, Calif. 94107 USA Phone: (415) 683-2200 Toll Free: (800) 440-0419 Fax: (415) 683-2349 http://www.guardianedge.com/

Table of Contents Introduction... 3 IT Asset Disposition: A Risk-based Approach... 4 The risk of data exposure... 4 Data sanitization... 7 Types of data sanitization... 7 Data clearing... 8 The need for stronger security... 8 Securing the Chain of Custody... 9 The solution: Encrypt sensitive data before disposing of IT assets... 9 Conclusion... 11 About GuardianEdge Technologies Inc... 12 Full disk encryption software from GuardianEdge... 12 References... 13 2

IT asset disposition is a sub-process of IT asset lifecycle management. IT asset disposition is also relevant to information lifecycle management due to the presence of sensitive and proprietary information on corporate PCs. Full disk encryption is a valuable security measure for both IT asset and information lifecycle management, and is particularly useful for securing data on PCs that are slated for resale, donation, recycling or destruction. Introduction The average lifespan of a corporate PC can be measured in a few short years. As technology advances and business conditions change, organizations must deal with a constant stream of IT assets that are no longer needed to support existing work activities. Consequently, PC disposal and other forms of IT asset disposition are a necessary part of day-to-day operations for most organizations. Unfortunately, the process of unloading obsolete or unneeded equipment is laden with risk. Computer hard drives often contain sensitive corporate or consumer information that could easily land in the wrong hands if the disposal process is mishandled. Cleansing that information is a complex, costly and laborious task that is prone to error. As a result, most organizations rely on external service providers to handle activities such as data sanitization and PC disposal. However, transferring ownership of an IT asset does not absolve an organization of its responsibility to protect the security and privacy of information stored on that asset. Many regulations, HIPAA and GLBA in particular, set strict guidelines for appropriate destruction of records containing protected health or financial information. Therefore, organizations need to focus on securing the so-called chain of custody when unloading old equipment in order to minimize the risk of data exposure during the process and to demonstrate regulatory compliance to auditors and government officials. Encryption is a powerful security measure for safeguarding the chain of custody during the PC disposal process. By encrypting a computer hard drive before transferring custody to an external service provider, organizations can protect the integrity of data during and after the asset transfer. Furthermore, encryption can be used to render data irrevocably inaccessible, even in instances where data sanitization is not entirely effective. This White Paper discusses full disk encryption as a technical safeguard for secure PC disposal and data sanitization, examining how and when to use encryption for securing and documenting the chain of custody. 3

IT Asset Disposition: A Risk-based Approach IT asset disposition is the process of dealing with equipment that is no longer needed to support existing work activities 1. In general, there are four options for IT asset disposition available to an enterprise organization: Resale Donation Recycling Disposal In the past, many organizations have taken a cost-based approach to IT asset transfer. However, recent changes in the regulatory environment have driven corporate and governmental organizations to shift their focus from minimizing cost to minimizing risk. There are two primary areas of risk associated with the disposition of an IT asset: the risk posed by the presence of toxic materials used to make computer equipment, and the risk posed by the presence of sensitive information stored on that equipment. This White Paper focuses on the risk of data exposure during the IT asset disposition process, and the ways in which organizations can manage that risk in a secure and cost-effective manner by utilizing full disk encryption software. The risk of data exposure The hard drives of most corporate computers are ripe with sensitive information. Some of that information may be intellectual property, which an organization will naturally wish to keep confidential; some of that data may be personally identifiable consumer information in the form of electronic personal records. In the latter case, organizations governed by regulations such as HIPAA and GLBA have a legal obligation to protect consumer data throughout the information lifecycle, from data entry to data disposition. In general, the risk of data exposure begins the moment an organization transfers custody of a retired computer to an external entity. Once that transfer of custody has taken place, the organization is no longer in physical possession of the equipment and therefore no longer in control of the data stored on that device. However, transfer of custody does not absolve an organization of its responsibility to protect the security and privacy of non-public consumer information. Liability for data protection is not typically part of an equipment title transfer. Furthermore, several pieces of legislation state that the protection of data is the responsibility of the party that inputs, 1 Gartner Research, Creating a Process for PC Disposal 4

uses and maintains the data, not the party that owns the compromised equipment. The table below highlights a few of the laws that require organizations to practice secure disposal of covered information. Table 1: Key US Federal Legislation Governing Disposal of Sensitive Information Law Covered entities General requirements FACTA Any person who maintains or otherwise possesses consumer information for a business purpose Covered entities must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. 2 GLBA Financial institutions Covered entities must implement administrative, technical and physical safeguards for disposing of customer information 3 HIPAA Healthcare organizations Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. 4 Risks associated with resale and donation Computer equipment that is less than 18 months old is a candidate for potential resale, although the proceeds from selling retired equipment are minimal. Many organizations choose to sell old equipment to their employees, while others find local resellers or operate under lease agreements that allow them to return equipment to the original manufacturer. In most cases, the organization has little or no control over where the equipment will end up or who will have access to it. 2 Federal Trade Commission, Disposal of Consumer Report Information and Records; Final Rule 3 Federal Trade Commission, Standards for Safeguarding Customer Information; Final Rule 4 Department of Health & Human Services, HIPAA: Final Privacy Rule 5

The eventual owner of the retired equipment may be able to gain access to residual information once stored on the device, even when an organization has deleted that information. In a recent study on forensics 5 and data recovery, researchers procured 158 used hard drives on the secondary market and found that only 9% of those drives had been properly sanitized. The quality and quantity of the data that the researchers recovered suggests that some (or most) organizations are not doing enough to protect sensitive information when they choose to remarket retired equipment. Donation is similar to resale in that the organization usually has no idea where the equipment will end up. Organizations often choose donation for philanthropic reasons, but from a more pragmatic perspective, donation centers are more permissive than resellers in terms of the quality and age of the equipment they are willing to accept. Unfortunately, some of these charitable donations end up in the trash heaps of third-world nations such as Nigeria. A report from the Basel Action Network 6 claims that most of the computer equipment donated to places like Nigeria is completely unusable. However, the same report also contains an audit of information recovered from the hard drives of these supposedly unusable computers; some of that information was of a sensitive and proprietary nature, and most of the equipment was traceable to its original owner. Risks associated with recycling and disposal Dumpster diving has long been the most common method of procuring consumer records for illegal purposes, and consumer information has become a particularly valuable target for would-be identity thieves. Competitors may also be wading through piles of electronic waste for intellectual property, and a disreputable PC recycler or disposal service may scour the hard drives themselves in search of information they can sell for profit. Even in cases where a hard drive is slated for total destruction, the data stored within that drive is potentially vulnerable to exposure in transit to the destruction facility. Consequently, there is a need to irrevocably and irreversibly render data unreadable to eliminate the risk of data exposure during the IT asset disposition process. 5 Garfinkel and Shelat, "Remembrance of Data Passed: A Study of Disk Sanitization Practices". 6 Basel Action Network, Digital Dump: Exporting Reuse and Abuse to Africa. 10/24/2005 6

Data sanitization Data sanitization is a necessary component of the IT asset disposition process. There are several techniques for sanitizing data, all of which completely and irrevocably eliminate information from computer hard drives and other types of electronic storage media. Data sanitization is an effective way to protect data from exposure during IT asset transfer, but the current techniques for sanitizing data are prohibitively costly and laborious. As a result, organizations typically choose to outsource the task to an external service provider. Types of data sanitization Although there is no uniform standard for sanitizing data, the Department of Defense (DOD) defines several techniques for data sanitization that are acceptable under the requirements set forth in DOD directive 5220.22-M 7. This directive is part of a larger volume, the National Industrial Security Operating Manual (NISPOM), which the CIA, Department of Energy and several other agencies are required to follow. Degaussing Degaussing is a technique that magnetically erases data from any type of magnetic media. Although degaussing is effective, it is powerful enough to damage the surrounding electronics hardware, thereby permanently disabling both the data and the device it is stored on. In addition, degaussing can be prohibitively expensive for organizations that deal with high volumes of computer equipment because it requires purchase of degaussing product, frequent product testing and a skilled user. Overwriting Overwriting is less destructive than degaussing, but it must be performed in a highly specific manner in order to effectively cleanse all data. The DOD standard prescribes a process of three overwrite patterns; a pattern (e.g., 0101 0101), its complement (e.g., 1010 1010), and then another pattern (e.g., 0110 1001). There are many commercial products that meet this DOD standard, and several vendors provide managed services for overwriting hard drive data. As with degaussing, overwriting to the DOD standard is generally effective but prohibitively expensive for most organizations. The process of overwriting a hard drive is labor-intensive and can often cost more than a new drive; thus it is usually only appropriate for instances in which a computer is slated for disposal. 7 NISPOM document available from the Defense Security Service s Web site 7

Total destruction As the term suggests, this technique involves the complete and total destruction of the hard drive. Disintegrating, incinerating, pulverizing, shredding and melting the hard drive are all acceptable methods of total destruction. Total destruction is the most effective way to sanitize data, and it is the method prescribed under DOD 5015.2, which pertains to classified information. However, the equipment needed for this activity is far too expensive and otherwise unfeasible for most organizations to own and operate. Data clearing Data clearing refers to reversible methods of deleting data. While data clearing is adequate for preventing data exposure and achieving regulatory compliance, it is unfortunately a common practice. This is largely due to the fact that data clearing is less expensive and more convenient than more rigorous techniques such as degaussing. Furthermore, data clearing involves tasks that most large organizations can perform inhouse, without the expense and added risk of contracting an external service provider. The Windows Recycling Bin The Recycling Bin in the Windows operating system is easily the most common, and most ineffective, way to delete data. There are literally hundreds of low-cost software products on the market that can effectively and consistently recover data deleted using the Recycling Bin. Reformatting the hard drive Reformatting a hard drive to delete data stored within is a laborious, time-consuming and ineffective technique. There are nearly as many products for recovering data from a reformatting drive, and several studies have demonstrated the ease with which data can be harvested from hard drives purchased through secondary markets. The need for stronger security Data sanitization is an effective means of rendering data unrecoverable, but an external service provider usually performs this task off-site. Data clearing can be performed onsite by internal personnel, but it is not an effective means of rendering data unrecoverable. Therefore, data stored on a computer hard drive that is slated for disposal or other means of disposition will almost always leave an organization s custody in an insecure state. It is during the transfer of custody that data is most vulnerable to exposure. In order to eliminate this vulnerability, organizations need a way to secure and control the chain of custody over their data, not just their equipment, during IT asset disposition. 8

Securing the Chain of Custody The chain of custody is a concept in jurisprudence that applies to the handling of evidence and its integrity 8. In the context of IT asset disposition, the chain of custody represents a process for tracking the movement of an asset from retirement through its final disposition. In order to be effective, the chain of custody must include information documenting each person who handled the asset, the date and time it was touched, and for what purpose. The chain of custody is related to the Rule of Possession 9 in that whoever has custody of an IT asset may also gain possession of the data stored on that asset. It is important for organizations to secure the chain of custody not only for equipment, but also for the data stored on that equipment. Therefore, an appropriate solution must enable organizations to control and document access to data stored on hard drives and other storage media. The solution: Encrypt sensitive data before disposing of IT assets Encryption is the best way to protect electronic data that is subject to theft or exposure. While access controls and perimeter defenses are somewhat effective measures for protecting data in a secure location, encryption is the best way to protect data that travels outside the corporate perimeter. Today, encryption technology is used to protect two basic types of information: data in motion (or data in transit) and data at rest (or stored data). While network encryption is a ubiquitous technology, it only protects data in transit, leaving a significant source of vulnerability unchecked. To protect information assets where they reside, organizations must employ data encryption software to secure data at rest. Encrypting data at rest: why file-based encryption is not enough There are two major approaches to encrypting data at rest: file encryption and media encryption. File encryption comes in many forms, from encrypted directories (file vaults) to encrypted file systems and even encryption based on filetype. None of these measures, however, can provide an adequate security when an IT asset is transferred to the custody of an external entity. The primary reason for this is that file-level encryption products only protect against socalled online or power-on attacks 10. Technologies such as Microsoft Encrypting File 8 Source: Wikipedia 9 See Securius newsletter article, Defeating the Rule of Possession. 10 For the purposes of this White Paper, online refers to a state in which that the operating system has loaded and the Login screen is displayed (or a user has already logged in). Conversely, offline refers to a computer that has been shut down or is in hibernation mode. 9

System (EFS), for example, do not protect system files and are vulnerable to attack from readily available password-cracking utilities that circumvent the default security mechanisms in Windows operating system. The vulnerability of the Windows operating system has made it an appealing attack vector for hackers and malicious software program, which often employ offline or power-off attacks to expose core system keys 11 that enable secured data compromise. Even unused file space can be a source of vulnerability 12. As a result, file-level encryption is not an appropriate solution for securing the chain of custody during IT asset disposition. Full disk encryption: the only true way to secure computer hard drives Full disk encryption is the most effective way to protect data stored on computer hard drives. Software solutions, such as the Encryption Plus Hard Disk or Encryption Anywhere Hard Disk products from GuardianEdge Technologies, encrypt all data on a computer hard drive, including application files, unused disk space and the operating system itself. With full disk encryption software installed, all users must authenticate themselves before Windows even loads. By adopting a full disk encryption solution, organizations gain the ability to: Control access to all data stored on a hard drive, as well as to the host PC itself Block attack vectors left unchecked by file-level encryption and perimeter-based security measures such as firewalls [??? Not when the computer is on and the user has authenticated] Prevent stored data from being compromised, even in the event that the host computer is lost or stolen Full disk encryption is thus a powerful measure for securing the chain of custody during IT asset disposition. By encrypting a computer hard drive before transferring custody to an external service provider, organizations can prevent data exposure, even if the assets are stolen or lost during the disposition process or if the service provider does not effectively sanitize the data. 11 Specifically, these attacks expose the Global System Key, referred to as the SYSKEY, which is a Windows key that is used to derive other keys to secure global system secrets. 12 Unused file space, if not protected, enables an attacker to load another operating system onto the hard drive, from which they can attack the original operating system or bypass it entirely. 10

Conclusion Cost-based approaches to IT asset disposition are no longer appropriate for enterprise organizations. Data forensics and recovery methods have become cheaper and more sophisticated, and the regulatory environment is more demanding than ever when it comes to data security. As Gartner Research points out, failure to sanitize data residing on end-of-life PCs is the most expensive element of IT asset disposition 13. Consequently, organizations are shifting their focus towards mitigating risk when reselling, donating, storing and disposing of obsolete and excess equipment. Sanitizing sensitive data is the most effective way to mitigate the security risks associated with IT asset transfer. However, the paradox of data sanitization is that end-of-life computers are almost always transferred to the custody of an external entity in an insecure state. Effective techniques for deleting data too costly to perform internally, while cheaper techniques that can be performed in-house are not secure. As a result, current processes for data sanitization are inherently insecure, leaving data vulnerable to exposure at critical points in the chain of custody. Full disk encryption is a secure, cost-effective and underutilized method for preventing data exposures throughout the chain of custody. As a security measure, encrypting the hard drive of a retired PC ensures that only authorized individuals can access data stored on that computer, even if it is sold to new owners through secondary markets. Full-disk encryption is even more critical for hard drives that contain classified data and are subject to total destruction because it prevents data exposure even if the host computer is lost or stolen en route to its final destination. Ideally, organizations should use full disk encryption to secure IT assets and sensitive data throughout their lifecycles, from deployment to disposition. By treating full disk encryption as a component of the information and IT asset lifecycle management, organizations can ensure that data security is already in place when it comes time to retire an old PC. This approach increases the return on investment (ROI) for full disk encryption while lowering the total cost of ownership (TCO) for IT assets and simplifying compliance with data security regulations. 13 Gartner Research, PC Disposal Cost Update 2005: Mitigating Risks 11

About GuardianEdge Technologies Inc. GuardianEdge Technologies is a market leader in reducing the cost and complexity of enterprise data security. Customers around the world depend on GuardianEdge solutions to protect sensitive and proprietary information, to ensure compliance with rules for safeguarding privacy, and to enable secure enterprise mobility. Headquartered in San Francisco, California, GuardianEdge Technologies has served an installed base of over a million active users for more than 10 years, at leading global corporate and governmental organizations, including Lockheed Martin Corp., Deutsche Bank AG and Humana Inc. Full disk encryption software from GuardianEdge Encryption Plus Hard Disk Used by leading corporate and governmental organizations around the world, Encryption Plus Hard Disk delivers full-volume encryption at the lowest total cost of ownership available. Simple to administer, deploy, maintain and use, Encryption Plus Hard Disk controls access to the Windows operating system and encrypts every sector of a computer hard drive, including temp files, system files and unused disk space. Encryption Anywhere Hard Disk Encryption Anywhere Hard Disk is the most effective way to protect data on corporate laptop and desktop PCs. Combining the award-winning encryption capabilities of Encryption Plus Hard Disk with the enterprise manageability of the Encryption Anywhere Data Protection Platform, Encryption Anywhere Hard Disk helps organizations bring security, manageability and trust to their mobile workforce. For more information, contact a GuardianEdge representative or visit our Web site today at www.guardianedge.com. 12

References 1. Frances O Brien and Meike Escherich, PC Disposal Cost Update 2005: Mitigating Risks. November 30, 2005. Gartner Research document ID #G00134319 2. Seth Ross, Defeating the Rule of Possession. Securius Newsletter, Volume 6, Number 1. January 25, 2005. http://www.securius.com/newsletters/defeating_the_rule_of_possession.html 3. Simson L. Garfinkel and Abhi Shelat, "Remembrance of Data Passed: A Study of Disk Sanitization Practices," IEEE Security & Privacy, Volume 1, Number 1, 2003, pp. 17-28. http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286 b108bcd45f3/index.jsp?&pname=security_level1_article&thecat=1015&path=s ecurity/v3n2&file=garfinkel.xml&;jsessionid=gspyybq8dt3qqc0cpbthq1lm GvjLLG9wyrCLyQn2pJTdWfnDTJJQ!1521709317 4. Frances O Brien, Creating a Process for PC Disposal. February 6, 2006. Gartner Research document ID #G00137169. 5. Wikipedia article, Chain of Custody. http://en.wikipedia.org/wiki/chain_of_custody 6. Department of Defense, National Industrial Security Program Operating Manual. January 1995. http://www.dss.mil/isec/nispom_0195.pdf 7. Department of Defense, Design Criteria for Electronic Records Management Software Applications. June 19, 2002. http://www.dtic.mil/whs/directives/corres/pdf/50152std_061902/p50152s.pdf 8. Frances O Brien and Leslie Fiering, Management Update: Protect Privacy and Data Security With Data Sanitization. December 1, 2004. Gartner Research document ID #G00125180. 13

9. Frances O Brien, IT Asset Management Conference Survey Results: IT Asset Disposition. November 30, 2005. Gartner Research Document ID #G00135187. 10. Basel Action Network, Digital Dump: Exporting Reuse and Abuse to Africa. October 24, 2005. http://www.ban.org/banreports/10-24-05/index.htm 11. Jack Heine, Risks Associated With IT Hardware Asset Transfer. January 3, 2006. Gartner Research document ID #G00136774. 12. Federal Trade Commission, Disposal of Consumer Report Information and Records; Final Rule. November 24, 2004. http://www.steptoe.com/publications/356d.pdf 13. Federal Trade Commission, Standards for Safeguarding Customer Information; Final Rule. May 23, 2002. http://www.ftc.gov/////os/2002/05/67fr36585.pdf 14. Department of Health & Human Services, HIPAA: Final Privacy Rule. http://www.hhs.gov/ocr/regtext.html 14