It was like a scene from a heist movie. The planning, the technical execution, the sheer nerve of it. Steve Mellings, CEO and founder of ADISA, the Asset Disposal & Information Security Alliance, describes how a spate of recent break-ins to supposedly secure facilities in the U.K. reframed his perspective on the physical protection of data-sensitive sites.
“We were called in to review this series of break-ins and discovered the capability of the threat adversaries was something I’d previously joked about as being more James Bond than a genuine threat,” Mellings remarks. “They cut holes in the roof, removed walls, and they hacked security systems, which allowed them to gain initial entry. This experience has chastened us and led to a complete re-think of what physical security really means in the ITAD sector.”
How should businesses respond to such audacious attacks on their properties? The answer is not to build higher walls, says Mellings, whose data security alliance administers a global standard for IT asset disposition (ITAD) providers that covers all aspects of the asset disposal process from chain of custody to media sanitization of products. Instead, it is to deploy more intelligent security.
“If someone is motivated enough and has the capabilities, they will get in. Rather, we need to build layers of security in the same way we do with our network defense. If somebody is going to cut through your roof, where should your alarm sensors be? If they come through the wall, how will you detect the intrusion? Where are your passive infrared sensors and where’s your line of sight on the CCTV?”
Illegal break-ins at secure commercial facilities may be the exception to the rule when it comes to modern-day threats to data protection. What is generally true, however, is that industry focus on data security has taken on renewed intensity in recent years. Concern over data breaches keeps CIOs up at night, ransomware attacks are on an upward trajectory, and the cost of a data breach has reached an average of almost $4 million per incident, according to the most recent research from the Ponemon Institute.
Whether it’s your physical premises or your IT systems, every aspect of your organization needs protecting against the risk of a breach.
An Expanding Vision of Data Security
As technology advances, the expertise needed to keep up with the changes inevitably grows.
Mellings founded ADISA in 2010 in response to what he saw as a lack of business process in the disposal of end-of-life assets. Despite improvements in such areas as firewall protection and network security, the disposal of IT assets remained sorely overlooked.
“We looked at the approach toward asset disposal when a device was at its end of life and were surprised that businesses just seemed to ignore the risk and instead played very fast and loose with the physical removal of the asset,” he states.
The sector has matured greatly since that time, particularly in recent years. Companies are beginning to ask better questions of potential ITAD vendors about the secure handling of their data-bearing media.
“The industry is growing up, moving away from waste and scrap, talking about product and technology; and while, for many, they may not quite understand it fully, they are beginning to find their feet,” he says. “End-of-life asset disposal has always been a high-risk process due to the high volume of aggregated data involved, and yet the companies releasing their assets are just starting to ask the right questions.”
As the industry matures, it is separating into two distinct camps—those who understand technology, asset management, value recovery, and security compliance, and those who focus primarily on brokering and recycling. “An ITAD can do the brokering and recycling as well, of course, but I don’t think a straight recycler could do the asset management or the security piece.”
Mellings points to systemic changes in international markets—the sharp drop in commodity prices and a reduction in the proportion of metal in IT hardware, to name but two—that have made the brokering and recycling of end-of-life assets more challenging.
“After the financial crash of 2008, we saw businesses start holding on to their assets longer. The trigger points for refreshes have become less obvious, and the move to the cloud has led many businesses to reduce their IT infrastructure.”
Nowadays, as processing costs go up and metal prices remain depressed, it is significantly more difficult for ITAD companies to find sustainable revenue in collecting used equipment alone. At the same time, data generation is growing wildly and IT configurations are more complex than ever. Greater diversity of infrastructure requires organizations to seek out deeper expertise and a wider range of custom solutions.
“The landscape has completely changed when it comes to how technology is used to conduct business. There’s more governance about how business is to conduct itself, which means that data management and data protection are critical.”
Revising the Standard
The practice of IT asset disposition contains many risks, from asset mismanagement and insider theft to vehicles catching fire during transport. ADISA is in the process of revising and expanding its ITAD certification, which involves regular audits and unannounced on-site visits of its members, to comprehensively reflect changes to the fast-evolving landscape of IT procurement and disposition.
“For our new standard, we are writing an entirely new audit process to coincide with our UKAS approval in 2020,” Mellings says. “Our auditing will include far more regular but shorter and more intrusive audits. We’re going to pen test the physical perimeter of facilities, social engineer staff to see if we can gain information, and generally act as a threat adversary would. ADISA certification is going to mean much more than compliance with a written standard.”
He continues, “We’ve recently signed a partnership with U.S.-based trade body ASCDI to present our ITAD certification to the U.S. market. ASCDI was established in 1975 and so knows the U.S. market fantastically well. Its members see the opportunity of ITAD as a service and view our certification as a benchmark of quality for that.”
At the same time, ADISA is doubling down on the work of its in-house lab and investigating a number of industry shibboleths regarding media sanitization and asset disposal.
“We’re researching why we are still wiping drives with three passes rather than one, for example. There’s no technical reason why you need to wipe a modern hard-disk drive three times. It’s this kind of thing that is costing the industry money.”
The ADISA lab is also looking to gauge the actual risk of data being injected into hidden areas within a hard drive—namely, the device configuration overlay (DCO) and the host protected area (HPA)—that may otherwise get missed during overwriting. And it is working on a project to determine the feasibility of recovering data from the shredded particles created during SSD destruction: Is the move to 2 millimeter shredding—which is more expensive to operate as the smaller shred size puts greater torque on the shredding teeth of the machinery—necessary if NAND chips are encrypted at the board level?
“All of these kinds of questions our lab is beginning to investigate and will be coming out with guidance,” Mellings says.
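The HPA and DCO risk above is practical to check before an overwrite begins: a drive with an HPA reports fewer sectors than its native maximum, and a DCO can lower the native maximum itself, so a wiping tool that trusts the reported size never touches the hidden sectors. The following is an added example, not ADISA's code or tooling, that reads the two figures from `hdparm -N` and `hdparm --dco-identify` output and flags any hidden area; the sample output lines are constructed, and the exact hdparm text layout is an assumption.

```python
import re

# Constructed sample output, assumed to follow the format of `hdparm -N /dev/sdX`:
# "max sectors = <current>/<native>, HPA is enabled|disabled".  Figures are invented.
HDPARM_N_OUTPUT = """/dev/sdb:
 max sectors   = 976000000/976773168, HPA is enabled
"""
# Constructed sample output, assumed to follow `hdparm --dco-identify /dev/sdX`,
# where "Real max sectors" is the capacity before any DCO reduction.  Invented figures.
DCO_OUTPUT = """/dev/sdb:
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
\tReal max sectors: 1953525168
"""

def parse_hpa(text):
    """Return (current_max, native_max, hpa_enabled) from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)", text)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm -N output")
    return int(m.group(1)), int(m.group(2)), m.group(3) == "enabled"

def parse_dco_real_max(text):
    """Return the DCO 'Real max sectors' value, or None if the line is absent."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    return int(m.group(1)) if m else None

def hidden_areas(hdparm_n_text, dco_text, sector_bytes=512):
    """Report sectors an overwrite would miss if it trusted the drive's reported size."""
    current, native, hpa = parse_hpa(hdparm_n_text)
    real_max = parse_dco_real_max(dco_text)
    # HPA hides sectors between the current and native maximum.
    hpa_hidden = native - current if (hpa or current < native) else 0
    # DCO hides sectors between the native maximum and the real capacity.
    dco_hidden = real_max - native if (real_max is not None and real_max > native) else 0
    return {
        "hpa_hidden_sectors": hpa_hidden,
        "dco_hidden_sectors": dco_hidden,
        "hidden_bytes": (hpa_hidden + dco_hidden) * sector_bytes,
        # Only a drive with no hidden area is safe to sanitise by plain overwrite.
        "safe_to_overwrite": hpa_hidden == 0 and dco_hidden == 0,
    }

if __name__ == "__main__":
    print(hidden_areas(HDPARM_N_OUTPUT, DCO_OUTPUT))
```

On a real drive the HPA and DCO would need to be removed (or the drive sanitised with a firmware-level command) before the overwrite, and the check repeated afterwards to verify the full capacity was reached.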
In addition to its ITAD certification, ADISA verifies individual product claims, including product claims testing conducted in its lab for vendor SSD and HDD wiping software.
Promoting Reuse for SSD
The principles of the circular economy and the practice of keeping IT equipment in operation for as long as possible are fast gaining traction around the world.
Industry consortia such as iNEMI have diligently been investigating ways of driving up the rate of closed-loop recycling and reuse for hard disk drives. For its part, ADISA claims to be the only standards group worldwide seriously looking at SSD for reuse.
Earlier concerns that SSDs could not be reliably wiped, which led to solid state drives being destroyed rather than reused, have long since disappeared. Manufacturers worked hard to correct this vulnerability, and NAND cells are now being encrypted at a hardware level, something ADISA has verified in its lab testing.
“Media destruction is, in my opinion, risk avoidance, not risk management,” says Mellings. “While there’s a time and a place for destruction, of course, I think that businesses should be promoting reuse wherever possible.”
Do Due Diligence on Your ITAD Provider
Be wary about the claims that asset disposal firms make about their approaches to data erasure.
Companies tend to talk a good game when it comes to their certifications but are less confident about what these protocols mean in practice.
“For example, everybody claims compliance with NIST 800-88, but when we’ve inspected production facilities we don’t see that in place. They may be compliant with one part of the 800-88, but not the whole. I’ve had explanations such as ‘that’s just what the marketing team say,’ but when questioned it’s clear that many of these standards are just not fully understood.”
Too many companies hide behind standards, while avoiding the scrutiny of outside verification, according to Mellings.
“Many ITADs claim fantastic certifications and standards and are really trying to offer high quality services, but when you actually see them in operation they don’t have some of the basics in place. Customers don’t ask the right questions, and they don’t then verify that the service delivery does indeed meet the agreed specification.
“What we call ourselves at ADISA is an evidence-based certification body. With our ITAD audits, we get on site, we take samples, and we do forensics. We believe in, ‘Trust, then verify’,” he explains, citing the advice of security expert and former counterintelligence officer Jeffrey Dean.
Embracing the Future
Despite the constant changes, Mellings is very optimistic about the outlook for the IT asset disposal industry. He sees an evolving industry that is looking to step up to the complex and demanding challenges unfolding before it. He believes certified companies are eager to focus on the value of data as an asset and to embrace the challenge of becoming technologists in the sector. And he believes, through its revised and expanded certification, ADISA is well-positioned to help organizations and vendors set good practice standards in which the business of IT asset disposal and value recovery can flourish.
“Our value proposition is really about helping providers create a service that they can sell to their customers based on the assurance that the service is being assessed and tested constantly. This helps ensure they will protect their customers from the threat of data breach, regulatory action, potential litigation, and the potentially steep costs of a reactive investigation,” he concludes.
Learn more about ADISA and its global data security standard. For expert assistance with secure data wiping and asset recovery services, contact Horizon today.