Thursday, May 13, 2010

Shred Disk Drives

In his talk "Overlooking the Obvious - Security Blunders - Costs, Cutbacks & Catastrophes" to the Australian Computer Society in Canberra this evening, David Cook, Manager, SECAU Security Research Centre, recommended organisations shred disk drives before disposal. David cited research by Edith Cowan University and University of Glamorgan, indicating that one in six of the disk drives disposed of still contain easily recovered data. He argued that using a disk wiping program was not sufficient for sensitive corporate and government data: the hard disk drive should be reduced to dust to ensure the data is destroyed.

Yesterday, the Australian Government announced funding for the initial stages to implement a whole‑of‑government data centre strategy for the procurement of data centre facilities. Given the high risk of the loss of sensitive government data and the low cost of disk drives, perhaps the government should institute a policy that no disk drives will leave the data centres. Shredders could be installed at the data centres and security staff trained to destroy all surplus disk drives and other data devices.

David also mentioned very recent work (not yet ready for publication) which indicated that one in three mobile phones had easily read data on it. He pointed to Blackberry smart phones, which have a reputation for security, but where many users fail to turn on the security lock. Blackberries are in common use by government. Perhaps these should be configured so the security lock cannot be switched off.

David also expressed concern about some universities outsourcing their email to a "cloud" service, with it not clear where the data was held. He argued that new laws were needed to cover this and other privacy issues. However, existing laws would cover many privacy issues. As an example, universities are required to comply with codes, such as "The National Code of Practice for Registration Authorities and Providers of Education and Training to Overseas Students". Those universities which do not protect their students privacy can be delisted. Similarly, banking, insurance and medical data is protected under Australian law. In the case of state and federal government agencies, criminal penalties apply for the misuse of data.

No comments: