Toronto Event- How to Protect Data Throughout Its Lifecycle

Blancco Proprietary & Confidential. Do Not Copy or Distribute. Copyright © 2017 Blancco Oy Ltd. All rights reserved.
Data Erasure Management:
How to Protect Data throughout its Lifecycle

Today’s Agenda
2
12.00 – 1.00 Registration
1.00 – 1.15 Official Welcome, Christopher Eeg
1.15 – 1.30 Canadian Market / Industry Overview, James Martens
1.30 – 2.15 Introduction to Data Erasure Management, Christopher Eeg
2.15 – 3.00 Break / Product Demonstrations, Omi Malzai
3.00 – 3.45 Active Erasure Solutions, Use Cases & What the Future
Holds, Fredrik Forslund
3.45 – 4.00 Closing Remarks / Q&A, Christopher Eeg
4.00 – 6.00 Networking Drinks / Product Demonstrations

Welcome!
Christopher Eeg,
Managing Director, Canada

Who you are
What your Co. Does
What You Do
Something Unique

Canadian Market Industry Overview
James Martens, Solutions Specialist

Blancco Proprietary & Confidential. Do Not Copy or Distribute. Copyright © 2017 Blancco Oy Ltd. All rights reserved. 6
• Terms and Definitions
• Policies and Standards
• Editable Policies and Templates
• Research Studies
• Whitepapers
https://www.datasanitization.org/

Rising Pressure
• Teams
– IT Security
– IT Audit and Compliance
– Risk Management
– Privacy
• Industries
– Healthcare and Finance
– Data Centers
– Government
– Managed Service Providers
– System Integrators

Industry Changes
• Consolidation of ITADs
• Massive increase in mobile phones processed
• Outsource of risk and operations to MSPs
• Increased virtualization
• Complexity of SANs
• Complexity of Policies and Regulations

Complicated landscape challenges
made easy
9
Complicated
environment
due to layers
of compliance
across a variety
of asset types
Data Erasure Management
During-Life Hardware + Data Erasure
End-of-Life Hardware + Data Erasure
Risk Management
Security Policies
Industry Specific Policies
Federal Legislation
International Legislation
During Life Data Erasure

Global & Regional Data Protection
Laws & Standards
Singapore fined an organization for not having
a Data Protection Officer.
Japan: Protection of Personal Information and
the Right to Erasure
PCI DSS, a Global Standard, requiring policies
and procedures to remove any stored data
Security Frameworks & Guidelines, including
NIST SP 800-88r1 & ISO 270001 sensitive
data be securely overwritten prior to disposal
or re-use
100+
Countries with
Data Protection Laws
1998
1
111
2018
Number of data-
protection laws:
EU General Data Protection
Regulation: Right to be Forgotten
27,000 new Data Protection Officers needed
FINES - Non-Compliance could result in up to 4%
of turnover OR €20 MM – whatever is GREATER!
ANY EU citizen can demand their records be
expunged – and the company must provide proof
The EU will adopt GDPR by May 2018
Regulations are here to stay – and
growing.
10

Mr. Daniel Therrien – Federal Privacy Commissioner
“I have further urged Parliamentarians to give serious consideration
to reviewing any gaps that may exist between Canadian privacy law
and European law, including differences in the enforcement powers of
data protection authorities and the right-to-be-forgotten, which is
included in the EUGDPR”
We’re trying to use 20th Century
tools to deal with 21st Century
privacy problems and it’s clear those
tools are increasingly insufficient

Protection of privacy and
personal data in the cloud
Security controls for
cloud computing
Right to be Forgotten and
to Erasure, May 2018
Increasing Regulatory and Policy
Pressure
12

ISO Security Standards
impacting all large organizations
Includes instructions on the following:
• Top management shall implement the information security
policy themselves.
• The policy must ensure that all relevant risks are addressed.
• Internal audits should regularly verify that all risks are
addressed and operational processes are in place.
“All items of equipment containing storage media shall be verified
to ensure that any sensitive data and licensed software has been
removed or securely overwritten prior to disposal or re-use”.

Introduction to Data Erasure Management
Christopher Eeg, Managing Director, Canada

#modernreality #AcrossAllPlatforms
#DifferentEra
WE LIVE IN AN ERA THAT DEMANDS
100% DATA PROTECTION
15

1990’s
A SHIFT IN TECHNOLOGY
16
TODAY
#ComplexDemands
SSD’s, NVMEs,
Hybrid Drives.

The amount of data you will be
responsible to secure continues
to rise…
17
2009 2010 2011 2012 2013 2014 2015 2016 2017
40,000
(Exabytes)
30,000
20,000
10,000
2018 2019 2020
Quantity of Data with Corporate Responsibility:
https://www.emc.com/collateral/analyst-reports/idc-the-digital-universe-in-2020.pdf

TECH SHIFT EXAMPLE -
SSD’s

A SHIFT IN LEGISLATION
#LegislativeChange #Mulit-layered
100+
Countries with
Data Protection Laws
1998
1 111
2018
# of data-protection
laws:

PRIVACY
Not Fear and Worry
WHAT PEOPLE
EXPECT HAS
CHANGED FOR
GOOD
#NewDemands #FailureIsNotAnOption
CONSTANT IMPROVEMENT
Not Complacency
ZERO BREACHES
Not Failed GAP Analysis
INDUSTRY BEST PRACTICES
Not Legacy Processes/Policies

Data sanitization needs to
become a bigger and more
urgent priority within the IT
security industry.
21
- Paul Henry, Information Security & Forensics Expert
#DoDataRight

GARTNER QUOTE
23
“Growing concerns about data privacy and
security, leakage, regulatory compliance, and the
ever-expanding capacity of storage media are
making robust data sanitization a core
competency for all IT organizations.”
Source: Gartner Hype Cycle for Storage Technologies, 2015

IT professionals don’t always know
right from wrong when it comes to
data security.
24
Believe files are
permanently gone
once they’ve emptied
the Recycle Bin on
their computers/
laptops.
Believe performing a
quick format or
reformatting an entire
drive permanently
erases data so it can
never be recovered.
Hit the ‘delete’ button
and/or drag files to
Recycle Bin on
computers/laptops to
get rid of files on a
regular basis –
ranging from 6-10
times a day to once
a week.

How Organizations Manage
End-of-Life Data Today
25
Insecure &
Recoverable
Data
Secure & Reliable
Secure &
Reliable

Suffer from
data breaches
mostly in:
SecurityScorecard, 2016 Financial Industry Cybersecurity Report
Publicly Disclosed Data Breaches
2015-2016
Servers Virtual
Machines
Desktop
Computers

200 used hard
disk drives
and SSDs
from eBay and
Craigslist
Type of information recovered
The Leftovers: A Data Recovery Study, Blancco, 2016

Financial Services:
Main target for data breaches
28
More than 10
percent of data
breaches were
financial services
organizations.
SecurityScorecard, 2016
Percentage of Major Data Breaches by Industry
April 2015 – June 2016
% of Total Companies Experienced Data Breaches during June 2015 to April 2016

There are two types of
companies: Those that
have been hacked, and
those that will be.”
29
– Robert Mueller, FBI Director, 2012
It is now imperative for businesses to focus on being proactive to minimize
the potentially devastating impact of a data breach or a compromise.

Summarize
• We know there is a demand for 100% Data
Protection driven by the Shifts we covered.
• We know IT Professionals don’t always get it right.
• We know its extremely challenging for InfoSec
• We know breaches are not industry specific. We are
all vulnerable but Finance Sector were highly
targeted.
• We know that all organizations have been hacked.
………so what are the consequences of all this?

22
Records
compromised
every second
The consequences are
steep – increasing the
importance of data erasure.
31
$6M CDN
average cost of
a data breach
$190 CDN
Per-record cost of a
data breach
Source: IBM, 2016

Companies meeting this shift head
on…..

Companies meeting this shift head
on…..
Environment
Canada

Data sanitization is the consistently
applied, disciplined process of reliably
and completely removing all data
from a read/write medium so that it can
no longer be read or recovered.
What is
Data Sanitization?
35
What methods
achieve it?
Data Sanitization
Physical
Destruction
Cryptographic
Erasure
Data
Erasure

• Highest form of securing
data within data sanitization
• Auditable reporting readily
available
• Supports environmental
initiatives
• Allows organizations to
retain the resale value of
the storage devices
• Timelier process than other
forms of data sanitization
• Policies and processes need
to be in place for all data
storage devices
Data Erasure
Data erasure is the software-
based method of securely
overwriting data from any
data storage device. By
overwriting the data on the
storage device, the data is
rendered unrecoverable and
achieves data sanitization.

Customer Demand
The Right to be Forgotten
allows EU citizens to request
removal of their data from
your system.
Employee Onboarding &
Departures
Protect against data
breaches at transition points
in your hardware’s chain of
custody and use.
Equipment End-of-Life
When a server, storage, device
or other IT asset is ready to be
reused, resold or discarded –
any data must be erased.
Data Migration
When data is moved from one
location to another, from an old
server to a new one, or virtual
machine to another – the original
data location must be erased.
Disaster Recovery Exercises
Following the successful
restoration of production
systems, any data left on the
recovery disks should be erased.
Data End-of-Life
When data is no longer needed
on any storage device, policies
can enforce the erasure of virtual
machines, files and folders with
automated routines within your
existing systems.
When to perform data erasure in the
enterprise.
37
Cloud Exit
When you are exiting a cloud
service or a managed services
provider is handling your data,
data erasure policies must still
be enforced to keep control
over the data.

Take a Layered Data Protection
Approach
38
• Most encryption is based on
drive encryption and is
unlocked when system is
being operated.
• Encryption key management is
always a challenge
• Executive travelers can also
be ordered to unlock
encryption on lap-tops when
crossing sensitive borders
In a layered approach to data security, attacks that are missed
by one defensive layer are defeated by another. Data erasure
represents a last line of defense in protecting your data.
Encryption is not enough:

A Holistic Approach to Data Lifecycle
Management
39
We recommend a holistic approach to help you meet data protection
standards and regulations by addressing your needs across the entire
data lifecycle.

Data Erasure Management – easily
manage a complete data erasure
strategy.
Centralized
Reporting
Flexible Deployment
for Global Visibility
Customized Reporting of
>250 Hardware Details
Compatible with
ALL Solutions
100% Tamper-Proof &
Certified Reporting
Traditional
Drive Erasure
Mobile
Device Erasure
Active Erasure
Mobile
Diagnostics
Asset Manager and
Drive Eraser
Mobile Device Eraser
File Eraser, Virtual
Machine Eraser,
LUN Eraser
Management Console
Data Eraser Management Console available On-Premise and Cloud Accessibility
40

Blancco Proprietary & Confidential. Do Not Copy or Distribute. Copyright © 2017 Blancco Oy Ltd. All rights reserved. 41
Old World
RECORDS
TextFiles or Spreadsheets
Decentralized, unsearchable.
SOFTWARE
- Multiple uncertified, out of date
solutions
- Legacy tools or no tools on
hand
DATA SETS
- None
#HOUSEINORDER
New World
RECORDS
- Digitally Signed, Tamper Proof
- Central Repository, Searchable
SOFTWARE
- Single, Certified, Industry Std.,
State of the Art, Enterprise
Solution
- Right tools for the right job
DATA SETS
- Failure rates, costs to org per
drive manufacturer, RMA savings
calculable,

Prove Compliance with
Auditors
According to the Cloud Security Alliance, falls to “…the provider to keep that data secure,
and when it is deleted, the provider should ensure (or be able to prove) that it is
permanently destroyed.”

The Polish Internal
Security AgencySwedish Armed
Forces
Common
Criteria
(ISO15408)
Netherlands
Comms
Security Agency
NATO
UK Comms Electronic
Security Group
German BSI
Certification
Sécurité
de Premier Niveau
USA Department
of DefenseTüV-SüD UK Defense INFOSEC
Norwegian National
Security Authority
Japan’s Refurb. IT
Equipment AssociationCzech NSA National Assoc. for
Information Destruction
UK Asset Disposal &
Information Security
Alliance
Netherlands
Comms
Security Agency
We have the certifications to
prove our solutions meet
highest standards.
43

Because the work is automated, we managed to
reduce the human error associated with manual
operations and release resources for other
document creation and in-house audits. I would
say that management of data deletion now
requires about a sixth of the man-hours that it
used to, so we have managed to improve
efficiency.”
– Hiroki Uno, Business Innovation Partner,
Samsung Japan

The Blancco Data Eraser solutions, coupled with their
consulting services, have become invaluable tools for
us to not only securely erase data from IT assets when
they reach end-of-life, but also to provide us with the
ongoing guidance and recommendations ….. One of
the most valuable components of Blancco’s offering is
the ability to receive digitally signed, tamper-proof
erasure reports. These certificates allow us to increase
visibility and monitoring of data erasures and provide
the necessary audit trail for regulatory compliance with
data protection laws and industry guidelines, such as
the Philippines National Privacy Act, PCI DSS and ISO
27001.”
– Anton Bonifacio, CISO, Globe Telecom

Time for a break!
Please take a moment to refresh yourselves!

Data Erasure Demonstrations
Omi Malzai, Technical Support Engineer,
Canada

DEMONSTRATION
• Erasure Options
• Local
• Remote
• Boot Options
• PXE
(Network)
• USB
• License Options
• BMC
• HASP
• Erasure
• iOS
• Android
• Diagnostics
• 40+
diagnostic
tests
• Hardware
Appliances
• Array Server
Eraser
• 12 Bay Drive
Enclosure

Active Erasure Solutions, Use Cases & What the Future Holds
Fredrik Forslund, Director, Cloud & Data Center Erasure Solutions

My Content- your choice!
50
• ISO and regulation in more detail, EUGDPR example
• Trends in the global industry
• Real use case examples – best practice

More on regulations and
standards
Image Credit: Unlocked/NeweggBlancco Proprietary & Confidential. Do Not Copy or Distribute. Copyright © 2018 Blancco Oy Ltd. All rights reserved.

Data Protection regulation and requirements
State / Local

Storage Security Needs
Evidence of Sanitization
53
Proof of sanitization takes on at
least two forms:
1. an audit log trail and
2. a certificate of sanitization
The controller shall have the
obligation to erase personal
data without undue delay

The Right to be Forgotten
54
• Data subject will have the right to obtain
from the controller the erasure of
personal data concerning him or her
• The controller shall have the obligation to
erase personal data without undue delay
• The controller shall take reasonable
steps, including technical measures, to
inform controllers of any links to, or copy
or replication of, of the data subject’s
personal data
Article 17 of the new regulation focuses
on the right to erasure.

Consequences are Steep
55
The greater of
€20 million or 4%
of global annual
turnover
Based on several factors:
 Whether the infringement was intentional or
negligent
 Whether the controller or processor took any
steps to mitigate the damage
 Technical and organizational measures that
had been implemented by the controller or
processor
 Prior infringements by the controller or
processor
 The degree of cooperation with the regulator
 The types of personal data involved
 The way the regulator found out about the
infringement

Protection of privacy and personal data in the
cloud - IMPLEMENTED in H2 2014
Includes:
• Cloud provider should enable the right to erase personal data.
• Cloud provider should securely erase any temporary files in
systems.
• Cloud provider should ensure that whenever data storage space
is re-assigned, previously residing data is not recoverable.
ISO Security Standards
impacting data centers and cloud providers

Newest ISO Recommendations 27040 for
storage security on how to erase and
when
Erase on logical and virtual level:
• “logical sanitization (see 6.8.1.3) should be
used to clear virtualized storage, especially
when the actual storage devices and media
cannot be determined.”
Also an addition to Encryption:
• “Sanitization of media at end-of-use situations
is recommended, even when using
encryption methods.”

A thorough documentation is required:
• Organizations should maintain a record of
sanitization activities to document what media
were sanitized, when, how they were sanitized,
and the final disposition of the media.
Often when an organization is suspected of losing
control of its information, it is because of inadequate
record keeping of media sanitization.
Proof of sanitization takes on at least two forms:
1. an audit log trail and
2. a certificate of sanitization.
Newest ISO Recommendations 27040 for storage
security on how to erase and when

Current Trends

Security vs. Operations
Efficient & clean
operations for end-of-life
Security & compliance
demands for data
across the entire
lifecycle.

Data Center Consolidation Stat
https://federaltechnologyinsider.com/data-center-optimization-initiative-consolidation-cloud/Blancco Proprietary & Confidential. Do Not Copy or Distribute. Copyright © 2018 Blancco Oy Ltd. All rights reserved.
OMB and Federal Information Technology Acquisition Reform Act
(FITARA) guidelines state we should expect 60% of non-tiered data centers
closed and 25% of tiered data centers consolidated by 2018.
60%
of non-tiered data
centers will close
25%
of tiered data centers
will consolidate

Gartner recently predicted that
by 2021, 50 percent of data
centers will use SSDs for
high-performance computing
and big data workloads – up
from less than 10 percent today.
SSD NVMes Become the
Interface for Enterprise
Drives
50%
of data centers will use
SSDs by 2021

Data Relocation Needs to be
Secure and Efficient
Gartner suggests that 70% of
data center migrations will
experience significant time delays
or even unplanned downtime,
largely due to improper planning.
70%
of data center migrations
will experience delays

Mitigate Risks Posed by Dark
Data
According to Veritas
Global Databerg
Report, 85% of
Stored Data Is Either
Dark or Redundant,
Obsolete, or Trivial
(ROT)

What are the Negatives
Associated with Hoarding
Data?
65
• Cost
• Compliance
• Increased attack surface
• Readiness to respond to customer request

Calculate Your Customers’ Cost Savings
66
Cost of Cloud Storage Vs. Data Erasure
350

67

68
Data
Retention!

What methods
achieve it?
Data Sanitization
Data
Erasure
Cryptographic
Erasure
Data
Destruction

To achieve data sanitization, these
methods must:
1. Degaussing
2. and/or Mechanical Shredders
3. Audit Report
1. Select a specific standard
2. Verify the overwriting methodology removed data
across the entire device
3. Produce tamper-proof certificate
1. Find and overwrite crypto keys and password
2. Verify the data encrypted and the previous key
unrecoverable
3. Produce a tamper-proof certificate
Physical
Destruction
Cryptographic
Erasure
Data
Erasure

71

Use Cases

Data Center Use Cases - Two
Dimensions
• Data migration
• Customer Exit- Cloud Exit
• VM life cycles
• Repurposing system storage
• Temporary data
• Data retention policies
Erase Data from an operational
environment
• Data Center decommissioning
• Tech refresh
• End of lease
• Return test systems
• Break fix (RMA)
Erase entire systems or servers
on drive level
• Break fix (RMA)
• Repurposing system storage
• Data Center decommissioning
73

Use case
Personal and confidential

Customer Infrastructure:
12 Data centers (Colo)
around the world
Mostly using leased HP
and Dell HW, but also
EMC and Oracle

Drives are pulled out of
servers when they fail.
Servers and drives were
piling up because of their
previous erasure
solution wasn’t working
well.
The old solution wasn’t
approved for SSDs either.
When the server lease
(2-3yr) ends, they are
disconnected and must
be erased before
returning.
The
problem:

Portable Blancco BMC / B5 PXE
server laptop
• Management Console
• Blancco 5 Server
• PXE boot server
• All preinstalled on a laptop
provided by Blancco
Professional Services
• 1-2 laptops per DC
1. Connect BMC laptop and
servers to same network
switch
2. Connect power
3. Connect KVM
4. PXE boot
5. Erase
6. Send reports
Solution:

1st day after delivering and
training the product:
The customer’s Data
Center Engineers started
erasing whole arrays of
servers using the BMC
laptop.
In this picture, the BMC/PXE laptop and the
network switch are moved around the DC on a
cart. The selected target servers were connected
to connected the same switch with the BMC
laptop. A KVM crash cart was used to monitor
and control the erasures.

Custom 3U
appliance for
loose drive erasure
• Based on 2U E2400 HW
• B5HW software
• Mounted to customer’s old
EPS rack
• Connected to Dell, EMC and
EPS SATA/SAS and FC disk
enclosures
1. Plug in the loose drives
2. Erase
3. Repeat
Hardware
Solution

Server decommissioning
example for a Fortune 50
company:
• 856 Servers
Decommissioned Overnight
• Each server had 6x1TB SATA
HDD. Total 5117 drives
• Erasure time was 5-8 hours.
Total time from start (boot
up) to finish (report
collection): 10 hours
• Erasure method was NIST
800-88 Clear 80

Best Practice:
Implement a scalable, automated
process to decrease time and
resources needed

Common challenge:
Sanitizing advanced media,
like NVMe SSDs

Challenges with SSD Erasure
86
Blancco Patented Solution
1. Freeze lock Removal
2. Proprietary Erasure Sequence
i. Combines SW overwrite and FW commands
3. Erasure Validation
i. Identifies malfunctions and preformed processes
SSD Challenges
• Freeze Locks
• Wear Leveling
• Data Compression
• Unreliable Firmware
Commands
• Corrupted Blocks
• Secure-Erase

Original Process:
• Failing HDDS hotswapped for new ones.
• Had 28 day SLA w/ Mft. & paying large
fines per drive as no way to ensure
erasure.
• Up to 85% of drives still functional. No
return req’d.
Improved process:
• 14 Blancco H/W appliances delivered to 14
DCs.
• Saves UBS $3 Million Euro annually in
fines.
Business case example loose drives (RMA/break fixes)
UBS Break-fix processes

ROI - RMAAnalysis on RMA savings from another Financial
Institution of similar size

Active Erasure:
Sanitization process
in a live environment

“As a Datacenter and Cloud solution provider, Telehouse is committed to
providing strong guaranty to its customer. We chose a software-based
data erasure process as irrefutable evidence that we comply with EU
regulation when erasing customer data.
More than a technical solution, the software erasure
process allows us to deliver TRUST to our customers. This
is the most valuable asset in our business field, on top of
providing strong evidence for our security certifications
like ISO 27001 or PCI DSS”.
– Benoît Mercier, Directeur ICT Solutions, Telehouse Europe

On
DemandErase VMs through
Command Line Interface
– manually performed
and/or scripted by the
administrator
VMware Hypervisor ESX and ESXi with
VMFS, versions 4, 5 and 6.

Logical Level Erasure:
for Unix and Windows Environments
92

File Level- Use Case
93
• Requirement
 Secure data erasure for customer exit
 Regulatory need to remove customer details using a certified solution
 Customer details on SMB shares, local & hosted email & paper
• How
 Discovery using standard MS Windows tools
 Blancco File Eraser erases mailboxes & files, “freespace” tool
 Secure report generated for every erasure performed
• Timeline
 Sales cycle approx. 2 weeks. Execution of project 2 days on site

Recovery of Virtual
Machines is an
established practice

Closing Remarks
Christopher Eeg,
Managing Director, Canada

Toronto Event- How to Protect Data Throughout Its Lifecycle

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Toronto Event- How to Protect Data Throughout Its Lifecycle

Similar to Toronto Event- How to Protect Data Throughout Its Lifecycle (20)

More from Blancco

More from Blancco (10)

Recently uploaded

Recently uploaded (20)

Toronto Event- How to Protect Data Throughout Its Lifecycle