Cloud services, recycled hard drives leak critical data; IT doesn't notice

Up to half of hard drives hold residual data from previous users, even drives installed in clouds

A British study showing two thirds of used hard drives available on the open market contain enough personal data to allow the previous owner's identity to be stolen isn't just a warning to be careful about what hardware you throw away.

It's a warning to be careful what you leave behind on someone else's hard drives when you switch cloud providers or even move around virtual servers and storage within an existing cloud.

A study published this week recounts the findings of Britain's Information Commissioner's Office (ICO) which investigated the "dirty disk" problem by ordering 200 hard drives, 20 flash drives and 10 cell phones from a range of web sites.

Using ordinary file-access software, not specialized PC forensics, the ICO was able to recover 34,000 files with personal or business data. Only 38 percent of the flash and hard drives had been wiped effectively; 14 percent contained data but were unreadable. Thirty-seven percent held non-personal information and 11 percent held the mother lode for identity thieves – enough personal data to steal the identity of the unit's previous owners.

Four machines held extensive personnel and business data on clients and employees, including health records and financial data.

Another British study, conducted by the Cyber Security Research Institute and published in September, 2011, corroborates the findings of the ICO study, but on a much larger scale.

Researchers examined thousands of hard drives during the decade before the report, finding the percent of drives containing residual data after being resold had dropped from 80 percent to only 30 percent.

Almost all are unencrypted and unprotected. Collectively they represent more than 95.6 million gigabytes of data lost from computer hard drives during the 10-year course of the study.

Data left on cell phones amounted to 90 million gigabytes of lost data per year, of which 4.5 million gigabytes were sensitive data including emails and contact details.

For corporate IT those figures amount only to a warning to scrub disks more carefully before recycling or reselling PCs.

Most companies are moving part of their IT operations into the cloud, however, in the form of software as a service (SaaS) apps such as Salesforce.com or Google Docs, or in the form of readymade servers and data centers from cloud infrastructure providers such as Rackspace, Amazon or Microsoft.

Those are the services that can pose a problem, because they put many clients on the same set of hardware, relying on encryption and virtualization software to keep one client's virtual data center from overlapping with another.

Virtual servers are not supposed to be able to see the underlying operating system, let alone the hardware.

Many companies insist on being able to access the hardware running their apps or data, however, to help ensure security, performance and usage policies can be kept within their own guidelines.

Those servers, virtual storage and other resources may be dedicated to that one client alone, to avoid putting another client on hardware whose security is controlled by a different client.

The hardware itself is almost never new, however. They're servers or storage that has been used as real servers, or hosts for as many as 16 virtual servers at a time.

Each of those servers and each client who passed through the system could leave sensitive data behind if the cloud provider and the client aren't both careful.

Worse even than the possibility that "Deleted" doesn't mean "securely erased" is the risk of giving away secure certificates or tokens contained in virtual-server containers that could be passed from one department or company to another by users who believe them to be only templates, not individually identified and authenticated servers.

Even cloud providers who are conscientious about erasing data between users can be flummoxed by conflicts or software errors that simply mark data "deleted" rather than actually deleting it.

At Slicehost, which is now owned by Rackspace, more than the usual amount of remnant data was caused by a security flaw in the underlying operating system.

To fix the flaw and get rid of the remnant data, Slicehost had to ask clients to migrate to different servers – a process that carries its own risk that disks or data will become corrupt during the move.

Little of the data could be found without forensic tools, Slicehost told customers, and none of it had been found to have been recovered and reused by unauthorized clients.

The data did expose the clients who owned it to the risk of loss through no fault of their own, in a way they could not anticipate or even investigate, because they weren't authorized to use forensic tools on those servers to check whether they were clean.

Encrypting data stored with a cloud provider can cause even more problems, because it can often show up as garbage data rather than the good stuff to providers that can't manage or decrypt it themselves.

Remnant data is rarely discussed by cloud users or providers, or even security specialists.

It continues to be a small but consistent problem in any organization that recycles servers or PCs at the end of their normal lifecycles.

The only way to be really sure no one will be able to read data from a disk you're abandoning – according to the roughly half a million security specialists who've told me this during interviews over the past few years – is to encrypt it, delete it, wipe the drive, scrub the drive with drive-scrubbing software, scrub the drive with sandpaper, sand and steel wool and then drill holes in different places on each disk before shredding them or throwing them away in separate recycling bins.

If that seems excessive, or just too much work, I've found the easiest way to make data on a hard drive completely inaccessible and unrecoverable is to put data on the disk that are vitally important to something time sensitive and fail to back the data up to any other devices as your deadlines approach and stress rises.

Just before you hit Save, Print or There, Now it Won't Explode, all the data will mysteriously disappear, never to be found again.

Especially after the explosion.

Good luck.

And keep your head down.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies