According to McKinsey and Co., most companies with over 1,000 employees store an average of 200TB of business information. If that data were stored on 300GB drives, almost 700 hard drives would carry potentially sensitive information. As the business maintains its IT through service and upgrades, drives are discarded in the process. But what happens to that sensitive data? Is it actually gone?
SATA and SAS
SATA hard drives, commonly found in consumer systems, are presented directly to the system that uses them, so the whole drive is visible to the host. Overwriting the data with 0’s is therefore a fairly effective way to destroy the data while maintaining the resale value of the drive. SAS drives, trusted in enterprise systems, are often built into more complex arrays. The drives are virtualized into a single RAID array to increase data reliability: if one drive fails, a parallel drive with the same mirrored data picks up the slack. When overwriting the data with 0’s, the system is only able to erase the virtualized space constructed from the array. The RAID card managing the drives ‘hides’ some of the drive space from the system, because that space is partitioned off to facilitate the array.
What it really means
Wipe certificates are commonly provided to assure clients that the drives have been erased and therefore no longer pose a risk of a data breach and subsequent business loss.
When it comes to SAS drives in a RAID array, the erasure software can provide a data destruction certificate validating the wipe. However, it can only validate what the RAID card allows the software to see. So sensitive business data can still be hidden in the RAID’s partitioned sectors, even though you have an official certificate saying the drive is clear.
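To make the point above and in the SATA and SAS section concrete, here is an added example (not code from the original post) in Python that models a drive behind a RAID card: a zero-fill issued through the controller reaches only the virtual volume, and a sector scan of the bare media reveals the reserved tail that the certificate never covered. The 64/56-sector sizes, the record pattern and the placement of the reserved area at the end of the drive are constructed assumptions, not figures from any real controller.

```python
SECTOR = 512  # sector size assumed for the constructed image

def build_drive(total_sectors: int, exposed_sectors: int) -> bytearray:
    """Constructed physical drive: every sector holds a recognisable record,
    so anything the wipe misses is obvious. The host only ever sees the
    first `exposed_sectors` (the virtual volume the RAID card presents);
    the tail is the controller-reserved area (an assumed layout)."""
    drive = bytearray()
    for i in range(total_sectors):
        drive += (b"record-%05d " % i).ljust(SECTOR, b"\xaa")
    return drive

def wipe_through_controller(drive: bytearray, exposed_sectors: int) -> None:
    """Model a host-side zero-fill: it can only reach the sectors the RAID
    card exposes; the reserved tail of the physical media is untouched."""
    n = exposed_sectors * SECTOR
    drive[:n] = bytes(n)

def non_zero_regions(media: bytes, sector: int = SECTOR) -> list:
    """Scan raw media sector by sector and return (start, end) byte ranges
    that still hold non-zero data. Run it over a dump taken from the bare
    drive (outside the array) to check a certificate against the media."""
    regions, start = [], None
    for off in range(0, len(media), sector):
        dirty = any(media[off:off + sector])
        if dirty and start is None:
            start = off
        elif not dirty and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(media)))
    return regions

def compare_views(total_sectors: int = 64, exposed_sectors: int = 56) -> dict:
    """Wipe the constructed drive through the controller, then verify it
    twice: as the erasure software sees it, and as the bare drive."""
    drive = build_drive(total_sectors, exposed_sectors)
    wipe_through_controller(drive, exposed_sectors)
    exposed = bytes(drive[:exposed_sectors * SECTOR])
    return {
        "controller_view": non_zero_regions(exposed),     # what the certificate attests
        "physical_view": non_zero_regions(bytes(drive)),  # what the media still holds
    }

if __name__ == "__main__":
    views = compare_views()
    print("residual data, controller view:", views["controller_view"])
    print("residual data, physical view:  ", views["physical_view"])
```

The controller view comes back empty while the physical view still reports the reserved tail, which is exactly the gap between a wipe certificate and the media it describes.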
Could they simply use a server without a RAID card? The issue is that nearly all servers on the market today come with RAID technology, because it is the most secure way to store data, just not to destroy it. What makes the problem even worse is that SATA drives on employee desktops may carry only their own data and that of their respective clients, so a breach of one of those drives may affect only a small percentage of the company’s whole operation. SAS drives, on the other hand, are generally used in centralized, high-density computing where data is stored in bulk. That hidden RAID partition may be carrying social security numbers for all employees and clients, company-wide salaries, or proprietary technologies the company possesses.
Is your Erasure Vendor Protecting your Brand?
R2-certified data sanitization vendors are required to have a third party verify their erasure process. It may be best to request the results of the vendor’s third-party test to ensure your data is safe. Just make sure the test includes both SATA and SAS drives, as different techniques are required to effectively erase them.