Easy question – how many drives does this server have?
If you counted six, you’d be wrong.
Imagine this scenario: you’ve been asked to decommission a server, and you need to account for the drives in the machine as part of your internal process for handling data-bearing devices or media. You’ve removed the drives from the front of the server, so you’re all set, right? You report back into your system of record that these drives have been removed and you send the device to your reseller or provider. Then the reporting sent back to you shows that there was media still in the server, or even worse, you find out from whoever purchased the unit that they found your data on the device. What gives?
Seeing Isn't Always Believing
While it’s easy to account for storage media and devices that are readily apparent and observable, the truth is that many devices contain data-bearing media whose presence you can’t confirm unless you already know it’s there. This can be especially challenging when a server or storage device sits in a rack that’s fully cabled up alongside other production servers, so you can’t pull it out to look for yourself prior to disposition. With the advent of smaller form factor drives such as M.2, EDSFF and mSATA, and other flash media such as SD, MicroSD and CompactFlash, it’s becoming increasingly common to find these smaller drives inside devices as well, whether attached to the motherboard, on a PCI-E expansion card, or in an out-of-band management device. Configurations and other data can also be held in non-removable internal storage areas such as NVRAM. It’s no longer as easy as looking at the front of a machine to determine the storage devices held therein.
A Sage Customer Perspective
A Sage customer experienced this scenario recently. The client removed the drives from the front slots; however, upon receipt at our processing center, our technicians found a hidden drive inside the unit, and we inventoried and secured the drive through our NIST-compliant erasure processes. Despite the client’s best efforts, their team failed to completely secure the server before it left the location, as their Information Security team’s requirements called for; doing so would have required disassembling the server and knowing where to look. Sage provided the client with photographic evidence of the drive and a Certified Data Erasure Report confirming that the erasure was performed and successful. This entire event made for an eye-opening experience for our client, and one that further demonstrates the value of a mature ITAD provider skilled in the technologies supported by the organization.
Is Your ITAD Provider Addressing These Scenarios?
When selecting an ITAD service provider, look for one that has the processes and procedural rigor to operate in scenarios like the one described above, including identifying and sanitizing the data on these devices. A mature provider knows about these “gotchas” and maintains a database of products, including product class, make, and model, that recognizes when a device is data-bearing even when it isn’t immediately obvious (not all data sanitization is as cut-and-dried as erasing a hard drive!). Your provider should also perform additional validation by opening units to verify that there isn’t internal media that is present but disconnected from the system board, which would be invisible to normal systematic processing of a device. We hope this guidance helps you close gaps that could expose you, without your knowing it, to data leakage or breach risks.