Net Zeros and Ones - Richard Stiennon - E-Book

Net Zeros and Ones E-Book

Richard Stiennon

Description

Design, implement, and integrate a complete data sanitization program

In Net Zeros and Ones: How Data Erasure Promotes Sustainability, Privacy, and Security, a well-rounded team of accomplished industry veterans delivers a comprehensive guide to managing permanent and sustainable data erasure while complying with regulatory, legal, and industry requirements.

In the book, you'll discover the why, how, and when of data sanitization, including why it is a crucial component in achieving circularity within IT operations. You will also learn about future-proofing yourself against security breaches and data leaks involving your most sensitive information--all while being served entertaining industry anecdotes and commentary from leading industry personalities.

The authors also discuss:

Several new standards on data erasure, including the soon-to-be published standards by the IEEE and ISO

How data sanitization strengthens a sustainability or Environmental, Social, and Governance (ESG) program

How to adhere to data retention policies, litigation holds, and regulatory frameworks that require certain data to be retained for specific timeframes

An ideal resource for ESG, data protection, and privacy professionals, Net Zeros and Ones will also earn a place in the libraries of application developers and IT asset managers seeking a one-stop explanation of how data erasure fits into their data and asset management programs.


Page count: 298

Publication year: 2022




Table of Contents

Cover

Title Page

Foreword

Introduction

CHAPTER 1: End of Life for Data

1.1 Growth of Data

1.2 Managing Data

1.3 Data Loss

1.4 Encryption

1.5 Data Discovery

1.6 Regulations

1.7 Security

1.8 Legal Discovery

1.9 Data Sanitization

1.10 Ecological and Economic Considerations

1.11 Summary: Proactive Risk Reduction and Reactive End of Life

CHAPTER 2: Where Are We, and How Did We Get Here?

2.1 Digital Data Storage

2.2 Erasing Magnetic Media

2.3 History of Data Erasure

2.4 Summary

CHAPTER 3: Data Sanitization Technology

3.1 Shredding

3.2 Degaussing

3.3 Overwriting

3.4 Crypto-Erase

3.5 Erasing Solid-State Drives

3.6 Bad Blocks

3.7 Data Forensics

3.8 Summary

CHAPTER 4: Information Lifecycle Management

4.1 Information Lifecycle Management vs. Data Lifecycle Management

4.2 Information Lifecycle Management

4.3 Data Security Lifecycle

4.4 Data Hygiene

4.5 Data Sanitization

4.6 Summary

CHAPTER 5: Regulatory Requirements

5.1 Frameworks

5.2 Regulations

5.3 Standards

5.4 Summary

CHAPTER 6: New Standards

6.1 IEEE P2883 Draft Standard for Sanitizing Storage

6.2 Updated ISO/IEC CD 27040 Information Technology Security Techniques—Storage Security

6.3 Summary

Note

CHAPTER 7: Asset Lifecycle Management

7.1 Data Sanitization Program

7.2 Laptops and Desktops

7.3 Servers and Network Gear

7.4 Mobile Devices

7.5 Internet of Things: Unconventional Computing Devices

7.6 Automobiles

7.7 Summary

CHAPTER 8: Asset Disposition

8.1 Contracting and Managing Your ITAD

8.2 ITAD Operations

8.3 Sustainability and Green Tech

8.4 Contribution from R2

8.5 e-Stewards Standard for Responsible Recycling and Reuse of Electronic Equipment

8.6 i-SIGMA

8.7 FACTA

8.8 Summary

CHAPTER 9: Stories from the Field

9.1 3stepIT

9.2 TES – IT Lifecycle Solutions

9.3 Ingram Micro

9.4 Summary

CHAPTER 10: Data Center Operations

10.1 Return Material Allowances

10.2 NAS

10.3 Logical Drives

10.4 Rack-Mounted Hard Drives

10.5 Summary

CHAPTER 11: Sanitizing Files

11.1 Avoid Confusion with CDR

11.2 Erasing Files

11.3 When to Sanitize Files

11.4 Sanitizing Files

11.5 Summary

CHAPTER 12: Cloud Data Sanitization

12.1 User Responsibility vs. Cloud Provider Responsibility

12.2 Attacks Against Cloud Data

12.3 Cloud Encryption

12.4 Data Sanitization for the Cloud

12.5 Summary

CHAPTER 13: Data Sanitization and Information Lifecycle Management

13.1 The Data Sanitization Team

13.2 Identifying Data

13.3 Data Sanitization Policy

13.4 Summary

CHAPTER 14: How Not to Destroy Data

14.1 Drilling

14.2 Acids and Other Solvents

14.3 Heating

14.4 Incineration

14.5 Street Rollers

14.6 Ice Shaving Machines

CHAPTER 15: The Future of Data Sanitization

15.1 Advances in Solid-State Drives

15.2 Shingled Magnetic Recording

15.3 Thermally Assisted Magnetic Recording, Also Known as Heat-Assisted Magnetic Recording

15.4 Microwave-Assisted Magnetic Recording

15.5 DNA Data Storage

15.6 Holographic Storage

15.7 Quantum Storage

15.8 NVDIMM

15.9 Summary

Note

CHAPTER 16: Conclusion

APPENDIX: Enterprise Data Sanitization Policy

Introduction

Intended Audience

Purpose of Policy

General Data Hygiene and Data Retention

Data Spillage

Handling Files Classified as Confidential

Data Migration

End of Life for Classified Virtual Machines

On Customer's Demand

Seven Steps to Creating a Data Sanitization Process

Data Sanitization Defined

Physical Destruction

Degaussing

Pros and Cons of Physical Destruction

Cryptographic Erasure (Crypto-Erase)

Pros and Cons of Cryptographic Erasure

Data Erasure

Pros and Cons of Data Erasure

Equipment Details

Asset Lifecycle Procedures

Suggested Process, In Short

Create Contract Language for Third Parties

Data Erasure Procedures

General Requirements for Full Implementation

Procedure for Partners and Suppliers

Audit Trail Requirement

Policy Ownership

Mandatory Revisions

Roles and Responsibilities

Index

Copyright

About the Authors

End User License Agreement


Net Zeros and Ones

How Data Erasure Promotes Sustainability, Privacy, and Security

Richard Stiennon

Russ B. Ernst

Fredrik Forslund

Foreword

I titled my book If It's Smart, It's Vulnerable (Wiley, 2022). I first mentioned this fact during one of my talks, and the phrase took on a life of its own. Eventually, it became known as the Hypponen law. When we add functionality and connectivity to everyday devices, they become smart. At the very same time, they become vulnerable and hackable.

This concerns me, because smart devices all contain data. Ensuring that that data does not fall into the wrong hands is the topic of Net Zeros and Ones. The right to data erasure here in Europe has been codified in many privacy regulations, including GDPR. But the topic of data sanitization extends well beyond privacy and the handling of personal information.

Security, as the authors point out, is primarily about protecting data from theft, corruption, or even destruction. The last we have seen in many widespread attacks, for example with NotPetya, a worm released on Ukraine by Russia's military. Thousands of organizations have had to deal with ransomware over the last five years. Pernicious criminal gangs have learned to monetize the value we see in our own data by denying us access to it. They encrypt it and demand millions for the decryption keys or to prevent the criminals from leaking the data.

I have spent my career working in cybersecurity. When I started working at the Finnish security company F-Secure in 1991, we did not use the term cyber. It was just IT security. The history of this industry is often compared to a cat-and-mouse game between attackers and defenders. I think that metaphor could be expanded: it's a cat-and-mouse game, but the defenders must react to new cats with fresh tactics every year.

When I started, the threat was from so-called hackers who would enjoy demonstrating their prowess in breaking into large organizations or writing malicious code that would spread from machine to machine over the rapidly expanding global Internet. We saw the rise of hacktivists who would target specific organizations in the name of a cause. Cybercriminals arose out of early methods of monetizing access to all these computers. They would commandeer a user's browser to engage in click fraud. They would use password brute-force attacks to steal money and data from online accounts. As the use of computers became ubiquitous and business and governments came to rely on them, state actors used the vulnerabilities in the way these systems were deployed to engage in cyber espionage. Finally, in 2013, Edward Snowden made us all aware of the deep information collection that intelligence agencies engage in, sometimes on a country's own citizens.

Today all of these classes of attackers operate simultaneously, and they continue to evolve their methods and tools. Meanwhile, the defenders scramble to stay at least even with the attackers but often fail, as evidenced by the constant breach and outage announcements we see in the media.

This book offers some small comfort in the fact that for a defender there is an end of the road, at least for one small component of the technology realm—that is when data reaches the end of its useful life. Effective data erasure means that it does not have to be protected by expensive stacks of security appliances in front of the data center. It does not have to be discovered and classified. Access controls are no longer required. Backup and recovery expenses are no more. Encryption, which is a temporal defense, is no longer needed. As computing power grows, it reduces the expense for an attacker who wants to crack encryption keys. Once data is irretrievably erased, it never has to be rekeyed and encrypted.

I mentioned privacy regulations, which are also covered in these pages. Most modern privacy regimes impose strict fines for not taking adequate, even “state-of-the-art” measures to prevent data from being exposed. GDPR Article 17 is titled “The Right to Erasure” and sets out how a data subject can demand that their data be removed from a service such as Google or Facebook. This adds to the benefit of a well-managed data erasure process. In addition to reducing the probability of accidental exposure or outright theft of data, it means the organization can respond to these demands and document that it has complied.

The third element covered in this book is the whole concept of sustainability and the new realm of environmental and social governance (ESG). It turns out that data erasure has its roots as a commercial industry here in Finland. See the story of my friend Kim Väisänen who created one of the primary tools for effective data erasure after his business partner was able to demonstrate how medical records were not properly deleted by local hospitals.

Smart devices, from PCs to tablets to phones to televisions, have a limited useful life. They become obsolete quickly as newer models are introduced. Not only are they expensive to purchase, but vast amounts of raw materials and energy go into manufacturing them. Gone are the days when the only concern with electronic waste was where to put it all.

Electronic waste poses many problems. There are components that can be harmful to soil and groundwater. If they are burned, they can pollute the air. If you are familiar with carbon calculations, you will not be surprised at the amount of carbon released into the atmosphere by the mining of the metals and the refining of the oil that goes into these devices. Then there is the energy expended in the massive factories that churn out the new devices. Add in the packaging, the transportation from the factory, and the delivery vehicles to get a device to your door and you are looking at considerable carbon costs.

An entire industry has arisen to extract value from used electronic gear. IT asset disposition (ITAD) facilities take in the old devices and fix them for resale if possible. If not, they can disassemble phones and laptops to save usable parts for the repair of other devices. An organization can contract with an ITAD to take its old computers and network gear and get the best price. This is money saved for the inevitable upgrade to its IT infrastructure. But what to do about all the data on those devices? This is where data erasure comes into play. ITADs have thrived by getting into the data erasure business. They provide the controls to ensure that all usable data is effectively sanitized from the devices they handle. It turns out that data erasure is a necessary and enabling factor in the reuse and recycling of electronic equipment.

The case is made that these three regimes where data erasure plays a part—privacy, security, and sustainability—justify a systematic data sanitization process. But the authors don't stop with stating their case. They offer guidance on how to fit data sanitization into your data lifecycle management processes.

While reading this book, you will learn all the means used to destroy data from steam rollers to magnetic fields to software. You will learn about the rapid increase in data densities in storage media and the issues that raises. Standards for erasure are evolving too. It turns out that denser storage requires fewer passes of ones and zeros to erase. Forensic analysis of the tracks on a hard drive to discern the ghost images of previous states is no longer easily done. In many ways, solid-state drives (SSD) are even easier to sanitize because they have built-in resets that can flip all the bits to a single state with one command.

The authors also do a good job of highlighting some of the issues with so-called crypto-erase, which is the idea that if a hard drive or smartphone is fully encrypted, all you have to do is erase the encryption keys. But you still must check every device to ensure those keys are gone and all the data is encrypted. You can incorporate those checks in your audit practices as part of your data sanitization policy.

One of my favorite chapters contains the stories related by the pioneers of some of the largest ITADs in the world. They each created a healthy business recovering value from millions of used devices a year. They grew from extracting valuable metals from electronic gear to today's modern ITAD service that performs data erasure and fuels the circular economy.

Before the conclusion, the book wraps up with two fun chapters: Chapter 14, “How Not to Destroy Data,” and Chapter 15, “The Future of Data Sanitization.” Hammers, drills, and nail guns are some of the ways people attempt to make data unavailable. I applaud the awareness of the need to erase data forever but not with a system that means hard drives and computers end up in landfills. The future of data storage ranges from thermal and microwave assistance to decrease magnetic coercivity on a platter to DNA storage. The authors offer some ideas on how these future storage devices can be erased.

We are in a battle to protect data from abuse even while the amount of data in the world is growing every day. Spies seek data to discover another nation's intent. Cybercriminals seek to monetize stolen data. Insiders hope to exfiltrate data for their own use or to sell it. The defenders will continue to fight these battles, responding to every new attack by deploying more defenses. Data sanitization is an important tool to minimize the total data attack surface while also gaining compliance with privacy regulations and clawing back value from devices destined for the secondary market.

I encourage anyone who has responsibility for data lifecycle management as well as for securing that data to read this book. It may be the first time you are exposed to the concept of eliminating data at its end of life, or you may be one of the many people who manage data at large organizations. You may have just discovered that there is new regulation working its way through a legislature that is going to impact your business by imposing new controls on how you handle data. This book will prepare you for that day.

—Mikko Hyppönen is the chief research officer at WithSecure and has worked in computer security since 1991. His writing has appeared in the New York Times, Wired, and Scientific American. He has lectured at Oxford, Stanford, and Cambridge and has presented at conferences around the world including at TED in 2011. He is the author of If It's Smart, It's Vulnerable (Wiley, 2022).

Introduction

It has been 27 years since Kim Väisänen and his partner, both in Finland, purchased a hard drive online from a local medical center and discovered thousands of patient records on it. They sent their findings to a journalist who exposed the data leak. The two went on to create one of the first commercial services to reliably erase data from storage devices. Yet, even today, there are very large organizations that get caught disposing of storage media with little concern for the data that resides on them. Or, if they acknowledge the problem, they negligently send the hard drives to be physically shredded in special machines, missing out on the opportunity to do the right thing for both their bottom line and the environment.

In October 2022, ArsTechnica reported the following:

“Last month, the US Securities and Exchange Commission fined Morgan Stanley $35 million for an “astonishing” failure to protect customer data, after the bank's decommissioned servers and hard drives were sold on without being properly wiped by an inexperienced company it had contracted.”

https://arstechnica.com/information-technology/2022/10/why-big-tech-shreds-millions-of-storage-devices-it-could-reuse

There are more than 20,000 data centers around the world today. Many of them upgrade the storage media they use every three to five years as they wear out or as greater speeds and densities are introduced into new models. While many have data sanitization policies in place to completely wipe these devices before they leave the premises, many do not.

Microsoft Azure's practice is reported to be to physically shred hard drives in its 200+ data centers “to protect customer data.” The following is from the same ArsTechnica article:

“Microsoft says ‘we currently shred all [data-bearing devices] to ensure customer data privacy is maintained fully.’”

Also in October, the Financial Times ran a story about tens of thousands of devices being needlessly shredded. “From a data security perspective, you do not need to shred,” says Felice Alfieri, a European Commission official who co-authored a report about how to make data centers more sustainable and is promoting data deletion over device destruction.

So yes, Microsoft and others understand the privacy and security concerns covered in this book, but they completely miss the opportunity to safely sanitize storage to avoid shredding devices that end up as landfill or are incinerated—contributing to air pollution.

Sustainability is becoming a primary driver for using good data sanitization procedures. Certified IT asset disposition (ITAD) services started as a business that recovered valuable minerals—gold, silver, rare earths—from printed circuit boards. They have evolved, spurred by numerous regulations, into a service that extracts residual value from old equipment. They refurbish cell phones, laptops, and desktops for resale. Those devices that cannot be repaired are disassembled so their component parts can be used in the repair process. Thanks to customers who recognize the data security issues of sending their devices to a third party, ITADs started to offer data sanitization and tracking so that a customer would have a record of every device that had been sanitized. You will learn in Chapter 9 how three of the top ITADs in their respective regions have started to see their customers leverage responsible recycling as part of their environmental and social governance (ESG) programs. It is even possible to project what carbon/energy savings are created when a device is reused instead of being trashed.

There is growing momentum for data sanitization across all industries. This can be seen in new standards being written to expand on older standards. This book will bring you up-to-date on the standards for data sanitization and new standards being written. Keep in mind that where standards lead, regulations are not far behind. Rather than define proper practices in a new law or regulation, the creators often defer to the standards.

If you are just embarking on a data sanitization project, this book will guide you in creating a data sanitization policy that fits in with your information lifecycle policies. A suggested policy is included in the Appendix.

You would think that encrypting data at rest would be the final solution to the problem of data leaks. Modern encryption algorithms are breakable only (theoretically) by the major intelligence agencies. Yet, encryption fails all the time. A self-encrypting drive may be misconfigured when it is shipped so that encryption is not turned on. A factory reset on most phones is meant to destroy the encryption keys and render all the data unreadable. Yet, the phone may connect to a cloud backup and recover its own keys! The greatest benefit of so-called crypto-erase is that it is much faster than the logical erase procedures required to overwrite zeros and ones. The critical factor is to determine that the encryption keys have truly been erased and that the storage media is encrypted.

If you are a data center operator, you can extract tremendous value from a data sanitization program. Your data security policies may prevent you from taking advantage of hardware warranties, forcing you to pay for replacement hard drives instead of getting them replaced as part of a returned material allowance (RMA) program. If you erase those hard drives with an auditable, verifiable process, you can save significant expense.

RSAC, the organizers of the largest cybersecurity conference, estimate that there are three million cybersecurity professionals. All of them, regardless of their specialization in network, endpoint, identity, or cloud, are ultimately responsible for data security. Their task is to prevent data from being stolen by cybercriminals, spy agencies, or even malicious insiders. This book offers relief in a small but important way. At the end of data's useful life, it can be completely erased forever, removing the need to discover it, track it, and protect it. It changes the organization's task from “protect all data forever” to “protect all data for seven years,” or whatever the regulatory requirement dictates.

This book on data sanitization is meant to be a single resource to promote good privacy and security while providing a path to a more sustainable existence. Rather than slow the progression of technology, data sanitization provides a path to accelerate technology adoption while extracting value from older devices.

It is hard to estimate how many old devices clutter up the homes and storage closets of consumers and businesses. Just count how many old phones and laptops or tower computers you keep around. As sanitization methods, services, and tools become more widely available, these devices could at least be responsibly disposed of.

The speed at which data is being created and accumulated is starting to highlight the need for data management to curtail costs. Assigning an expiration date to data is one of the most impactful steps to reduce storage costs while complying with strict data retention regulations. The expiration date is the trigger to sanitize the data according to policy.

Perhaps this book will get into the hands of the engineers and scientists working on new ways to store and retrieve data. The hope is that they will take into consideration the data sanitization requirements, thus preventing a new wave of devices that pose a data security threat.

Sustainability has its part to play too. ESG regulations are requiring the “right to repair” and imposing new guidance on recycling. Both of these need data sanitization to be effective. Just as privacy regulations intersect with cybersecurity requirements, ESG touches on information technology practices. Thus, all three—privacy, security, and sustainability—have their part to play in driving data sanitization forward.

Use this book to guide your own data sanitization practices. If you are just starting out, you can use the information contained here to build a case to create a data sanitization policy and start implementing practices that ensure your data is responsibly disposed of on a regular schedule.

CHAPTER 1: End of Life for Data

1.1 Growth of Data

1.2 Managing Data

1.2.1 Discovery

1.2.2 Classification

1.2.3 Risk

1.3 Data Loss

1.3.1 Accidental

1.3.2 Theft

1.3.3 Dumpster Diving

1.4 Encryption

1.5 Data Discovery

1.6 Regulations

1.7 Security

1.8 Legal Discovery

1.9 Data Sanitization

1.10 Ecological and Economic Considerations

1.10.1 Ecological

1.10.2 Economic

1.11 Summary: Proactive Risk Reduction and Reactive End of Life

Data is like water. It seeps into everything and pours out of every process and device. Every single minute of every day, we create data. Even while we are sleeping, our bank, insurance company, mobile phone, or wristwatch is ticking away, creating records of transactions, our location, our heart rate, even our sleeping patterns. When we are awake, we are creating data in spreadsheets, documents, and every application we interact with online. This book is about finding and erasing data at the end of its useful life, no matter where it is hiding.

There are many reasons to erase data. Preserving privacy is one of them. Your personal records are yours and should not belong to Google or Facebook, even though those companies track your every move online and record it. What about all the data on an old cell phone or computer that you are selling online? How do you ensure everything is securely erased from those devices? Do you connect your phone to a rental car's infotainment system to play your favorite songs or make it easy to call a contact? How do you erase that data from the car when you return it? Do you know where all the logs of your activity are stored?

Security is another reason. The purpose of cybersecurity tools, from firewalls to analytics to endpoint protection, is to protect data. Data sanitization is the ultimate protection from theft, breach, or leakage of critical data.

In recent years, the ideas of sustainability and environmental and social governance (ESG) have led to another use case for data sanitization that is growing in importance. By certifiably removing all data from a device, it is now possible to funnel those devices into a circular economy where they can be refurbished, resold, and reused. The value extracted from used devices often pays for the processes to erase data from them and recycle those components that are beyond repair. The value returned to the owner helps reduce the total lifecycle cost of owning a cell phone or computer.

In addition to management of your personal data, this book is a guide to creating and executing a complete corporate data erasure program. If you are responsible for your company's data management, you already know about data retention policies, which may be different in every country your company operates in. A data retention policy implies that you have a process for destroying data at the end of its life. You certainly need to ensure that all data is completely destroyed when you dispose of outdated laptops, desktops, servers, network gear, storage arrays, magnetic tapes, and loose hard drives.

Data sanitization is the last and profoundly final step in a data protection plan. Throughout the life of data, the goal is to protect its confidentiality, integrity, and availability. When that data is no longer needed, the task is to irrevocably wipe it. This removes the need for confidentiality and integrity, and it is assuredly not available. This end of life for data is profound because it represents one of the only aspects of IT security that is truly final. The burden of deploying firewalls, intrusion prevention systems (IPSs), data leak prevention (DLP), access controls, authorizations, logging, auditing, and encryption is finally over, never to cross a chief information security officer's mind again. Gone are the risks of accidental exposure in the cloud, of a lost or stolen laptop or smartphone, of ransomware, of identity theft, and being in violation of regulations like the EU General Data Protection Regulation (GDPR) or the California Privacy Rights and Enforcement Act of 2020 (CPRA), which takes effect January 1, 2023.

In recent years, sustainability and ESG have come into play. Many large companies tout their targets for lowering carbon emissions and getting to a “net zero” carbon footprint. In a 2020 press release, Apple committed to become carbon neutral across its entire business, manufacturing supply chain, and product lifecycle by 2030. Data sanitization plays an important role here because reusing electronic equipment, be it desktops, laptops, cell phones, tablets, or office equipment, is a key way to reduce a carbon footprint. Companies can account for the carbon savings from a reused laptop that can offset the total carbon in terms of material, energy, and transportation that goes into creating a new one.

Data sanitization is the term used to define the organized and certified destruction of data. It could be for a full disk, either a hard drive with its spinning disks or silicon solid-state drives (SSDs). It could be for USB thumb drives, magnetic tapes, medical devices, network gear, an entire data center, a cloud image, or the device used to generate and store nuclear launch codes. Other terms used throughout this book are data erasure, wiping, destruction, or overwriting. As we will see, data sanitization is the specific term used when a program, driven by policy, is used to accomplish the complete removal of data from physical storage or memory with a documented procedure suitable for auditing.

Technologies used to accomplish data sanitization include overwriting with various schemes of 1s and 0s, resetting flash memory storage, erasing strong encryption keys, destruction by magnetic fields (degaussing), incinerating, and physical shredding. While drilling through a hard drive case and the enclosed platters is probably the most cited method for home use, there are machines, called shredders, available for mangling hard drives and pulverizing SSD cards.

When sanitizing data, there is a concept of provenance. Who controls the data as it passes out of use and is ultimately destroyed? If you send a hard drive or computer to an IT asset disposition (ITAD) facility for recycling, when do you get assurance the data cannot be recovered from the devices? In your own facility? When they are received at the ITAD? Before they are refurbished and sold as used? The National Security Agency (NSA), which is understandably the agency that is most aware of the value of lost or stolen data, uses a belt-and-suspenders approach; it degausses devices before physically shredding them. What should you do? What are today's technology options to combine total security and circularity? These questions and more will be answered as you continue reading.

1.1 Growth of Data

If, as Marc Andreessen said in a 2011 Wall Street Journal op-ed, “software is eating the world,” then surely the world is being drowned in data. IDC estimates that what they call the global datasphere will grow from 33 zettabytes (ZB) in 2018 to 175 ZB by 2025. A zettabyte is 1,000 petabytes. A petabyte is 1,000 terabytes. Each terabyte is 1,000 gigabytes. YouTube alone contains 1.4 ZB of video. Think of the 1.3 million laptops and PCs sold every year. How much data is on the computers these are replacing? Think of the billions of smartphones in use around the world. How many photos and videos are being created every day? Think of the data being created every time you accept a cookie as you browse the web. The logs in each web server are recording your IP address and your session and, yes, the cookies that reside in your browser. Now think of the cloud: all the servers, data buckets, virtual machines, virtual private clouds (VPCs), containers, data lakes, and apps that are generating or storing data every second. Then contemplate the 20 billion Internet of Things (IoT) devices (cars, cameras, and industrial sensors) that are recording and storing data. On top of that are the logs of every single transaction, the network traffic recorded, the medical information, the movement of stock prices, and every bid and ask price.

While the value of a single datum may be minuscule, in aggregate, data miners are using so-called big data to extract intelligence from vast quantities of data stored in “data lakes.” The idea that data could be of value at some future date encourages governments and tech giants such as Google, Apple, Amazon, Twitter, and Facebook to store everything forever.

The cost of storage is plummeting. A storage device 50 years ago cost tens of thousands of dollars and had a capacity measured in single-digit megabytes. Today a hard drive in a storage array is typically multiple terabytes and costs less than $1,000.

1.2 Managing Data

Luckily, storage is not free. Cloud storage, while plummeting in price, still has a significant cost: $23/month for a terabyte in Amazon S3, for instance. That means data has to be managed. In addition to cost, the elements of data management include discovery, classification, and risk scoring. All data deemed critical should also be backed up and easy to recover if the original data is corrupted. Data backup creates more data, compounding the data management task.

1.2.1 Discovery

Data discovery is the first, and most difficult, task. There are many tools available for data discovery. The first task is to know where all of an organization's data resides. Servers, desktops, mobile devices, network attached storage (NAS), backup and recovery systems, tape archives, cloud storage, and thumb drives may be the physical locations. But there are more places where data resides, such as the active memory in servers and desktops or cloud workloads. And of course, multiple third parties may have your data.

1.2.2 Classification

Once an organization's data is found, classification is required to determine the following:

Its importance to business operations. There is a difference between data collected from a remote temperature sensor and financial transactions, for instance.

The likelihood that the data will be of value to a competitor or cybercriminal.

Any regulatory compliance requirements.

The data retention timeframe for the data based on the laws of the country it resides in, and the regulations that the organization must comply with.

Whether the data is part of an ediscovery process initiated by a party to a lawsuit or a regulator and therefore on legal hold.

Intelligence agencies are known for their strict data classification policies. From For Official Use Only (FOUO) to Top Secret or Five Eyes Only (FEO), they tend to err on the side of over-classification.

Most organizations use laws and regulations to guide their data classification. They may include personally identifiable information (PII) such as name, email, address, national identity number, and health records. Other data that may fall under specific regulations:

Financial records

Credentials

Intellectual property

(The term personally identifiable information is being displaced by personal information