Recycled tablets need to be wiped

The boundary between personal and professional time, and between personal and professional devices, is increasingly blurred. Personal devices are used for company purposes, and their content includes a heady mix of both personal and company data. Most of these devices are privately owned, although a growing number are purchased for staff by the company.

But regardless of who owns the device, it is the company that is responsible for any company data held on the device; and it is the company that must take responsibility for the removal of that data prior to device disposal (for both security and data compliance purposes). This leads to both logistical and technical problems: ensuring that staff wipe their personal devices will be difficult to organize, while ensuring that mobile device solid state memory is completely clean is technically hard.

BlackBelt – which has just enhanced its data wiping product to include Apple and Android tablets – explains the difficulty. “Solid state memory uses a technique called wear leveling to maximize the life expectancy of the memory chips,” BlackBelt’s business development manager Ken Garner told Infosecurity. “It works by spreading the binary information (0s and 1s) randomly across all of the memory cells in the chip. This means that unlike on spinning disk memory, the location of the data on the user interface bears no relation to where it is stored on the drive, making traditional forms of deletion ineffective.”

Because of ‘wear leveling’, neither remote wipes nor factory resets are guaranteed to remove all of the data from memory. Apart from high-end forensic tools, used by law enforcement agencies but often publicly available, a low-cost product called Wondershare, says Garner, “recovers just about everything after either a factory reset or a local (phone operating system) delete.”
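To make the point about logical versus physical locations concrete, here is a simplified model of the remapping behind wear leveling. It is an added illustration, not code from BlackBelt or from any vendor's firmware; the `ToyFTL` class, the page counts and the sample record are constructed assumptions.

```python
"""Toy flash translation layer (FTL): constructed model, not real firmware."""

class ToyFTL:
    def __init__(self, logical_pages, physical_pages):
        # Spare (over-provisioned) pages are what let the controller remap writes.
        assert physical_pages > logical_pages
        self.flash = [None] * physical_pages   # raw contents of each physical page
        self.wear = [0] * physical_pages       # program count per physical page
        self.mapping = {}                      # logical page -> physical page

    def write(self, lpn, data):
        # Wear leveling: program the least-worn page that holds no live data.
        live = set(self.mapping.values())
        free = [p for p in range(len(self.flash)) if p not in live]
        target = min(free, key=lambda p: (self.wear[p], p))
        self.flash[target] = data
        self.wear[target] += 1
        # The previously mapped page is now stale but still holds its old bytes.
        self.mapping[lpn] = target

    def read(self, lpn):
        # What the operating system (the "user interface" view) sees.
        return self.flash[self.mapping[lpn]]

    def residual(self, needle):
        # What a chip-level read sees: every physical page, live or stale.
        return sum(1 for page in self.flash if page is not None and needle in page)


SECRET = b"ACCT=CONSTRUCTED-0001;PIN=0000"   # constructed sample record

def build_device():
    ftl = ToyFTL(logical_pages=4, physical_pages=8)
    ftl.write(0, SECRET)
    for lpn in (1, 2, 3):
        ftl.write(lpn, b"other-data-%d" % lpn)
    return ftl

def overwrite_once():
    ftl = build_device()
    ftl.write(0, b"\x00" * len(SECRET))      # host "overwrites" the file in place
    return ftl.read(0), ftl.residual(SECRET)

def overwrites_until_gone():
    ftl, passes = build_device(), 0
    while ftl.residual(SECRET):
        ftl.write(0, b"\x00" * len(SECRET))
        passes += 1
    return passes

if __name__ == "__main__":
    print(overwrite_once(), overwrites_until_gone())
```

In this model the operating system reads back zeros after one overwrite while the original record is still present in a stale physical page, and it only disappears once the controller happens to reuse that page. Real controllers use different allocation and garbage-collection policies, so the counts here are properties of the toy model only.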

Anecdotal evidence, he adds, suggests that “on some of the ‘underground’ sites where stolen data is traded, mobile devices such as smartphones and tablets are offered at prices that reflect the value of the data recovered rather than the device itself. Those with banking data for corporate accounts are the most highly valued, currently changing hands for US$500 plus.”

All of this demands that when an existing tablet is retired and replaced by a newer model, it is incumbent on the company to ensure that all data held on the device is adequately deleted. One problem, says Garner, is that “Many data wiping solutions, more often than not, have been ‘re-purposed’ from data wiping solutions aimed at traditional hard disk drives,” and that simply doesn’t work on solid state memory. His own product, DataWipe, uses a three-stage process: firstly writing 0s in every memory cell, secondly writing 1s in every cell, and thirdly writing random 0s and 1s across every memory cell. The result, he claims, is guaranteed data erasure that can also provide audit, compliance and reporting data in industry standard XML that is easily exchanged with all of the major DLP, SIEM, policy management and mobile device management solutions – solving both the logistical and technical difficulties around tablet recycling.
