I was at the local municipal dump the other day, throwing out all my rubbish. I like to keep my rubbish until all chance of it proving to be valuable has vanished. Sadly, that Hitachi laptop from the late nineties had to go, though that Cromemco from the late seventies remained secure from the crusher, for sentimental reasons. As I stood back to hurl the laptop into the municipal skip, with a muttered farewell to an old friend, the supervisor took it firmly from me and placed it reverentially in a portakabin with a lot of other IT equipment.
I wondered why. ‘Does this go for recycling in China to extract the gold?’ I asked.
‘Not worth it, mate, but the hard drives fetch a bit.’
It wasn’t until I was halfway home that it hit me. There are no useful metals in a disk drive. Why would anyone want hard disks from old laptops? The most valuable thing would be the data. Somehow, one keeps passwords, browser history, personal accounts and all sorts of clues as to one’s identity, possibly even confidential information from work. So this is what we call ‘at-rest data leakage’. When old archived information is stored on a PC, on a network or on a backup system, and left unused in storage, it can be retrieved easily because it is out of sight, and out of mind, for the security experts.
It set me thinking. How efficient are we generally about ensuring that any redundant equipment with data on it can never subsequently be read after it is disposed of? It always surprises me to meet people who are unaware that SQL Server files and backups can be read by anyone unless they are encrypted. We are lulled into a false sense of security by the fact that it is hard to circumvent the security system of a live database, whereas it is easy to read the data files. The front door is locked and bolted, whereas the back door is flapping open. If you let working drives leave the building in a readable state, you’re unintentionally in the publishing business.
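One way to find the unlocked back door before a drive leaves the building is to ask the instance which databases and recent backups are stored unencrypted. This T-SQL is an added example, not part of the original piece; it assumes SQL Server 2014 or later, VIEW SERVER STATE permission and read access to msdb, and the 90-day window is an arbitrary choice.

```sql
-- 1. User databases whose data and log files are not protected by
--    Transparent Data Encryption (TDE).
SELECT d.name AS database_name,
       d.is_encrypted,
       k.encryption_state,   -- 3 = encrypted; NULL = no encryption key exists
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4      -- skip master, tempdb, model and msdb
  AND ISNULL(k.encryption_state, 0) <> 3
ORDER BY d.name;

-- 2. Backups finished in the last 90 days (assumed window) that were taken
--    without backup encryption, from databases that are not TDE-encrypted.
--    Caveat: is_encrypted is the database's state now, not at backup time.
SELECT b.database_name,
       b.backup_finish_date,
       b.type AS backup_type, -- D = full, I = differential, L = log
       m.physical_device_name -- where the readable backup file was written
FROM msdb.dbo.backupset AS b
JOIN msdb.dbo.backupmediafamily AS m
       ON m.media_set_id = b.media_set_id
LEFT JOIN sys.databases AS d
       ON d.name = b.database_name
WHERE b.key_algorithm IS NULL           -- no BACKUP ... WITH ENCRYPTION
  AND ISNULL(d.is_encrypted, 0) = 0     -- and no TDE on the source database
  AND b.backup_finish_date >= DATEADD(DAY, -90, SYSDATETIME())
ORDER BY b.backup_finish_date DESC;
```

Every row returned is a file that anyone holding the disk or the backup media can attach or restore on their own instance and read.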