[Faccus] [Sec-wg] Hard drive degausser

Colin Bell colin.bell at uwaterloo.ca
Tue Jan 31 13:25:44 EST 2012

Comments below.

On 2012-01-31, at 12:09 PM, Robyn Landers wrote:

>> As for RAID, unless that drive was from a single array using RAID 1, the 
>> data on it shouldn't be readable by another system, RAID or non-RAID.
> I dunno.  RAID-5 stripes chunks of files across the disks.
> If someone is going to do block by block raw extraction
> off a former RAID disk they get their hands on, they could get
> the occasional hunk of a file that has Policy 8 "Confidential" data.
> Do I think it is a meaningful risk?  No.   But I'm concerned about
> where this policy seems to be leading.

My initial message where I specified 'Confidential' information was to encapsulate 'Restricted' and 'Highly Restricted' information (w/ handling as dictated in Policy 8).  The statements do not necessarily apply to ALL 'Confidential' information… applying statements to specific information (not clearly 'Restricted' or 'Highly Restricted') is left as an exercise for Information Stewards as it is their responsibility.

There is no way, in general, to specify how to handle information that sits in the grey area that is 'Confidential' (supplied in confidence) but not 'Restricted' or 'Highly Restricted.'  As Jason said, it gets complicated in storage environments that are 'mixed usage.'  My statement to, "encrypt all 'Confidential' information", is a hard + fast (+ easy) approach to remove any doubt.  If all the information is encrypted you've got nothing to worry about. 

"Do I think it is a meaningful risk?  No." <-- Unfortunately, as many of us are acting as Information Custodians, deciding on the level of risk that is acceptable is NOT our responsibility.  Yes, we inform the Stewards from an operational perspective about the costs of maintaining 'physical and logical controls'… but the decision about acceptable risk is not ours to make.

"""
From uWaterloo Policy 8

Information Steward
An Information Steward is responsible for the following:

• Applying a security classification to information using the classification scheme defined in this policy.
• Determining the risk tolerance to threats that affect information security.
"""

This is not a policy-- it is a simple rule that people in Carlo's position could apply in the future.  If you want to avoid questions w.r.t. returning drives for warranty service, encrypt them.  Also note, "we are still evaluating this situation."  :-)

As Matt suggested (and through Jason), we will ask other institutions.  As Jason also said, this is a discussion that should be elevated to higher levels (UCIST/CTSC).  The policies of these various firms (and their contractual obligations to us) will be the deciding factor in how we deal with drives and warranty service.  IST-ISS will work to clarify all of this going forward.

For now, I'll reiterate, if you want to avoid any questions regarding information on dead hard drives simply encrypt any "Confidential" information.  This isn't a policy statement-- it is a factual statement.  "Encrypt all the things" and you'll have no concerns.  Can't "encrypt all the things?"-- then the applicable Information Steward will have some decisions to make (and some risks to assume).

Hope that helps clarify where I was coming from.

Colin Bell, Systems Integration Specialist, IST
Information Security Services, University of Waterloo
+1-519-888-4567 x31245 / colin.bell at uwaterloo.ca
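
The RAID-5 point quoted above, worked through as an added illustration (not part of the original message or any uWaterloo tooling): a toy rotating-parity layout showing how much of a file is readable in the clear from a single member disk. The chunk size, disk count, parity rotation and sample records are all constructed assumptions.

```python
import re

CHUNK = 64    # bytes per stripe unit (assumed; real arrays use e.g. 64 KiB)
NDISKS = 5    # 4 data chunks + 1 rotating parity chunk per stripe (assumed)
RECORD = re.compile(rb"REC\d{4}:SECRET;")   # constructed sample record format

def xor_chunks(chunks):
    """Parity chunk: byte-wise XOR of all data chunks in the stripe."""
    out = bytearray(CHUNK)
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)

def raid5_layout(data, ndisks=NDISKS):
    """Split data into stripes and return one raw byte image per member disk."""
    disks = [bytearray() for _ in range(ndisks)]
    per_stripe = CHUNK * (ndisks - 1)
    data += b"\0" * (-len(data) % per_stripe)        # pad the last stripe
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        parity_disk = (ndisks - 1 - s) % ndisks      # parity rotates per stripe
        remaining = iter(chunks)
        for d in range(ndisks):
            disks[d] += xor_chunks(chunks) if d == parity_disk else next(remaining)
    return [bytes(d) for d in disks]

def records_on_member(image):
    """Whole records readable from ONE member disk, with no array metadata."""
    return RECORD.findall(image)

def sample_file(n=80):
    """Constructed stand-in for a file of classified records (not real data)."""
    return b"".join(b"REC%04d:SECRET;\n" % i for i in range(n))

if __name__ == "__main__":
    images = raid5_layout(sample_file())
    for d, img in enumerate(images):
        found = records_on_member(img)
        print(f"disk {d}: {len(found)} of 80 records readable in the clear")
```

In this layout every member holds whole stripe units as plaintext, so one fifth of the records survive on any single drive; only the parity chunk is unreadable on its own.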
