Hard drive retention

It’s a story that has been repeated many times: You buy a shiny new storage system… and it is beautiful.

Then… a disk fails, which takes just the tiniest bit of shine off.

No problem, you declare! You place a service call and the disk is replaced. So far so good.

But then, as the vendor service representative is walking out the door, it suddenly occurs to you… hey, that person is taking away the failed disk. Doesn’t that disk have my data on it?

Good question!

The short answer is that unless you have purchased self-encrypting drives or are encrypting your data prior to writing it, that failed drive will almost certainly contain some readable data. How readable will depend on the product. If the disk contains de-duplicated, compressed data, it would present a great (but I suppose not insurmountable) challenge to any would-be data snooper. But a failed disk removed from a standard RAID array would contain data in sequential chunks (that are perhaps 256 KB in size). Whether that would be useful is another question.
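To make the RAID point concrete, here is an added example (not part of the original post) that stripes constructed records across four simulated disks in 256 KB chunks and counts how many complete records survive on one member, with and without encryption before writing. The 100-byte record format, the parity-free layout, the disk count and the SHA-256 stand-in cipher are all assumptions chosen for illustration.

```python
import hashlib

CHUNK = 256 * 1024   # stripe unit; the post says "perhaps 256 KB"
REC_LEN = 100        # constructed fixed-length record size (assumption)

def make_records(n: int) -> bytes:
    """Constructed sample data: n fake customer records of REC_LEN bytes each."""
    rows = (f"CUST-{i:08d};name=Constructed Person {i:05d};note=".ljust(REC_LEN - 1, ".") + "\n"
            for i in range(n))
    return "".join(rows).encode("ascii")

def stripe(data: bytes, disks: int, chunk: int = CHUNK) -> list[bytes]:
    """Simplified striping without parity: chunk k lands on disk k % disks."""
    members = [bytearray() for _ in range(disks)]
    for k, off in enumerate(range(0, len(data), chunk)):
        members[k % disks] += data[off:off + chunk]
    return [bytes(m) for m in members]

def encrypt_before_write(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the demo needs no third-party
    library; real deployments use self-encrypting drives or vetted AES, not this."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def intact_records(member: bytes) -> int:
    """Count complete, well-formed records that can be read from one member disk alone."""
    count, pos = 0, member.find(b"CUST-")
    while pos != -1:
        rec = member[pos:pos + REC_LEN]
        if len(rec) == REC_LEN and rec.endswith(b"\n") and rec.count(b"\n") == 1:
            count += 1
        pos = member.find(b"CUST-", pos + 1)
    return count

def demo(n: int = 20000, disks: int = 4) -> tuple[int, int]:
    """Return intact records on 'failed' disk 0: (plaintext array, encrypted-before-write)."""
    data = make_records(n)
    plain = stripe(data, disks)[0]
    enc = stripe(encrypt_before_write(data, b"constructed-demo-key"), disks)[0]
    return intact_records(plain), intact_records(enc)

if __name__ == "__main__":
    p, e = demo()
    print(f"disk 0 of 4, plaintext: {p} of 20000 records readable; encrypted: {e}")
```

With these assumptions, roughly a quarter of the records sit whole on the single member when the data was written in the clear, and none are recognisable when it was encrypted first.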

So what to do?

First up, every responsible vendor takes great pains to ensure failed hard drives are not simply thrown in the dumpster or sold in job lots. As RailCorp in Australia found out the hard way (when they started selling off the media they had in the lost and found department), not controlling media with client data is a very bad idea. Instead, responsible vendors usually return failed drives either to the original manufacturer (to get a warranty rebate) or to a reutilization center (either their own, or a third-party). In either case, there is a financial benefit to them to do this. The shipment will be done in a secure fashion and any disk drive that can be repaired will be thoroughly wiped. If not, it will be securely destroyed. Again, all the major vendors should be able to produce a policy document explaining how this is done. For the majority of clients out there, I personally think this is good enough.

But what if you don’t think this is good enough? What if your data is way too sensitive to take any risks?

Simple answer: Keep the failed disks.

A quick Google search came up with lots of easy-to-find programs from most major storage vendors. Just search for something like disk retention service (retention is the key word here). Here are some examples:

The only fly in the ointment is that these services are generally not free… and if you realize this only after the first drive has failed, you may find yourself negotiating with your vendor on price, well after the main purchase is complete. The only exception I have found so far is that IBM Australia lets you retain failed drives for free, provided the machine is covered by a Service Pac.

Of course, maybe you knew this already and have always retained failed drives, but now your storeroom is slowly filling with failed disks. Now what? Well, I do not suggest you do this, but I sure laughed while watching it (sorry if there is an advertisement beforehand):

Instead, do a Google search for secure hard disk shredding or secure hard disk recycling. Examples I found in Australia very quickly (I have not contacted or dealt with either of these) included this one and this one. I am sure there are plenty of choices out there.

About Anthony Vandewerdt

I am an IT Professional who lives and works in Melbourne Australia. This blog is totally my own work. It does not represent the views of any corporation. Constructive and useful comments are very very welcome.
This entry was posted in advice, IBM, IBM Storage, SAN.

6 Responses to Hard drive retention

  1. Loved the video, very funny take on a serious issue

  2. Paul Sorrentino says:

    Any idea what NetApp’s policy is?

  3. Fabian says:

    “it would present a great (but I suppose not insurmountable) challenge to any would be data snooper.”
    Anthony, I seem to recall “obfuscate” being a significant word here ;-)

    • I cannot imagine any of the normal data recovery players being able to do much with dedup/compressed data without knowing both what device it came from and what the software architecture of that device is. Is it possible? Of course. Is it likely? No, the data would be very close to garbage on first pass.

  4. I have the same question as Paul... any NetApp alternative?
