• Home

  • Documents

  • Erasure Method for Mobile Devices - Understanding the Options by Type of Device - IT Asset...
3
1/21/2016 Erasure Method for Mobile Devices Understanding the Options by Type of Device IT Asset Knowledgebase http://itak.iaitam.org/erasuremethodformobiledevicesunderstandingtheoptionsbytypeofdevice/ 1/3 Erasure Method for Mobile Devices – Understanding the Options by Type of Device in Disposal Management April 26, 2015 By Ryan Laber & Steve Manalac, Arrow Value Recovery The proliferation of smartphones and tablets within the enterprise is prompting many asset managers and other IT professionals to examine their data destruction strategy. According to a recent Gartner report, by 2017 the majority of endpoint data breaches will shift from personal computing to smartphones and tablets. Of those breaches, 75% will come from mobile application misconfiguration. This will challenge the reliance on remote, applicationbased erasure strategies used by many today. Selecting the right data destruction approach depends on your organization’s aversion to risk, the technology you deploy and the resources at your disposal. In this article, we’ll offer key considerations that should inform your decisionmaking and assist in the pursuit of the best solution for your enterprise. Evaluating Risk Levels Risk assessment methods offered by the National Institute of Standards and Technology (NIST) have not changed in recent years, but data erasure recommendations for mobile devices have received a needed revision. For those unfamiliar with the risk categories identified by NIST, a review of Special Publication 80053, Security and Privacy Controls for Federal Information Systems and Organizations, will offer data categorization based on the impact of its breach. The risk categories assigned by a risk level of low, medium and high can be leveraged in policy making throughout the management and disposal of databearing assets. Erasure methodologies have recently been updated with the completion of the first revision to NIST 80088, Guidelines for Media Sanitization. Published in December 2014, this revision includes protocols for mobile devices and offers organizations technical criteria for erasure utilities. Since the technique applied to mobile devices is different from standard magnetic overwriting to hard drives, enterprises should consider incorporating the specifications into policies, documentation, contracts and training for both internal use and that of vendors. Destruction Methods Due to the lack of standardization between mobile devices, what may seem a standard approach to erasure can render significantly different results. For example, hardresetting an iOS device cryptographically removes keys that decipher data. But for Android devices, a hard reset may only reset settings and leave user data readable. Mobile device management (MDM) vendors, encryption, hardresetting, cloudbased application hosting and devicelocking each have their strengths and weaknesses. Adding to the complexity are Bring Your Own Device (BYOD) policies and user environments that allow differing operating systems with dozens of version releases. When selecting a destruction method, it’s worthwhile to understand what happens to the device with each approach. Reset Settings This feature will return all device settings back to the factory defaults but retain all user data. Settings include wallpaper, ringtones, fonts and other user preferences. Any information recorded to the unit, such as photos, texts and emails, will remain. This approach does not typically destroy user data. Hard Reset The term “hard reset” is not strictly interchangeable among the various operating systems. For Apple devices, the “Erase All Content and Settings” option implements a cryptographic erase that overwrites

Erasure Method for Mobile Devices - Understanding the Options by Type of Device - IT Asset Knowledgebase

Embed Size (px)

DESCRIPTION

Erasure Method for Mobile Devices - Understanding the Options by Type of Device

Citation preview

Page 1: Erasure Method for Mobile Devices - Understanding the Options by Type of Device - IT Asset Knowledgebase

1/21/2016 Erasure Method for Mobile Devices ­ Understanding the Options by Type of Device ­ IT Asset Knowledgebase

http://itak.iaitam.org/erasure­method­for­mobile­devices­understanding­the­options­by­type­of­device/ 1/3

Erasure Method for Mobile Devices – Understandingthe Options by Type of Devicein Disposal Management  April 26, 2015

By Ryan Laber & Steve Manalac, Arrow Value Recovery

The proliferation of smartphones and tablets within the enterprise is prompting many asset managers and otherIT professionals to examine their data destruction strategy.  According to a recent Gartner report, by 2017 themajority of end­point data breaches will shift from personal computing to smartphones and tablets. Of thosebreaches, 75% will come from mobile application misconfiguration.  This will challenge the reliance on remote,application­based erasure strategies used by many today.

Selecting the right data destruction approach depends on your organization’s aversion to risk, the technology youdeploy and the resources at your disposal.  In this article, we’ll offer key considerations that should inform yourdecision­making and assist in the pursuit of the best solution for your enterprise.

Evaluating Risk Levels

Risk assessment methods offered by the National Institute of Standards and Technology (NIST) have not changedin recent years, but data erasure recommendations for mobile devices have received a needed revision.  For thoseunfamiliar with the risk categories identified by NIST, a review of Special Publication 800­53, Security and PrivacyControls for Federal Information Systems and Organizations, will offer data categorization based on the impact ofits breach.  The risk categories assigned by a risk level of low, medium and high can be leveraged in policy­making throughout the management and disposal of data­bearing assets.

Erasure methodologies have recently been updated with the completion of the first revision to NIST 800­88,Guidelines for Media Sanitization.  Published in December 2014, this revision includes protocols for mobile devicesand offers organizations technical criteria for erasure utilities.  Since the technique applied to mobile devices isdifferent from standard magnetic overwriting to hard drives, enterprises should consider incorporating thespecifications into policies, documentation, contracts and training for both internal use and that of vendors.

Destruction Methods

Due to the lack of standardization between mobile devices, what may seem a standard approach to erasure canrender significantly different results.  For example, hard­resetting an iOS device cryptographically removes keysthat decipher data.  But for Android devices, a hard reset may only reset settings and leave user data readable. Mobile device management (MDM) vendors, encryption, hard­resetting, cloud­based application hosting anddevice­locking each have their strengths and weaknesses.    Adding to the complexity are Bring Your Own Device(BYOD) policies and user environments that allow differing operating systems with dozens of version releases. When selecting a destruction method, it’s worthwhile to understand what happens to the device with eachapproach.

Reset Settings

This feature will return all device settings back to the factory defaults but retain all user data.  Settings includewallpaper, ringtones, fonts and other user preferences.  Any information recorded to the unit, such as photos,texts and emails, will remain. This approach does not typically destroy user data.

Hard Reset

The term “hard reset” is not strictly interchangeable among the various operating systems.

For Apple devices, the “Erase All Content and Settings” option implements a cryptographic erase that overwrites

http://itak.iaitam.org/disposal-management/
Page 2: Erasure Method for Mobile Devices - Understanding the Options by Type of Device - IT Asset Knowledgebase

1/21/2016 Erasure Method for Mobile Devices ­ Understanding the Options by Type of Device ­ IT Asset Knowledgebase

http://itak.iaitam.org/erasure­method­for­mobile­devices­understanding­the­options­by­type­of­device/ 2/3

the encryption key with a new one and forces the device to download and install the latest firmware.  Althoughthe data remains on the device, it’s encrypted.  Third­party tools may be used to overwrite addressable areas forfurther security.

For BlackBerry devices, the “Security Wipe” option overwrites all user data.  Additionally, if “ContentProtection/Encryption” is enabled, the device performs a scrub of the BlackBerry device memory.

For Android devices, the “Factory Data Reset” option typically resets all settings and removes all file pointers.  Thedata is not usually overwritten.  While later versions of the Android operating system support encryption, some donot enable it by default.  The dozens of makes and models that carry the Android O/S make systematic encryptionand erasure difficult to implement consistently.  Some independent data erasure utilities have dedicatedengineering teams to design software that can address each make and model, but careful screening should beundertaken to ensure each of your device types have been researched properly.

For Windows devices, the “Reset Your Phone” option clears all settings and overwrites user data.  Most Windowsdevices cannot be encrypted natively on the device.  Like Android, there are different manufacturers, each withdifferent limitations and capabilities, which makes the results of this reset dependent on the device.

It’s also worth noting that each of these methods requires the device to complete the reset process.  Commonissues include insufficient battery life, poor connectivity for firmware updates, competing third­party applicationsand user error.

MDM and EMM

MDM and enterprise mobility management (EMM) are terms given to the general administration of mobile phonesand tablets, including business software applications and security policies. MDM is now considered a part of theoverall EMM environment. To manage data, an application is downloaded to the device that installs policies andprofiles that are managed by a central server. A common service of the EMM is “containerization” of confidentialdata. The container records information using an encryption key that, once removed, makes the recovery of datavery difficult. Savvy users may find methods to store data outside the container, and policies should be designedto limit this activity.

Device Lock

As mobile device theft grows, locking features have risen in popularity.  The most common is the “Find MyiPhone” (FMiP) security feature from Apple.  It enables users to identify the location of their mobile device in theevent that it is lost or stolen.  FMiP also gives one the ability to remotely erase the device, prompt an alternatephone number to contact if lost, and make an audible sound if lost in your home or office.  The feature uses GPS,Wi­Fi and carrier data to identify the location and perform remote actions.  It is integrated into iOS 7 and 8 andcan be turned off or on.  If enabled, the user can log in to the iCloud website via any device to track and issuecommands. If FMiP is enabled, it cannot be unlocked for use without the original password.  Not only does thispose a deterrent to theft, but it also significantly impacts the unit’s secondary market value.

Connectivity Considerations

Since mobile devices can maintain cellular and Wi­Fi connectivity, they carry additional risks during disposal.

Activation Check

Occasionally devices are retired with a service plan that remains active.  This most commonly occurs on tabletswhose cellular connection is managed by a corporate office versus a smartphone line which typically transfers to auser’s new phone.  Until the service is canceled, organizations may pay for unused lines.  An activation check, bythe organization or its disposition provider, can catch these active lines so they may be terminated.

Cloud Sync

Page 3: Erasure Method for Mobile Devices - Understanding the Options by Type of Device - IT Asset Knowledgebase

1/21/2016 Erasure Method for Mobile Devices ­ Understanding the Options by Type of Device ­ IT Asset Knowledgebase

http://itak.iaitam.org/erasure­method­for­mobile­devices­understanding­the­options­by­type­of­device/ 3/3

Many devices are enabled with a cloud­syncing feature that backs up user data.  If the cloud­sync profile is notremoved from the device, data may be pushed back onto the unit after its retirement.  When sync profiles havenot been terminated, these devices pose a data security risk even if erasure has been attempted.

An Auditable, Documented Process

Much like other data­bearing technology, mobile device disposition should follow an auditable, documentedprocess of data destruction.  There are far too many stories of employees leaving retired devices unattended,stolen equipment or inappropriate trashing of hardware by disreputable vendors.  Either your staff needs to followa process of risk assessment, method selection and documentation, or your disposition vendor should becontracted to do so.


T1: Erasure Codes for Storage Applicationsssiewert/a490dmis_doc/papers/Erasure-C… · 1 T1: Erasure Codes for Storage Applications James S. Plank Associate Professor Department of

T1: Erasure Codes for Storage Applicationsssiewert/a490dmis_doc/papers/Erasure-C… · 1 T1: Erasure Codes for Storage Applications James S. Plank Associate Professor Department of

Documents
CaliVita Knowledgebase romanian version

CaliVita Knowledgebase romanian version

Education
Knowledgebase Issue9 Lq

Knowledgebase Issue9 Lq

Documents
Mike Rosen - Erasure

Mike Rosen - Erasure

Documents
Efficient Erasure Correting Codes

Efficient Erasure Correting Codes

Documents
Sedimentary Stuctures Knowledgebase

Sedimentary Stuctures Knowledgebase

Documents
The Phenoscape Knowledgebase

The Phenoscape Knowledgebase

Education
Addition, Erasure, and Adaptation: Interventions in the ...vidyadehejia.com/wp...Davis-Addition-Erasure-2010.pdfAddition, Erasure, and Adaptation: Interventions in the Rock-Cut Monuments

Addition, Erasure, and Adaptation: Interventions in the ...vidyadehejia.com/wp...Davis-Addition-Erasure-2010.pdfAddition, Erasure, and Adaptation: Interventions in the Rock-Cut Monuments

Documents
CaliVita KnowledgeBase presentation

CaliVita KnowledgeBase presentation

Education
Reactome a pathways knowledgebase

Reactome a pathways knowledgebase

Documents
PHP Knowledgebase

PHP Knowledgebase

Documents
Introduction To Knowledgebase

Introduction To Knowledgebase

Documents
CaliVita Knowledgebase polish verson

CaliVita Knowledgebase polish verson

Education
Quick Faq - Erasure Coding

Quick Faq - Erasure Coding

Data & Analytics
Electrostatic Precipitator KnowledgeBase

Electrostatic Precipitator KnowledgeBase

Documents
ERASURE CODING AND CACHE TIERING - SNIA · – OpenStack, CloudStack, Nebula, Ganeti, Proxmox ... ERASURE CODING OBJECT REPLICATED POOL CEPH STORAGE CLUSTER ERASURE CODED POOL CEPH

ERASURE CODING AND CACHE TIERING - SNIA · – OpenStack, CloudStack, Nebula, Ganeti, Proxmox ... ERASURE CODING OBJECT REPLICATED POOL CEPH STORAGE CLUSTER ERASURE CODED POOL CEPH

Documents
Extracting knowledgebase from text

Extracting knowledgebase from text

Data & Analytics
Heather L. Johnson . Erasure

Heather L. Johnson . Erasure

Documents
KnowledgeBase Article 2069

KnowledgeBase Article 2069

Documents
Knowledgebase Installation Faq

Knowledgebase Installation Faq

Documents
Building Research Information Knowledgebase

Building Research Information Knowledgebase

Documents
CaliVita Knowledgebase serbian version

CaliVita Knowledgebase serbian version

Education
Erasure codes fast 2012

Erasure codes fast 2012

Documents
Erasure Coding and Tiering

Erasure Coding and Tiering

Technology
“The Erasure of Traces"

“The Erasure of Traces"

Documents
Erasure Always Sheet Music

Erasure Always Sheet Music

Documents
iProClass Protein Knowledgebase

iProClass Protein Knowledgebase

Documents
Erasure in Art - Destructio

Erasure in Art - Destructio

Documents
Owl Intranet Knowledgebase

Owl Intranet Knowledgebase

Documents
Ag Leader Technology Knowledgebase

Ag Leader Technology Knowledgebase

Documents