“Our role is to help companies be more strategic about the data they migrate from on-prem to the cloud, and we help businesses securely dispose of ROT data they no longer need to keep for legal, regulatory, or financial reasons.”
Hi, welcome to our Interview Series. Please tell us a little bit about your role and responsibilities at Blancco.
I’m chief technology officer at Blancco, which provides data erasure and mobile lifecycle solutions. This includes solutions for IT asset disposition service providers and enterprise companies, including those in highly regulated industries. My primary goal is to guide the strategic development and launch of highly efficient, trustworthy B2B software solutions that help customers eliminate data completely and thoroughly, no matter where it lives. It’s a role that allows me to stay in close collaboration with stakeholders, including the executive team, board of directors, and customers, as well as sales and marketing teams, to continually improve on our products, and communicate their value throughout the company and to potential customers.
CIOs are increasingly looking at real-time solutions to manage data retention and data disposal. Could you please tell us the biggest challenges in IT data lifecycle management?
That’s a great question. While the worst of the pandemic is behind us, I believe one of the biggest challenges in data lifecycle management is Covid-19-related. Enterprises are dealing with the aftereffects of the global pandemic and its impact on their IT infrastructures. The world changed in March 2020, and many businesses immediately went to a remote working model. Three years later, and organizations are thinking about what the return to normal might look like. They’re either considering going back to a pre-pandemic 9-5 office model or whether they want to continue to provide employees with the flexibility of a hybrid approach, splitting their time between the home office and the corporate office.
But from an IT asset and data lifecycle perspective, remote work raises concerns around device chain of custody, remote management, and the level of data security on those devices that are in the home — possibly being shared among family members. A good remote work IT policy also includes instituting user access controls on corporate devices being used at home, including “lock mode” so the device can’t be accessed if it’s been sitting unattended.
If an employee should leave the company, or no longer needs the laptop used at home, then what? Whether the used device is going back to the office to be recycled or reused, the chain of custody must be managed, and data erasure completed remotely before it’s dropped at the post office or into a FedEx box. These are basic IT management processes that can be set and monitored remotely.
How does Blancco accelerate cloud adoption in the healthcare and financial services industries?
There has certainly been an acceleration towards cloud adoption for several reasons, including the new remote workforce I mentioned previously. Two other big drivers of cloud migration include the inherent security of the major cloud provider platforms from AWS, Microsoft Azure, and Google Cloud Platform, as well as the lower cost of storing data in the cloud versus on-prem. At Blancco, it is our goal to partner with our customers to help them understand the data security implications of cloud adoption.
One thing is certain, the mass migration to the cloud predicted some years ago is well on its way and then some. This squares with our recent research report which found that 51% of the 1800 IT professionals working in financial services and healthcare we surveyed now host all data in the cloud.
Even though storing data in the cloud is more affordable, the fact is, 70-80% of corporate data is redundant, obsolete or trivial (ROT), which means businesses are holding onto data they not only don’t need, but that increases their data attack surface and sets them up for greater liability should they experience a breach.
Blancco’s role is to help companies be more strategic about the data they migrate from on-prem to the cloud. And we help businesses securely dispose of ROT data they no longer need to keep for legal, regulatory, or financial reasons. Classifying data prior to cloud migration is even more imperative for healthcare and financial services organizations because they operate in two of the most heavily regulated industries.
Once the classification process is complete, companies can destroy the data that’s deemed ROT and lessen their cloud data storage needs. After the right data is migrated, they can decommission the servers that stored the original data and that is now redundant. We make sure companies are supported throughout the migration process and educated on how to securely eradicate ROT data, as well as the data that’s left behind.
Please tell us more about managing EOL data on-premises and in cloud. How would accessing your report help CIOs achieve data security?
Managing data on-prem can appear to be simpler and more direct than in the cloud because of its proximity. With the cloud, the user no longer owns or maintains the infrastructure. While the cloud offers efficiencies at collecting and serving up data rapidly to users all over the world, it also presents data governance challenges when it comes to destroying data effectively and compliantly, and then generating certified proof of erasure.
The mass adoption of the cloud means organizations are having to change how they ascertain what end-of-life (EOL) data is, bringing with it uncertainty. Whether corporate data is on-prem or in the cloud, the data is still owned and managed by the organization and those policies must guide how EOL data is handled. No matter where it resides, the first step to managing EOL data is the discovery and data classification process that will identify the data that’s most important to the organization or that is ROT and no longer important.
Major cloud providers, whether it be AWS, Microsoft Azure, or Google, offer data security, encryption, etc., which is a plus. But it’s important CIOs ask their cloud providers to issue and manage a corroborated erasure trail. A true, verified erasure should be accompanied by a tamper-proof, audit-ready certificate of erasure to the cloud user so that they can prove compliance with data protection regulations.
So again, it’s a little bit different when you’re managing data on-prem and the IT team can perform the data sanitization and identify the drives and servers being sanitized. This disconnect was reflected in our recent survey, when respondents were asked about their cloud provider and its approach to EOL data: 60% of respondents said that their cloud provider handles EOL data for them; however, about 35% said they don’t trust their cloud provider to appropriately manage EOL data on their behalf.
Your advice to every CIO in the modern times on how to optimize their data management/EOL data security environments:
In the past, CIOs and enterprise companies had a mindset to just keep all data, whether it was created by the organization, or ingested from other sources. This “keep it all” mindset was born of the premise that the data might have value in the future. Much of this came out of the big data era where data could be interrogated to find more insights about the business and use it to make strategic decisions. As artificial intelligence continues to mature, that temptation is still there. However, once the data is analyzed, you should have a much better idea about what’s important to the organization, and what isn’t.
I would challenge CIOs to really understand the extent of the data that they’re collecting and to think about establishing a true data lifecycle management program. This includes establishing policies on how to handle data at the end of its useful life. There’s a good reason for this: more data equals a bigger attack surface, a larger surface to monitor, and greater points of vulnerability. There’s a couple of other reasons to rethink the data lifecycle: the more data you store in the cloud the more expensive it will be. Finally, there’s a real environmental cost to storing data in the cloud. Take what’s happening in Ireland for example. It’s estimated that by 2030, 30% of Ireland’s entire energy consumption will be from data centers.
I recommend truly understanding the data you’re storing and if you haven’t yet, think about risk-focused data lifecycle policies and how to action them. Do the work to classify the data by gleaning insights and adding metadata tags to certain types of data. Then take the next step of performing data sanitization to eradicate what’s no longer needed. These steps will foster improved cyber hygiene and a far more sustainable approach to data management.
Your favorite customer case study that you would like to share with our readers:
One case study that illustrates the importance of secure data erasure is a U.S. bank that was fined $60 million by the U.S. Office of the Controller of Currency in October 2020 for improperly disposing of personal data. Then, just last year, the same bank was fined an additional $35 million for failing to properly dispose of devices containing customer personally identifiable information (PII). The bank used a moving company to move the devices – which contained the PII of 15 million customers – out of their data center. However, some of these devices were then sold on a third-party auction website without going through the proper data sanitization processes, which put private customer information at risk of being stolen and sold on the dark web.
These fines confirm that today’s consumer privacy regulations have teeth and are being enforced. U.S. privacy regulations – including CPRA in California – stem from the GDPR, which the EU made law in 2018. In 2021, GDPR regulators fined companies more than $1.3 billion, up from $0.179 billion in 2020. It’s clear that companies worldwide must take data protection seriously or they could face the potential for hefty fines. Bottom line: there’s no more slipping under the radar; non-compliance with data privacy regulations is a risk companies should not wager, especially those in highly regulated industries.
Our report provides helpful information on data sanitization best practices that may be useful to CIOs who are creating data, as well as security and data privacy compliance policies. The report discusses permanent data removal and how it goes far beyond just deleting files, which simply removes the pointers to a file, folder, or location. To ensure that data is completely removed, data must be securely overwritten to a given industry standard and must also include verification and certification that the erasure has been successful.
We’re currently working with this bank to help them meet regulatory compliance through adherence to information lifecycle management (ILM) best practices, which includes the data sanitization of used IT assets at end-of-life. While companies may check all the boxes when it comes to data privacy compliance, compliance does not equal security as the bank case study illustrates. Cutting corners is not an option when it comes to data and IT assets at end of life.
If invited, would you like to be part of a podcast episode on CX and B2B SaaS?
Thanks for the opportunity to speak with you on this important topic. I’d be happy to join you on your podcast, looking forward to it!
Thank you, Russ! That was fun and we hope to see you back on cioinfluence.com soon.
As chief technology officer at Blancco Technology Group, Russ Ernst is responsible for defining, driving, and executing product strategy across the entire Blancco data erasure, device diagnostics, and mobile lifecycle solutions suite. Russ is a regular speaker at IT and data security industry conferences, where he addresses data lifecycle management, end-of-life IT management, and data sanitization best practices.
Blancco Technology Group, a carbon-neutral supplier, provides organizations with secure, compliant, and automated solutions that accelerate the transition to the circular economy. Each year, tens of millions of Blancco erasures allow top-tier organizations to protect end-of-life data against unauthorized access, safely redeploy data storage assets, and firmly comply with increased data protection and privacy requirements. Our precise device diagnostics help move used IT assets confidently into the circular economy, enabling enterprises, IT asset disposition (ITAD) vendors and recyclers, and mobile industry stakeholders to operate more sustainably.