Why Data Sanitization Across Remote Endpoints Matters

By: Neeraj Annachhatre | 11/9/2021 | 4 min read

The new Work-from-Anywhere environment is here to stay. For organizations, this work style shifts in-person work toward fully remote work or some sort of hybrid plan, while for employees, this has provided more flexibility. But from a security perspective, it’s important to consider the resulting increase in the number of endpoints operating off-network, making the jobs of IT and security administrators more difficult.

Of particular concern is the growing treasure trove of sensitive information, including personal, corporate (specifically intellectual property), and customer data that accumulates on an endpoint over time, heightening the organization’s overall data risk exposure. There may, of course, be legitimate reasons for employees to store sensitive files, but the residing data being stored is less secure than before due to the challenges associated with enforcing security policies across an off-network device environment. Absolute’s 2021 Endpoint Risk Report highlights some troubling statistics: 

  • 73% of devices contain sensitive data. The most culpable industries include financial services, professional services, and retail, at 81%, 81%, and 78% respectively. 
  • 17% of devices have 500+ instances of sensitive data. This represents a 10% gain over 2020. Again, financial services, professional services, and retail lead the way with 30%, 28%, and 23% respectively. 
  • 23% of devices with high levels of sensitive data have unhealthy encryption controls. 

Ensuring sensitive data is secure must be of paramount importance to any organization’s security practice, whether the goal is to build customer or client trust, comply with data regulations mandated through frameworks such as GDPR and HIPAA, or to simply prevent large scale incidents such as ransomware, which so often start at a vulnerable endpoint. Not doing so may lead to dire consequences, including penalties for compliance breaches or reputational damage impacting future business prospects.

Most organizations follow a few standard processes to ensure data risk exposure across their environment is below a reasonable threshold. These may include ensuring critical controls on the endpoint such as encryption and anti-malware are up and running, as well as erasing files as part of regular device decommissioning or when employees or contractors leave the organization. In an education setting, school districts may require that data be erased from 1:1 devices once they are reclaimed from students at the end of each school year. Furthermore, IT and security teams also need the ability to quickly respond to a situation of heightened risk whenever a vulnerable endpoint is lost or stolen to ensure sensitive data is not compromised.

As part of the Absolute 7.18 product release, we have made significant enhancements to our Device Wipe and File Delete capabilities, giving organizations the ability to streamline data sanitization across their devices. The new Device Wipe workflow allows Absolute administrators to securely wipe devices across a group of endpoints, regardless of the device’s encryption status. An IT admin may, for example, need to wipe a group of 50 encrypted and unencrypted end-of-life devices as part of a yearly decommissioning process. Once the devices are selected through any custom device report, they can choose to initiate a Device Wipe request through the Absolute Console.

Device Wipe leverages two separate erasure methods – ‘Cryptographic Erase’ and a ‘Delete All’ function. Cryptographic Erase works on encrypted devices by replacing the device’s intermediate encryption key to ensure the data residing on the endpoint is irretrievable. Delete All, on the other hand, can function on both encrypted and unencrypted devices by deleting all non-operating system and user data. A user can then view the request’s status across the selected devices and access a certificate of sanitization or erasure log once the action is completed successfully. This is particularly helpful to use as proof during internal or external audits.

If users just need to delete a specific file or directory instead of wiping an entire drive, they can achieve this through Absolute’s File Delete action. As it does for Device Wipe, this release also includes an updated experience for File Delete, simplifying the process for users to select devices, select specific files they would like to delete, and to run the action. In addition, they can choose to delete files across devices in bulk by uploading a file containing a set of device names. Once the request is completed, users can access an erasure log, proving that the action was executed successfully.

 

A key differentiator for both Device Wipe and File Delete is that both actions leverage erasure methods that comply with the National Institute for Standards and Technology (NIST) Special Publication 800-88, which outlines best practices in media sanitization. Both the Device Wipe and File Delete actions are available through Absolute Control™ or Absolute Resilience™ .

To learn more about these and other capabilities available with the Absolute 7.18 release, check out the release landing page and release notes

 

 

Financial Services