Hello everyone and welcome to our first EDW session of the day, called Legislation Labyrinth: Navigating Global Privacy Laws Along the Asset Life Cycle, which will be presented by Frederick Forslund, the Vice President, Enterprise and Cloud Erasure Solutions at Blancco. Audience members are needed during these sessions, so please submit your questions in the Q&A window on the right-hand side of your screen, and our speaker will respond to as many questions as possible at the end of the talk. Please note that there is a linked form at the bottom of the page titled EDW Conference Session Survey. This is where you can submit session feedback, and we encourage you to do so. If you can't see the slides, we're going to be getting those updated shortly; just keep hitting the refresh button and those will appear at the bottom of the page. So let's begin our presentation now. Thank you and welcome, Frederick.

Thank you very much, Shannon, and very good pronunciation there on my name. As you can see from the backdrop here and from my accent, I am connecting from Sweden. So you have 40 minutes of Swedish accent to look forward to as we navigate today's topic. We'll make sure to break after 40 minutes and take any Q&A that might have come in. And the aim today is to make sure that you understand the basics of data sanitization. I'll position this in where we are today, where we see new patterns in the way we work and handle our infrastructure. I will take that insight into sharing some innovation that we have seen in the marketplace over the last one-plus year, and then we will end with a very important topic and explain how sustainability relates to today's topic. So with that said, let's dive in together and start by defining data sanitization. Data end of life is a good way of thinking about this topic. If we look at Gartner's definition, it is about the process of completely removing all data. How can we achieve this? Why do we want to achieve it? We want to be compliant.
We want to make sure we have an audit trail, that we have control over this topic. And how do we achieve it? Well, we come to a crossroads, basically. If we turn left at this crossroads, we are actually destroying the storage media itself to protect the information. The other turn, if we go to the right, we are using different software options: cryptographic erasure, data erasure, which are all part of software solutions in the market today, where we can make sure that there's absolutely no data left. It's the same high level of security if you do a proper destruction as if you do a proper software process, and that is how you achieve the data sanitization. So that's the definition I want you to stand on for the rest of the talk. And then a first question. How mature do we think that this topic or area is in the market today? Well, from time to time we're testing this. How is the maturity? This is an example where we contacted different eBay sites with professional sellers selling hardware equipment, where all sellers guaranteed that the equipment was free from data, and bought 159 drives, a combination of SSDs and HDDs. Sensitive data was found on 66 of these, and that was only using very quick software-based analysis. 25 of those drives had personally identifiable information, which means that depending on your jurisdiction you are in breach of data privacy laws. And as we know today, those fines can be quite hefty. So the conclusion is that there's still a lot of immaturity in this segment of cyber security and data protection. Gartner is telling us that we have reached somewhere just over 30% and are aiming towards 50% of market penetration within the next few years. So there's still a lot of work to do. So it's quite a big audience here today. All of you that are listening in, please help me spread the awareness on this topic. It's absolutely critical that as many people as possible understand this area well, especially the way we see legislation and requirements developing.
So a quick story from a news channel where they did a report on this, where they went out and asked people if they thought that it was enough to reformat an old drive, which could be the reason why we saw the eBay drives keeping information to the level that we just shared. They did a survey around this news report and concluded that two in three people believe that that is sufficient. When you have information from a seller that it has been reformatted, it is easy to do a quick test. You take it to someone that can download forensic software that can quickly scan the drive for any patterns and quickly turn that into data that can be read. And from this quick news flash that they did, they found compromising photos, passport information, very sensitive work files including blueprints, and once again: awareness, awareness, awareness about what are good and what are bad processes. The journalist concluded that you could use software overwriting but also that you had the physical destruction options. And if we go into a little bit more detail there, you have both degaussing as well as physically destroying a drive. And let's talk a little bit more about that. First of all, some summary statistics. When we did a survey amongst large global companies, more than 5,000 employees, a very big sample of companies around the world from large industry verticals was covered. 36% of everyone was using either formatting or inadequate free software that leaves data behind, using some sort of destruction process but with a complete lack of audit trail or control, or maybe your own home-baked overwriting but not including any verification or testing that this had been done correctly. 4% had no methods in place at all. So the collective data tells us that over a third had no good processes in place. So that rhymes with the Gartner information that there's still a lot of work to do here. Usually the larger enterprises are the most educated here, but there's still a lot of work left.
So let's talk about physical destruction. What you see here is a sample of a degausser; that is a huge magnet. If you put a drive inside it, it will issue a magnetic pulse; that pulse will render any kind of magnetically stored data unreadable, but it will also destroy the drive, so you can't reuse it after the degaussing. If you are using degaussing, you should also be collecting the serial numbers so that you have an audit trail and a track, and you should never put an SSD drive in a degausser, because what is the difference between SSD and HDD? Well, completely different storage technologies. So the SSD drive will actually maintain all data completely intact even after a degaussing session. So make sure that you separate HDD and SSD when you are designing a good process. Physical destruction of drives, if you do it according to requirements and recommendations from the NSA, for example: for HDD you need to shred down to six millimeter size to be able to reach the highest level of security. For an SSD, you need to grind it down or incinerate it down to two to three millimeter size to be a hundred percent certain that you cannot find pieces big enough that can contain significant data that can actually be quite easily recovered if you have access to a lab. So if you are physically destroying, these are the standards that you need to reach. A short summary of what the software industry can provide today. Basically anything with a hard drive can be erased using software. But also the industry requirements have grown. I've been in the industry for 20 years, and I've seen this from IBM-compatible Windows desktops 20-plus years ago to today, where you need to be able to target smartphones, tablets, laptops, desktops, servers, storage equipment, very advanced drives that are used by high-end storage solutions. You have to be able to go into virtual environments and target virtual machines. You have to be able to target logical volumes.
You have to be able to go into the cloud and target data using certain erasure processes. You have to be able to look at SD cards and USB sticks. And most of all, when doing an erasure process based on software, you should always make sure that you're getting an audit track and audit trail as well as a verification built into that software process. So that's 20 years of development in 20 seconds for you. And one thing that has really helped to advance this industry is that there's a number of different certifications and approvals available. Excuse me. That software companies and vendors can submit their solutions under and make sure that there are third-party verifications that this security process is actually 100% removing information and creating a correct audit trail. So the availability of these kinds of external tests and certifications has really advanced the industry to a more mature level. And if we go back to Gartner and try to see what has happened over the last five years, basically, Gartner is covering data sanitization in different technology hype cycles: the data security hype cycle, the data privacy hype cycle. And for everyone focusing in on the legislation labyrinth, the privacy hype cycle is really interesting to read. But the conclusion, as we see, is that in 2015 they started covering data sanitization, and that has actually been moving quite rapidly towards that slope where you get to maturity in the end. But the main conclusion from Gartner is that this is a C-level requirement that you need to be able to have under control. So a C-level requirement for all IT organizations. So as you are looking at your cybersecurity policies, talking about encryption, intrusion detection, data end of life through data sanitization is also one piece in that puzzle that you should plan to incorporate. So what have we seen on the regulation side of things? Well, when I got into this industry, there was one country in the world with data privacy legislation.
Today, we have a hundred plus. And since the launch of the GDPR in Europe a couple of years ago, we have seen a global trend where there have been adoption rates around the world of very similar legislation. If you look at privacy legislation, basically there are two things one needs to realize. You, as the data controller, need to take all the different safety measures and precautions to avoid data leaks. To make sure that there's not a data breach because of poor data management, because of poor asset management, for example, leaving data on a hard drive and losing control of that hard drive. But you also need to make sure that you have processes in place where there cannot be any misuse of personal data, i.e. that you are doing something with customers' data that you have not gotten their approval to do. So protecting the data and using it in the right way. Those are the two main pillars that privacy legislation around the world is resting on. In the US, we are seeing California taking the lead. The CCPA is something that comes up in a lot of different debates and different policy discussions over the last couple of years. We have seen enhancements to the CCPA being voted through. And we are seeing many other states following. So this is a strong trend also at state level. Another thing that we see at state level, and that you should be aware of, is that we have state-specific data disposal policies. And this is something that takes a little bit of time to get insight into and research. But this is important as you put your policies and processes together, to make sure that you understand what the state requirements are on top of potentially industry requirements and federal requirements, or global requirements if you're doing business in many different jurisdictions around the world. Let's move quickly to the leading guidelines. If you're interested in this topic, you want to understand how to protect data through data and online data sanitization.
There is a leading document that is being referred to in the global arena as well as in North America. And this is something that you should write down and then Google: NIST 800-88 Revision 1, which came out in December 2014 and has quickly become the go-to document for anything that has to do with data sanitization. So if you have a policy in your organization referring to anything else, like the Department of Defense erasure standard, that is something that has been around since the mid-90s. That means that you should revise policies. You should make sure to update and connect it to NIST 800-88 instead. There are a lot of good recommendations in this paper, and it's a recommended read for anyone interested in this topic. In the NIST document, you will find definitions of different security levels and how to deploy them within different enterprise use cases and processes. You will be able to read on different principles when it comes to secure processing of both magnetic storage as well as SSD storage. And that is probably the biggest claim to fame for the NIST document: that it covers that in great detail. There are several new initiatives going on in the marketplace. So I do believe that we will see updated publications that will have major impact, and you will also find the ability to certify your organization towards new ISO standards that are in drafting stage and will come out in the market shortly. So keep an eye on standards. I can recommend the International Data Sanitization Consortium, where I'm engaged myself, where we do a lot of work trying to monitor what's happening and sharing that insight with anyone that is interested. On top of that, if we just compare algorithms, we need to be aware that the DoD, as we mentioned, was developed early on only for magnetic; NIST clear and purge for both magnetic and SSD, with different methods for the underlying storage media.
NIST clear gives a very high level of security, but for the highest level of security, we refer to what we call NIST purge. So these are good basic terminologies that are excellent to include in policy documents, for example. I've also collected a number of key use cases for you to consider when you try to identify how your organization should look at this topic for data protection. How should we analyze our processes when trying to fit with legislation and getting through that labyrinth of different requirements? And you need to look at customer demand. You need to keep track of your employee onboarding and departures. You need to have very good control of your asset life cycles, i.e. equipment end of life. Whenever you are migrating in or out of the cloud, that is an absolutely key situation to monitor today. If you are running temporary data exercises, like a disaster recovery exercise with live data testing of systems, you should make sure that you have sanitization at the end of those processes. And then we have data retention, data end of life. And if you're a global organization and you're struggling with keeping track of what the different retention requirements are on us as an organization around the world, for different jurisdictions, for different functions within the company, HR, finance, etc., do reach out to me afterwards. I can give you very good recommendations on specialized software-as-a-service suppliers that have basically mapped all the legislation in the world looking for the correct data retention policies that you can map towards your own organizational needs. These are new initiatives and newborn companies, but with great value to add to any larger organization. So do reach out and I can point you in the right direction on how to solve that very complicated question, if you are a big organization: data retention policies. So from this summary picture into where are we sitting today?
Well, most of you are still sitting in home offices, just like myself. I'm in great company with my grandfather here on the wall behind me. He keeps me disciplined. But we need to be disciplined on how we handle data in our home offices as well. And being in the home office, we need to make sure that we're not putting ourselves out for social engineering attacks by posting pictures. We need to make sure that we are protecting the assets that we are using in that home office, and that we are connecting to our enterprise resources in the best possible way. So there's a lot to consider. And when we look around the world and find out about the compliance pressure that you are feeling around the home office equation, etc., that has severely gone up. And we're all feeling that pain. But on the other hand, we've seen a lot of good innovation happening as well. There are also good guidelines. NIST has another guideline, called 800-46, that can advise you on some security measures that are important for the home-working situation. When we think about how we're using cloud services, we also need to start thinking about how we characterize our data. We need to think about what's ROT data, redundant, obsolete, trivial: should this data be sitting in a cloud infrastructure or on-prem? Or is it something that we should get rid of in a secure way? We need to think about our infrastructure management as we're moving to the clouds. Are we sitting with redundant infrastructure? And how are we processing that infrastructure? What happens when we have data spillage and we're using cloud services from the home office or from on-prem? Another thing that we need to start putting processes in place to be able to handle. So these are good things to consider as we find ourselves in what many refer to as the new norm of working. So what kind of innovation are we seeing here? Well, there's a lot of good examples.
And when we talk about the specific topic of erasing data and achieving that data end of life, we have seen a lot of deployments of how this can be achieved remotely. How can we make sure to target desktops or servers that need to be replaced under a tech refresh program, for example? With skeleton crews, limited access to different areas, as well as scattered infrastructure, remote erasure processes have exploded during the last year. And what you should be aware of is that, a year into this situation, there are now very standardized methods, good examples of how this can be done. And we see global organizations doing this, including hundreds of different countries where IT assets are sitting under centralized management. So the key trend within the area: remote capabilities. I can give you one example from a hyperscaler. This is a hyperscaler in North America, where they had to decommission 4,000 servers overnight, but they did not have manpower in the data center. They could only do it through a central remote connection. So they actually made sure that they clustered up and networked all the different servers that needed the tech refresh. And in less than 10 hours, they were able to erase 4,000 servers, lived up to the NIST 800 standard, and were able to collect erasure reports from around 24,000 drives in total, that are ready for external audit or internal audit, for example. So the scalability that we have seen evolve over the last 12 months has been remarkable. Another key trend that I would like to highlight for you is integration. So what do I mean by integration? Well, for example, if you are using ServiceNow as your platform for asset management, of course, you would prefer to run workflows within ServiceNow to include sanitization of a selected laptop, or 100 desktops that are scheduled for replacement, or any kind of use case that you might come across within your organization. Today, we see these implementations fully mature.
Today, you can go on to the ServiceNow marketplace, for example, and find ready packages for sanitization, utilizing the ServiceNow platform, and easily integrate this into your existing routines and processes. So ServiceNow is one of those great examples. Another one that is growing quickly when it comes to asset management is Microsoft Intune, or device management within the Microsoft ecosystem. And the same thing here. We see a number of large global organizations that are falling back on Intune to manage endpoints and include into that management platform also the capability of performing certified, auditable end-of-life sanitization. So ServiceNow, Intune. Splunk is another integration that we have seen a lot, where you need to capture the audit trail into some sort of centralized IT security dashboard, for example. We see more and more of those sorts of monitoring capabilities that are in hot demand. If we're stepping into the data center, just using your standardized tools from HP or Dell, iLO, iDRAC, for managing your server infrastructure, and being able to implement sanitization workflows into those traditional server management platforms is also something that we have seen develop a lot over the last, actually, few years, but escalating over the last year. So all of those are really valuable and good integration examples. So what we have covered so far is trends, integration. We have seen how remote capabilities are important. And the driver there is very much legislation and increased awareness, and putting data end of life and sanitization on the security agenda, the board agenda even. But in parallel to navigating that legal labyrinth and finding the right technical deployments, another global mega trend is sustainability. And I think just asking yourself, how are you working with sustainability?
This last year, or the last couple of years, compared to 10 years ago, most organizations and officers are instantly responding that there are very big differences in how sustainability is being approached today. And one part of sustainability is, of course, green IT. This is just one example from a couple of years ago. And I'm afraid the trend is still going in the wrong direction, where there's more and more e-waste. And we're talking about Giza pyramids or thousands of Eiffel Towers, depending on where you have traveled and your favorite destination and where you want to draw your parallels. But it's staggering amounts of e-waste that we are seeing. And one contributing factor here is that you're actually removing drives from systems and destroying drives to protect the data. And then, when a system is left without drives, that system is less likely to be reused and extended in its life cycle, and is more likely to end up in some sort of e-waste scenario where you might lose control down the chain of custody of where that asset is finally ending up. So there's a lot of work that needs to be done within this entire area of sustainability, but definitely within the IT aspects. And if we're trying to summarize what we want to achieve with secure erasure and sanitizing an asset, it is of course that you can reuse it and resell it, or securely go into recycling processes where also the hard drives can be recycled without any fear of data that previously has been on them. You can even earn carbon credits today. Carbon credits are being issued by different bodies in the marketplace when you can document reuse instead of destruction of equipment. You can use CSR programs with donation of equipment. So instead of destroying equipment, donating equipment when you know that you don't have to fear any kind of data leaks. So there's a lot to work on here. And once again, it needs cooperation within the organizations.
Cyber security needs to cooperate with corporate governance, with IT operations, with finance, to make sure that you can enable efficient asset lifecycle management from start to finish. Besides this, I also would like to highlight that we have seen an enormous influx of investment capital that is going towards ESG-qualified companies. And ESG is environmental, governance and social. And that means you have to be able to prove how you are performing within these different dimensions. And for most organizations that will include that you can provide data on green IT, data on a reusable workstation solution, for example, and that you're not destroying IT equipment unnecessarily. So this is another mega trend that we have seen around the world that is definitely driving these technical questions up to strategic board-level discussions. So to summarize what we have been through, we're just getting to our 40 minutes. If you should bring one comment with you from this session, use this quote from a CIO in a Fortune 100 company: no equipment leaves our site with data on it. And hopefully, during these 40 minutes, you have gained some insights into how to achieve that in a good way and still be in line with legislation as well as sustainability, and finding out how best practices can serve you as an organization. So with that said, back to you, Shannon, to see if we have any questions from these different aspects of the presentation.

Hi, Frederick. Thank you so much for this great presentation. And there's a lot of questions coming in. If you have questions for Frederick, please do submit them on the right-hand side in the Q&A section there. So starting in here: how can we secure deletion of data in the cloud and prove it?

That's a great question and a hot trend. So today, we, for example, have a partnership with AWS. And with AWS, we have developed specific erasure solutions for data stored in the S3 cloud, in the EC2 cloud platform.
So depending on how you're using your data in the cloud, if you're using AWS or Azure, there are a number of mature processes that can be deployed. And just as you're alluding to in your question, the key thing is to have an audit trail, how to prove it. So the audit trail is definitely there as a component in the process. And I would love to follow up afterwards and share more information on how this can be achieved. But it's definitely a hot topic. So very good first question.

A lot. So the question here is, what is the biggest claim to fame?

The biggest claim to fame within this industry is to make sure that there has never been any data leak when you have applied a sanitization process. And I know that, when we are keeping track internally, we have approximately a quarter of a billion devices that have gone through our processes without any data leaks. So I think that is a good claim to fame.

So how do you cope with data which by definition cannot be deleted? Are there guidelines for what should not be written?

Yeah, so blockchain. Blockchain is coming in this industry, but more from an audit trail perspective, i.e. how can we also add the blockchain values on how to keep track of what has been done, how to easily prove it by integrating into blockchain structures, for example; that is something that is being worked on already. When it comes to blockchain, per definition, you should never issue anything that you don't want to share. I mean, that's the whole public domain around blockchain. So use it for audit trail and getting value from that. But then make sure that you do your information lifecycle analysis properly, and exclude any sensitive data, data under legislation that shouldn't be shared, from any kind of environment like that. So data information management, and making sure that you are doing that analysis regularly and constantly, that is absolutely key.

All right. So before removing data, what about backups?
Do you have some experiences that you can share with that?

Yes. So backups are always an aspect that needs a separate analysis. So when you're looking at your entire estate of data, you need to analyze and understand how our backup routines are being performed. How is that backup data stored? Is it on-prem? Is it in the cloud? And here we come into data retention again. If it's data under retention, real retention requirements, of course, you need to keep the data. But after a retention period, you should actively, securely remove it. That's an important fact, because data can easily go from asset to liability if you're not managing your retention periods, for example, in a good way. So once you've done that joint analysis, you will find different processes that can be applied, and how to document that. And definitely you need to include your backup data estate when looking at the bigger picture. Great question.

And I think we have time for a couple more questions here. We've got about five minutes left. So what about SAP data, which is written sequentially and is the power of this database? Is it also erased to this format level?

So actually, back in the day, we developed a logical data sanitization solution together with SAP to target specific use cases. Here we come into very detailed analysis, where you need to look at, okay, which data can I target? How is that data stored? Is it block storage? Is it some sort of elastic storage? Is it in a database? And not all data can be targeted for a secure, verifiable sanitization process that creates an audit trail. So sometimes you actually have to conclude that this is data that's sitting in a database environment; it cannot be targeted from external resources. So we need to create a lot of security measures around how we are managing this database, for example. But you have to look at this case by case and go into as much detail as possible to conclude what you can do and what is not possible to do. I hope that helps.

Indeed.
And I don't see any additional question. Oh, here we go. One more. What are the standards we are following these days?

So, great question. Looking around the world, when it comes to actual technical standards and guidelines, the NIST 800-88 document that I referred to earlier is definitely a key resource. There will be new material coming shortly. I can also recommend there's a specific standard for storage security called ISO 27040. That is also a really good paper on how to implement storage security, including data sanitization. Other important standards to be aware of are different ISO certifications: ISO 27011, that nothing can leave your site, for example, without you sanitizing equipment before; 27018, that you can't redeploy storage assets between use cases and customers, for example, unless you have sanitized the logical space in between; 27017, how to keep track of personally identifiable information. And then I would finally say it also depends on which industry you're in. If we're in the financial industry, the PCI requirements are extremely important for how to process credit card information. If we're in the healthcare sector, it's super important to be aware of HIPAA. So look at your industry, look at ISO programs, look at industry initiatives, look at different NIST guidelines, and that will give you a very good overview of what you need to follow. And if you have data retention concerns, do get in touch and I'll give you some great advice on where to turn.

I love it. Frederick, well, thank you so much for this wonderful presentation. We just want to note again that there is a linked form at the bottom of the page titled EDW Conference Session Survey. This is where you can submit feedback for today's session. And that wraps us up. You're welcome to continue networking with other attendees within the SpotMe app as we take a quick break between sessions. We look forward to seeing you then.
And if you'd like to connect with Frederick, feel free to find him under the speaker section in the SpotMe app. And he will continue to answer your questions there. And don't forget to check out the sponsor booth. Click out, check out the sponsor session in between while we're on break. And we'll see you again here shortly. Frederick, again, thank you so much. My pleasure. Thank you very much for attending and great questions and love to follow up if you have any follow-ups. Thank you very much. Over and out from Stockholm, Sweden. Bye for now.
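The talk repeatedly stresses that a software erasure process only counts as sanitization when verification and an audit trail are built into it, and that "home-baked" overwriting or inadequate free tools leave data behind unnoticed. The following is an added example, not code from the talk, from Blancco or from any product it mentions: a NIST 800-88 Clear-style single-pass overwrite of a file-backed disk image, followed by a full read-back verification and a hash-sealed audit record. The image, the sample "sensitive" contents, the serial number and the operator name are all constructed placeholders, and `faulty_tool` is a hypothetical eraser that stops after the first block so the verification step has something to catch.

```python
"""Clear-style overwrite with built-in verification and an audit record.

Added example (not from the talk or any vendor). It runs only against a
temporary file-backed image constructed below, never a real block device.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096     # bytes per I/O; an assumption for the example, not from the talk
FILL = b"\x00"   # single-byte overwrite pattern (a fixed value is acceptable for Clear)


def overwrite(path: str, pattern: bytes = FILL) -> int:
    """Overwrite every byte of the image with `pattern` and sync it to storage.
    Returns the number of bytes written."""
    assert len(pattern) == 1, "example supports single-byte patterns only"
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(BLOCK, size - written)
            f.write(pattern * n)
            written += n
        f.flush()
        os.fsync(f.fileno())   # make sure the overwrite reached the medium before verifying
    return written


def verify(path: str, pattern: bytes = FILL) -> dict:
    """Read the whole image back and record the offset of every block that still
    holds anything other than the pattern. This is the step a home-baked wipe skips."""
    size = os.path.getsize(path)
    offset, bad_blocks = 0, []
    with open(path, "rb") as f:
        while offset < size:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            if chunk != pattern * len(chunk):
                bad_blocks.append(offset)
            offset += len(chunk)
    return {"bytes_checked": offset, "bad_blocks": bad_blocks, "verified": not bad_blocks}


def sanitize(path: str, serial: str, operator: str) -> dict:
    """Overwrite, verify, and produce an audit record whose SHA-256 lets an auditor
    detect later tampering with the stored report (a hash seal, not a signature)."""
    written = overwrite(path)
    check = verify(path)
    record = {
        "asset_serial": serial,   # placeholder; a real process reads the drive serial
        "method": "NIST SP 800-88 Clear: single-pass overwrite, full read-back verify",
        "bytes_written": written,
        "bytes_verified": check["bytes_checked"],
        "verified": check["verified"],
        "bad_blocks": check["bad_blocks"],
        "operator": operator,
        "completed_at": datetime.now(timezone.utc).isoformat(),
    }
    record["report_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def make_image(contents: bytes) -> str:
    """Construct a temporary file-backed 'drive' holding sample content."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path


def faulty_tool(path: str) -> None:
    """Hypothetical inadequate eraser: wipes only the first block, leaves the rest."""
    with open(path, "r+b") as f:
        f.write(FILL * BLOCK)


def demo() -> tuple:
    """Run the proper process and the faulty tool on identical images.
    Returns (audit record of the proper run, verification result of the faulty run)."""
    sample = b"SSN=123-45-6789;passport=X1234567;" * 2000   # 68000 bytes, constructed
    good = make_image(sample)
    record = sanitize(good, serial="SN-EXAMPLE-0001", operator="demo-operator")
    bad = make_image(sample)
    faulty_tool(bad)
    residue = verify(bad)
    for p in (good, bad):
        os.remove(p)
    return record, residue


if __name__ == "__main__":
    rec, residue = demo()
    print(json.dumps(rec, indent=2))
    print("faulty tool verified:", residue["verified"],
          "residual blocks:", len(residue["bad_blocks"]))
```

The design point is that `verify` is a separate full read of the medium, not a return code from the overwrite, and that the audit record carries the verification outcome and byte counts rather than a bare "done" flag. The example models Clear on a magnetic-style image; it cannot reach remapped or over-provisioned flash cells, which is exactly the HDD/SSD distinction the talk makes: Purge on an SSD relies on the drive's own sanitize or cryptographic-erase commands, not a host-side overwrite.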