
Green politics, once a minority interest, has become
part of mainstream political and business life. Supermarkets compete on how much
recycled plastic they use in their bags, and sell increasing
quantities of organic food. IT may not have been greatly affected
so far, but it soon will be.
On the big green issue - global warming - European Union
countries and some US states have established carbon-trading
schemes, granting or selling tradeable permits to generate
greenhouse gases. Such schemes started by focusing on the biggest
emitters such as power companies, but some technology-focused firms
are already tackling the issue.
In July, BT won environmental campaigner Al Gore's Business in
the Community Company of the Year Award, partly for reducing its
carbon emissions by 60% since 1996. And big IT firms such as
IBM, HP, Sun and
Google are implementing major green schemes.
Analyst firm Gartner calculates that the IT and communication
sector is responsible for 2% of global carbon dioxide emissions -
the same amount as aviation, an industry reviled by
environmentalists.
In May, Gartner predicted that 50% of medium and large IT
organisations in western Europe will declare a green imperative by
the end of next year. This will happen as a result of financial,
legislative and risk-related pressures as well as environmental
ones, although fewer than 20% outside the region will do
likewise.
Emerging green threats to security
Simon Mingay, a research vice-president for Gartner, says some
companies may inadvertently risk giving away information in an
effort to report their progress on environmental issues. "If you
look at organisations such as BT and
Ericsson, which are doing a good job on disclosure, they are
putting a lot of information about operations out there," Mingay
says.
"Your PR people will want to get as much out as they can, but I
think there are some security-related issues around that." Precise
electricity consumption figures could provide rivals with clues to
what kind of equipment is in use, for example. "It is a balancing
act," Mingay says.
A better-known set of security dangers arises from recycling
schemes for computer equipment, an environmental measure already
undertaken by many organisations. In addition to recycling
constituent parts, such kit is often donated to charities or
schools.
Retailer
Marks & Spencer recycles its computer equipment through
RDC, a subsidiary of Computacenter, which uses data-eradication
products approved by CESG, the UK government's national authority
for information assurance. "None go to landfill," says a Marks
& Spencer spokesperson.
The risks of computer recycling are well known. Data must be
removed before the hardware is reused. Computer Aid International,
a London-based charity, has sent 90,000 recycled computers to the
developing world over the past decade. It normally uses software to
wipe information through its partnership with Finnish software firm
Blancco, which is CESG approved.
"We prefer wiping intensively, with destruction of the hard
drive as a back-up," says Tony Roberts, chief executive and founder
of Computer Aid
International. He says that some organisations avoid the issue
by saving sensitive data on servers rather than on local
drives.
Roberts says his organisation often deals with security concerns
by inviting donors to see the recycling process themselves. The
charity also has liability insurance and offers compliance with the
European Commission directive on
Waste Electrical and Electronic Equipment.
"The City of London police has been here, the Treasury has been
here, and subsequently we have computers from those and many other
organisations," he says, with other clients including insurer Aviva
and financial services firm Investec.
"All equipment leaving the force is sanitised," says Gary
Brailsford, head of information management for London police. "This
involves the use of a software tool that ensures the total
destruction of all data on hard drives. All other equipment
settings are restored to factory defaults."
But some prefer physical destruction of all hard drives. "You
put them in a bench press and drive a steel spike through them,"
says Alex van Someren, chief executive of Cambridge-based
encryption supplier nCipher.
"There is no process you can do that totally eradicates the
data. I do not allow the data to leave the building." The firm does
donate equipment to Cambridge University's computer laboratory and
local charities, but only after fitting new hard drives to
machines.
Alternative ways of recycling
Andy Clark, head of forensics for security consultancy firm
Detica, says there are other options. Hard drives can be recycled
internally, and if organisations track and restrict what is dealt
with by each computer, they may find only some are handling
sensitive data. However, "For the ones that are most sensitive,
there is no better way than physical destruction," Clark says.
Whatever the choice, Clark says a scrupulously followed process
is essential. "You need to get a production line so you can
validate you have done it all the way," he says, adding that
sending a couple of wiped machines to an external firm for checking
is a good idea.
Do things go wrong with computer recycling? "Yes, and it is
normally because it has been done with the best intentions, as a
local initiative," Clark says. "Because green issues are on
people's minds, and rightly so, they take the initiative and
recycle them without knowing what is going on."
So it is best to establish a proper process for recycling before
staff start doing it anyway, and this should include all hardware
that holds data, including mobile devices such as Blackberries,
servers and printers.
Paper recycling also has security risks, and sending paper to
landfill sites creates similar dangers. The answer is to combine
recycling with secure destruction.
In June, Oxfordshire law firm Henmans hired local shredding
specialist Allshred to clear out more than eight tonnes of obsolete
records from a basement office. Allshred parked a truck outside the
office that shredded the files and stored the fragments, allowing
the firm to witness the process.
"There are examples where they have material that has been used
in a court case, and there is an obligation on them for destruction
of the material," says Ian MacKay, managing director of
Allshred.
"There is a growing recognition among some of the smaller
companies that, while in the past they cleared the archive of
accounts more than seven years old by putting them on the bonfire,
it is not the right thing to do, both for regulatory and
environmental reasons," MacKay says.
After shredding, Allshred takes paper fragments to recycling
centres, where they are baled and processed into household
tissues.
David Potter, Detica's senior fraud and risk expert, says a
system of protective marking is important in helping staff
recognise what needs to be recycled securely. The UK government has
a multi-tier system - also used for computerised documents - but
even just a single category of "commercial in confidence" is
useful, Potter says. This can involve printing the sensitive
documents on one colour of paper and non-sensitive ones on
another.
However, Potter says that such a scheme is little help if
documents are printed on central printers, leading staff to leave
material lying around. This problem can be eased by printers that
produce documents only when a user types in a personal
identification number.
Furthermore, the "one-way" bins supplied by Allshred and others
to collect confidential paper waste are useful, but only if
properly managed. "I have seen situations where people have sealed
bins, but the key is left at reception, freely accessible to all,"
he says. "I have seen bins that are so stuffed there are things
sticking out you can reach in and pull it out."
Ken Munro, managing director of penetration testing firm
SecureTest, has encountered similar situations, providing
opportunities for staff and thieves.
There is more for IT security to consider on the environmental
front than just recycling, however. Mingay says restrictions on
power supplies, partly caused by environmentally driven campaigns
against new power stations, have implications for business
continuity.
"Particularly in the south-east and London, we have a big
problem with power consumption and reliability of supply," Mingay
says. In the UK, 26% of SunGard Availability Services' disaster
recovery invocations last year resulted from power-related
disruption, compared with 7% in 2005.
Power reliability problems are also found in the developing
world, but have become common in developed parts of the world
including California.
The usual solutions to the problem of unreliable power supplies
are themselves environmentally messy: standby generators tend to
run on diesel, and the batteries used within uninterruptible power
supply equipment are usually lead-acid. Fuel cells, which can
run on bottled hydrogen, are a potentially cleaner alternative.
In June, Winton Capital Management, a futures and hedge fund
firm, installed the first commercial fuel cell in Britain used to
protect computer systems, following an installation last year by
the supplier, UPS Systems, at its own headquarters in Hungerford.
Winton's installation is able to provide a maximum of 30kW of
power, and uses an underground hydrogen storage facility.
Hydrogen fuel cells are virtually silent and produce only water
as a by-product, so they do not need noise protection and exhaust
vents - a significant benefit for organisations in big cities.
Producing hydrogen in the first place requires power, although this
can come from renewable sources.
"It is a new technology, gradually working its way in," says
Steve Barrett, editor of Fuel Cells Bulletin. "It has been in the
research and development stage for a very long time, and is just
breaking through as a commercial proposition - it is still going to
be more expensive than the incumbent technology."
Implications of green taxation
So far, government attempts to reduce individuals' carbon
footprints have been fairly crude, such as flat taxes on fuel and
airline tickets, and many of these measures predate any
environmental justification.
But some politicians are championing sophisticated methods such
as individual carbon accounts. Under these, citizens would receive
a carbon ration, although they could buy or sell units as
necessary.
In December last year, then UK environment secretary David
Miliband told the Guardian that every citizen could receive a
"carbon credit card", probably covering food, utility bills and
travel, within five years - although this remains a feasibility
study proposal rather than solid policy.
Apart from practical objections, such as how this system would
prevent Britons buying a green Eurostar train ticket to Paris then
escaping their carbon rations by flying from Charles de Gaulle
airport, the nature of Miliband's comments concerned some. "There
would be significant implications, as it would provide a lot of
information on your lifestyle," Mingay says. "Would it raise
privacy questions? Absolutely."
Gus Hosein, a senior fellow at human rights organisation Privacy
International, says that a central database of personal carbon
spending would effectively be a map of everything you do in your
life, providing the state with information on everyone's movements
and activities. "This will need the trust of the population," he
says. "It can be seen as a new type of taxation, and unless it is
seen as equitable and trustworthy, it is not going to fly."
He sees similar dangers with other environmental schemes
championed by the UK government, such as tracking individual
vehicle journeys for congestion charging, measuring each collection
of households' non-recycled rubbish to charge by weight - an idea
dubbed "bin brother" by some newspapers - and intelligent
electricity meters, which provide indications of how many people
live in a property and when they are in. Guarding such data, much
of which could be of use to criminals, would present a significant
security challenge.
Matt Prescott, director of the
Royal Society for the
Encouragement of Arts' CarbonLimited project, says it is
possible to construct such schemes without building giant
databases.
Its preferred model for carbon trading would involve the
government establishing a framework, but each individual choosing
which organisation handled his or her account, such as banks,
energy companies or housing providers, or storing credits on a
smartcard rather than on remote databases. "This is something
people would decide for themselves," Prescott says.
● This article originally appeared on
www.infosecurity-magazine.com