If your hard drive fails and you don’t have up-to-date, functioning backups, you call in the data recovery experts. It’s kind of like sending your drive in for emergency surgery—down to the sterile environment the engineers have to operate in. Chances are, your drive is dead for good, but it might be possible to give your data a new lease on life.
On February 16th I received an invitation to interview Bay Area data recovery company DriveSavers, accompanied by a press release announcing their introduction of industry standards for data recovery. I’ve written about DriveSavers and their Museum of Bizarre Disk-asters in the past, and happily took the opportunity to interview Chief Information Security Officer Michael Hall on February 19th, 2009.
While the issue of “securing data, even during data recovery,” to quote the first message I got from Margie Schaffner at BLASTmedia, is certainly an important one, I knew that my readers would want to hear about more than just industry standards, so I put out a call on LinkedIn for questions to ask Michael. I organized the questions into four basic categories and consolidated the ones that overlapped.
Note: I have edited Michael’s responses (which I recorded) just slightly, mostly to make them more appropriate for the written form of this blog. In some cases, where he provided the answer to a later question earlier in the discussion, I have relocated what he said. I sent him a draft of this post to check for accuracy before releasing it, and a few responses have been filled in or corrected through those e-mail discussions.
Questions About DriveSavers
What differentiates you from Ontrack Data Recovery? Both companies have nearly identical taglines of being the world leader in data recovery services. (Note: when I asked the question, I expanded it to include competitors in general. When Michael answered the question, Michelle Taylor, Director of Communications at DriveSavers, edited it slightly, so the style of the response is more formal than the rest of Michael’s answers.)
The primary difference between us and any other data recovery company is our certified secure environment and unparalleled customer service. We adhere to very strict and stringent government security protocols, and we are also certified SAS 70 Type II compliant. We have the fastest standard service available and we meet those turnaround times about 99% of the time. Our actual facility has certified ISO 5, 6 & 7 cleanrooms, expert engineers and advanced technologies which enable us to maximize the success of every data recovery. We defend and protect our customers’ information from security breaches here. No one else is going to be able to hack into our network and gain access to our customers’ information. I’m not sure what Ontrack’s network infrastructure is like; I know that what differentiates us from all other data recovery companies is that we adhere to very high security standards and we have met or exceeded all those standards and we have certifications to prove it: they’re available for viewing on the website.
What determines your prices?
It’s based upon the capacity of the device itself and the turnaround time that the customer is requesting. We have a number of different options there. We have what we call the economy 5-7 day turnaround; we have a standard service, which is a 2-3 day turnaround; and we also offer priority service, which is an immediate turnaround. That means an engineer is going to be dedicated to that job from the time it hits our facility until it’s completed, to expedite the recovery process for them and get the dataset in their hands as quickly as we possibly can. So it’s basically capacity and how quick they want their data.
How are you going to make data recovery affordable for the average Joe or Jane who didn’t make a backup? (To which Sallie adds: how much slack do we want to cut people who don’t make backups?)
What we see with individuals and small businesses is that they almost never have an on-site IT person. They have a consultant who comes in and configures their backup, or their network topology, or their security, or their entire infrastructure. They put it in place, tell people how to use it, and then they walk away. They don’t come back and periodically check things. What we see more than anything is that when something’s been configured as a backup, no one’s ever taken the time to actually validate the configuration by doing a test restore to another device or checking the integrity of the data. What we see oftentimes is that whoever put the backup program in place, it worked fine for what the customer had at that point in time, but say they go from a simple database program to a SQL server, or they change their e-mail program to an Exchange server. Those files are open files; they’re constantly changing.
When they established their backup system initially, they didn’t have to worry about open files. So now they’re doing backups with open files, but they don’t have “backup an open file” option in their backup program. So they’re backing up an Exchange server and they’re backing up everything except the two open files that they need. The same thing holds true with SQL. You can back up the entire SQL directory—except for the database. And then they have some sort of natural disaster—hardware failure or an earthquake or a power surge—and their hardware goes down. They think they’re fine until they try to do a restore, and then they realize that the whole system was configured incorrectly.
We see innumerable data recoveries that come to us because of that same scenario right there.
How do you know when the cost of recovering data is greater than the value of the data?
That’s something you have to determine yourself. The easiest way to look at it is, how long will it take you to re-create the data yourself manually? How many man-hours is that going to take? How many temps will you have to get all the paper trail that you’ve got back into electronic format—if you have a paper trail at all? How much are you willing to pay to keep your business running?
Are you hiring?
Not at the moment.
An Ounce of Prevention…
Isn’t prevention (e.g. Business Continuity Planning) a better investment than data recovery?
A Business Continuity Plan is imperative to any business, no matter how small or large. You have to have contingencies in place and have a pre-set plan: “If this happens I can do that. If that happens, I can do this.” That’s part and parcel of doing business. Is it more important to do that than pay for data recovery after the fact? Absolutely. If your Business Continuity Plan is written properly and it’s comprehensive and inclusive, you’ll probably never need to use us. Why wouldn’t you be proactive on the front end to take care of that. What we see, though, is even with Business Continuity Plans, there’s that 2% you can’t account for. Natural disasters. Simultaneous catastrophic hardware of the main device and the backup device. There are corporations that have us at the very bottom of their Business Continuity Plan. If all this does not work, here’s your last stop, and it’s a data recovery company.
What are you doing to integrate a “prevention” mode so that people can do encrypted, compressed off-site backups via the Internet (automatic of course), so that data recovery is more easily accomplished should it ever be needed?
We don’t offer offsite backup solutions for customers, but we are huge proponents of customers having that in place, and we can point people to different companies that handle that kind of program. We’re not going to offer it. Our primary focus is only on data recovery.
The Data Recovery Process
What is the most common reason for needing data recovery services?
About 80% of what we see is electromechanical failure. The reason we have the museum of Bizarre Disk-Asters is that it’s an unbelievably great visual representation of what can happen. But 98% of the time, that’s not what happens. You don’t have a fire, you don’t have a flood. A hard drive is a mechanical device. It’s not a question of whether it’s going to fail—it’s when it’s going to fail. A hard drive has a Mean Time to Failure rate attached to it; that’s the life expectancy for the device. 98% of the time either the drive dies on its own, or it’s been fried in a power surge. That will cause your drive to fail a whole lot quicker than being run over by a bus.
What kind of data is hardest to recover?
That’s a very open question. We work on all platforms. Any operating system. Any type of electronic device. Our rule of thumb is, if you can write a 1 and 0 to it, we’ll take it off of it. Some are more difficult than others, but I don’t know that I could definitively say “This is the hardest thing to recover.” Sometimes the hardest things to confirm [recovery of] are proprietary software applications that have been written specifically to a type of business or to an individual, where they’re not off-the-shelf applications that we can easily access and figure out. When we have situations like that, we try to work with the person who wrote the application or the customer to gain access to the application in order to confirm the data set for them.
What percentage of the time do you have success with recovery?
We have an overall success rate, but I’m not sure what it is.
The website says “the highest in the industry,” but doesn’t give any numbers. A later e-mail discussion with Michelle Taylor produced the following answer:
One of the most telling reasons we know we have the highest data recovery rate in the industry is that the majority of the drives we see at DriveSavers have visible signs of previous data recovery attempts. In some cases, these attempts have caused so much damage that the data is unrecoverable. But, in most cases we are able to retrieve data that others could not.
What state is the data in when you recover it? For instance, if you recover a Word document, do you get the whole thing? Paragraphs? Sentences?
Our intentions are to get the dataset back to the user in the state it was when they were using it. Sometimes that’s not physically possible. Usually that occurs when there’s damage on the device itself that renders a portion of it completely inaccessible. If the data has been physically scraped off the platter and it’s just dust in the bottom of the drive, we’re not going to get that back—no one is. Our rule of thumb is to get back the original data set in its original form.
What’s your opinion of online backup systems (like Carbonite) and how difficult is it to resurrect information if one is backed up in that manner?
Most online backup companies have step by step instructions for restoring the backup set back to the customers system. It is a good idea to test the procedure ahead of time so that you know exactly what is required on your end to complete the restoration.
And how easy is it for DriveSavers to recover data if the online backup service suffers a loss?
If an on-line backup service needs to use our services we still have the ability to recover the data. Usually they will be utilizing a raid configuration to store data. We have an enterprise division that is dedicated to performing data recovery on multi drive raid systems.
Is it easier or harder to recover data from the new solid-state disks in netbooks and laptops than from traditional hard drives?
Any time a new technology comes out, we spend a tremendous amount of R & D on it to make sure that we can recover information from solid-state devices, and we are able to do it.
Data Recovery Standards
Security standards are nice; do they map to an ISO standard?
Since this information was on both the press release and the DriveSavers website, it didn’t seem necessary to ask it again. The standards, and the certifications, fall into several categories:
There have been numerous cases of recovered data being sold or released without the owner’s consent. You have other cases of Geek Squad employees making private copies of sensitive information when they repair hardware for a customer. How do companies like DriveSavers talk to this? “Trust me” only goes so far.
All the certifications mean you don’t have to take their word for it. In fact, the page listing them is entitled “Demand Proof.” In addition, according to Michael, “We perform background checks on all our employees. They have to sign a security policy; we have everything in place to inhibit that from happening. Only certified cleared engineers have access to the customers’ information. We hire the most qualified and credible people.”
Explain the standards for the SOHO user who doesn’t understand what those certifications mean:
An ISO-certified cleanroom increases the chances of a good recovery, because we’re not introducing any kind of foreign objects to the media as we’re going through the recovery process. So you’re going to maximize your bet right off the bat. Secondarily, we’re in compliance with the international technology control audits. We have everything in place to ensure that integrity of their data is not compromised while it’s at our facility. We monitor our facility and our network 24/7. We’re certified to handle any type of encryption recoveries and we have the manufacturer authorizations to be able to work on the devices themselves.
For an individual customer or small-business user, even though it’s your individual drive, you have to bear in mind that even though it’s your personal drive, there’s a high likelihood that there’s information on that drive that you don’t want shared. How many people use an accounting program? If you’re using Quicken or QuickBooks or any program of that type, your credit information is on that program. Your bank account numbers are in that program.
If you’ve set up your computer properly, it shouldn’t be able to be hacked at your house, but if you send it off-site, who do you trust, and why? Anybody can say they have a cleanroom; can they show you the certification? Anybody can say they have a secure network; can they show you the certification?
Here’s another classic example. How do other data recovery companies handle recycling customers’ drives? How many times have you seen something in the news about “I bought this drive on eBay and it had another person’s information on it when I got it.” If a customer sends us a hard drive and it is completely physically done, it’s of no value to them, it’s out of warranty from the manufacturer, and they don’t want it anymore, and they tell us to recycle it, we’re going to physically degauss the hard drive with a Department of Defense-approved degausser to render it 100% inaccessible before we recycle it.
That’s as opposed to throwing a whole bunch of drives in a pile and taking them to a recycling center. Those drives get bought in bulk and then sold on eBay.
The security criteria and protocols that we have in place are just as important when dealing with individuals as with corporations. You hear of innumerable instances of laptops with 50,000 social security numbers getting stolen. If mine was on that laptop, I would be upset. But at the same time, my social security number is on my hard drive, and it wouldn’t matter if it was one of 50,000 or one of one. A lot of people have a file that shows their passwords, or their PIN number for their ATM machine.
Special thanks to everyone on LinkedIn who provided these great questions.
Even though SAS 70 type II compliance is a step in right direction, In my opinion, a comprehensive security is ISO 27001 certification, where Information Security Management Systems (ISMS) is improved utilizing Deming PDCA model.
“Only certified cleared engineers have access to customers’ information” Without putting some sort of monitoring/auditing control on engineer it will be pretty hard to know that customer data has not yet left the building.
Great catch on the question – that was the direction I thought the answer would go. Cleanrooms are essential, but a comprehensive security policy also helps when dealing with 3rd party information.
I have directed my customers to DriveSavers. They were able to help out several of my customers over the last few years.