Disk Overwrite or Wipeout Best Practice

An online search shows majority of tools available for wiping out data on a disk points to a practice of 7 wipes. They believe that it is a US DoD requirement. Some of them support the Gutmann method of 35 wipes.

However, I could not find any documentation on US government website that indicates seven wipes. The US DoD 5220.22-M, “National Industrial Security Program Operating Manual that most online tools refers to does not have any requirements of number of wipe passes. However, I found a wiki page on Data Remanence that has enough citation and it contains the following –

“As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only degaussing  or physical destruction is acceptable for the latter.[4]

On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): “Studies have shown that most of today’s media can be effectively cleared by one overwrite” and “for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged.”[1] An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes “has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss. “[5]Continue reading “Disk Overwrite or Wipeout Best Practice”

Saas as a Strategy

With all the bells and whistles from SaaS providers, should we adopt SaaS as a Strategy for our software application needs?

In my previous blog, I pointed out the difference between ASP and SaaS. However, it would help to step back a little and give some background. SaaS is a delivery model in which a commercial software vendor builds the software application, host it at an environment that it comfortable with and expose its services to its customers through web-based interfaces. The interface could be browser based or through web-services.

SaaS is one of the three types of cloud computing services available in the market today. Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) being the others.

Examples of SaaS include Salesforce.com CRM and Google Apps. http://www.saas-showplace.com gives a list of SaaS providers.

Unlike Application Service Provider (ASP)s, SaaS accommodates multiple tenants. The exposed services are common to all its users and is centrally managed, maintained and supported by the provider. Since the service is exposed through the web, it can be utilized by anyone across the globe. Once a user signs up with the provider, all services are available immediately and there is no wait for customization. An amateur user goes through the same training and orientation as an advanced user since the exposed service is the common to all type of users. The user is charged on a as-use basis instead of a fixed monthly charge.

Since the solution is centrally managed, the service level agreements (SLA) would be common to all and may not be flexible at all. Except for the data or information of the user, everything else belongs to the provider. So is the performance of the application too. User data or information is at a location of provider’s discretion and at their mercy. Since the software is built for SaaS model on the web, it may not be available to purchase from a retailer. This prevents the user to independently try out the software or host the software application elsewhere.

Since the software application is completely accessed over the web, it is also exposed to the threats that any other service on the web is exposed. Malicious code attacks and denial of service attacks are some to name.

User need to be concerned about the confidentiality and integrity of data or information that is passed on to the provider. This includes intellectual and confidential information. Sometimes part of the provider operation may be outsourced to another provider that the user may not be aware of. The provider need to ensure that user data or information should neither be accessed by unauthorized personnel nor by other users of the service.

User need to ensure that the data or information that they pass on to the provider is hosted in a compliant jurisdiction. Data originating from certain countries like China cannot be hosted in another country due to legal restrictions. Certain types of data, for example Personal Identifiable Information (PII), are subject to local regulations which prevent it to be hosted in another country. A good example is Canadian Privacy Regulation (PIPEDA). There are others subject to regulations such as HIPAA and GLBA.

User should ensure that there are proper security controls in place at the provider that is compliant with security policies and standards of the user. User should be given the right to audit and monitor the provider periodically.

There should be proper understanding of reporting any issues and their ownership of issues in case of a security incident. User should also consider what happens if the contract with the provider is terminated. Providers may not be able to give back the data in the same model that is expected by the user.

Before signing up with a provider, user may need to verify how resilient the provider is, their security posture, customer support, track record and reputation.

So can we sign up for SaaS? It all depends on the classification and business criticality of data or information that will be passed on to the SaaS provider. If we are subject to laws and regulations that prevent data leaving from our perimeter, then SaaS is not a solution. However, there are other types of information that can very well be managed by a SaaS provider and should be passed on to them so that we can reduce our operational cost.

Difference between SaaS and ASP

With cloud computing being the buzz word in the IT industry and SaaS being the early adopted model of the cloud computing world, people keep on asking what’s the difference between SaaS and ASP.

Saas is Software-as-a- Service and ASP is Application Service Provider.

Though some in the industry say SaaS is a subset of ASP and is one of the ASP delivery model, others say they are completely different.

Here is what I think from a user or customer’s perspective –


  1. Single-tenant approach
  2. Customized solution for each user
  3. User has authority on the solution hosted by the vendor and can demand the type of service required.
  4. User data could be hosted at any jurisdiction per user’s requirement
  5. SLA is unique to user
  6. Cost is based on user’s unique needs
  7. Monthly subscription on an as-used basis
  8. Borrowed (third party) software used
  9. User has the luxury to pull out of the ASP, buy the software from a third party retailer and host it somewhere else
  10. Once signed up, the vendor may take long time to customize
  11. Each user requires customized training and orientation which makes its usability cumbersome
  12. Solution need not be internet based


  1. Multi-tenant approach
  2. Same features and functionality to all users
  3. Solution is centrally managed, maintained and supported by provider. User is at the mercy of the provider and cannot demand any individual changes
  4. User data is hosted at a jurisdiction that the provider is comfortable
  5. Service Level Agreements (SLA) common to all
  6. Comparatively minimized cost than ASP
  7. Monthly subscription on an as-used basis
  8. Custom built software that is not available anywhere else is used
  9. User is unable to buy the software from a third party retailer and is limited to the SaaS vendor always
  10. Once signed up, the service is available immediately
  11. All users go through the same training and orientation making it easy to use
  12. Solution is always internet based

With all these sweet things that we hear about SaaS, should we look forward for “SaaS as a Strategy”? Not necessarily it depends on the type of application and the jurisdiction of the origin of data.