Zombie Data…Draining life byte by byte

By: Anshuman Singh, Director, Product Management of Application Security, Barracuda Networks

Technology in todays’ world is advancing at a phenomenal speed, not a single year passes without a new technological breakthrough – the next big thing! If one observes acutely, there is yet another phenomenon which is speeding up – the newer, bigger and more complex vulnerabilities challenging the IT security environments in every possible way - big and small. One may or may not be a fan of the horror genre of entertainment, but it is important for them to be aware that the zombies,  the undead data, have now attacked the technology world too. This is one of the biggest irreprehensible IT challenge in the coming days.

An organization might have disaster recovery mechanisms and a secure technical environment that’s protected against the threat of undead data destroying or corrupting the system, but is this threat already lurking hidden in your system? Zombie data is real and it’s taking up valuable resources and posing risks in your environment at a greater degree than you might imagine.

In the world of technology, zombies can take many avatars and the term might be employed in a number of references. It can be used to refer to a computer connected to the Internet that has been compromised or computer virus which can be used to carry out notorious activities under isolated direction. Most owners of these compromised computers are unaware that their system is being used for any such purposes; hence these computers are metaphorically compared to zombies.

In UNIX operating systems, a zombie is a ‘child’ program that was started by a ‘parent’ program but then abandoned by the parent.

Zombie data on the other hand, refers to enormous collections of data that lack purpose and insight and might cause a threat to the system. This information which usually has originated from former employees either has no business value or no valid reason to be still preserved but is being retained, backed-up, and maintained on corporate networks.

Most zombie data comes from files and file shares which IT organizations regularly discard of devices when employees leave. One area often causing organizations the biggest headache is PST files.

PST files – The Lurking Zombies

As soon as a user is no more retained on active directories, any PST files they had been using get technically ‘orphaned’ or ‘abandoned’ – i.e., they have no current owner and unless someone specifically deleted them – or even knew enough to – those PST files are still out there.

Data within a PST file is considered an organization record and is thus is subject to detection requirements, just like email.

These PST files have a tendency for data corruption, and due to their very limited recovery capability, the file corruption can result in permanent data loss.
However, the detached identity from any active users makes it very complex for organizations to securely classify and do away with these files that no longer ought to be serving any organization purposes.

Why Do These Zombie Files Recreate?

As soon as the IT staffs gets onto sorting out these zombies i.e. the abandoned PST files, it might appear as if they are self-recreating and multiplying, but the condition starts very unintentionally, say, an ex-employee of the organization used the PST files as a convenient filing system in Outlook during their tenure, and he hence backed them up onto a distinct place on his hard drive.  The IT personnel did a quick desktop backup and thus recreated both versions of that ex-employee’s PST files.  So when that employee left the company, he discarded a copy of his hard drive onto the corporate servers and continued to include this in backups as well.  His substitute was given a replica of the former employee’s mailbox information – and PSTs – so they could easily cope up on some existing projects on which the old employee had worked. And now suddenly, the company would have at least four copies of each PST that they were backing up.

Declare War on Zombie Data

Zombie data poses two separate problems.  The first issue is storage.  Even though companies may look at storage as “cheap” and inexpensive but it really isn’t when it comes to managing these unrequired yet ever-replicating zombie files

The second issue is less obvious, but is capable of posing a bigger threat.  Zombie PST files may factor in eDiscovery.  Legal queries typically specify the “who” and the timeframe and a few key terms; companies generally over-preserve to make sure nothing relevant gets permanently deleted.

The IT organization will be assigned with the task of finding any and all data that were suitable to the users being put on hold, and those more often than not, include ex-employees. So now all these zombie files need to be probed, which may seem like but is not an easy process. It is tedious and may turn up considerably more information that the company then needs to review and potentially produce – this is an expensive process.  

Survival Means Elimination of the Dead

Getting rid of zombie data can be fairly straightforward, if one acknowledges that they probably have such orphaned files in their system and they deploy the required technology tools to search and eliminate such data.  PST files are redundant when companies undertake modern archiving solutions; their contents become archives and are much more easily managed.

Products like Barracuda’s PST Enterprise were designed to tackle all of a company’s PST challenges, including those zombie files.  PST Enterprise deploys a lot of sequences to accurately classify the owners of orphaned or zombie PST files and sanction the IT team to migrate, manage, and eliminate them.  Often, the data has crossed the company’s retention scheme so far that it is only fair to simply delete that data – but only a product like PST Enterprise can probe these files on a broad, automated basis, and provide the content details mandatory to make retention decisions.

If companies are moving away from PST use, then a single pass at recognizing and eliminating zombie data will make sure that it never respawns.

For companies that may still continue to use PST files, tools like PST Enterprise need to become routine parts of their IT treatment programs, timely reviewing servers and file shares for PSTs which are abandoned or follow and taking the suitable action against the energy-sucking living dead before you have a fully propelled invasion on your hands.