The in-depth guide to data destruction
07 February, 2012 02:21
A key part of any information security strategy is disposing of data once it's no longer needed. Failure to do so can lead to serious breaches of data-protection and privacy policies, compliance problems and added costs.
When it comes to selecting ways to destroy data, organizations have a short menu. There are basically three options: overwriting, which is covering up old data with information; degaussing, which erases the magnetic field of the storage media; and physical destruction, which employs techniques such as disk shredding. Each of these techniques has benefits and drawbacks, experts say.
Some organizations use more than one method. For example, microprocessor maker Intel uses all three, "depending on what we're trying to do and for what purpose," says Malcolm Harkins, CISO and vice president of the IT group.
The data destruction market hasn't changed much in the past few years, says Ben Rothke, an information security professional with extensive experience in data destruction. "If there is any trend, it is that more firms are aware of the importance of data destruction," Rothke says.
Still, some organizations, particularly smaller ones, need more education about data destruction, according to Jay Heiser, an analyst at research firm Gartner. "We consider this a very important topic, but it is not one that Gartner clients spend a lot of time asking us about," Heiser says.
"Enterprise clients generally have a pretty good idea of how to deal with this; the practices have been relatively consistent over a period of years, and it doesn't generate a good deal of attention."
Unfortunately, Heiser says, there are still many small-to-midsize businesses that haven't fully thought through the risks of undestroyed data.
There are also persistent questions among all types of companies about how to handle data that's in the hands of cloud computing providers.
"The concern that I am most often asked about by Gartner clients involves the treatment of data on the part of service vendors, especially software as a service [SaaS]," Heiser says.
While a traditionally outsourced data center provider will typically commit to destroying data at the end of a contract and confirm this destruction in writing, that type of policy is rare to nonexistent for SaaS, Heiser says.
"Although the storage architecture of most SaaS services probably means that data from former customers will quickly be written over and soon become virtually impossible to recover, there's no good way to know if this is the case," he says. "The SaaS market also has little or no convention surrounding the treatment of former client data on backup media."
Cloud services will likely increasingly shape how data destruction is perceived and performed in the coming years, says Ariel Silverstone, vice president and CISO at online travel services provider Expedia.
"With the massive herd heading toward cloud, most vestigial physical destruction remnants are being killed off," Silverstone says. "In other words, logical destruction, for all but truly classified data, is further entrenched as the norm. The problem is not destruction as much as it is discovery of the data. How do we find the data that we need to destroy?"
As for on-premises data, organizations need to consider several factors before choosing a method of destruction, says Jeff Misrahi, an independent information security consultant and former CISO.
The first is the time spent on data destruction. For example, is this something the company does often, and does it have a large number of disks to go through?
The second is cost. Can the company afford to destroy disks or do they need to be reused, and can it afford specialized destruction hardware?
Finally, think about validation and certification. Is data destruction a regulatory compliance requirement? How will you prove to regulators or auditors that you have met the requirements?
Here's a look at some of the advantages and disadvantages of the three main methods of data destruction.
One of the most common ways to address data remanence—the residual representation of data that remains on storage media after attempts to erase it—is to overwrite the media with new data.
Because overwriting can be done by software and can be used selectively on part or all of a storage medium, it's a relatively easy, low-cost option for some applications, experts say.
Among the biggest advantages of this method, Rothke says, is that a single pass is adequate for data removal, as long as all data storage regions are addressed.
Software can also be configured to clear specific data, files, partitions or just the free space on storage media. Overwriting erases all remnants of deleted data to maintain security, Rothke says, and it's an environmentally friendly option.
On the downside, Rothke notes, it takes a long time to overwrite an entire high-capacity drive. This process might not be able to sanitize data from inaccessible regions such as host-protected areas. In addition, there is no security protection during the erasure process, and it is subject to intentional or accidental parameter changes. Overwriting might require a separate license for every hard drive, and the process is ineffective without good quality assurance processes.
Another factor to consider is that overwriting works only when the storage media is not damaged and is still writable, says Vivian Tero, program director for governance, risk and compliance infrastructure at research firm IDC (a sister company to CSO's publisher).
"Media degradation will render this [method] ineffective," Tero says. Nor will overwriting work on disks with advanced storage-management features, she says. "For example, the use of RAID means that data is written to multiple locations for fault tolerance, which means that remnants of the data are scattered in the enterprise storage architecture," Tero says.
Security practitioners point out that while overwriting is cost effective, it's not free. "Overwriting is definitely cheaper [than other methods], but you still have to have the headcount to manage it, so there are costs there," Harkins says.
By following standards created by the Department of Defense and the National Institute of Standards and Technology, "you can be pretty sure the [overwritten] data will be unreadable and unusable," Harkins says. "There are studies I've seen where people will prove that they can find stuff on drives that are overwritten. But I think if you follow the standards you greatly minimize the likelihood that that would be the case."
Still, Harkins says, overwriting is by no means foolproof. There are areas where errors might occur and the data might not be fully overwritten. "In the wrong hands, someone might still be able to recover the data," he says.
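The overwrite-and-verify step the paragraphs above describe, written out as an added example; it is not code from the article or from any of the organizations quoted. It treats an ordinary file as a stand-in for a block device (the file name, the sizes and the random contents are constructed for the demo), writes a single fixed pattern over the whole extent, forces the writes to stable storage, reads every byte back, and returns an audit record of the kind a regulator or auditor would ask for. Run against a real device node the same read-back check would still not reach regions the drive itself hides, such as host-protected areas, which is the limit the article notes.

```python
"""Single-pass overwrite with read-back verification and an audit record.

Added example for the article's overwriting discussion; not the article's
or any vendor's code. A plain file stands in for the storage medium.
"""
import json
import os
import tempfile
import time

PATTERN_BYTE = 0x00   # one fixed pattern; a single full pass is what the article says suffices
CHUNK = 1 << 20       # 1 MiB per write/read


def verify_pattern(path, pattern_byte=PATTERN_BYTE, chunk=CHUNK):
    """Read every byte of `path` and compare it with the pattern.
    Returns (all_match, first_mismatch_offset, bytes_checked)."""
    block = bytes([pattern_byte]) * chunk
    offset = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return True, None, offset
            if data != block[:len(data)]:
                bad = next(i for i, b in enumerate(data) if b != pattern_byte)
                return False, offset + bad, offset + bad
            offset += len(data)


def overwrite_and_verify(path, pattern_byte=PATTERN_BYTE, chunk=CHUNK):
    """Overwrite the whole extent of `path` in place, force it to stable
    storage, then read it back. Returns an audit record as a plain dict."""
    size = os.path.getsize(path)
    block = bytes([pattern_byte]) * chunk
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())

    # Pass 1: cover the entire extent, not just areas marked as deleted.
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(block[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # the write is not done until it has left the page cache

    # Pass 2: the quality-assurance read-back the article says overwriting
    # is ineffective without.
    ok, first_bad, checked = verify_pattern(path, pattern_byte, chunk)
    return {
        "target": os.path.abspath(path),
        "size_bytes": size,
        "pattern": "0x%02x" % pattern_byte,
        "passes": 1,
        "bytes_verified": checked,
        "verified": ok,
        "first_mismatch_offset": first_bad,
        "started_utc": started,
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def run_demo(size):
    """Build a constructed 'drive image' of random bytes in a temp dir, note
    whether it already matches the pattern (it should not), sanitize it and
    return (record, matched_before)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")  # constructed stand-in for a device
    with open(image, "wb") as f:
        f.write(os.urandom(size))
    matched_before = verify_pattern(image)[0]
    record = overwrite_and_verify(image)
    return record, matched_before


if __name__ == "__main__":
    rec, _ = run_demo(3 * 1024 * 1024 + 123)  # odd size exercises the final partial chunk
    print(json.dumps(rec, indent=2))
```

The record deliberately carries the verified byte count and the first mismatch offset rather than a bare pass/fail, so a failed verification points at the region a second pass or a different method must cover.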
Degaussing is the removal or reduction of the magnetic field of a storage disk or drive. It's done using a device called a degausser, which is specifically designed for the medium being erased.
When applied to magnetic storage media such as hard disks, magnetic tape or floppy disks, the process of degaussing can quickly and effectively purge an entire storage medium.
A key advantage to degaussing is that it makes data completely unrecoverable, making this method of destruction particularly appealing for dealing with highly sensitive data.
On the negative side, Rothke says, strong degausser products can be expensive and heavy, and they can have especially strong electromagnetic fields that can produce collateral damage to vulnerable equipment nearby.
In addition, degaussing can create irreversible damage to hard drives. It destroys the special servo control data on the drive, which is meant to be permanently embedded. Once the servo is damaged, the drive is unusable.
"Degaussing makes data unrecoverable, but it can damage certain media types so that they are no longer usable," Harkins says. "So if you're reusing [those media] this may not be the right method."
Once disks are rendered inoperable by degaussing, manufacturers may not be able to fix drives or honor replacement warranties and service contracts, Tero says.
There's also the issue of securing media during the process of degaussing. "If there are strict requirements that prevent exit of failed and decommissioned media from the data center, then the organization must assign physical space in the data center to secure the media and equipment for the disk eradication" process, Tero says.
The effectiveness of degaussing can depend on the density of drives, Harkins says. "We encountered that issue three or four years ago with hard drives in laptops," he says.
"Because of [technology] changes in hard drives and the size of them, we found that some of the degaussing capabilities [were] diminishing over time."
How effective the method is also depends on the people doing the degaussing. "If people make mistakes, then your control gets diminished," Harkins says. "Let's say the person responsible for degaussing drives was supposed to do it for 15 minutes, but they have to go to lunch so they put it in for five minutes instead. You could have breakdowns like that." But he concedes that all three methods are susceptible to human error.
Organizations can physically destroy data in a number of ways, such as disk shredding, melting or any other method that renders physical storage media unusable and unreadable.
One of the biggest advantages of this method is that it provides the highest assurance of absolute destruction of the data. There's no likelihood that someone will be able to reconstruct or recover the data from a disk or drive that's been physically destroyed.
On the downside, physical destruction can be a costly way to get rid of data, given the high capital expenses involved.
"Physical destruction [is] an expensive and not a fiscally sustainable long-term strategy," Tero says. "The approach also contravenes an organization's green and sustainability programs."
But Intel has found that physical destruction is an efficient method of getting rid of data when transporting storage media for degaussing is not practical or secure.
For example, when the company needed to wipe data from thousands of drives in multiple locations, its choices were to either degauss at multiple sites, which would have been costly, or ship the drives to a single location, which would have been risky if the drives got into the wrong hands.
The company ended up stockpiling thousands of old drives while pondering how to destroy them in a way that was not prohibitively expensive but that still resulted in the complete destruction of the data. Intel had been working with scrap contractors that melt down and reclaim precious metals, and someone came up with the idea of having them melt down the hard drives and recycle the metal.
"There was no cost impact to the IT budget, and it was also green because the metals were getting recycled," Harkins says.
However, Harkins points out that the effectiveness of physical destruction methods depends on how much of the medium was actually destroyed. "I might still worry about drilling holes in a hard drive," which might render the drive unusable but not destroy the data that's left in unaffected spaces, he says.