Tuesday, May 18, 2010

The Proper Destruction of Data


Data (non-random strings of one and zero bits) are by necessity mated with physical storage media when at rest. Data becomes information when the bits can be interpreted for some useful purpose, which is all well and good, but information has a lifecycle in which its usefulness declines over time. Some information may have a very long planned lifetime (such as a permanent newspaper archive), but other information may have data retention periods measured in weeks, months, or a number of years less than a decade.
Whenever its retention period ends, data should simply go away. There are numerous practical and strategic reasons why this is the case. From the perspective of storage capacity management, logical deletion frees up capacity and eases management processes. But what happens if the information was sensitive or confidential? Logical deletion normally removes only the file system's references to the data; the underlying blocks are left intact, and unless they are overwritten with new data the old data can most likely be recovered. That is unacceptable.
However, the end of the data retention period is not the only time that sensitive or confidential information may be exposed to unauthorized third parties. Say that an IT organization wishes to replace older disk drives with newer ones at the end of a lease period. Or a disk drive may have enough problems (such as bad blocks) that it needs to be returned for a replacement under warranty.
If the replacement is planned, the data can be migrated to new physical media, but copying the data does not remove it from the original media; actual data destruction has to be a conscious decision that involves more work than mere logical deletion. If the replacement is unplanned, say due to the sudden mechanical failure of a hard disk drive (HDD), all the data remains on the failed drive as it was originally unless steps are taken to destroy it.
Data Destruction – Best Practices Meet Common Sense
But how should organizations go about the data destruction process? Until recently the National Industrial Security Program Operating Manual (NISPOM, DoD 5220.22-M) gave U.S. government guidelines for "media sanitization," which is the public sector term for data destruction. Now the "Guidelines for Media Sanitization" (NIST Special Publication 800-88) from the National Institute of Standards and Technology lists the recommendations that government agencies should follow.
While private organizations need not follow these guidelines, the recommendations are logical and straightforward. Although a large number of electronic storage media are covered including HDDs, mobile computing devices, and memory devices, the Publication does not (and recognizes that it cannot) identify all current and future devices. For example, Fibre Channel (FC) drives are notably absent. As a result, organizations need to follow the guidelines with both common sense and best practices.
The Publication describes three levels of media sanitization: clearing, purging, and destroying. Clearing is designed to protect against a robust keyboard attack. That is, the data must not be retrievable with data, disk, or file recovery utilities, whether by simple keystroke recovery efforts from standard input devices or by more sophisticated data scavenging tools. Overwriting the media with non-sensitive data is the recommended practice for clearing, and for ATA drives over 15 GB manufactured after 2001 the Publication considers a single overwrite pass adequate; the multi-pass patterns of the older DoD manual are not required. Note that an overwrite issued from the host reaches only the sectors the drive currently exposes; sectors the drive has remapped as bad are not rewritten.
Purging is a process designed to protect data against a laboratory attack, in which highly trained people and sophisticated signal processing equipment are used to recover data from media taken out of their normal operating environment, such as standalone Winchester disk drives. Winchester drives, the design used in essentially all hard disk drives today, encapsulate the disk platters together with the read/write mechanism in a sealed unit.
Purging ranks as the highest level of security that does not involve physical destruction of the media. That means the hard drives can be reused with new data, so the investment in the drives is protected. For drives that have been removed from their normal operating environment, the Publication recommends purging with the ATA Secure Erase command. Secure Erase runs inside the drive firmware, so it reaches sectors a host-side overwrite cannot (including sectors the drive has remapped as bad), and in the process it performs both the clearing and the purging functions. It is available on most ATA drives over 15 GB that were manufactured after 2001. Two practical cautions: the drive must not be in the ATA security "frozen" state (which many BIOSes set at boot) or it will reject the command, and the result should still be verified by reading the drive back, since a firmware report of success is not evidence on its own.
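As an added example (not code from the article, nor from DestructData or CPR Tools), the following Python script models what a purge tool has to do around the clearing and purging steps described above: read the drive's ATA Security state from `hdparm -I` output to decide whether firmware Secure Erase is usable, build the two-step hdparm command sequence, fall back to a host-side overwrite (clearing), read the medium back to verify the result, and emit an audit record. The hdparm flags are the real ones for the ATA Security feature set; the sample hdparm output, the function names and the audit-record layout are this example's own assumptions, and the demonstration runs against a scratch file rather than a real device.

```python
"""Clear/purge helper with verification and an audit record.
Added example: not the article's code, nor DestructData's or CPR Tools'.
The hdparm flags are real; sample output, names and record layout are assumed."""
import hashlib
import json
import os
import re
import socket
import tempfile
import time

# Constructed excerpt of `hdparm -I /dev/sdX` for a drive that supports
# Secure Erase and is not frozen (a frozen drive rejects SECURITY ERASE UNIT).
SAMPLE_HDPARM_I = """\
        Serial Number:      WD-EXAMPLE0001
Security:
                supported
        not     enabled
        not     locked
        not     frozen
                supported: enhanced erase
        30min for SECURITY ERASE UNIT. 30min for ENHANCED SECURITY ERASE UNIT.
"""

def parse_security(hdparm_output):
    """ATA Security state that decides whether a firmware purge is usable."""
    info = {"serial": None, "supported": False, "enhanced": False, "frozen": False}
    m = re.search(r"Serial Number:\s*(\S+)", hdparm_output)
    info["serial"] = m.group(1) if m else None
    _, sep, tail = hdparm_output.partition("Security:")
    if sep:
        lines = [re.sub(r"\s+", " ", l.strip()) for l in tail.splitlines()]
        info["supported"] = "supported" in lines
        info["enhanced"] = "supported: enhanced erase" in lines
        info["frozen"] = "frozen" in lines    # "not frozen" is a different line
    return info

def secure_erase_commands(dev, password="p", enhanced=True):
    """argv for the two-step ATA Secure Erase via hdparm (built here, not run).
    A user password must be set first: SECURITY ERASE UNIT is accepted only
    while security is enabled, and a completed erase clears the password."""
    erase = "--security-erase-enhanced" if enhanced else "--security-erase"
    return [["hdparm", "--user-master", "u", "--security-set-pass", password, dev],
            ["hdparm", "--user-master", "u", erase, password, dev]]

def overwrite_clear(path, block=1 << 20, fill=b"\x00"):
    """Software clear: overwrite every addressable byte of `path` with `fill`.
    Only LBAs the drive exposes are reached; reallocated sectors and any
    HPA/DCO-hidden area are not, so this is clearing rather than purging."""
    size = os.path.getsize(path)
    chunk = fill * (block // len(fill))
    with open(path, "r+b") as fh:
        for off in range(0, size, len(chunk)):
            fh.write(chunk[:size - off])       # slicing caps the final partial chunk
        fh.flush()
        os.fsync(fh.fileno())
    return size

def first_residual(chunk, fill=b"\x00"):
    """Index of the first byte of `chunk` that is not the fill byte, or -1."""
    rest = chunk.lstrip(fill)
    return -1 if not rest else len(chunk) - len(rest)

def verify_cleared(path, block=1 << 20, fill=b"\x00", max_report=10):
    """Read the whole medium back; return (ok, offsets where old data survives)."""
    bad, off = [], 0
    with open(path, "rb") as fh:
        while len(bad) < max_report:
            chunk = fh.read(block)
            if not chunk:
                break
            i = first_residual(chunk, fill)
            if i >= 0:
                bad.append(off + i)
            off += len(chunk)
    return (not bad), bad

def audit_record(dev, method, serial, verified, residual, started, finished):
    """Audit-trail record; the SHA-256 covers every other field."""
    rec = {"device": dev, "serial": serial, "method": method,
           "host": socket.gethostname(), "started": started,
           "finished": finished, "verified": verified, "residual_offsets": residual}
    rec["record_sha256"] = hashlib.sha256(
        json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec

def demo_on_temp_file():
    """Clear and verify a scratch file standing in for a block device."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"CONFIDENTIAL " * 100_000)     # ~1.3 MB of stand-in data
    os.close(fd)
    stamp = lambda: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    started = stamp()
    overwrite_clear(path)
    ok, residual = verify_cleared(path)
    os.unlink(path)
    return audit_record(path, "overwrite-zero", None, ok, residual, started, stamp())

if __name__ == "__main__":
    print(json.dumps(parse_security(SAMPLE_HDPARM_I), indent=2))
    print(json.dumps(demo_on_temp_file(), indent=2))
```

On a real drive, run `hdparm -I` yourself, pass its output to `parse_security`, and only issue the commands from `secure_erase_commands` (as root) when `supported` is true and `frozen` is false; a frozen drive usually needs a suspend/resume cycle before the command is accepted. After a normal (non-enhanced) Secure Erase or a zero overwrite the user area reads back as zeros, so `verify_cleared` applies directly; enhanced erase writes a vendor-defined pattern, so set `fill` to that pattern or verify by reading back and confirming the original data is gone.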
Another purging process, degaussing, uses a strong magnetic field to destroy data on magnetic media such as HDDs and tape; the degausser must be rated for the coercivity of the media being erased. Naturally, degaussing cannot be used on optical media such as CDs and DVDs, nor on flash-based media such as SSDs, which store nothing magnetically. Degaussing a hard drive also destroys the servo tracks and the firmware data stored on the platters, so the drive can no longer be used to read and write data even though it has not been physically destroyed.
Finally, destroying is a process typically reserved for circumstances where absolute destruction of data is required. In these cases, physical storage media is rendered beyond the point where any data could be recovered by either a keyboard or a laboratory attack, no matter how sophisticated. Disintegration, incineration, pulverization, and melting are processes that completely destroy the data along with the physical media.
Clearing, purging, and destroying are applied to whole pieces of media rather than to selected pieces of information such as files. In cases of planned data destruction (unplanned destruction, such as sending a failed hard disk back for warranty work, cannot be scheduled), IT therefore has to plan in advance to confine sensitive and confidential information to as few pieces of media as possible. At the same time, IT should try to keep the end of the data retention period as nearly the same as possible for all the data on a given piece of media, so that a whole device can be sanitized when its data expires.
DestructData — Solutions for IT
Of course a number of software tools and hardware solutions (such as degaussing equipment) exist for helping IT cope with data destruction processes. One company at the forefront of this emerging market (especially in light of all the attention to data security breaches) is DestructData, the exclusive distributor of products made by CPR Tools, an engineering company with deep expertise in data recovery and data destruction.
DestructData’s Hammer is a portable standalone device that purges PATA/SATA hard drives using the drives’ built-in Secure Erase command (or a CPR Tools utility for drives that lack Secure Erase capability). The Hammer process includes both verification that the data has been removed and an audit trail, information that may be required for organizational or legal reasons.
DestructData’s SCSI Hammer can connect directly to and purge four hard drives at once, or can connect to a disk array with up to 30 drives and purge them simultaneously without the need to remove them from the enclosure. Verification that the data has been erased, together with the audit trail that is produced, allows the erased drives to be reused with fresh data.
Though the ability to erase Fibre Channel (FC) drives is conspicuously absent from the Hammer solution family, DestructData says that capability is on the horizon. DestructData also offers the DX-CD2 Data Destroyer. This device grinds the data layer off a CD-ROM to a depth of 250 microns, which leaves the data beyond forensic recovery. This approach is superior to typical methods such as dimpling, shredding, and disintegration, which can leave 15% to 100% of the digital data in recoverable form. Of course, the disc is no longer usable to store data, but hey, the plastic can be sold if there is enough of it.
DestructData also offers PSIClone, a standalone, hand-held data recovery lab for difficult-to-recover data. Forensic investigators and others can use PSIClone to recover good data from media that is damaged or appears to have been destroyed in accidents such as fire, flood, or a head crash on a disk. However, PSIClone cannot recover data purged with DestructData’s Hammer or SCSI Hammer.
Summary
With all the hullabaloo about data breaches and the need to maintain data privacy, coupled with compliance regulations in general and the need to dispose of data in a way that meets the requirements of the Federal Rules of Civil Procedure, more and more attention is going to be paid to data destruction. Large companies with many data devices where either the data or the media has reached end of life will find this type of technology useful as an in-house capability. However, some of these companies, as well as smaller businesses (and even individuals), may turn to third-party service professionals to help them with media sanitization.
Because of the increasing importance of performing media sanitization properly, devices from companies such as DestructData are going to be considered very carefully. DestructData makes products that meet whichever level of media sanitization (clearing, purging, or destroying) is necessary.

By David Hill, Mesabi Group