Every business works with data stored on tapes, hard disks and other electronic media devices. In most cases, it’s only accessible by authorized parties - but that doesn’t mean it’s fully secure. There is the potential for the data to escape, and these breaches can result in hefty fines and, more importantly, damage to your organization’s reputation.
Handling data properly at the end of a device’s life is paramount to avoiding this. So what are the main considerations for the safe disposal of data?
- Clearing and purging
- Data and regulatory considerations
- Hard drive destruction
- SSD concerns
- Maintaining your records
1. Clearing and purging
Clearing and purging are two procedures associated with the NIST 800-88 standard that you can use to ensure IT assets can be safely disposed of with regard to the data they hold:
- Clearing, typically done by overwriting, prevents other users from recovering data using software.
- Purging prevents other users from recovering data using specialized laboratory techniques.
Clearing usually involves overwriting the hard drive. Purging is the same but includes executing internal hard drive commands - known as firmware-based erasure.
Overwriting data is a commonplace method of ensuring security while disposing of data, but it isn't a full guarantee.
However, without ‘state of the art’ methods for data recovery, clearing is enough to keep data inaccessible. In some cases involving incredibly sensitive data, purging is the only method of choice, as it renders data inaccessible even to advanced recovery techniques.
2. Data and regulatory considerations
When disposing of data, have you considered what type of data it is? Personally Identifiable Information (PII) is one of the most critical types. It can include bank account details or healthcare information, which can be incredibly compromising for individuals if it falls into the wrong hands.
The type of data you’re trying to dispose of, be it PII or something even more confidential, will influence the disposal method you use. Most data types only need an overwrite for the asset to be deemed safe for disposition.
Exceptionally sensitive data may require something more, like physical destruction. In either case, these scenarios are covered by the US National Institute of Standards and Technology Cybersecurity Framework. NIST 800-88 Rev. 1 addresses the Clear method of data sanitization by stating:
“For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state-of-the-art laboratory techniques are applied to attempt to retrieve the data.”
Overwriting works by writing ones and zeros onto all sectors that exist within the device. When it comes to regulatory compliance within data destruction, you need to be assured your clearing or purging has been done accurately and completely. This means your process should verify and certify data has been overwritten.
Overall, the type of data you’re disposing of and the regulations that apply to you will help determine the most appropriate method of disposal.
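One way to carry out the "verify and certify" step for a Clear-level overwrite, as an added example that is not from the original article or from NIST: it reads back every sector, checks it against the zero pattern, and builds a record of the result. The sector size, record field names, asset tag and the temporary image standing in for a drive are all assumptions; a read-back like this only sees addressable sectors, so it says nothing about SSD overprovisioning areas.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed logical sector size

def verify_overwrite(path, pattern=b"\x00", max_report=5):
    """Read back every addressable sector and compare it to the fixed pattern."""
    expected = pattern * (SECTOR // len(pattern))
    total, bad, first_bad, digest = 0, 0, [], hashlib.sha256()
    with open(path, "rb") as dev:
        while chunk := dev.read(SECTOR):
            digest.update(chunk)
            if chunk != expected[:len(chunk)]:
                bad += 1
                if len(first_bad) < max_report:
                    first_bad.append(total)
            total += 1
    return {"sectors_read": total, "mismatched": bad, "first_mismatches": first_bad,
            "sha256": digest.hexdigest(), "verified": total > 0 and bad == 0}

def sanitization_record(asset_tag, media_type, result, operator):
    """Record kept for compliance; field names are illustrative assumptions."""
    return {
        "asset_tag": asset_tag, "media_type": media_type, "operator": operator,
        "method": "Clear: single overwrite pass, binary zeros",
        "verification": "full read-back of addressable sectors",
        "result": "PASS" if result["verified"] else "FAIL",
        "sectors_read": result["sectors_read"],
        "mismatched_sectors": result["mismatched"],
        "readback_sha256": result["sha256"],
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def make_image(sectors, residue_at=None):
    """Constructed stand-in for a wiped drive; can leave one sector unwiped."""
    data = bytearray(sectors * SECTOR)
    if residue_at is not None:
        start = residue_at * SECTOR
        data[start:start + 12] = b"CUSTOMER-PII"  # constructed leftover data
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    for residue in (None, 37):  # a clean wipe, then one missed sector
        img = make_image(64, residue)
        rec = sanitization_record("ASSET-0001", "magnetic HDD", verify_overwrite(img), "j.doe")
        print(json.dumps(rec, indent=2))
        os.remove(img)
```

A single sector that does not match the pattern turns the record's result to FAIL, so the asset stays in the disposal queue instead of being certified.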
3. Hard drive destruction
Another option is physically destroying media storage devices. Data can be destroyed by the following methods:
- Degaussing is where an electromagnetic pulse of 9000 Oersteds (a magnetic field strength) is applied to the drive. This is almost twice the level of the coercivity of today’s drives so all information is effectively erased from the storage device. This also means the hard drive is made completely inoperable and can’t be reused. Note that this process does not work on SSDs.
- Puncturing is a very physical process of destruction. Drives are placed into a machine and are punctured with multiple pins, annihilating the data contained within. Once this process is complete, the drive is left full of holes. Again, after this, drives are completely unable to be reused. This process is often leveraged for SSD drives that have multiple chips inside that are punctured during this process.
- Similar to puncturing, shredding is where hard drives are physically shredded. Shredding can be used for many storage devices, from spindle drives to SSD drives, USBs, SIM cards and SD cards. The leftover waste can then be recycled. Shred sizes can vary based on your organization’s requirements.
Destruction is a safe and reliable way of destroying data and is a process that should be carried out by a trusted professional who can verify and provide certification that the data has been properly destroyed and disposed of.
4. SSD concerns
As laptops became more popular and widespread, so too did solid-state drives (SSDs). These differ from conventional hard drives in that their data is stored upon interconnected flash-memory chips, in contrast to the magnetic coating which stores data in hard drives. Now, for your average storage devices, a single overwrite pass will prevent data from being recoverable.
However, with SSDs, this is a little trickier. Degaussing doesn’t work as SSDs don’t store data magnetically. SSDs also contain non-addressable overprovisioning areas where data can be left behind even when overwritten. This means a single overwriting pass might not work and must include specialized commands or tools so the overwrite reaches all sectors.
While overwriting is usually done to reuse the storage device, multiple passes cause problems. If multiple passes are needed, this can cause premature wear to the SSD, shortening its lifespan. This consideration is all about remembering that not every data disposal method works for every disposal device. You have to match the method to the media type.
5. Maintaining your records
During any data disposal, you need to maintain records of decommissioning, wiping or destruction for compliance purposes. As a part of that, you need to ensure you do not have any assets that have been misplaced either before or after disposal. This happened in a breach which made the news recently, where drives were misplaced before disposal. Consequently, the brand in question is facing multiple lawsuits and substantial fines.
It is paramount to maintain proper records of who's responsible for decommissioning or disposing of data and where the assets are within the disposal process. Working with an organization that offers an experienced data destruction service can help you in this process, accurately managing and securing your obsolete assets.
Ensuring safe data destruction
There’s a lot to consider when it comes to disposing of your data. Is it confidential? Where does it reside? Are you looking to reuse assets after sanitization? What media types are there to consider? At TES, we are here to help you both answer your questions and remain compliant with data privacy laws. To learn more about data destruction and what we can do to help, get in touch with TES today.