Decommissioning Drives with Confidential Data? Select the Right Data Disposal Method for Your Business
Drives that have been used in a highly protected and confidential information system will at some point need to be retired, even if the data on those drives gets transferred to another storage device. If you’re facing this situation, making stored data permanently inaccessible will be critical during the decommissioning process, because even if the once-valuable data is completely obsolete or trivial to your organization now, it can still be a goldmine for hackers and black market data brokers.
Whatever the catalyst for drive disposal, an organization risks data leakage if data can be found or reconstructed from discarded storage devices. That could lead to heavy fines from regulators and lawsuits by those affected, not to mention financial loss and reputational damage.
Three Types of Sanitization
Blancco defines data sanitization as the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable—a definition in line with Gartner’s 2019 Hype Cycles. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered.
According to Gartner, there are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure.
We address the pros and cons of cryptographic erasure in our white paper, “The Crypto Erase Conundrum: What’s Your Organization’s Risk Tolerance?” But in an era where shredding drives and degaussing are often the “go to” methods of final drive destruction, how do you know the best sanitization method for your organization—and whether to choose between physical destruction or data erasure for your most sensitive information?
Determining How Much Data Protection You Need
If you’ve already determined that your data storage devices require the utmost in protection at end-of-life, feel free to jump to the end of the post for our recommendation on how to treat your storage devices at that time.
Otherwise, to determine how secure your data disposal processes need to be and whether to choose data erasure vs. physical destruction, consider the following:
- Data Confidentiality and Impact
- Persistence of Data Sensitivity
- Drive Final Destination
- Determination and Capabilities of Your Adversary
Data Confidentiality and Impact
Data security rests on three fundamental objectives: Confidentiality, Integrity and Availability. Among other places, these are outlined in the U.S. document, Federal Information Processing Standards (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems (PDF).” Created in response to the Federal Information Security Management Act (FISMA) of 2002, this publication from the National Institute of Standards and Technology (NIST) weighs each of these three attributes according to risk of impact (low, moderate, high) when determining the amount of data protection needed.
- If sensitive data is accessed inappropriately, does this breach of Confidentiality have a low, moderate or high level of impact to the organization or its stakeholders?
- If the data is falsified, used to misdirect users to imposter websites, somehow destroyed or the Integrity of the data is otherwise compromised, what is the level of harm that could result?
- In the cases of websites going down or denial of service attacks, what is the level of impact when data Availability no longer exists?
When it comes to end-of-life data protection, Confidentiality is the chief concern. This is particularly true when unauthorized data exposure could cause great financial loss, brand damage or other harm if made available to the wrong people.
Persistence of Data Sensitivity
Will the sensitivity of your data quickly age out? In other words, just because the data is sensitive now, will its value diminish quickly enough that it will soon be worthless to nearly everyone? Or will the information you need to protect still be considered high-risk or highly confidential for months or years to come? This can be important to consider as data recovery techniques advance and data recovery tools and skills become more commonplace. These factors may also influence whether you want to meet or exceed bare minimum regulation requirements. For data that will remain sensitive or valuable for some time, you’ll want to know that you’ve successfully removed all data from devices and device fragments for both now and in the future.
Drive Final Destination
When it comes to high-risk data storage, moving devices from a more securely protected data environment to a lesser one is risky. The decision-making flow chart found in NIST’s Guidelines for Media Sanitization can be a big help in determining next steps (see our NIST Quick Guide for an overview of the chart).
Typically, even if the data on an old drive has been previously declared confidential, if it is to be reused within the same organization, the risk of data exposure to external parties is lower. Even so, the drive must be thoroughly sanitized in a way that protects the data while preserving the life of the drive. This allows a drive previously used by say, the finance department, to be re-distributed to a different department without fear of employee salaries and bank account information being exposed internally.
However, once drives leave the organization, the organization is no longer in control of any potential data access. Any residual data may be exposed long after the organization has relinquished it to other owners.
Determination and Capabilities of Your Adversary
The truth is, any of the three data sanitization procedures—data erasure, cryptographic erasure, physical destruction—can provide adequate data protection for most needs for most organizations if executed properly from the beginning to the end of the process. Costs, environmental impact and the ability to reuse your devices will differ, of course. But for any enterprise especially concerned about protecting data at end-of-life, trouble occurs when any of these data disposal methods are executed incorrectly.
At that point, data sanitization remains incomplete and data is still recoverable by someone with adequate know-how and the right tools. The value of your data, how much of a target your organization’s data may be and the capabilities of those who would benefit from your data must also be considered as you weigh your risk and choose your data disposal methods.
Subversive data access methods can be divided into two primary categories: 1) A more basic approach (“ordinary means” according to NIST) that allows keyboard access via a standard hardware interface or 2) A more advanced approach (“extraordinary means”) that uses forensic or laboratory techniques. With the most notorious data access crimes committed by well-funded teams of malicious actors (rogue nation states, crime syndicates, etc.), advanced data recovery using extraordinary means can be a very real possibility if your data is valuable.
A Look at Physical Destruction
So how do you ensure that your highly sensitive data is undoubtedly, permanently and completely destroyed at end-of-life?
The answer: Use a combination of physical destruction and secure data erasure for end-of-life drives that have stored your most confidential, high-risk data.
Effective and Ineffective Physical Destruction
Physical destruction is a valid data disposal option. But it’s unnervingly easy to take missteps that can put your data at risk.
- Degaussing – Intended to demagnetize hard disk drives (HDDs), degaussing doesn’t apply to solid-state drives (SSDs)—at all. So, if you send a batch of drives for degaussing assuming they’re all HDDs, you may unwittingly send several SSDs (or hybrid drives with SSD components) laden with sensitive information. When finally disposed of or recycled, the SSDs will still have all their original data. What’s more, not all degaussing machines are adequate to the task of demagnetizing all HDDs. If using this method at all, we recommend checking for degaussers approved by your region’s security authorities (e.g., the NSA publishes NSA/CSS Evaluated Products List for Magnetic Degaussers)—and being diligent about separating drive types. Note that even with approved degaussers, additional destructive methods are often recommended to achieve true sanitization.
- Shredding, Grinding, Pulverizing – While HDD destruction can be accomplished with larger shred sizes, drive destruction machines must be adequate to break apart the incredibly small but data dense chips within SSDs. The U.K.’s National Cyber Security Centre advocates a particle size of 6mm, while the U.S.’s National Security Agency advocates an even smaller shred size of no larger than 2mm—the size of the edge of a U.S. nickel. The data density of SSD chips means that larger pieces could harbor readable, accessible data. Even with hard disk drives, the NSA maintains the 2mm maximum shred size before disks can be considered sanitized. For all drive types, the idea is to shred small enough so that recreating the data from fragments would be impossible. Additional security comes from mixing the particles with those of other drives.
Other Physical Destruction Risks
Whatever physical destruction method chosen, there are still other risks, even if the correct data disposal processes are followed precisely for each drive type.
For instance, in any physical destruction scenario, unless you have rock-solid chain of custody measures in place, you introduce risk of loss or theft simply by giving a third-party data destruction service access to your devices. Whether destruction is conducted at your facility with mobile shredders or degaussers, or transported to an IT asset disposal (ITAD) facility for ultimate physical destruction, there’s risk in relying on this method alone since there are many points of vulnerability.
In its Assured Service (Sanitisation) scheme (CAS-S), a scheme offered for companies wishing to provide sanitization services to owners of highly classified government data, the U.K.’s National Cyber Security Centre cautions its agencies to ensure adequate protections along each aspect of the data destruction process. One way to do this is to carefully vet the vendors providing drive destruction services: ensuring secure transit of drives, checking for adequate staff clearance, providing a clear audit trail of each device from receipt through sanitization and on to disposal, ensuring that all equipment is in good working order and ensuring all staff are well trained in the correct drive destruction and verification processes.
Applying these practices when looking for a data destruction vendor will help ensure that you’ve minimized the chances of data being susceptible to breach, and will give you assurance that you are working with a reputable vendor with deep expertise in protecting your data (consider starting with a Blancco partner).
Combining Physical Destruction with Secure Data Erasure
Physically destroying hard drives, computers, mobile devices and other storage devices is viscerally satisfying. While there’s mental acknowledgement and objective verification of data erasure’s security and effectiveness, there’s something reassuring about seeing drives mangled beyond recognition. But, as you can see, in many circumstances, data may still be recoverable. For these reasons, it’s wise to consider first performing secure and complete data erasure on any device used for confidential data. Removing confidential data can happen in live environments or be applied to hundreds or even thousands of drives onsite. With a thorough chain of custody process in place, secure data erasure can also happen at your ITAD’s facility. After devices have been erased, then you can safely destroy them without fearing human error, unintentional loss or deliberate hacking.
One caution: At an industry level, there are also faulty implementations of “wiping” data from hard drives: overwriting may not reach all sectors (they may be hidden or damaged), or manufacturers’ built-in sanitization processes may not be implemented correctly. Lesser attempts at removing data, such as reformatting or simply deleting files, are completely inappropriate for even slightly sensitive data, since the data can be recovered fairly easily.
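As an added example (not Blancco’s software or code from this post), the following Python scans a constructed drive image sector by sector after an overwrite and reports both sectors that still hold residual data and sectors that could not be read, because a sector the overwrite skipped or a damaged sector that nobody checked is exactly how a wipe fails silently. The image, the filler data and the simulated read errors are all constructed here for illustration.

```python
"""Verify that an overwrite actually reached every sector of a drive image.

Added example, not vendor code. The image is constructed in memory; on a
real device you would supply a read_sector callback over the block device.
"""
from typing import Callable, List, Tuple

SECTOR = 512  # bytes per sector (assumed 512n sector size)


def make_test_image(sectors: int, dirty: List[int]) -> bytes:
    """Constructed sample: an all-zero (wiped) image where a few sectors
    were never reached by the overwrite and still hold recognisable data."""
    buf = bytearray(sectors * SECTOR)
    filler = (b"ACCT 00112233 SALARY 85000;" * 32)[:SECTOR]  # fake residue
    for s in dirty:
        buf[s * SECTOR:(s + 1) * SECTOR] = filler
    return bytes(buf)


def image_reader(image: bytes, bad: List[int]) -> Callable[[int], bytes]:
    """Sector reader over an in-memory image; sectors listed in `bad`
    simulate damaged sectors that raise an I/O error when read."""
    def read(s: int) -> bytes:
        if s in bad:
            raise OSError(f"simulated I/O error reading sector {s}")
        return image[s * SECTOR:(s + 1) * SECTOR]
    return read


def verify_overwrite(read_sector: Callable[[int], bytes], sectors: int,
                     pattern: bytes = b"\x00") -> Tuple[List[int], List[int]]:
    """Scan every sector and return (residual, unreadable).

    residual   - sectors whose content differs from the overwrite pattern
    unreadable - sectors that raised a read error; the overwrite cannot be
                 confirmed there, so they count against the wipe too.
    """
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    residual, unreadable = [], []
    for s in range(sectors):
        try:
            data = read_sector(s)
        except OSError:
            unreadable.append(s)
            continue
        if data != expected:
            residual.append(s)
    return residual, unreadable


def wipe_passes(residual: List[int], unreadable: List[int]) -> bool:
    """A wipe is only verified when no sector is dirty or unverifiable."""
    return not residual and not unreadable
```

A real verification would read the whole device this way rather than sampling, and a non-empty unreadable list is a reason to fall back to physical destruction rather than to declare the drive sanitized.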
Just as care should be taken when selecting a drive destruction provider, it’s important to choose your data erasure solution carefully.
Blancco data erasure software has been tested, certified, approved and recommended by 15+ governing bodies around the world. Our data erasure software erases to 25+ standards and provides tamper-proof reports to meet security and regulatory compliance requirements. And, our patented SSD solution handles functionality differences across a myriad of SSD vendors.
So What is the Most Effective Method of Data Disposal?
We are confident that Blancco Data Erasure Solutions provide all you need for permanent, secure data sanitization, rendering your data completely unrecoverable. However, if your organization mandates or prefers physically destroying your old data storage devices, weigh your destruction methods and vendor options carefully. Then, use the points in this article to advocate adding data erasure as an extra layer of protection against future data access.
Not bound to physical destruction methods? See how much you could save by completely and irretrievably destroying data with secure data erasure.
Plug the number of drives to be decommissioned into our Data Erasure vs. Physical Destruction Calculator today.