Drive Destruction vs. Data Erasure: Which Data Disposal Method is Most Secure?

Oct 31, 2019 Blog Article

Drives that have been used in a highly protected and confidential information system will need to be retired eventually, even if the data on those drives gets transferred to another storage device.

In this situation, making stored data permanently inaccessible will be critical during the decommissioning process. How do you make sure your highly sensitive data is completely destroyed at end-of-life? We take a look at physical destruction methods such as shredding and degaussing, as well as secure data erasure.

Vivian Cullipher: Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco's communications and content manager, she supports the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.

Decommissioning Drives with Confidential Data? Select the Right Data Disposal Method for Your Business

Drives that have been used in a highly protected and confidential information system will at some point need to be retired, even if the data on those drives gets transferred to another storage device. If you're facing this situation, making stored data permanently inaccessible will be critical during the decommissioning process. Even if the once-valuable data is now obsolete or trivial to your organization, it can still be a goldmine for hackers and black market data brokers.

Whatever the catalyst for drive disposal, an organization risks data leakage if data can be found or reconstructed from discarded storage devices. That could lead to heavy fines from regulators and lawsuits by those affected, not to mention financial loss and reputational damage.

Three Types of Sanitization: Which Data Destruction Method Is Right for You?

Blancco defines data sanitization as the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable, a definition in line with Gartner's Hype Cycles. A device that has been sanitized has no usable residual data: even with the assistance of advanced forensic tools, the data cannot be recovered.

According to Gartner, there are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure.

We address the pros and cons of cryptographic erasure in our white paper, “The Crypto Erase Conundrum: What’s Your Organization’s Risk Tolerance?” But in an era where shredding drives and degaussing are often the “go to” methods of final drive destruction, how do you know the best sanitization method for your organization—and whether to choose between physical destruction or data erasure for your most sensitive information?

Determining How Much Data Protection You Need

If you’ve already determined that your data storage devices require the utmost in protection at end-of-life, feel free to jump to the end of the post for our recommendation on how to treat your storage devices at that time.

Otherwise, to determine how secure your data disposal processes need to be and whether to choose data erasure vs. physical destruction, consider the following:

Data Confidentiality and Impact

Data security rests on three fundamental objectives: Confidentiality, Integrity and Availability. Among other places, these are outlined in the U.S. document Federal Information Processing Standards (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems." Created in response to the Federal Information Security Management Act (FISMA) of 2002, this publication from the National Institute of Standards and Technology (NIST) rates the potential impact of a loss of each of these three attributes (low, moderate, high) when determining the amount of protection a system and its data need.

When it comes to end-of-life data protection, Confidentiality is the chief concern. This is particularly true when unauthorized data exposure could cause great financial loss, brand damage or other harm if the data were made available to the wrong people.

Persistence of Data Sensitivity

Will the sensitivity of your data quickly age out? In other words, just because the data is sensitive now, will its value diminish quickly enough that it will soon be worthless to nearly everyone?

Or will the information you need to protect still be considered high-risk or highly confidential for months or years to come?

This can be important to consider as data recovery techniques advance and data recovery tools and skills become more commonplace. These factors may also influence whether you want to meet or exceed bare minimum regulation requirements.

For data that will remain sensitive or valuable for some time, you’ll want to know that you’ve successfully removed all data from devices and device fragments for both now and in the future.

Drive Final Destination

When it comes to high-risk data storage, moving devices from a more securely protected data environment to a lesser one is risky. The decision-making flow chart found in NIST Special Publication 800-88, Guidelines for Media Sanitization, can be a big help in determining next steps (see our NIST Quick Guide for an overview of the chart).

Typically, even if the data on an old drive was previously declared confidential, the risk of exposure to external parties is lower when the drive is to be reused within the same organization.

Even so, the drive must be thoroughly sanitized in a way that protects the data while preserving the life of the drive. This allows a drive previously used by say, the finance department, to be redistributed to a different department without fear of employee salaries and bank account information being exposed internally.

However, once drives leave the organization, the organization is no longer in control of any potential data access. Any residual data may be exposed long after the organization has relinquished it to other owners.

Determination and Capabilities of Your Adversary

The truth is, any of the three data sanitization procedures—data erasure, cryptographic erasure, physical destruction—can provide adequate data protection for most needs for most organizations if executed properly from the beginning to the end of the process.

Costs, environmental impact and the ability to reuse your devices will differ, of course. But for any enterprise especially concerned about protecting data at end-of-life, trouble occurs when any of these data disposal methods are executed incorrectly.

At that point, data sanitization remains incomplete and the data is still recoverable by someone with adequate know-how and the right tools. The value of your data, how much of a target your organization's data may be, and the capabilities of those who would benefit from your data must also be considered as you weigh your risk and choose your data disposal methods.

Subversive data access methods can be divided into two primary categories:

  1. A more basic approach ("ordinary means," in NIST's terms) that recovers data through the device's standard hardware interface, using nothing more than a host computer and software, or
  2. A more advanced approach ("extraordinary means") that uses forensic or laboratory techniques, such as working directly on the platters or flash chips.

With the most notorious data access crimes committed by well-funded teams of malicious actors (rogue nation states, crime syndicates, etc.), advanced data recovery using extraordinary means can be a very real possibility if your data is valuable.

A Look at Physical Destruction

So how do you ensure that your highly sensitive data is undoubtedly, permanently and completely destroyed at end-of-life?

The answer: Use a combination of physical destruction and secure data erasure for end-of-life drives that have stored your most confidential, high-risk data.

Effective and Ineffective Physical Destruction

Physical destruction is a valid data disposal option. But it’s unnervingly easy to take missteps that can put your data at risk.

Other Physical Destruction Risks

Whatever physical destruction method is chosen, other risks remain even when the correct data disposal process is followed precisely for each drive type.

For instance, in any physical destruction scenario, unless you have rock-solid chain of custody measures in place, you introduce the risk of loss or theft simply by giving a third-party data destruction service access to your devices. Whether destruction is conducted at your facility with mobile shredders or degaussers, or the drives are transported to an IT asset disposal (ITAD) facility for final physical destruction, there is risk in relying on this method alone because there are many points along the way where a drive can go missing.

In its Assured Service (Sanitisation) scheme (CAS-S), a scheme for companies wishing to provide sanitization services to owners of highly classified government data, the U.K.'s National Cyber Security Centre cautions agencies to ensure adequate protections at each stage of the data destruction process. One way to do this is to carefully vet the vendors providing drive destruction services: ensure secure transit of drives, check for adequate staff clearance, require a clear audit trail for each device from receipt through sanitization to disposal, confirm that all equipment is in good working order, and confirm that all staff are well trained in the correct drive destruction and verification processes.

Applying these practices when looking for a data destruction vendor will help ensure that you’ve minimized the chances of data being susceptible to breach and provided assurances that you are working with a reputable vendor that is highly expert in protecting your data.

Combining Physical Destruction with Secure Data Erasure

Physically destroying hard drives, computers, mobile devices and other storage devices is viscerally satisfying.

Data erasure's security and effectiveness can be objectively verified without destroying the device itself, but there is still something reassuring about seeing drives mangled beyond recognition. Because subpar execution of physical destruction can leave data vulnerable, it is still wise to first perform secure, complete and verified data erasure on any device that has held confidential data.

After devices have been erased, then you can safely reuse or destroy them without fearing human error, unintentional loss, or deliberate hacking.

Removing this confidential data can happen in live environments or be applied to hundreds or even thousands of drives onsite. This immediate, software-based data sanitization protects your data at decommissioning, reinforces the chain of custody, and shields your sensitive information through any transit or storage time, because the data is simply no longer there.

One caution:

At an industry level, there are also faulty implementations of "wiping" data from hard drives. Overwriting may not reach all sectors: areas hidden behind a host protected area (HPA) or device configuration overlay (DCO), sectors the drive has remapped as defective, and over-provisioned or wear-levelled blocks on SSDs are not reachable by a simple software overwrite through the normal address space. Manufacturers' built-in sanitization commands (such as ATA Secure Erase) have also, in some firmware, been implemented incorrectly and left data behind.

Lesser attempts at removing data, such as reformatting or simply deleting files, are completely inappropriate for even slightly sensitive data, since they only remove file system references and the underlying data can be recovered fairly easily with common tools.

Just as care should be taken when selecting a drive destruction provider, it’s important to choose your data erasure solution carefully, and insist on both erasure verification and an audit-ready, tamper-proof report.
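As an added illustration of the two points above (an overwrite that never reached part of the drive, and why read-back verification matters), here is a small verification script. It is not Blancco's code and not from the original article; it scans a drive image sector by sector up to the drive's real capacity and reports any sector that does not match the expected wipe pattern. The drive image, its "visible" capacity and the hidden area holding leftover data are all constructed inline for the demonstration.

```python
"""Added example: read-back verification of a wiped drive, including space the
wiping tool never reached. Constructed for illustration; not Blancco code."""
import os
import tempfile

SECTOR = 512  # bytes per logical block (assumed 512-byte sectors)


def find_residual_sectors(image_path, native_size, pattern_byte=0x00,
                          chunk_sectors=2048):
    """Scan image_path from LBA 0 up to native_size bytes and return a list of
    (lba, first_16_bytes) for every sector that is not filled with pattern_byte.

    native_size should be the drive's *native* capacity (e.g. from
    'hdparm -N' / 'hdparm --dco-identify' on ATA drives), not the size the OS
    reports: an HPA or DCO shrinks what the OS sees, and a wipe that trusted
    the reported size leaves the hidden tail untouched.
    """
    expected = bytes([pattern_byte]) * SECTOR
    residual = []
    with open(image_path, "rb") as f:
        lba = 0
        while lba * SECTOR < native_size:
            want = min(chunk_sectors * SECTOR, native_size - lba * SECTOR)
            data = f.read(want)
            if not data:          # image shorter than the claimed native size
                break
            for off in range(0, len(data), SECTOR):
                sec = data[off:off + SECTOR]
                if sec != expected[:len(sec)]:
                    residual.append((lba + off // SECTOR, sec[:16]))
            lba += (len(data) + SECTOR - 1) // SECTOR
    return residual


def build_demo_image(path, visible_sectors=64, hidden_sectors=8):
    """Constructed scenario: the wiping tool zero-filled the 64 sectors the OS
    could see, but the drive has 8 more sectors behind a host protected area,
    and the first of those still holds a fragment of confidential data."""
    leftover = b"ACCT 1234-5678 salary data".ljust(SECTOR, b"\x00")  # constructed
    with open(path, "wb") as f:
        f.write(b"\x00" * visible_sectors * SECTOR)   # what the wipe reached
        f.write(leftover)                             # hidden, never overwritten
        f.write(b"\x00" * (hidden_sectors - 1) * SECTOR)
    return visible_sectors, hidden_sectors


def demo():
    """Verify the same image twice: against the reported size (looks clean) and
    against the native size (finds the leftover sector).
    Returns (residual sectors seen with reported size,
             residual sectors seen with native size,
             LBA of the first residual sector or None)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        visible, hidden = build_demo_image(path)
        reported_view = find_residual_sectors(path, visible * SECTOR)
        native_view = find_residual_sectors(path, (visible + hidden) * SECTOR)
        first_lba = native_view[0][0] if native_view else None
        return len(reported_view), len(native_view), first_lba
    finally:
        os.remove(path)


if __name__ == "__main__":
    clean_count, real_count, lba = demo()
    print(f"residual sectors (reported size): {clean_count}")
    print(f"residual sectors (native size):   {real_count}, first at LBA {lba}")
```

The point of the two passes is that a verifier fed the same capacity figure the wiping tool used will happily report "clean"; only a verifier that knows the drive's native capacity catches the untouched tail. On real hardware the hidden region would be exposed by removing the HPA/DCO first, and on SSDs the remapped and over-provisioned blocks are not addressable this way at all, which is why firmware-level sanitize commands plus independent verification, rather than a plain overwrite, are needed there.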

Blancco data erasure software has been tested, certified, approved, and recommended by 13+ governing bodies around the world. Our data erasure software erases to 25+ standards and provides certificates of erasure to meet security and regulatory compliance requirements. And, our patented SSD solution handles functionality differences across a myriad of SSD vendors.

So What is the Most Effective Method of Data Disposal?

We are confident that Blancco Data Erasure Solutions provide all you need for permanent, secure data sanitization, rendering your data completely unrecoverable. However, if your organization mandates or prefers physically destroying your old data storage devices, weigh your destruction methods and vendor options carefully. Then, use the points in this article to advocate adding data erasure as an extra layer of protection against future data access.

Not bound to physical destruction methods? See how much you could save by completely and irretrievably destroying data with secure data erasure.

Plug the number of drives to be decommissioned into our Data Erasure vs. Physical Destruction Calculator today.