Light Dark
August 17, 2020 By Mike Elgan 3 min read
Data Protection
Risk Management

Data security means keeping data out of the wrong hands. This is especially important when storage media is no longer usable and needs to be decommissioned. The data must be truly destroyed, for both security and compliance. 

The trouble is ‘deleting’ data doesn’t really delete data. It’s still possible to extract data from a device that has been deleted, re-formatted and even damaged physically. The highest form of data destruction makes it unreadable on the device, then destroys the device. But, how do you make data truly unreadable? 

What is Data Destruction? 

The amount of data enterprises manage and secure is growing fast. The problem also grows because of procrastination born of cheap storage and overworked staff. This is bad security and bad compliance. 

Forget deleting and reformatting. Deleting merely frees up the space taken by the deleted files for use by other data. The ‘deleted’ files can be easily recovered until those spaces are overwritten. Reformatting simply deletes the entire drive or partition. Overwriting, or wiping, replaces old data with new, arbitrary data. And, it’s better than deleting. But, it might miss some data. 

The best method for making data unreadable is degaussing, which exposes magnetic storage devices (hard drives, magnetic tape, floppy disks, etc.) to a high-intensity magnetic field of alternating amplitude. Degaussing not only erases data, but also destroys the device. 

Degaussing creates two problems. First, it’s not effective for solid state drives (SSDs). Second, degaussing is unverifiable. Because the drive is ruined, the deletion of data cannot be confirmed.  Additionally, wiping could be incomplete, and degaussing can’t be verified.

Good data deletion calls for destruction. 

Let’s Get Physical

The best general practice for end-of-life data destruction calls for degaussing magnetic media, wiping solid state media and physically destroying each with the appropriate shredder. 

Many companies use the same process for destroying hard drives and SSDs. This is a mistake. Degaussing doesn’t work on SSDs. Do not rely on hard disk shredders, which can leave SSD chips readable. National Security Agency (NSA) internal policy demands SSD bits to be reduced to 2 mm or less.

Time For a New Data Destruction Policy

Every organization needs a clear decommissioning policy. The policy should be carried out by someone experienced in end-of-life decommissioning of digital assets and should not be foisted on already over-tasked IT generalists.

If any of this work is outsourced to an information technology asset disposition (ITAD) service, it’s important to thoroughly vet whomever is involved in the chain of custody. In-house or outsourced, your decommissioning policy should prescribe the following: 

  • Detailed IT asset inventory
  • Thorough logging of the entire decommissioning process
  • A comprehensive backup of stored data
  • A process of disconnection of the device — subnets, firewalls, networks and power
  • Degaussing of all magnetic media
  • Wiping of all solid state media
  • Physical destruction of all media
  • Recorded proof of the destruction
  • Requirements for cloud providers and their data destruction policies
  • Responsible recycling of destroyed storage media materials

Crush… but Verify

Know the regulations relevant to you, such as Europe’s General Data Protection Regulation (GDPR), California’s California Consumer Protection Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the NSA’s rules. These policies around the handling of classified data and other regulations mandate true data destruction policies and practices for consumer, financial or government data. And, the fines are hefty. 

The deep end of the data destruction pool is data sanitization, which combines absolute and irrevocable destruction of data and tamper-proof verification. Highly regulated industries require sanitization and this work has to be carried out by experienced specialists. 

But whatever your process and whoever does it, the end result should include certificates of sanitization, documentation of a clear audit trail and satisfaction of regulatory compliance in writing.

In a nutshell, fully destroy data on decommissioned media for security, and verify it all for compliance. 

 |  |  | 
Mike Elgan

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature