Best Practices for the Destruction of Digital Data
As we can see from this thread, there are many different opinions about the best means to eliminate legacy data. Yet none cite any active standard or recognized best practice, and all are subjective to what the writer has experienced. So, why are there such varying views on the best practice for the destruction of digital data? This is due to the mass of confusing guidance out in the wild. Between potentially biased vendor claims, outdated standards, and often half-baked and potentially dangerous personal opinions, it is clear that there is a general misunderstanding about the proper means to assure that data is properly purged.
So, how does one determine the true best practices for data destruction? This is not as simple as it may seem. With a lack of common criteria, many look for reliable guidance published by an authoritative source that presents practice pertinent to the user's specific needs. Although this may sound pretty straightforward, it is not always as simple as it appears.
Considering the often referenced US DoD 5220M guidance, the methods prescribed are outdated, and if anyone bothers to read the 2006 amendment, it will be noted that the DoD refers readers to build their policies on information provided by the National Institute of Standards and Technology in its Special Publication 800-88. SP800-88 is a good start for those looking to define their sanitization policy. As a document containing guidance from government, private and academic sources, the information presented arms the reader with qualified reference for the establishment of data sanitization specific to the user's own environment.
Like cars or food, no one method can be deemed the right way to sanitize data. What I mean by this is that depending on the nature of the contents of the user's drive, and their regulatory obligations to protect this data, the means to handle a device can vary from simply repurposing the device within a department, to the use of clear-based overwrite software, to the need to purge on site and physically destroy the drive using technology that reduces the media surface to particulate no larger than 1/250th of an inch. It is entirely subjective to the data classification, which determines the method necessary to sanitize data of that specific security level.
Looking at the common techniques available, we can see that there are 3 levels of sanitization (as referenced by NIST), these being CLEAR, PURGE and DESTROY, each with different levels of effectiveness and handling issues.
CLEAR is typically conducted by overwriting the data storage regions of the drive with sequences of obfuscating data. This can be patterns of like or random data, or many passes with varying patterns, as is prescribed in DoD5220. As a Clear technology, the contents of the drive ARE subject to recovery by laboratory or forensic effort. Likewise, as software is often incapable of accessing the Protected Service Areas (PSA) of the drive, information will often be left in the Host Protected Area and in G-List sectors.
PURGE based technologies include Secure Erase and Degaussing. Degaussing is the practice of exposing the media surface to sufficient levels of magnetic energy to achieve coercion of the individual data bits. This practice, although effective when properly conducted, does have a few concerns. Specifically, as drives increase in capacity, the energy required for effective coercion increases. As such, the means to degauss a current production high capacity drive will require a device upward of $50,000 USD that may not be best suited for use in a common office. Add to this the fact that this is a connectionless technology, and that the electromechanical components are often deactivated before the media surface is effectively sanitized, and the means to validate proper sanitization becomes a very complicated and costly process. Effectively, the operator of the degausser should be trained and aware of the capabilities of the machine, so that only devices that the degausser can effectively purge are processed.
Secure Erase is a standards based purge technology that is embedded in all ATA compliant devices produced from 2001 onward. Developed at the University of California San Diego's Center for Magnetic Recording Research in conjunction with 6 major drive manufacturers, and with the guidance of the NSA, SE is a command based process that purges data from all storage regions of the media surface, including PSA information (HPA, G-LIST and DCO). This technology is the most effective means to purge data from a drive short of physical destruction. As an added bonus, the device is reusable at the end of the process. Recognized by most governments as an effective data purge technology, and driven by the need to find green alternatives to eWaste production, the use of SE is becoming a more popular option for most.
SE is not without issues. As a command based process, many BIOS and system vendors have inhibited SE from being communicated to the drive. This is a cautionary measure to assure that no malware or virus code invokes SE and eliminates the user's data in the blink of an eye. Due to these concerns, the commercial application of SE as software has not become a reality. Accordingly, the most effective means to launch SE is through the use of purpose built appliances such as that manufactured by Ensconce Data Technology of Portsmouth, New Hampshire (www.deadondemand.com). In an appliance model, SE is not limited by host incompatibilities, and the SE process is assured to purge all media surface data storage regions. Currently, the EDT Digital Shredder is contracted for procurement (on standing offer) by Canadian Federal Government clients for the next 3 years, and is in use by a wide range of government, banking and enterprise clients worldwide.
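Two of the points above (an overwrite tool cannot reach sectors hidden behind an HPA, and a host or BIOS can freeze the drive so that the SE command is rejected) can be checked before a sanitization job starts. The following preflight check is an added example written for this post, not code from the author's guide or any product: it parses the "Security:" section of `hdparm -I` output and the capacity line of `hdparm -N`, both given here as constructed sample text in hdparm's layout rather than captured from a real drive.

```python
import re

# Constructed sample in the layout of the "Security:" section of `hdparm -I`
# output (not captured from a real drive); hdparm separates "not" from the flag
# with a tab, and a frozen drive shows "frozen" instead of "not\tfrozen".
SAMPLE_IDENTIFY_FROZEN = (
    "Security:\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
)
# Constructed sample in the layout of `hdparm -N`: host-visible/native sector counts.
SAMPLE_HPA_ENABLED = " max sectors   = 976756784/976773168, HPA is enabled\n"


def parse_identify_security(text):
    """Return the set of flag lines under 'Security:', whitespace-normalised."""
    flags, in_section = set(), False
    for raw in text.splitlines():
        if raw.startswith("Security:"):
            in_section = True
        elif in_section and raw and not raw[0].isspace():
            break                              # next un-indented section
        elif in_section:
            flags.add(" ".join(raw.split()))   # "not\tfrozen" -> "not frozen"
    return flags


def hidden_sectors(hpa_text):
    """Sectors hidden by an HPA: native max minus host-visible max (0 if none)."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hpa_text)
    return int(m.group(2)) - int(m.group(1)) if m else 0


def sanitization_warnings(identify_text, hpa_text):
    """Pre-flight findings to record before a CLEAR overwrite or an SE purge."""
    flags, hidden, out = parse_identify_security(identify_text), hidden_sectors(hpa_text), []
    if hidden:
        out.append(f"HPA hides {hidden} sectors that a software overwrite (CLEAR) will not reach")
    if "supported" not in flags:
        out.append("ATA Security feature set absent: Secure Erase (PURGE) unavailable on this path")
    elif "frozen" in flags:
        out.append("drive is security frozen by the host/BIOS: SECURITY ERASE UNIT will be rejected")
    if "supported: enhanced erase" in flags:
        out.append("enhanced erase available: prefer ENHANCED SECURITY ERASE UNIT over the normal mode")
    return out
```

On a live system the two inputs would come from `hdparm -I /dev/sdX` and `hdparm -N /dev/sdX`; the warnings belong in the job record so that a CLEAR run on a drive with an HPA, or an SE attempt on a frozen drive, is never logged as a completed sanitization.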
PHYSICAL DESTRUCTION seems like a quick and easy means to assure data loss, but like the other technologies, it has its share of issues as well. Aside from the potential for personal harm when doing it yourself, professionally contracted services need to be evaluated as well. In environments where high level classified data is handled, the sanitization policy will often dictate that the device is processed using a means that assures the data will never be recovered, by any means. Sounds simple... well, perhaps not. If the device is to be shredded, the media surface must be ground to a screen size of no larger than 1/250th of an inch. This is a diameter slightly smaller than a complete data block, the smallest recoverable particle of data. Smelting at a proper facility will surely accomplish this, but not all contractors offer such services.
As effective physical destruction is not readily available at most offices, contracted services for off-site destruction are often engaged. However, handing off unprotected storage hardware to a contractor, or their carrier, poses a very significant liability for the owner of the data. The potential for the loss of the storage asset in the hands of a third party should be a very serious concern. Should a device go missing from a delivery, it will be the asset owner making the mandatory disclosure, not the carrier or the contractor. How often does this occur? More often than might be expected. One need only go to attrition.org and download their DLDOS database for a current list of third party and owner based data loss events.
For a current list of physical destruction recommendations ranging from reliable to half-baked, one need only go to YouTube and search on the topic. The array of schemes presented is astounding.
Now a bit about me: I am a partner at Converge Net, a Canadian service provider that specializes in the delivery of secure, efficient distributed networks. Our clients range from large enterprise to government. In an effort to aid our clients in establishing reliable security policy, I collected all available guidance from academic, gov, and industry sources and, with the collaboration of a variety of industry experts, co-authored a guide titled 'The Best Practices for the Destruction of Digital Data' along with Dr. Gordon Hughes of the UCSD CMRR. This 55 page guide includes references to current and valid practice, and provides the concepts and references necessary for the development and justification of effective sanitization practice by security professionals, using practice that is suitable for specific security levels.
I welcome anyone interested in this guide to contact me at firstname.lastname@example.org for a personal copy at no cost. Likewise, presentations on the paper are available on request.
Sorry for the wordy post.... I am just passionate about the topic.