November 19, 2020 By George Platsis 4 min read

As discussed in an earlier piece, data should be treated as a valuable currency. But there is another aspect to data handling that needs to be considered: data as a liability. Having your data fall into the wrong hands can be incredibly damaging to you and your team, which is all the more reason to have a sound and secure data destruction policy for the last mile.

The Time Value of Data

Unlike a brick of gold, or cold, hard cash, there may come a day where you want to destroy your data. There are many honest reasons for that, including regular maintenance of your systems, legal rules or the data becoming obsolete. Obsolete to you, anyway; remember, another person might want it. That’s another reason why destruction is such an important piece of data handling.

So let’s start with some things you, as a person, can do to help ensure data is properly destroyed. Then, we’ll look at some larger enterprise solutions. Broadly speaking, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) breaks the proper disposal of electronic devices into three groups: deleting data, overwriting and destruction.

Encryption from the Get Go

Encryption isn’t necessarily data destruction, but it’s a darn good fail-safe out of the gate. It will also make things easier in case something goes wrong in the actual destruction process. And, it’s something everyone can do. It’s simple, and should be done as a default, which is why we’re starting off with it. For best practices, look to NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) and FIPS 140-2 (Security Requirements for Cryptographic Modules). If you’re in the government space or industries, such as financial or health services, you should definitely know FIPS 140-2.

Overwriting is Your Friend

Again, this tactic is not really a form of secure data destruction on its own, but it is a helpful practice that should be part of any good data destruction policy. Since data can be recovered, make that process hard. The gold standard here is the Department of Defense’s wipe standard, known through its formal name as DoD 5220.22-M. Think of it as the rules for data shredding, summing up how to re-write those zeroes and ones so they can’t be recovered. 

 The “three-pass” overwrite rule goes like this:

  • Pass one: Write a 0 and verify.
  • Pass two: Write a 1 and verify.
  • Pass three: Write a random character and verify.

This should cover most business needs, but if you want overkill, the ‘seven-pass’ overwrite rule starts the same as the ‘three-pass’ rule. Pass four is another random character, and then repeat passes one through three. Don’t forget to undergo a verification step at the end of whichever pass rule you use.

Degaussing: Breaking that Magnetic Connection

We’re now getting into the real destruction zone. These tactics may require some support from your employer. A degaussing tool is one of the best methods for secure destruction, but there is a caveat here: degaussing applies only to magnetic drives. Solid-state drives (SSD), where particle size matters immensely, have their own procedures we’ll discuss later.

Unlike SSD, those things that spin — hard drives and tapes — have something in common: magnetic fields. Those itsy bitsy magnetic pieces, and how they are arranged, is what allows for immense amounts of binary information to be stored. Here’s the catch: those pieces need to be kept in a specific order, hence the magnetic field. Get rid of the magnetic bond, or blast the storage with a high-intensity magnetic field, and your ability to arrange those tiny pieces goes bye bye. The drive is basically inoperable and it is impossible to retrieve the data.

You could purchase commercial magnetic degaussers and degaussing tools. If you are in the market for one, the National Security Agency/Central Security Service (NSA/CSS) has made a list of reputable and approved products available online.

Guarantee Data Destruction With Physical Obliteration 

Degaussing is great, but does nothing for SSD. Therefore, if you really want to ensure your data is destroyed, you need to obliterate it. When it comes to SSD, this is pretty much your only solution. But you should also do similar for magnetic and optical media if you want to ensure you have all your bases covered.

There are two best practices gold standards here that should be followed: NIST Special Publication 800-88 (Guidelines for Media Sanitization) and the NSA/CSS Policy Statement 9-12 (NSA/CSS Storage Device Sanitization). Both these documents describe, in detail, the procedures and exact specifications for data destruction, down to the millimeter and cutting angles. 

To get a sense of the level of destruction we are talking about, these are some of the types of procedures discussed:

  • Incineration
  • Embossing/knurling
  • Disintegration
  • Shredding
  • Cutting
  • Burning
  • Chopping, pulverizing and wet pulping

If you want to go full paranoia, remember that heat matters. If you’re not satisfied with degaussing and shredding, welcome to smelting. Find out what metals are in the storage device and what their Curie point is (the point where a metal loses all its magnetic properties). We’re talking some serious heat here, anywhere from 400 to 1,200 degrees Celsius. Do not do this at home!

Cover Yourself: Get Proof of Data Destruction

Proper record keeping can be a lifesaver when it comes to liability reduction. Third-party providers, often referred to as information technology asset disposition (ITAD) businesses, offer secure data destruction services. But be sure the ones you use offer a certificate of destruction and other crucial evidence that the destruction has occurred. Also, be conscious of their environmental practices.

Things to look for:

  • Their legal compliance
  • Certificates or logs of secure transport, handling, tracking and storage
  • Photo or video evidence of destruction

Think chain of custody here. If you need to comply with legal and regulatory standards, make sure you have all the documents that detail your due diligence. Know which regulations apply to you.

Data Destruction Bonus Round: Cleaning the Cloud

With the increasing use of the cloud to store data, remember two things. If you have destroyed your own storage, but a copy of the data is still in the cloud, you haven’t completely destroyed the data. And, you don’t own the physical infrastructure where your data is hosted.

Where you store your data ultimately is a business and risk tolerance decision that impacts your cybersecurity resilience. That means when you’re picking your cloud service provider, make sure they meet your data destruction standards also. It is completely within your rights to ask what sort of deletion, overwriting and data destruction policies and standards they use, including in which jurisdiction your data will be hosted.

In closing, don’t forget about that last mile of secure data destruction and storage decommissioning in the data handling life cycle. You don’t want to get everything else right and stumble before the finish line.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today