As discussed in an earlier piece, data should be treated as a valuable currency. But there is another aspect to data handling that needs to be considered: data as a liability. Having your data fall into the wrong hands can be incredibly damaging to you and your team, which is all the more reason to have a sound and secure data destruction policy for the last mile.
The Time Value of Data
Unlike a brick of gold, or cold, hard cash, there may come a day where you want to destroy your data. There are many honest reasons for that, including regular maintenance of your systems, legal rules or the data becoming obsolete. Obsolete to you, anyway; remember, another person might want it. That’s another reason why destruction is such an important piece of data handling.
So let’s start with some things you, as a person, can do to help ensure data is properly destroyed. Then, we’ll look at some larger enterprise solutions. Broadly speaking, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) breaks the proper disposal of electronic devices into three groups: deleting data, overwriting and destruction.
Encryption from the Get Go
Encryption isn’t necessarily data destruction, but it’s a darn good fail-safe out of the gate. It will also make things easier in case something goes wrong in the actual destruction process. And, it’s something everyone can do. It’s simple, and should be done as a default, which is why we’re starting off with it. For best practices, look to NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) and FIPS 140-2 (Security Requirements for Cryptographic Modules). If you’re in the government space or industries, such as financial or health services, you should definitely know FIPS 140-2.
Overwriting is Your Friend
Again, this tactic is not really a form of secure data destruction on its own, but it is a helpful practice that should be part of any good data destruction policy. Since data can be recovered, make that process hard. The gold standard here is the Department of Defense’s wipe standard, known through its formal name as DoD 5220.22-M. Think of it as the rules for data shredding, summing up how to re-write those zeroes and ones so they can’t be recovered.
The “three-pass” overwrite rule goes like this:
- Pass one: Write a 0 and verify.
- Pass two: Write a 1 and verify.
- Pass three: Write a random character and verify.
This should cover most business needs, but if you want overkill, the ‘seven-pass’ overwrite rule starts the same as the ‘three-pass’ rule. Pass four is another random character, and then repeat passes one through three. Don’t forget to undergo a verification step at the end of whichever pass rule you use.
Degaussing: Breaking that Magnetic Connection
We’re now getting into the real destruction zone. These tactics may require some support from your employer. A degaussing tool is one of the best methods for secure destruction, but there is a caveat here: degaussing applies only to magnetic drives. Solid-state drives (SSD), where particle size matters immensely, have their own procedures we’ll discuss later.
Unlike SSD, those things that spin — hard drives and tapes — have something in common: magnetic fields. Those itsy bitsy magnetic pieces, and how they are arranged, is what allows for immense amounts of binary information to be stored. Here’s the catch: those pieces need to be kept in a specific order, hence the magnetic field. Get rid of the magnetic bond, or blast the storage with a high-intensity magnetic field, and your ability to arrange those tiny pieces goes bye bye. The drive is basically inoperable and it is impossible to retrieve the data.
You could purchase commercial magnetic degaussers and degaussing tools. If you are in the market for one, the National Security Agency/Central Security Service (NSA/CSS) has made a list of reputable and approved products available online.
Guarantee Data Destruction With Physical Obliteration
Degaussing is great, but does nothing for SSD. Therefore, if you really want to ensure your data is destroyed, you need to obliterate it. When it comes to SSD, this is pretty much your only solution. But you should also do similar for magnetic and optical media if you want to ensure you have all your bases covered.
There are two best practices gold standards here that should be followed: NIST Special Publication 800-88 (Guidelines for Media Sanitization) and the NSA/CSS Policy Statement 9-12 (NSA/CSS Storage Device Sanitization). Both these documents describe, in detail, the procedures and exact specifications for data destruction, down to the millimeter and cutting angles.
To get a sense of the level of destruction we are talking about, these are some of the types of procedures discussed:
- Chopping, pulverizing and wet pulping
If you want to go full paranoia, remember that heat matters. If you’re not satisfied with degaussing and shredding, welcome to smelting. Find out what metals are in the storage device and what their Curie point is (the point where a metal loses all its magnetic properties). We’re talking some serious heat here, anywhere from 400 to 1,200 degrees Celsius. Do not do this at home!
Cover Yourself: Get Proof of Data Destruction
Proper record keeping can be a lifesaver when it comes to liability reduction. Third-party providers, often referred to as information technology asset disposition (ITAD) businesses, offer secure data destruction services. But be sure the ones you use offer a certificate of destruction and other crucial evidence that the destruction has occurred. Also, be conscious of their environmental practices.
Things to look for:
- Their legal compliance
- Certificates or logs of secure transport, handling, tracking and storage
- Photo or video evidence of destruction
Think chain of custody here. If you need to comply with legal and regulatory standards, make sure you have all the documents that detail your due diligence. Know which regulations apply to you.
Data Destruction Bonus Round: Cleaning the Cloud
With the increasing use of the cloud to store data, remember two things. If you have destroyed your own storage, but a copy of the data is still in the cloud, you haven’t completely destroyed the data. And, you don’t own the physical infrastructure where your data is hosted.
Where you store your data ultimately is a business and risk tolerance decision that impacts your cybersecurity resilience. That means when you’re picking your cloud service provider, make sure they meet your data destruction standards also. It is completely within your rights to ask what sort of deletion, overwriting and data destruction policies and standards they use, including in which jurisdiction your data will be hosted.
In closing, don’t forget about that last mile of secure data destruction and storage decommissioning in the data handling life cycle. You don’t want to get everything else right and stumble before the finish line.