As discussed in an earlier piece, data should be treated as a valuable currency. But there is another aspect to data handling that needs to be considered: data as a liability. Having your data fall into the wrong hands can be incredibly damaging to you and your team, which is all the more reason to have a sound and secure data destruction policy for the last mile.

The Time Value of Data

Unlike a brick of gold, or cold, hard cash, there may come a day when you want to destroy your data. There are many honest reasons for that, including regular maintenance of your systems, legal rules or the data becoming obsolete. Obsolete to you, anyway; remember, another person might want it. That’s another reason why destruction is such an important piece of data handling.

So let’s start with some things you, as a person, can do to help ensure data is properly destroyed. Then, we’ll look at some larger enterprise solutions. Broadly speaking, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) breaks the proper disposal of electronic devices into three groups: deleting data, overwriting and destruction.

Encryption from the Get Go

Encryption isn’t necessarily data destruction, but it’s a darn good fail-safe out of the gate. It will also make things easier in case something goes wrong in the actual destruction process. And, it’s something everyone can do. It’s simple, and should be done as a default, which is why we’re starting off with it. For best practices, look to NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) and FIPS 140-2 (Security Requirements for Cryptographic Modules). If you’re in the government space or in industries such as financial or health services, you should definitely know FIPS 140-2.

Overwriting is Your Friend

Again, this tactic is not really a form of secure data destruction on its own, but it is a helpful practice that should be part of any good data destruction policy. Since data can be recovered, make that process hard. The gold standard here is the Department of Defense’s wipe standard, formally known as DoD 5220.22-M. Think of it as the rules for data shredding, summing up how to re-write those zeroes and ones so they can’t be recovered.

The “three-pass” overwrite rule goes like this:

  • Pass one: Write a 0 and verify.
  • Pass two: Write a 1 and verify.
  • Pass three: Write a random character and verify.

This should cover most business needs, but if you want overkill, the ‘seven-pass’ overwrite rule starts the same as the ‘three-pass’ rule. Pass four is another random character, and then passes one through three are repeated. Don’t forget to perform a verification step at the end of whichever pass rule you use.
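The three-pass and seven-pass rules above, sketched as an added Python example (not code from any standard or vendor tool). It assumes "a 0" and "a 1" mean all-zero and all-one bytes (0x00 and 0xFF), works on a single file rather than a whole device, and uses hypothetical names such as `wipe_file` and a constructed temp file as sample input.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20                      # work in 1 MiB blocks
THREE_PASS = (0x00, 0xFF, None)      # assumed: all-0 bits, all-1 bits, None = random
SEVEN_PASS = THREE_PASS + (None,) + THREE_PASS   # pass four random, then 1-3 again


def overwrite_pass(f, size, pattern):
    """Overwrite `size` bytes of open file f, then read back and compare digests."""
    written, readback = hashlib.sha256(), hashlib.sha256()
    f.seek(0)
    for start in range(0, size, CHUNK):
        n = min(CHUNK, size - start)
        block = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        f.write(block)
        written.update(block)
    f.flush()
    os.fsync(f.fileno())             # push this pass to the device before verifying
    f.seek(0)
    # The read-back may be served from the OS page cache rather than the device.
    for chunk in iter(lambda: f.read(CHUNK), b""):
        readback.update(chunk)
    return readback.digest() == written.digest()


def wipe_file(path, passes=THREE_PASS):
    """Run every pass in order over path, in place; return per-pass verify results."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        return [overwrite_pass(f, size, p) for p in passes]


def demo():
    """Wipe a constructed temp file with the seven-pass scheme."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample secret " * 1000)
    try:
        results = wipe_file(tmp.name, SEVEN_PASS)
        with open(tmp.name, "rb") as f:
            leftover = f.read()
    finally:
        os.remove(tmp.name)
    return results, leftover


if __name__ == "__main__":
    print(demo()[0])
```

An in-place file overwrite only reaches the original blocks when the file system and drive write in place; on SSDs and on journaling or copy-on-write file systems, old copies can remain, so whole-device sanitization still applies.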

Degaussing: Breaking that Magnetic Connection

We’re now getting into the real destruction zone. These tactics may require some support from your employer. A degaussing tool is one of the best methods for secure destruction, but there is a caveat here: degaussing applies only to magnetic drives. Solid-state drives (SSDs), where particle size matters immensely, have their own procedures we’ll discuss later.

Unlike SSDs, those things that spin — hard drives and tapes — have something in common: magnetic fields. Those itsy bitsy magnetic pieces, and how they are arranged, are what allow immense amounts of binary information to be stored. Here’s the catch: those pieces need to be kept in a specific order, hence the magnetic field. Get rid of the magnetic bond, or blast the storage with a high-intensity magnetic field, and your ability to arrange those tiny pieces goes bye bye. The drive is basically inoperable and it is impossible to retrieve the data.

You could purchase commercial magnetic degaussers and degaussing tools. If you are in the market for one, the National Security Agency/Central Security Service (NSA/CSS) has made a list of reputable and approved products available online.

Guarantee Data Destruction With Physical Obliteration 

Degaussing is great, but does nothing for SSDs. Therefore, if you really want to ensure your data is destroyed, you need to obliterate it. When it comes to SSDs, this is pretty much your only solution. But you should also do the same for magnetic and optical media if you want to ensure you have all your bases covered.

There are two gold standards here that should be followed: NIST Special Publication 800-88 (Guidelines for Media Sanitization) and the NSA/CSS Policy Statement 9-12 (NSA/CSS Storage Device Sanitization). Both these documents describe, in detail, the procedures and exact specifications for data destruction, down to the millimeter and cutting angles.

To get a sense of the level of destruction we are talking about, these are some of the types of procedures discussed:

  • Incineration
  • Embossing/knurling
  • Disintegration
  • Shredding
  • Cutting
  • Burning
  • Chopping, pulverizing and wet pulping

If you want to go full paranoia, remember that heat matters. If you’re not satisfied with degaussing and shredding, welcome to smelting. Find out what metals are in the storage device and what their Curie point is (the point where a metal loses all its magnetic properties). We’re talking some serious heat here, anywhere from 400 to 1,200 degrees Celsius. Do not do this at home!

Cover Yourself: Get Proof of Data Destruction

Proper record keeping can be a lifesaver when it comes to liability reduction. Third-party providers, often referred to as information technology asset disposition (ITAD) businesses, offer secure data destruction services. But be sure the ones you use offer a certificate of destruction and other crucial evidence that the destruction has occurred. Also, be conscious of their environmental practices.

Things to look for:

  • Their legal compliance
  • Certificates or logs of secure transport, handling, tracking and storage
  • Photo or video evidence of destruction

Think chain of custody here. If you need to comply with legal and regulatory standards, make sure you have all the documents that detail your due diligence. Know which regulations apply to you.

Data Destruction Bonus Round: Cleaning the Cloud

With the increasing use of the cloud to store data, remember two things. If you have destroyed your own storage, but a copy of the data is still in the cloud, you haven’t completely destroyed the data. And, you don’t own the physical infrastructure where your data is hosted.

Where you store your data ultimately is a business and risk tolerance decision that impacts your cybersecurity resilience. That means when you’re picking your cloud service provider, make sure they meet your data destruction standards also. It is completely within your rights to ask what sort of deletion, overwriting and data destruction policies and standards they use, including in which jurisdiction your data will be hosted.

In closing, don’t forget about that last mile of secure data destruction and storage decommissioning in the data handling life cycle. You don’t want to get everything else right and stumble before the finish line.
