August 17, 2020 By Mike Elgan 3 min read

Data security means keeping data out of the wrong hands. This is especially important when storage media is no longer usable and needs to be decommissioned. The data must be truly destroyed, for both security and compliance. 

The trouble is ‘deleting’ data doesn’t really delete data. It’s still possible to extract data from a device that has been deleted, re-formatted and even damaged physically. The highest form of data destruction makes it unreadable on the device, then destroys the device. But, how do you make data truly unreadable? 

What is Data Destruction? 

The amount of data enterprises manage and secure is growing fast. The problem also grows because of procrastination born of cheap storage and overworked staff. This is bad security and bad compliance. 

Forget deleting and reformatting. Deleting merely frees up the space taken by the deleted files for use by other data. The ‘deleted’ files can be easily recovered until those spaces are overwritten. Reformatting simply deletes the entire drive or partition. Overwriting, or wiping, replaces old data with new, arbitrary data. And, it’s better than deleting. But, it might miss some data. 

The best method for making data unreadable is degaussing, which exposes magnetic storage devices (hard drives, magnetic tape, floppy disks, etc.) to a high-intensity magnetic field of alternating amplitude. Degaussing not only erases data, but also destroys the device. 

Degaussing creates two problems. First, it’s not effective for solid state drives (SSDs). Second, degaussing is unverifiable. Because the drive is ruined, the deletion of data cannot be confirmed.  Additionally, wiping could be incomplete, and degaussing can’t be verified.

Good data deletion calls for destruction. 

Let’s Get Physical

The best general practice for end-of-life data destruction calls for degaussing magnetic media, wiping solid state media and physically destroying each with the appropriate shredder. 

Many companies use the same process for destroying hard drives and SSDs. This is a mistake. Degaussing doesn’t work on SSDs. Do not rely on hard disk shredders, which can leave SSD chips readable. National Security Agency (NSA) internal policy demands SSD bits to be reduced to 2 mm or less.

Time For a New Data Destruction Policy

Every organization needs a clear decommissioning policy. The policy should be carried out by someone experienced in end-of-life decommissioning of digital assets and should not be foisted on already over-tasked IT generalists.

If any of this work is outsourced to an information technology asset disposition (ITAD) service, it’s important to thoroughly vet whomever is involved in the chain of custody. In-house or outsourced, your decommissioning policy should prescribe the following: 

  • Detailed IT asset inventory
  • Thorough logging of the entire decommissioning process
  • A comprehensive backup of stored data
  • A process of disconnection of the device — subnets, firewalls, networks and power
  • Degaussing of all magnetic media
  • Wiping of all solid state media
  • Physical destruction of all media
  • Recorded proof of the destruction
  • Requirements for cloud providers and their data destruction policies
  • Responsible recycling of destroyed storage media materials

Crush… but Verify

Know the regulations relevant to you, such as Europe’s General Data Protection Regulation (GDPR), California’s California Consumer Protection Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the NSA’s rules. These policies around the handling of classified data and other regulations mandate true data destruction policies and practices for consumer, financial or government data. And, the fines are hefty. 

The deep end of the data destruction pool is data sanitization, which combines absolute and irrevocable destruction of data and tamper-proof verification. Highly regulated industries require sanitization and this work has to be carried out by experienced specialists. 

But whatever your process and whoever does it, the end result should include certificates of sanitization, documentation of a clear audit trail and satisfaction of regulatory compliance in writing.

In a nutshell, fully destroy data on decommissioned media for security, and verify it all for compliance. 

More from Data Protection

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today