Data security means keeping data out of the wrong hands. This is especially important when storage media is no longer usable and needs to be decommissioned. The data must be truly destroyed, for both security and compliance. 

The trouble is that ‘deleting’ data doesn’t really delete it. It’s still possible to extract data from a device whose files have been deleted, from one that has been reformatted, and even from one that has been physically damaged. The highest form of data destruction first makes the data unreadable on the device, then destroys the device. But how do you make data truly unreadable?

What is Data Destruction? 

The amount of data enterprises manage and secure is growing fast. The problem is compounded by procrastination: cheap storage and overworked staff make it easy to put off decommissioning. This is bad security and bad compliance.

Forget deleting and reformatting. Deleting merely frees up the space taken by the deleted files for use by other data; the ‘deleted’ files can be easily recovered until that space is overwritten. Reformatting simply does the same thing to an entire drive or partition. Overwriting, or wiping, replaces old data with new, arbitrary data. It’s better than deleting, but it might miss some data.

The best method for making data unreadable is degaussing, which exposes magnetic storage devices (hard drives, magnetic tape, floppy disks, etc.) to a high-intensity magnetic field of alternating amplitude. Degaussing not only erases data, but also destroys the device. 

Degaussing creates two problems. First, it’s not effective for solid state drives (SSDs). Second, degaussing is unverifiable: because the drive is ruined, the deletion of the data cannot be confirmed. So wiping could be incomplete, and degaussing can’t be verified.

Good data deletion calls for destruction. 

Let’s Get Physical

The best general practice for end-of-life data destruction calls for degaussing magnetic media, wiping solid state media and physically destroying each with the appropriate shredder. 

Many companies use the same process for destroying hard drives and SSDs. This is a mistake. Degaussing doesn’t work on SSDs, and hard disk shredders should not be relied on, since they can leave SSD chips readable. National Security Agency (NSA) internal policy requires SSDs to be reduced to fragments of 2 mm or less.

Time For a New Data Destruction Policy

Every organization needs a clear decommissioning policy. The policy should be carried out by someone experienced in end-of-life decommissioning of digital assets and should not be foisted on already over-tasked IT generalists.

If any of this work is outsourced to an information technology asset disposition (ITAD) service, it’s important to thoroughly vet whomever is involved in the chain of custody. In-house or outsourced, your decommissioning policy should prescribe the following: 

  • Detailed IT asset inventory
  • Thorough logging of the entire decommissioning process
  • A comprehensive backup of stored data
  • A process of disconnection of the device — subnets, firewalls, networks and power
  • Degaussing of all magnetic media
  • Wiping of all solid state media
  • Physical destruction of all media
  • Recorded proof of the destruction
  • Requirements for cloud providers and their data destruction policies
  • Responsible recycling of destroyed storage media materials

Crush… but Verify

Know the regulations relevant to you, such as Europe’s General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the NSA’s policies on the handling of classified data. These and other regulations mandate true data destruction policies and practices for consumer, financial or government data, and the fines are hefty.

The deep end of the data destruction pool is data sanitization, which combines absolute and irrevocable destruction of data and tamper-proof verification. Highly regulated industries require sanitization and this work has to be carried out by experienced specialists. 

But whatever your process and whoever does it, the end result should include certificates of sanitization, documentation of a clear audit trail and satisfaction of regulatory compliance in writing.
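As an added example (not part of the original article), the following Python sketch shows the kind of tamper-evident decommissioning record the policy list and the certificate requirement above call for: every step is hash-chained to the one before it, the required steps differ by media type as described earlier (degauss magnetic media, wipe solid state media, shred both, record proof), an SSD shred that leaves fragments above 2 mm is not counted, and a certificate of sanitization is issued only when the chain verifies intact and every required step is evidenced. The asset ids, operator names and step names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Steps required before a certificate may be issued, by media type (the policy above:
# degauss magnetic media, wipe solid state media, shred both and record proof).
REQUIRED_STEPS = {
    "hdd": ("inventory", "backup", "disconnect", "degauss", "shred", "proof"),
    "ssd": ("inventory", "backup", "disconnect", "wipe", "shred", "proof"),
}
SSD_MAX_FRAGMENT_MM = 2.0  # fragment size limit the article cites for SSDs
GENESIS = "0" * 64         # "previous hash" of the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DecommissionLedger:
    """Append-only, hash-chained record of the steps taken on one asset (constructed example)."""

    def __init__(self, asset_id, media_type):
        self.asset_id, self.media_type, self.entries = asset_id, media_type, []

    def record(self, step, operator, **details):
        # Each entry commits to the hash of the entry before it.
        body = {"asset": self.asset_id, "step": step, "operator": operator,
                "at": datetime.now(timezone.utc).isoformat(), "details": details,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _digest(body)})

    def verify_chain(self):
        """Recompute every hash; an edited, reordered or removed entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def missing_steps(self):
        """Required steps not yet evidenced; an SSD shred above the size limit does not count."""
        done = {e["step"] for e in self.entries
                if not (e["step"] == "shred" and self.media_type == "ssd"
                        and e["details"].get("fragment_mm", 99.0) > SSD_MAX_FRAGMENT_MM)}
        return [s for s in REQUIRED_STEPS[self.media_type] if s not in done]

    def certificate(self):
        # A certificate of sanitization is issued only for an intact, complete chain.
        if not self.verify_chain() or self.missing_steps():
            return None
        return {"asset": self.asset_id, "media": self.media_type,
                "steps": len(self.entries), "final_hash": self.entries[-1]["hash"]}
```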

In a nutshell, fully destroy data on decommissioned media for security, and verify it all for compliance. 
