[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] The fine art of data destruction


By Michele Hope  
Network World (US)
12 April 2007

Peggy Jones, a business manager for the information-management team at 
the College of Southern Maryland, was asked recently to help dispose of 
what she now estimates were about 1,200 old backup tapes and cassettes 
her IT organization had been storing in a relatively well-fortified 
walk-in vault.

The issue of what to do with the old tapes came to a head when 
renovation was scheduled for the building where the vault resided. "We 
had already moved to another backup system. So, these old tapes didn't 
work in our current system anyway. Now it was just old data we needed to 
figure out how to dispose of properly," Jones says.

Her research led her to Data Killers, a media-destruction and 
computer-recycling firm in Maryland that could shred tapes and hard 
drives securely , and provide a certificate affirming their destruction. 
It would even let you stay and watch the shredding process, if you 
wanted. Then the media's "remains" would be delivered to a smelter for 
melting and recycling its various metals.

With its 6,600-pound shredder, Data Killers is able to take just about 
any storage medium, such as the college's tapes, and turn it into 
particles the size of a thumbnail, owner Elizabeth Wilmot says.

Jones and a co-worker soon found themselves loading the tapes into the 
back of one of the college's vehicles and driving to Data Killers. After 
spending what Jones recalls was "a little more than an hour" watching 
the shredding, they were able to report back that the deed had been 

Setting policy is the first step

Enterprises such as the College of Southern Maryland can face high 
stakes when they recycle, donate or throw away end-of-life IT assets.

Amid mounting legislation and a steady flow of horror stories -- about 
identity theft , lost tapes, stolen credit-card data, and the unintended 
exposure of private data after used hard drives, cell phones and PDAs 
are sold on eBay -- it behooves companies to protect sensitive or 
government-regulated personal information throughout its life cycle.

Experts maintain that, just as it is developed for data in flight and 
data at rest, policy should be developed for end-stage data disposal or 
data destruction. Randy Kahn, owner of Kahn Consulting, says data 
destruction and disposal can be viewed as part of a larger 
corporate-governance commitment to proper information management.

Kahn, a lawyer and author of Privacy Nation and Information Nation, 
advises companies about issues related to information management , 
compliance and technology.

"Proper information management impacts the entire life cycle of 
information, from making sure employees understand policy surrounding 
how to manage the creation and storage of that information to how to 
properly dispose of it at the end of its useful life."

Steps in the right direction are developing a media-sanitization or 
data-destruction policy, making an effort to educate users about it and 
selectively testing or auditing the policy's effectiveness.

Policies about data destruction often deal with organizations' decisions 
about how best to dispose of IT assets they are replacing or retiring, 
according to Jon Oltsik, an analyst at Enterprise Strategy Group (ESG). 
He also sees this type of policy applied to archived data that has 
passed its required retention date.

"As it stands right now, in many corporations, data destruction is on an 
ad-hoc and as-needed basis," says Robert J. Hansen, a voting systems 
security expert and security researcher at the University of Iowa. "That 
just doesn't cut it. You need to think about this in advance before it 
becomes an issue." Hansen maintains a blog on software engineering 
topics that includes his own "Ten Commandments of Data Destruction." 
Creating a policy for data destruction ranks high on his list.

Yet many IT organizations wait until they need to do their own spring 
cleaning before they decide what to do with data on older storage media 
that usually have been sitting around a while gathering dust, Data 
Killers' Wilmot says. "A lot of times, the first call we get is that 
they have several thousand tapes, and they don't know what to do with 
them," she says. "It's a lot like spring cleaning at first . . . then 
they tell us they'll be better about this in the future, destroying the 
media on more of a regular basis like quarterly or biannually."

Pulverize, then liquefy

Fauquier Bank maintains a strict policy about protecting and restricting 
access to its sensitive bank and customer records, says Josh Brown, 
director of security for the Warrenton, Va., bank. Yet even here, a 
detailed data-destruction policy and schedules have had to evolve for 
what Brown estimates now amounts to about 30 hard drives per year.

After several computers were upgraded last year, the bank began looking 
at whether to donate the old computers that then were taking up a good 
amount of storage space. As a precaution, the bank's previous IT manager 
decided to remove and store the old hard drives separately, to avoid 
potentially proprietary data falling into the wrong hands. Brown 
believed that just overwriting or wiping the hard drives didn't go far 
enough to guard against the risk of exposing the bank's data.

Already accustomed to the bank's use of a weekly, on-site 
document-shredding service, Brown liked the idea of reformatting the 
hard drives, then driving to a local company himself to have them 
shredded. That way, he could ensure a solid chain of custody between 
leaving the building and getting the drives shredded. "Now, when it 
leaves here, it's pulverized, then it's liquefied," he explained, noting 
that as a bank, he thinks it makes sense to take a few extra steps.

Data-destruction services also offer customers the option to view their 
media's destruction remotely, and ship double-locked "storm cases" to 
protect remote customers' media in transit to their facility. Wilmot 
says this is a popular option, but the local bank and college both 
preferred to deliver the media themselves.

Without a trace

There are a number of methods for destroying data, each with pros and 
cons. People may dispute the benefits of one method over another, but 
most agree on one thing: Using simple deletion or disk-formatting 
commands is not enough to destroy data unequivocally. These methods 
leave too many traces of data behind. With simple utilities, it is easy 
to recover files deleted from the file system. It's a lot like tearing 
out a book's table of contents but leaving the rest of the book behind.

Beyond the obvious deletion functions, you start getting into secure 
deletion, the act of clearing, overwriting, wiping or "scrubbing" the 
data once or many times with a string of 1s and 0s. In the middle of the 
spectrum are devices, such as degaussers, that purge data from a variety 
of media. At the far end of the spectrum is what Hansen refers to in his 
blog as utter annihilation. This is where you get into the more visceral 
acts of shredding, pulverizing, incinerating or melting the media.

Hansen maintains that heating a hard drive past the Curie point (the 
point at which metal loses its magnetic properties) and melting it into 
slag are the only sure ways never to recover what once was on there.

Jesse Kornblum, a computer forensics researcher with ManTech SMA, isn't 
so sure you have to go to quite that length to render data immune to 
most random attackers.

Kornblum, who spent a good deal of his former life trying to uncover 
computer data for various criminal investigations, maintains that a 
single software overwriting often will suffice. "In general, one pass or 
one wipe is sufficient to frustrate any ordinary forensic analysis that 
might take place from outside of the hard drive," he says. "Now, you 
have to get someone to crack open the drive and look at it with a 
[magnetic force] microscope. That can cost hundreds of dollars."

If you want to be really sure the data is destroyed, Kornblum says 
melting the drive down to slag may be the best (albeit somewhat costly) 
way to do it. Asked to view data destruction from the eyes of a bank 
customer with personal bank data, Kornblum admits he'd feel a lot better 
knowing his bank was melting down the drives it no longer needed. 
"That's just in case someone who knew what they were doing could 
reassemble it," he says.

How far is far enough?

Picking one data-destruction method over another usually comes down to 
how far the organization believes it needs to go to destroy data to 
comply with applicable legislation or corporate policy. As Kornblum puts 
it, "It's always a question of how valuable is the information on the 
drive, and how hard do you think someone would work to get it?"

Unfortunately, most legislation does not offer specific guidance in this 
area. The majority of today's data-privacy and -protection laws 
prescribe taking proper data-destruction measures, without indicating 
the process or technology a company should use, Kahn says. Many laws 
indicate something to the effect that data should be destroyed so as to 
render the data unable to be read or accessed successfully.

General guidelines -- such as the broad wording found in such 
regulations as the Sarbanes-Oxley Act -- prompt organizations to look 
elsewhere for guidance on the specific processes or technologies they 
should use to destroy data or sanitize the media on which it's stored.

Not surprisingly, detailed guidelines for media sanitization and 
disposal can be found in the government sector, including the early U.S. 
Department of Defense drafts of Standard DoD 5220.22-M. These include a 
clearing and sanitization matrix and guidelines for destroying every 
kind of data from classified or top-secret to unclassified.

This standard often is referred to by overwriting-software vendors , a 
few of whom may claim to be "DoD-certified" or "DoD-compliant." (A 2005 
version of the matrix is available from the Web site of the Defense 
Security Service Office of the Designated Approving Authority.)

Peter Adler, a lawyer and information security expert who heads the 
Adler InfoSec & Privacy Group, has conducted detailed research on secure 
media disposal. He cites two leading information security standards with 
specific guidelines for media disposal and sanitization: ISO 17799 and 
the National Institute of Standards and Technology (NIST) Special 
Publication 800-88, titled "Guidelines for Media Sanitization."

Now interim director of privacy and cybersecurity policy at Maryland's 
Montgomery College, Adler often helps organizations assess security risk 
and develops specific policies for them to follow. Based on his 
research, Adler developed a procedural model to help organizations 
determine whether data or media should be cleared or purged, or 
physically destroyed.

Like the guidance offered in the NIST publication, much of the model 
depends on whether the data or media will be reused or will be leaving 
the organization's control. There's just one caveat: The model assumes 
an organization first can identify and categorize the data stored on 
specific media into one of four different classes: nonsensitive 
information, business-sensitive information, legally protected 
information and classification not known.

The only challenge to this assumption happens when some media have been 
lying around for so long it's difficult to know exactly what type of 
data resides on them. This was the case at the College of Southern 
Maryland. "Since we didn't really know what was on [the tapes], we 
treated it all as confidential," Jones says.

Don't mash it, hash it

Another option is to encrypt files or whole volumes of data earlier in 
their life cycle, before the media on which they are stored need to be 
retired, or are upgraded or donated.

While experts say that encryption doesn't necessarily absolve companies 
of their obligation to destroy highly sensitive data or media, 
encrypting the data may offer something of a legal safe harbor for 
companies trying to obey many privacy regulations.

The University of Iowa's Hansen is not a great fan of scrubbing or 
overwriting, which he equates to "locking the barn up after the horse is 
already out." On the other hand, storing data in encrypted format on a 
drive partition might let you avoid scrubbing the drive: "When someone 
tries to recover data, they first have to find the data. If all they see 
on the drive is noise, that's a pretty effective deterrent. It's 
definitely a counterforensic technique," he says.

If a corporation could maintain an employee's encryption key for the 
disk, it could access the data if the employee leaves the company. When 
the company no longer wants to use the disk, it just "forgets" or 
destroys the disk, Hansen says.

ESG's Oltsik also sees encryption as possibly the easiest way to, in 
effect, destroy data. He sees the emerging area of digital rights 
management as also offering some interesting solutions.

In the age of movable data -- roaming laptops, USB flash drives, PDAs 
and smart phones -- encryption may well be the answer, Oltsik maintains: 
"Moving forward, that's how we'll deal with all this data mobility, 
because you can't take physical possession of every device and just 
destroy it. There are too many devices, with more coming in the future."

Subscribe to InfoSec News