By Michele Hope
Network World (US)
12 April 2007
Peggy Jones, a business manager for the information-management team at
the College of Southern Maryland, was asked recently to help dispose of
what she now estimates were about 1,200 old backup tapes and cassettes
her IT organization had been storing in a relatively well-fortified
The issue of what to do with the old tapes came to a head when
renovation was scheduled for the building where the vault resided. "We
had already moved to another backup system. So, these old tapes didn't
work in our current system anyway. Now it was just old data we needed to
figure out how to dispose of properly," Jones says.
Her research led her to Data Killers, a media-destruction and
computer-recycling firm in Maryland that could shred tapes and hard
drives securely , and provide a certificate affirming their destruction.
It would even let you stay and watch the shredding process, if you
wanted. Then the media's "remains" would be delivered to a smelter for
melting and recycling its various metals.
With its 6,600-pound shredder, Data Killers is able to take just about
any storage medium, such as the college's tapes, and turn it into
particles the size of a thumbnail, owner Elizabeth Wilmot says.
Jones and a co-worker soon found themselves loading the tapes into the
back of one of the college's vehicles and driving to Data Killers. After
spending what Jones recalls was "a little more than an hour" watching
the shredding, they were able to report back that the deed had been
Setting policy is the first step
Enterprises such as the College of Southern Maryland can face high
stakes when they recycle, donate or throw away end-of-life IT assets.
Amid mounting legislation and a steady flow of horror stories -- about
identity theft , lost tapes, stolen credit-card data, and the unintended
exposure of private data after used hard drives, cell phones and PDAs
are sold on eBay -- it behooves companies to protect sensitive or
government-regulated personal information throughout its life cycle.
Experts maintain that, just as it is developed for data in flight and
data at rest, policy should be developed for end-stage data disposal or
data destruction. Randy Kahn, owner of Kahn Consulting, says data
destruction and disposal can be viewed as part of a larger
corporate-governance commitment to proper information management.
Kahn, a lawyer and author of Privacy Nation and Information Nation,
advises companies about issues related to information management ,
compliance and technology.
"Proper information management impacts the entire life cycle of
information, from making sure employees understand policy surrounding
how to manage the creation and storage of that information to how to
properly dispose of it at the end of its useful life."
Steps in the right direction are developing a media-sanitization or
data-destruction policy, making an effort to educate users about it and
selectively testing or auditing the policy's effectiveness.
Policies about data destruction often deal with organizations' decisions
about how best to dispose of IT assets they are replacing or retiring,
according to Jon Oltsik, an analyst at Enterprise Strategy Group (ESG).
He also sees this type of policy applied to archived data that has
passed its required retention date.
"As it stands right now, in many corporations, data destruction is on an
ad-hoc and as-needed basis," says Robert J. Hansen, a voting systems
security expert and security researcher at the University of Iowa. "That
just doesn't cut it. You need to think about this in advance before it
becomes an issue." Hansen maintains a blog on software engineering
topics that includes his own "Ten Commandments of Data Destruction."
Creating a policy for data destruction ranks high on his list.
Yet many IT organizations wait until they need to do their own spring
cleaning before they decide what to do with data on older storage media
that usually have been sitting around a while gathering dust, Data
Killers' Wilmot says. "A lot of times, the first call we get is that
they have several thousand tapes, and they don't know what to do with
them," she says. "It's a lot like spring cleaning at first . . . then
they tell us they'll be better about this in the future, destroying the
media on more of a regular basis like quarterly or biannually."
Pulverize, then liquefy
Fauquier Bank maintains a strict policy about protecting and restricting
access to its sensitive bank and customer records, says Josh Brown,
director of security for the Warrenton, Va., bank. Yet even here, a
detailed data-destruction policy and schedules have had to evolve for
what Brown estimates now amounts to about 30 hard drives per year.
After several computers were upgraded last year, the bank began looking
at whether to donate the old computers that then were taking up a good
amount of storage space. As a precaution, the bank's previous IT manager
decided to remove and store the old hard drives separately, to avoid
potentially proprietary data falling into the wrong hands. Brown
believed that just overwriting or wiping the hard drives didn't go far
enough to guard against the risk of exposing the bank's data.
Already accustomed to the bank's use of a weekly, on-site
document-shredding service, Brown liked the idea of reformatting the
hard drives, then driving to a local company himself to have them
shredded. That way, he could ensure a solid chain of custody between
leaving the building and getting the drives shredded. "Now, when it
leaves here, it's pulverized, then it's liquefied," he explained, noting
that as a bank, he thinks it makes sense to take a few extra steps.
Data-destruction services also offer customers the option to view their
media's destruction remotely, and ship double-locked "storm cases" to
protect remote customers' media in transit to their facility. Wilmot
says this is a popular option, but the local bank and college both
preferred to deliver the media themselves.
Without a trace
There are a number of methods for destroying data, each with pros and
cons. People may dispute the benefits of one method over another, but
most agree on one thing: Using simple deletion or disk-formatting
commands is not enough to destroy data unequivocally. These methods
leave too many traces of data behind. With simple utilities, it is easy
to recover files deleted from the file system. It's a lot like tearing
out a book's table of contents but leaving the rest of the book behind.
Beyond the obvious deletion functions, you start getting into secure
deletion, the act of clearing, overwriting, wiping or "scrubbing" the
data once or many times with a string of 1s and 0s. In the middle of the
spectrum are devices, such as degaussers, that purge data from a variety
of media. At the far end of the spectrum is what Hansen refers to in his
blog as utter annihilation. This is where you get into the more visceral
acts of shredding, pulverizing, incinerating or melting the media.
Hansen maintains that heating a hard drive past the Curie point (the
point at which metal loses its magnetic properties) and melting it into
slag are the only sure ways never to recover what once was on there.
Jesse Kornblum, a computer forensics researcher with ManTech SMA, isn't
so sure you have to go to quite that length to render data immune to
most random attackers.
Kornblum, who spent a good deal of his former life trying to uncover
computer data for various criminal investigations, maintains that a
single software overwriting often will suffice. "In general, one pass or
one wipe is sufficient to frustrate any ordinary forensic analysis that
might take place from outside of the hard drive," he says. "Now, you
have to get someone to crack open the drive and look at it with a
[magnetic force] microscope. That can cost hundreds of dollars."
If you want to be really sure the data is destroyed, Kornblum says
melting the drive down to slag may be the best (albeit somewhat costly)
way to do it. Asked to view data destruction from the eyes of a bank
customer with personal bank data, Kornblum admits he'd feel a lot better
knowing his bank was melting down the drives it no longer needed.
"That's just in case someone who knew what they were doing could
reassemble it," he says.
How far is far enough?
Picking one data-destruction method over another usually comes down to
how far the organization believes it needs to go to destroy data to
comply with applicable legislation or corporate policy. As Kornblum puts
it, "It's always a question of how valuable is the information on the
drive, and how hard do you think someone would work to get it?"
Unfortunately, most legislation does not offer specific guidance in this
area. The majority of today's data-privacy and -protection laws
prescribe taking proper data-destruction measures, without indicating
the process or technology a company should use, Kahn says. Many laws
indicate something to the effect that data should be destroyed so as to
render the data unable to be read or accessed successfully.
General guidelines -- such as the broad wording found in such
regulations as the Sarbanes-Oxley Act -- prompt organizations to look
elsewhere for guidance on the specific processes or technologies they
should use to destroy data or sanitize the media on which it's stored.
Not surprisingly, detailed guidelines for media sanitization and
disposal can be found in the government sector, including the early U.S.
Department of Defense drafts of Standard DoD 5220.22-M. These include a
clearing and sanitization matrix and guidelines for destroying every
kind of data from classified or top-secret to unclassified.
This standard often is referred to by overwriting-software vendors , a
few of whom may claim to be "DoD-certified" or "DoD-compliant." (A 2005
version of the matrix is available from the Web site of the Defense
Security Service Office of the Designated Approving Authority.)
Peter Adler, a lawyer and information security expert who heads the
Adler InfoSec & Privacy Group, has conducted detailed research on secure
media disposal. He cites two leading information security standards with
specific guidelines for media disposal and sanitization: ISO 17799 and
the National Institute of Standards and Technology (NIST) Special
Publication 800-88, titled "Guidelines for Media Sanitization."
Now interim director of privacy and cybersecurity policy at Maryland's
Montgomery College, Adler often helps organizations assess security risk
and develops specific policies for them to follow. Based on his
research, Adler developed a procedural model to help organizations
determine whether data or media should be cleared or purged, or
Like the guidance offered in the NIST publication, much of the model
depends on whether the data or media will be reused or will be leaving
the organization's control. There's just one caveat: The model assumes
an organization first can identify and categorize the data stored on
specific media into one of four different classes: nonsensitive
information, business-sensitive information, legally protected
information and classification not known.
The only challenge to this assumption happens when some media have been
lying around for so long it's difficult to know exactly what type of
data resides on them. This was the case at the College of Southern
Maryland. "Since we didn't really know what was on [the tapes], we
treated it all as confidential," Jones says.
Don't mash it, hash it
Another option is to encrypt files or whole volumes of data earlier in
their life cycle, before the media on which they are stored need to be
retired, or are upgraded or donated.
While experts say that encryption doesn't necessarily absolve companies
of their obligation to destroy highly sensitive data or media,
encrypting the data may offer something of a legal safe harbor for
companies trying to obey many privacy regulations.
The University of Iowa's Hansen is not a great fan of scrubbing or
overwriting, which he equates to "locking the barn up after the horse is
already out." On the other hand, storing data in encrypted format on a
drive partition might let you avoid scrubbing the drive: "When someone
tries to recover data, they first have to find the data. If all they see
on the drive is noise, that's a pretty effective deterrent. It's
definitely a counterforensic technique," he says.
If a corporation could maintain an employee's encryption key for the
disk, it could access the data if the employee leaves the company. When
the company no longer wants to use the disk, it just "forgets" or
destroys the disk, Hansen says.
ESG's Oltsik also sees encryption as possibly the easiest way to, in
effect, destroy data. He sees the emerging area of digital rights
management as also offering some interesting solutions.
In the age of movable data -- roaming laptops, USB flash drives, PDAs
and smart phones -- encryption may well be the answer, Oltsik maintains:
"Moving forward, that's how we'll deal with all this data mobility,
because you can't take physical possession of every device and just
destroy it. There are too many devices, with more coming in the future."
Subscribe to InfoSec News