Approaches to data destruction in the enterprise data center vary widely. So, what are the steps your company should take when planning to wipe drives?
From HDD and SSD to memory cards and networking equipment, your data center is awash with data. But what happens when it’s time to retire the hardware—how can you securely destroy the data without opening up your company to the risk of a breach?
Here are seven steps to take when planning for the data destruction of your storage media.
1 Identify the Data
First, determine which data-bearing equipment needs wiping. Perhaps you have a number of storage servers ready for retiring.
Ascertain exactly which equipment associated with the server, including networking gear, to wipe. Use your hardware management database to cross check the details and ensure nothing is overlooked.
For data that needs preserving, ensure copies and backups are made before wiping the hardware as per your company’s protocol.
2 Select the Method
When you think of data destruction, it’s easy to conjure up images of the shredder or crusher. But data destruction isn’t the same as physical destruction.
Nor should physical destruction be your first consideration. Physically destroying the equipment not only robs the hardware of future use, it wrecks its recoverable value. Each year, companies destroy billions of dollars of residual value in retiring data center equipment.
Neither is it good for the planet. According to UN projections, the world is on track to produce almost 75 million tons of e-waste by 2030.
“Destroying drives to protect data is a symptom of legacy thinking,” says Stephen Buckler, chief operating officer at Horizon Technology.
Consult with your ITAD provider and explore options for secure reuse before resorting to the mercy of the shredder.
3 Know your Software
Have no fear. The best overwriting software available today will reliably sanitize your media, both hard drive and solid state.
As always, though, the devil is in the detail. Ask your contractor about the software it uses and the certifications it has to back up its claims. Then do your own research. Just because a company flashes the right credentials doesn’t mean its software is up to snuff.
You can’t be too careful with your company’s data—one data breach is one too many.
4 How Many Passes?
How to decide on the appropriate number of passes for overwriting data?
The reality is that one pass—done with the right pattern and the right software—should do the trick, provided you verify the wipe afterward. While it’s tempting to insist on numerous passes, extra wipes mean extra time and cost.
Of course, for compliance purposes there may be cases where additional passes make sense. Talk with your ITAD specialist about what is truly necessary without putting security at risk or incurring liability.
Cryptographic Erasure
For a discussion of cryptographic erasure, see the relevant section in our companion piece
A Guide To Secure Data Sanitization In The Data Center
5 Decide on Physical Destruction
As mentioned, physical destruction of the media is a step to be taken only after exploring all options for secure reuse.
But if you do opt for the crusher, work with your ITAD vendor to craft the optimal approach.
Degaussing
Degaussing—applying a strong magnetic field to the storage media—is an effective way of destroying the data on hard disk drives and tape.
Much depends, however, on the strength and reliability of the degaussing machine used for the job.
To ensure the data has been properly destroyed, it’s necessary to apply the magnetic field at the right strength for the right amount of time. A machine is only as good as its operator.
While degaussing the data will kill the drive by erasing the start-up files and rendering the device inoperable, you must still take steps to verify that all data has been removed.
Shredding
Once a drive is degaussed, it’s good practice to shred it. Ensure that the shredded drive will be disposed of properly, in compliance with industry standards such as R2 and eStewards.
Other options for physical destruction include crushing and disintegration. Ask your contractor about different methods of destruction for your media.
6 Ensuring Verification
It’s impossible to overstate the importance of verifying that your wiped media is truly free of all data, including any “hidden” areas on the drive.
“You must insist on verification,” says Horizon’s Buckler. “Ask your contractor about the robustness of their process for verification. At Horizon we use a separate software to scan the drive for data after the wipe.”
As NIST advises, verification should be followed by the issuance of certificates of data destruction.
NIST Guidelines for Media Sanitization: Special Publication 800-88
Upon embarking on a sanitization project, organizations should ensure
- the personnel undertaking the sanitizing are competent and trained on the relevant equipment
- the equipment is properly calibrated and subject to proper maintenance procedures
- the data to be sanitized has actually been sanitized
7 Onsite or Offsite?
How will your drives and other data-bearing equipment get to the processing facility securely?
Simply hearing that your drives will be kept safe in transit doesn’t cut it. Insist on clear, comprehensive details about the chain of custody.
In some cases, it may make more sense to perform the sanitization onsite, meaning that only wiped drives leave your data center. As the CIO, you may require this anyway.
Explore all options with your ITAD partner.
The Case for Refurbishing
Supported by advances in information security and data sanitization practices, the U.S. market for recertified and refurbished enterprise drives continues to grow.
- Developing nations, attracted by the prospect of accessing high-quality technology at lower price points, continue to form the primary market for refurbished units.
- Mature data center markets—such as the European Union and the United States—require refurbished equipment to support legacy installations.
- Demand for low cap drives—in the 500GB to 2TB range— has proven surprisingly resilient even as the drive makers market their higher capacity devices, up to 20TB these days.
Drives are getting more powerful, more sophisticated, and represent a greater investment per unit. It’s little surprise that their reuse is on the rise.
The Horizon Difference
Your drives won’t securely dispose of themselves. With 25 years’ experience handling enterprise storage media and enjoying deep relationships with the major drive makers, Horizon Technology is the safe pair of hands when it comes to your data-bearing assets.
Related Resources
- https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=914529
- https://www.horizontechnology.com/news/raising-the-standard-on-data-security-adisa-and-the-changing-landscape-of-data-protection
- https://adisarc.com/wp-content/uploads/2020/04/Digital-Recording-Methods-for-Computer-Hard-Drives.pdf
- https://www.horizontechnology.com/wp-content/uploads/2019/09/White-Paper-CFOs-Guide-To-IT-Asset-Recovery.pdf
- https://adisarc.com/wp-content/uploads/2020/04/SSHD-Paper.pdf
