Securing Storage: Complete Data Erasure on Storage Systems
by Leo Colborne - Senior VP for Global Customer Service, EMC - Thursday, 16 June 2005.
Most companies know how to implement security measures to protect existing data. However, the options for safely and securely removing data from a drive so it cannot be retrieved are not nearly as advanced. These common measures include one-pass overwrites, degaussing, physical destruction, and physically storing old drives.

  • One-pass overwrites: Replacing data stored on hard disk drives with a variable bit pattern of 1's and 0's that effectively renders the data unrecoverable. A single pass will successfully overwrite some of the data, but not all disk sectors are visible to overwrite applications. This can leave highly critical information perfectly intact. Multiple passes can yield better results, but the overwrite application must be sophisticated enough to locate and overwrite hidden and damaged sectors, as well as produce audit reports for compliance purposes.
  • Degaussing: Demagnetizing to remove all data. Degaussing can be effective, but it often leaves the disk drive unusable. This is not a good thing when a company intends to repurpose the drives. It is also not cost-effective to degauss large numbers of high capacity disks in storage systems.
  • Destruction: Physically crush and shred drives. This destruction is extremely effective in erasing data and can be therapeutic for a stressed-out IT professional. However, it is time consuming, costly, and impractical for retiring a large number of drives.
  • Storing old drives: Physically storing drives. Presumably drives are erased before being stored, but not necessarily. It has been estimated that 85% of business espionage crimes are inside jobs. So, this technique may make it easier for employees to access retired drives to commit these crimes. And physical storage does not meet most compliance regulations for erasure, nor does it protect a firm in the event of litigation.
Best Practices

The most efficient, cost-effective, and compliant method of erasing data is to completely overwrite the drive to render the data virtually unrecoverable, and to have the capacity to report the procedure. This is harder than it looks, especially with large and complex storage systems. Companies can assign service levels according to the relative importance of the data; with more overwrite passes for critical information. (Common overwrite levels go from three passes for noncritical data up to seven for the most sensitive information.) Once done, the professional service or erasure application should deliver an independent audit and written proof of service completion.

Observing best practices in data erasure has a number of benefits for security-conscious firms. Complete data erasure maximizes compliance measures by managing risk, ensures information in the life cycle disposal phase is really being disposed, enables that utilization and repurposing storage, and lets IT professionals sleep at night knowing they have secured important data on released storage assets.

Data Erasure Services

A number of hardware and software vendors provide data erasure services for the PC market, but storage systems are relatively ignored. Due to the sheer size and complexity of storage systems, efficient and complete data erasure is beyond the capabilities of the simpler methods. But managing the data life cycle from creation through deletion includes making sure that data has actually been disposed.

Storage system data erasure services can completely erase data on storage assets and prove they've done it. For example, EMC's non-host-based process completely overwrites proprietary and sensitive data, offers flexible overwrite passes and provides audit reports to meet compliance requirements. Any secure data erasure for storage systems should be able to handle the specific requirements of storage assets, be available from highly trusted professional services (for complete security and audit purposes), erase multiple disks and frames concurrently, have a flexible overwrite pattern for differing specifications, be delivered at the customer location to increase security and eliminate delays, and provide an independent audit and documentation of data erasure.

While firewalls and other security measures protect data on the front end of the storage life cycle, it is equally important to protect data at the back end. When it comes to returning, reselling, repurposing, trading, or swapping out storage assets, companies need secure and complete data erasure to meet corporate governance, industry specifications, and governmental mandates. Reliable and proven data erasure services dramatically reduce potential legal litigation due to uncontrolled distribution or viewing, avoid the physical destruction of perfectly good equipment, and address any security concerns. As a result, companies can safely sell or reuse storage equipment and ensure they have the audit trail necessary to meet corporate and industry conformance requirements. Most importantly, this will protect an organization's most valuable asset - its information.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th