Tips For Securely Deleting Data

Processor
www.processor.com
By William Van Winkle
Retrieved 8Nov10

Ensure Data Erasure & Compliance

Key Points

• With modern hard drives, a single pass with the Secure Erase command is sufficient to effectively wipe all data.

• Encryption can facilitate secure deletion, but this measure is only as strong as the keyword or phrase used to unlock the encryption.

• Establish data retention and deletion policies as a means to protect the organization from legal risks.

Most IT people understand the difference between data deletion and sanitizing. Deleting a file is essentially the same as erasing a table of contents entry in a book; the OS no longer knows where to find the information, but it’s all still intact. Casual overwriting with new data may still not eliminate the old information because new files may be written in smaller chunks that don’t overwrite the entire underlying file. Moreover, even when a file is entirely overwritten, old data may still be retrievable.

This is why sanitizing, commonly called “wiping” or “clearing,” has traditionally entailed conducting multiple overwrites with patterns of 0s and 1s. Each successive pass over a track reduces the likelihood of stray bits of the old data surviving intact. This is why security specs from the 1990s called for three or more overwrites in order to claim true erasure. The gold standard of these specs was the Department of Defense 5220.22-M, which also called for physical destruction of drives in cases where top secret information was present.

However, in 2001, ANSI (American National Standards Institute; www.ansi.org) added the SE (Secure Erase) command to the ATA drive interface protocols. SE is found in all drives of at least 15GB capacity made after that time. The command piggybacks onto the traditional format command and conducts a single on-track data erasure of the entire drive. Thanks to SE, in 2006, NIST (National Institute of Standards and Technology; www.nist.gov) finally proclaimed, “Studies have shown that most of today’s media can be effectively cleared and purged by one overwrite using current available sanitization technologies.” Whereas drive wiping in the ’90s might take hours, today it can be done in seconds.
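An operator issuing Secure Erase first needs to know that the drive supports it and that the BIOS has not frozen the security feature set. The script below is an added example, not from the article: it parses the Security section of `hdparm -I` output (hdparm is assumed installed), the two transcripts are constructed, and /dev/sdX is a placeholder device.

```shell
#!/bin/sh
# Added example, not from the article: gate an ATA Secure Erase on what the drive
# reports. It parses the "Security:" section of `hdparm -I` output (hdparm assumed
# installed); the transcripts below are constructed and /dev/sdX is a placeholder.

se_flag() {  # se_flag SECTION NAME -> 0 when a line reads "   NAME", 1 when "not NAME"
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]+'"$2"'([[:space:]]|$)'
}

se_check() {  # reads `hdparm -I DEV` on stdin and prints one verdict word
  sec=$(sed -n '/^Security:/,/^[^[:space:]]/p')   # Security block up to the next top-level line
  if   ! se_flag "$sec" supported; then echo UNSUPPORTED
  elif   se_flag "$sec" frozen;    then echo FROZEN    # BIOS froze security; the drive would reject SE
  elif   se_flag "$sec" locked;    then echo LOCKED    # a password is already set
  elif   se_flag "$sec" 'supported: enhanced erase'; then echo ENHANCED
  else echo READY
  fi
}

se_plan() {  # se_plan VERDICT DEV: print the commands an operator would run (nothing is executed here)
  case "$1" in
    READY|ENHANCED)
      erase=--security-erase; [ "$1" = ENHANCED ] && erase=--security-erase-enhanced
      echo "hdparm --user-master u --security-set-pass NULL $2   # SE needs a user password set; NULL is fine"
      echo "hdparm --user-master u $erase NULL $2               # one in-drive pass over the whole drive"
      echo "hdparm -I $2 | grep -E 'enabled|frozen'             # afterwards expect 'not enabled'"
      echo "dd if=$2 bs=1M count=16 2>/dev/null | od -An -tx1 | tr -d ' 0' | grep -c .  # 0 = first 16 MiB read back as zeros (enhanced erase may leave a vendor pattern)" ;;
    FROZEN) echo "frozen: suspend/resume the host or hot-plug the drive, then re-run hdparm -I" ;;
    LOCKED) echo "locked: unlock with the existing password before erasing" ;;
    *)      echo "no Secure Erase: fall back to a software overwrite or physical destruction" ;;
  esac
}

SAMPLE_OK='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^    not frozen$/        frozen/')

v=$(printf '%s\n' "$SAMPLE_OK" | se_check); echo "verdict: $v"; se_plan "$v" /dev/sdX
# Live use, as root: hdparm -I /dev/sdX | se_check
```

The verdict decides the plan: a drive that reports frozen will reject the erase command until the freeze is cleared, so the check belongs before the password is set.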

Beyond Wiping

However, the mechanics of data wiping are only the beginning of a deletion discussion. The steps taken to erase data should be commensurate with the sensitivity of that data. For instance, where wiping might not be perceived as enough, some organizations might simply drill a couple of holes through the drive and its platters. Only a few laboratories in the world possess the tools needed to recover data from such destruction, and the time and cost involved would be prohibitive unless the data were worth many millions of dollars.

Another increasingly popular approach to secure data deletion involves using encryption. Quite simply, if a drive implements full disk encryption, then an admin simply needs to delete the encryption key on the drive in order to render its contents into an undecipherable mess. Software tools allow admins to manage such deletion across an entire enterprise from a single console. Unfortunately, the strength of the encryption itself may not be the weakest link in security here.

“Encryption is essentially a delay mechanism,” says Hugh Thompson, program committee chair of the RSA Conference (www.rsaconference.com). “If I want to break into an encrypted drive, it’s less a matter of how good is the encryption and more about how good is the chosen key. The problem comes down to average users. If my key is my first name or something like that, then it defeats the purpose of the encryption. So how do you get people to choose good keys? That’s why the physical disposal issue remains important.”

Many enterprises recognize that “dumpster diving” in its various forms remains a security risk. Companies can’t simply throw out drives. The responsible course is to recycle drives, either for materials or for sale into the second-hand market, but this requires a lot of hours in hands-on media wiping and/or drive destruction. Good tech recyclers will detail and document how they go about wiping drives that arrive for recycling. They will often charge for this service, but the total cost of disposal may well be lower than handling the disposal of drives in-house.

[Flowchart not reproduced here.] NIST offers this flowchart for helping to decide whether to securely delete certain information from an organization.

(Source: National Institute of Standards and Technology, “Guidelines for Media Sanitization,” September 2006.)

Create Policies

Realistically, most data breaches don’t come from recovering data off wiped (or even casually deleted) drives. According to the 2010 Verizon Data Breach Investigations Report, only 15% of all breaches involved physical attacks. Sean Regan, director of product marketing for Symantec’s Information Management Group (www.symantec.com), feels that legal liability is the true root of the data retention and deletion problem. If a company receives notice that it is under investigation, it’s obligated to institute “legal hold,” meaning that nothing with any possible relevance to the investigation can be deleted. The prospect of legal hold arising someday has led many enterprises to simply keep everything, just in case.

“Companies just made information and kept it on backup tapes,” says Symantec’s Regan. “Well, backup was designed for full recovery. But companies started keeping their backup tapes longer than 30 days because they thought, ‘Well, if we have an investigation, we’re going to need to find and pull this stuff.’ That is a huge problem, because now you have all of the smoking guns, all of the email, good and bad, piled on these tapes with no good way to search it and very little visibility into what’s even on the tapes. So companies are sitting on land mines and smoking guns with these tapes. I’ve talked to companies with up to 800,000 tapes, and they don’t even know what’s on them.”

Regan advises companies to have three things in place in order to navigate the problem of accumulating data and effective deletion. First, delete by default. Companies need deletion policies, and three to five years seems to fit most SMEs. Second, have a legal hold switch. Legal hold trumps deletion policies, so there must be a way for companies to suspend deletion upon receiving a legal notice. Finally, become efficient with e-discovery. If a business is sitting on terabytes of data, there must be a way to find desired information, if only to then securely delete it. Regan states that this is increasingly impossible without an archiving strategy. Data meant to be kept should pour into a centralized archive where it can be easily managed. Everything else should get quickly and securely flushed in accordance with company policies.
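The first two of Regan’s three points, delete by default and a legal hold switch, can be expressed as a small retention sweep. The script below is an added example, not the article’s or Symantec’s; it assumes age is judged by file modification time, that holds are path prefixes listed one per line in a hold file, and that a hold entry of “/” is the global switch that suspends all deletion.

```shell
#!/bin/sh
# Added example, not from the article: a "delete by default" retention sweep with a
# legal-hold switch. Assumptions (mine, not the article's): age is judged by mtime,
# holds are path prefixes listed one per line in a hold file, and a hold entry of "/"
# acts as the global switch that suspends all deletion.
RETENTION_DAYS=${RETENTION_DAYS:-1825}   # ~5 years, the top of the article's 3-5 year range

is_held() {  # is_held FILE HOLDFILE -> 0 when FILE starts with a held prefix
  [ -f "$2" ] || return 1
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    case "$1" in "$h"*) return 0 ;; esac
  done < "$2"
  return 1
}

retention_sweep() {  # retention_sweep DIR HOLDFILE [--apply]; one status line per expired file
  find "$1" -type f -mtime +"$RETENTION_DAYS" | while IFS= read -r f; do
    if is_held "$f" "$2"; then
      printf 'HOLD   %s\n' "$f"          # legal hold trumps the deletion policy
    elif [ "$3" = --apply ]; then
      # shred overwrites in place only where the filesystem allows it (not on COW or
      # journaled data, nor reliably on SSDs); retiring a whole drive still needs
      # Secure Erase or physical destruction
      if command -v shred >/dev/null 2>&1; then shred -u -- "$f"; else rm -f -- "$f"; fi
      printf 'PURGED %s\n' "$f"
    else
      printf 'EXPIRE %s\n' "$f"          # dry run: what the policy would remove
    fi
  done
}

demo_tree() {  # demo_tree DIR: constructed sample data, two expired files and one recent
  mkdir -p "$1/held"
  echo "2009 mail export" > "$1/old-mail.pst";  touch -t 200001010000 "$1/old-mail.pst"
  echo "custodian X" > "$1/held/old.doc";       touch -t 200001010000 "$1/held/old.doc"
  echo "today" > "$1/recent.txt"
  printf '%s/held/\n' "$1" > "$1/hold.txt"     # hold everything under held/
}

t=$(mktemp -d)
demo_tree "$t"
retention_sweep "$t" "$t/hold.txt"            # dry run first; add --apply to purge
rm -rf "$t"
```

Run the dry run into a log before applying; the EXPIRE lines are the record that a deletion was policy-driven rather than selective, which matters if a hold arrives later.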

The trick here is realizing true centralization, especially in a time when workers’ personal computing devices are increasingly creeping into business usage. The risk of having people be more productive and always accessible is that they’re handling more kinds of data in ever more places.

“Hygiene practices are tricky on machines you don’t control,” says RSA Conference’s Thompson. “If you are accessing sensitive corporate data, make sure it is on a machine that can’t be easily intercepted by someone else. Even if it’s a personal device, it’s important to use things like full disk encryption. If you’re accessing your private email from a public machine, like a kiosk, realize that remnants get left behind. So educate employees about risks so that they can make better choices in day-to-day access.”
