A Clean Slate

Certified data erasure attracts green-conscious clients of asset disposition and recycling firms.

The destruction of sensitive information on hard drives intended for disposal or refurbishment is an ongoing concern, as too much information is stored in too many places, and the proliferation of high-profile data breaches continues. According to the National Association for Information Destruction (NAID), Phoenix, top executives from 300 firms ranked the security of company records as one of their top five critical issues.

At the same time, more companies are concerned about their environmental footprints, leading them to consider donating or reusing IT assets they might once have considered obsolete. Still other organizations lease their computer equipment. Both of these scenarios require a way to securely remove confidential data that does not physically destroy drives.

For recyclers and refurbishers looking to attract customers that are security-minded or focused on going green, approved and certified data erasure can present a safe and easily administered option for disk sanitization that outperforms standard disk wiping utilities. When compared with other methods of data destruction, certified data erasure has many benefits, which are described here. Also discussed are some of the primary objections to data erasure.

RANGE OF BENEFITS

Certified data erasure is a method of software-based and/or firmware-based overwriting that is designed to completely destroy all electronic data residing on a hard drive or other digital media. Unlike degaussing and physical destruction, data erasure overwrites information while leaving the disk operable, preserving assets and the environment. The method can offer a number of advantages for electronics recyclers and their customers.

Environmentally responsible. For many companies and their stakeholders, green has become much more than a buzzword, and electronics recycling and refurbishing are a means to achieve corporate sustainability goals. Studies indicate that the life cycle energy use of a computer is dominated by production (81 percent) as opposed to operation (19 percent), meaning that extending its usable life by reselling or upgrading the equipment is a valid approach to reducing the energy impact as well as other environmental burdens associated with manufacturing and disposal.

Certified data erasure is designed to offer a secure alternative to physical destruction for companies looking to reduce their carbon footprint by extending the life cycle of their IT assets or by selling or donating those assets. Also, data erasure can provide information required to determine an asset’s fitness for reuse, leaving recyclers the more lucrative option of remarketing the asset as opposed to selling its constituent materials as scrap.

Security through full-disk sanitization. Modern hard drives have hidden and locked areas that potentially include remapped sectors, which standard data wiping freeware and less sophisticated overwriting tools cannot access or erase. Unlike these less-effective utilities, certified data erasure software does not rely on the computer operating system to define a disk, but instead communicates with a disk on the bit level so that all data are destroyed. In essence, other utilities may report full success even though the entire disk has not been accessed, giving a false sense of security that all data have been wiped.

Full disclosure and reporting. Unlike physical destruction, certified data erasure software provides detailed reporting about a disk’s sanitization status. Reports contain information that includes the erasure date, hard drive serial number, specifics about the PC or disk, technician name and results/errors concerning the erasure process. This software also provides users with a validation certificate if the overwriting procedure was successfully completed.

While certified data erasure software accesses the entire drive, it may encounter bad sectors that it cannot overwrite. In this case, the software discloses the number of such sectors encountered and notes that the erasure was incomplete, allowing the administrator to take further action.

When erasing a number of disks, especially high-mileage ones, bad sectors are often encountered, resulting in an incomplete erasure. Depending on a firm’s policy and risk tolerance, some organizations may opt to refurbish a disk with only a few bad sectors, while others may choose physical destruction in such cases. For electronics recyclers, identifying the healthy disks offers potential revenue from remarketing, along with a reduction in electronic scrap.
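The reporting and disposition logic described above can be modeled in a few lines. This is an added example, not code from the article or from any erasure product: it works on an in-memory image rather than a real drive (so it does not reach hidden or remapped areas), and `FlakyDisk`, `erase_and_report`, `disposition`, the field names and the sample serial number are all hypothetical.

```python
import io
import json
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size of the constructed image

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive; writes to `bad_sectors` fail."""
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def write(self, buf):
        if self.tell() // SECTOR in self.bad:
            raise OSError("simulated unwritable sector")
        return super().write(buf)

def erase_and_report(dev, serial, technician, pattern=b"\x00"):
    """Overwrite every sector, read each one back, and report the result."""
    size = dev.seek(0, io.SEEK_END)
    if size % SECTOR:
        raise ValueError("device size is not a whole number of sectors")
    fill = (pattern * SECTOR)[:SECTOR]
    failed = set()
    for n in range(size // SECTOR):          # overwrite pass
        dev.seek(n * SECTOR)
        try:
            dev.write(fill)
        except OSError:
            failed.add(n)                    # disclosed, not silently skipped
    for n in range(size // SECTOR):          # verification pass
        dev.seek(n * SECTOR)
        if dev.read(SECTOR) != fill:
            failed.add(n)
    return {
        "erasure_date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "serial": serial,
        "technician": technician,
        "sectors_total": size // SECTOR,
        "sectors_failed": sorted(failed),
        "status": "incomplete" if failed else "complete",
        "certificate_issued": not failed,    # certificate only on full success
    }

def disposition(report, max_bad_sectors=0):
    """Map a report to an action under the owner's stated tolerance."""
    if len(report["sectors_failed"]) <= max_bad_sectors:
        return "refurbish"
    return "physical-destruction"

if __name__ == "__main__":
    disk = FlakyDisk(b"\xAA" * (SECTOR * 8), bad_sectors={2, 5})  # constructed
    report = erase_and_report(disk, "SN-CONSTRUCTED-0001", "technician-a")
    print(json.dumps(report, indent=2), disposition(report, max_bad_sectors=0))
```

The `max_bad_sectors` argument is where an organization's risk tolerance enters: at the default of zero, any unwritable sector sends the drive to physical destruction.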

Ability to meet standards, address regulations. Throughout the past few years, companies have become more sensitive to computer information security issues. Exposure of sensitive financial and medical data, as well as high-profile leaks of consumer credit and debit card data, has resulted in regulations like HIPAA (Health Information Portability and Accountability Act), SOX (Sarbanes-Oxley) and PCI DSS (Payment Card Industry Data Security Standard), to name a few.

In addition, many government and industry standards exist for the software-based overwriting process itself. Key factors in meeting these standards are the overwriting pattern, the number of times the data are overwritten and the verification process, all of which vary depending on the standard involved. For example, Department of Defense standards have in the past referred to seven or three overwriting rounds, while the current National Institute of Standards and Technology recommendation is a single pass. Also, many standards require a method to verify that all data have been removed from the entire drive as well as a view of the overwrite pattern. A data erasure tool should address as many of these standards as possible and provide a validation certificate indicating such.

Higher productivity with broad hardware support. Instead of erasing disks one by one as with some sanitization methods, data erasure can be easily deployed to target multiple networked PCs, raising personnel productivity. Linux-based data erasure tools can be most effective because they work on a broader range of network hardware, such as high-end server and storage area network (SAN) environments with Serial ATA, SCSI, Serial Attached SCSI (SAS) and Fibre Channel disks and remapped sectors. Also, with certified data erasure software, there is no need for personnel to reformat disks back to a 512-byte sector size before erasing data, because this software operates directly with larger sector sizes.

Improved asset management. The ability to verify healthy assets with data erasure appeals to cost-conscious organizations wishing to reuse or extend the lives of their IT investments. In addition, many companies tend to lose track of retired IT assets and, more importantly, the data they contain.

By using the reporting capability of data erasure software when a computer is retired, organizations can keep track of the disks they have sanitized. This also protects the disks on equipment slated for a recycling facility, should that be the next step.

Many companies, however, do not have data erasure software and, therefore, rely on their electronics recycler to provide audit trails. Even so, many industry analysts advocate that disks be wiped both by the company itself and by the recycler.

TOLERANCE FOR RISK

By and large, the benefits of data erasure far outweigh any negative aspects. However, there are some companies that rely solely on physical destruction of their retired or damaged IT assets and are not receptive to any additional fees for a data erasure service or the cost of licensing data erasure software. Still, many companies, especially those concerned with regulatory compliance, find they want physical destruction only after obtaining the audit trail and report that certified data erasure provides.

Though fast compared with other disk wiping utilities, certified data erasure is slower than physical destruction, as it takes longer to overwrite the disks than to degauss and destroy them. Still, because multiple PCs can be wiped at once with data erasure software, disk sanitization processing efficiency is greatly improved.

Some companies that want complete data erasure may be concerned by the fact that not all disks can be completely overwritten because of bad sectors, as described previously. However, bytes residing on inaccessible bad sectors are, in practice, protected against all exposure except that posed by exclusive technologies found only at highly certified laboratories. Customers should therefore feel confident that their data is secure, if this is within their organizations’ risk tolerance.

Ultimately, companies must choose their risk tolerance with regard to data exposure in today’s increasingly complicated security landscape.

Recyclers must educate customers that the cost for data erasure is minimal, especially given that data breaches cost a company $5 million on average, not to mention damage to corporate reputation and failure to comply with the growing number of regulations. As companies become more aware of the potential benefits of data erasure, recyclers will capitalize on easily administered tools that can help them to capture new revenue streams.

The author is vice president, sales and business development, North America, for Blancco Ltd., based in Finland. He can be reached at markku.willgren@blancco.com.

April 2009