A Green Slate

The destruction of sensitive information on hard drives intended for disposal or refurbishment is an ongoing concern, as too much information is stored in too many places, and the proliferation of high-profile data breaches continues. According to the National Association of Information Destruction (NAID), Phoenix, top executives from 300 firms ranked the security of company records as one of their top five critical issues.

At the same time, more companies are also concerned about their environmental footprints, leading them to consider donation or reuse of IT assets they might once have considered obsolete. Still other organizations lease their computer equipment. Both of these scenarios require a method to securely remove confidential data that does not physically destroy drives.

For recyclers and refurbishers looking to attract customers that are security-minded or focused on going green, approved and certified data erasure can present a safe and easily administered option for hard drive sanitization that outperforms standard wiping utilities. When compared with other methods of data destruction, certified data erasure has many benefits, which are described here. Also discussed are some of the primary objections to data erasure.

Environmentally Responsible. For many companies and their stakeholders, green has become much more than a buzzword, and electronics recycling and refurbishing are means of achieving corporate sustainability goals. Studies indicate that the life cycle energy use of a computer is dominated by production (81 percent) as opposed to operation (19 percent), meaning that extending its usable life span by reselling or upgrading is a valid approach to reducing energy impact, as well as other environmental factors associated with manufacturing and disposal.

Certified data erasure is designed to offer a secure alternative to physical destruction for companies looking to reduce their carbon footprint by extending the life cycle of their IT assets through sale or donation. Also, data erasure can provide information required to determine an asset’s fitness for reuse, leaving vendors the more lucrative option of remarketing the asset rather than selling its constituent materials as scrap.

Security Through Full-Disc Sanitization. Modern hard drives have hidden and locked areas that potentially include remapped sectors, which standard data wiping freeware and less sophisticated overwriting tools cannot access or erase. Unlike these utilities, certified data erasure software does not rely on the computer operating system to define a disc, but instead communicates with a disc on the bit level so that all data are destroyed. In essence, other utilities may report full success, though the entire disc has not been accessed, giving a false sense of security that all data has been wiped.

Full Disclosure and Reporting. Unlike physical destruction, certified data erasure software provides detailed reporting about a disc’s sanitization status. Reports contain information that includes the erasure date, hard drive serial number, specifics about the PC or disc, technician name and results/errors concerning the erasure process. This software also provides users with a validation certificate if the overwriting procedure was successfully completed.

While certified data erasure software accesses the entire drive, it may encounter bad sectors that it cannot overwrite. In this case, the software discloses the number of such sectors encountered and notes that the erasure was incomplete, allowing the administrator to take further action.

When erasing a number of discs, especially high-mileage ones, bad sectors are often encountered, resulting in an incomplete erasure. Depending on a firm’s policy and risk tolerance, some organizations may opt to refurbish a disc with only a few bad sectors, while others may choose physical destruction in such cases. For electronics recyclers, identifying the healthy discs offers potential revenue from remarketing, along with a reduction in electronic scrap.

Ability to Meet Standards, Address Regulations. Throughout the past few years, companies have become more sensitive to computer information security issues. Exposure of sensitive financial and medical data, as well as high-profile leaks of consumer credit and debit card data, have resulted in regulations like HIPAA (Health Information Portability and Accountability Act), SOX (Sarbanes-Oxley) and Payment Card Industry Data Security Standard (PCI DSS), to name a few.

In addition, many government and industry standards exist for the software-based overwriting process itself. Key factors in meeting these standards are the overwriting pattern, the number of times the data is overwritten and the verification process, all of which vary depending on the standard involved. For example, Department of Defense standards have referred to seven or three overwriting rounds in the past, while the current National Institute of Standards and Technology recommendation is a single pass. Also, many standards require a method to verify that all data have been removed from the entire drive as well a view of the overwrite pattern. A data erasure tool should address as many of these standards as possible and provide a validation certificate indicating such.

Data erasure reports provide companies and vendors with an audit trail that ensures compliance with all major government and industry standards. These records are important to customers who must address such requirements.

Higher Productivity with Broad Hardware Support. Instead of erasing discs one by one as with some sanitization methods, data erasure can be easily deployed to target multiple networked PCs, raising personnel productivity. Linux-based data erasure tools can be most effective because they work on a broader range of network hardware, such as high-end server and storage area network (SAN) environments with Serial ATA, Serial Attached SCSI (SAS) and Fiber Channel discs and remapped sectors. Also, with certified data erasure software, there is no need for personnel to reformat discs back to 512 size before erasing data, because this software operates directly with larger sector sizes.

Improved Asset Management. The ability to verify healthy assets with data erasure appeals to cost-conscious organizations wishing to reuse or extend the lives of their IT investments. In addition, many companies tend to lose track of retired IT assets and, more importantly, the data they contain. By using the reporting capability of data erasure software when a computer is retired, organizations can keep track of the discs they have sanitized. This also protects the discs on equipment slated for a recycling facility, should that be the next step.

Many companies, however, do not have data erasure software and so rely on their vendors for audit trails. However, many industry analysts advocate that discs be wiped by the company itself as well as by the service provider.

By and large, the benefits of data erasure far outweigh any negative aspects. However, there are some companies who rely solely on physical destruction of their retired or damaged IT assets and are not receptive to any additional fees for a data erasure service or the cost of licensing data erasure software. Still, many companies, especially those concerned with regulatory compliance, find they want physical destruction only after obtaining the audit trail and report that certified data erasure provides.

Though fast compared with other disc wiping utilities, certified data erasure is slower than physical destruction, as it takes longer to overwrite the discs as opposed to degauss and destroy them. Still, because multiple PCs can be wiped at once with data erasure software, disc sanitization processing efficiency is greatly improved.

Some companies who want complete data erasure may be concerned by the fact that not all hard drives can be completely overwritten because of bad sectors, as described previously. However, bytes residing on inaccessible bad sectors are, in practice, protected against all exposure except that posed by exclusive technologies found only at highly certified laboratories. Customers should, therefore, feel confident that their data is secure, if this is within their organizations’ risk tolerance.

Ultimately, companies must choose their risk tolerance with regard to data exposure in today’s increasingly complicated security landscape. Vendors must educate customers that the cost for data erasure is minimal, especially given that data breaches cost a company $5 million on average, not to mention damage to corporate reputation and failure to comply with the growing number of regulations. As companies become more aware of the benefits of data erasure, vendors will capitalize on easily administered tools that can capture new revenue streams.