While the ability to clearly establish what data end-of-life really means is still a challenge for most companies, uncontrolled data growth has resulted in corporate policies regarding data storage and retention. Most policies have been driven or imposed by legislation and regulations such as HIPAA, the Sarbanes-Oxley Act and other federal and state compliance requirements.
As a result, most of the attention has gone to data that must be retained, for obvious reasons such as the direct impact of retention on storage cost. It is therefore often assumed that once data has been marked for disposal it no longer needs much attention, and the actual deletion process itself is frequently left loosely defined. But when data copies, backups or archives are deleted, are they really gone?
When it comes to paper records, running documents through a shredder usually does the trick. Because electronic records are not physical, it is often (falsely) assumed that a simple file deletion is the equivalent of shredding a paper copy -- after all, once data is deleted, it is typically no longer readily accessible to the operating system or the application that created it. However, deletion alone is not sufficient. In simple terms, deleting a file only marks the space (or blocks) it occupies as available for reuse. Until those blocks are actually overwritten, the data is still there and can be retrieved with ordinary forensic tools. The often-quoted requirement to overwrite several times (the "seven passes" figure comes from older U.S. Department of Defense clearing guidance) is no longer considered necessary: NIST SP 800-88, referenced at the end of this article, states that a single overwrite pass is adequate for modern magnetic hard drives. The more important caveat is that a software overwrite only reaches the blocks the operating system can address; remapped bad sectors, and flash-based media such as SSDs with wear levelling, can keep copies of the data that no file-level overwrite touches, which is why 800-88 distinguishes clearing (overwrite) from purging (firmware-level or cryptographic erase) and destruction.
In many cases, disk or tape media is reused to store more data, so the semantics of deletion do not matter much. However, when leased IT assets such as servers or disk arrays must be returned, when obsolete systems are replaced or when storage media has reached end-of-life, special care must be taken to ensure that any data once stored is irretrievable. This process is known as media sanitization, and in some cases it requires physical destruction of the media. It is often tempting for staff to innocently collect hard drives from decommissioned computer equipment for home use, and this has led to embarrassing situations and PR nightmares for some high-profile companies in the past because hard drives containing confidential data resurfaced in the wrong place at the wrong time.
The problem often starts with a lack of clearly defined policies around data destruction. Servers or disks are decommissioned without much thought being given to whether or not data is still accessible. There are a number of ways to dispose of data, including media destruction, disk degaussing and automated multiple data overwrites with random byte patterns.
Media destruction is fairly common for media that has reached end of life, such as tape, or for optical media that cannot be overwritten. There are shredders for tape and optical media -- and even for hard drives -- that are used when media must be destroyed.
The degaussing method applies a powerful magnetic field that neutralizes the "orientation" of the magnetized particles that make up the writeable surface of the media. It is typically used for bulk erasure of tape that will be reused but must be free of retrievable data. Note that degaussing only affects magnetic media: it has no effect on flash-based devices such as SSDs, and on modern hard drives it also wipes the factory-written servo tracks, so a degaussed disk is no longer usable and is effectively destroyed rather than cleared.
Some data overwrite programs, such as Eraser, can be downloaded for free and will overwrite data as many as 30-plus times (Eraser's 35-pass Gutmann method). Other commercially available products will automatically overwrite a file with random data more than 100 times. Because of the time it takes to overwrite data up to 100 times, these products may not be suitable for very large-scale tasks with time constraints.
Third-party services can also be used for media overwrite, and each one will claim it has a better method than the next. While there may be some merit in evaluating whether a product that exceeds 50 passes is better than one that exceeds 20, it is probably a better idea to ensure that the service provider has guarantees and verifiable controls in place so that nothing gets overlooked -- a signed certificate of sanitization listing each drive serial number is worth more than an extra dozen passes.
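The file-level overwrite that tools such as Eraser perform, and the reason a plain delete is not enough, can be shown in a few lines. The following is an added example written for this article, not code from the author or from any product it mentions. It overwrites a file in place with random passes followed by a zero pass, forces the writes to the device with `fsync`, reads the file back to verify the final pass, and only then unlinks it. The sample "secret" record it writes is constructed for the demonstration. The caveat from the deletion discussion above applies in full: this only works on media and filesystems that rewrite blocks in place, and it cannot reach remapped sectors or SSD spare blocks.

```python
"""In-place file overwrite before deletion (added example, not from the original article).

Works only where the filesystem rewrites blocks in place (classic HDD, ext4/NTFS
without snapshots). Copy-on-write filesystems (btrfs, ZFS, APFS), data journaling,
and SSD wear levelling can leave the old blocks untouched; for those cases use
whole-device sanitization (ATA Secure Erase, NVMe format, or a NIST 800-88 purge).
"""
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB per write() call

# Constructed sample record; stands in for confidential data in the demo.
SAMPLE_RECORD = b"ACCOUNT=4111111111111111;SSN=000-00-0000\n"


def _write_pass(fd: int, size: int, fill) -> None:
    """Overwrite the first `size` bytes of the open file with fill(n) chunks, then fsync."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        remaining -= os.write(fd, fill(n))  # os.write may write fewer bytes than asked
    os.fsync(fd)  # flush past the page cache so the pattern actually reaches the device


def _read_all(fd: int, size: int) -> bytes:
    """Read the first `size` bytes back from the start of the file."""
    os.lseek(fd, 0, os.SEEK_SET)
    chunks, remaining = [], size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data:
            break
        chunks.append(data)
        remaining -= len(data)
    return b"".join(chunks)


def shred_file(path, random_passes: int = 1) -> dict:
    """Overwrite `path` with `random_passes` random passes plus a final zero pass,
    verify the zero pass by reading it back, then unlink the file.

    Returns a report so the caller can log what was done (and refuse to unlink
    if verification failed, which leaves the evidence in place for investigation).
    """
    p = Path(path)
    size = p.stat().st_size
    fd = os.open(p, os.O_RDWR)
    try:
        for _ in range(random_passes):
            _write_pass(fd, size, secrets.token_bytes)
        _write_pass(fd, size, bytes)  # bytes(n) is n zero bytes
        verified = _read_all(fd, size) == bytes(size)
    finally:
        os.close(fd)
    if verified:
        os.unlink(p)
    return {"bytes": size, "passes": random_passes + 1, "verified": verified}


def demo() -> dict:
    """Write the constructed secret to a temp file, shred it, and report the outcome."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD * 200)
    report = shred_file(path, random_passes=2)
    report["exists_after"] = os.path.exists(path)
    return report


if __name__ == "__main__":
    print(demo())
```

GNU coreutils ships the same idea as `shred -n 1 -z -u FILE` (one random pass, one zero pass, then unlink), and its manual page carries the same warning about copy-on-write and journaling filesystems. Either way, a file-level tool is a clearing control for live systems; for drives leaving your custody, the whole-device methods discussed above are the ones that satisfy NIST 800-88.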
For very security-conscious organizations, there might be requirements to destroy residual data in temporary storage such as RAM or battery-backed cache on storage arrays. For a good and comprehensive paper on data disposal, see NIST Special Publication 800-88, "Guidelines on Media Sanitization".
About the author: Pierre Dorion is the Data Center Practice Director and a Senior Consultant with Long View Systems Inc. in Phoenix, AZ, specializing in the areas of business continuity and disaster recovery planning services, and corporate data protection.