Key Points
• With modern hard drives, a single pass with the ATA Secure Erase command is sufficient to effectively wipe all data.
• Encryption can facilitate secure deletion, but the measure is only as strong as the passphrase that unlocks the encryption key.
• Establish data retention and deletion policies as a means of protecting the organization from legal risks.
Most IT people understand the difference between deleting data and sanitizing it. Deleting a file is essentially the same as erasing a table-of-contents entry in a book: the OS no longer knows where to find the information, but it is all still intact on the media. Casual overwriting with new data may still not eliminate the old information, because new files are often smaller than the one they replace and overwrite only part of the old file’s blocks. Moreover, it was long believed that even a fully overwritten sector retained faint traces of the previous data that a laboratory could recover. This is why sanitizing, commonly called “wiping” or “clearing,” has traditionally entailed multiple overwrites with patterns of 0’s and 1’s; each successive pass over a track was thought to further reduce the likelihood of those stray bits surviving intact. Security specs from the 1990s therefore called for three or more overwrites in order to claim true erasure. The gold standard of these specs was Department of Defense 5220.22-M, which also called for physical destruction of drives in cases where top secret information was present.
However, in 2001 ANSI (the American National Standards Institute, www.ansi.org) added the SE (Secure Erase) command to the ATA drive interface standard. SE is found in virtually all ATA drives of at least 15GB capacity made after that time. Unlike a format run by the operating system, SE is executed by the drive’s own firmware, which overwrites every user-addressable sector in a single on-track pass. Thanks to SE, in 2006 NIST (the National Institute of Standards and Technology, www.nist.gov) finally proclaimed, “Studies have shown that most of today’s media can be effectively cleared and purged by one overwrite using current available sanitization technologies.” Whereas a multi-pass wipe in the ’90s might take many hours, a single-pass Secure Erase runs at the drive’s sequential write speed, and on a self-encrypting drive a cryptographic erase of the key takes seconds.
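The practical check before issuing SE on a Linux host, as an added example (not from the article): parse the Security section of `hdparm -I`, refuse if the drive is frozen (a BIOS commonly freezes drives at boot) or locked, then build the two-command sequence: set a temporary user password, then erase, preferring enhanced erase when the drive reports it. The sample hdparm output is constructed, `/dev/sdX` is a placeholder, and the `run` flag defaults to a dry run because the second command destroys every sector.

```python
"""Check a drive's ATA security state and build the Secure Erase command sequence.

Added example: parses the 'Security:' section of `hdparm -I` output and refuses
to proceed when the drive is frozen or locked. SAMPLE_HDPARM_I is constructed.
"""
import re
import subprocess

# Constructed sample of the relevant part of `hdparm -I /dev/sdX` output.
SAMPLE_HDPARM_I = """\
/dev/sdX:

ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t60min for SECURITY ERASE UNIT. 60min for ENHANCED SECURITY ERASE UNIT. 
Checksum: correct
"""


def parse_security(hdparm_output: str) -> dict:
    """Return the ATA security flags reported under the 'Security:' heading."""
    info = {"supported": False, "enabled": False, "locked": False, "frozen": False,
            "enhanced": False, "minutes": None, "minutes_enhanced": None}
    lines = hdparm_output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("Security:"))
    except StopIteration:
        return info
    for raw in lines[start + 1:]:
        if raw and not raw[0].isspace():  # next top-level section
            break
        line = " ".join(raw.split())      # collapse hdparm's tab layout
        if line == "supported":
            info["supported"] = True
        elif line == "supported: enhanced erase":
            info["enhanced"] = True
        elif line in ("enabled", "locked", "frozen"):
            info[line] = True
        # 'not enabled' / 'not locked' / 'not frozen' leave the default False
    # The drive's own estimate of how long each erase variant takes.
    for mins, enh in re.findall(r"(\d+)min for (ENHANCED )?SECURITY ERASE UNIT", hdparm_output):
        info["minutes_enhanced" if enh else "minutes"] = int(mins)
    return info


def plan_secure_erase(device: str, info: dict) -> list:
    """Commands to run, in order; raises if the drive is not in a usable state."""
    if not info["supported"]:
        raise RuntimeError(f"{device}: ATA security feature set not supported")
    if info["frozen"]:
        # Typical cause: the BIOS froze the drive at boot; a suspend/resume cycle
        # or hot-plugging the drive normally clears the frozen state.
        raise RuntimeError(f"{device}: drive is frozen; unfreeze it first")
    if info["locked"]:
        raise RuntimeError(f"{device}: drive is locked; unlock with the existing password first")
    if info["enabled"]:
        # A password is already set; --security-set-pass would fail, so stop and find it.
        raise RuntimeError(f"{device}: security already enabled with an existing password")
    erase = "--security-erase-enhanced" if info["enhanced"] else "--security-erase"
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", "NULL", device],
        ["hdparm", "--user-master", "u", erase, "NULL", device],
    ]


def secure_erase(device: str, info: dict, run: bool = False) -> list:
    """Dry run by default; run=True executes the (destructive) plan."""
    cmds = plan_secure_erase(device, info)
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    state = parse_security(SAMPLE_HDPARM_I)
    print("enhanced erase estimate (min):", state["minutes_enhanced"])
    for cmd in secure_erase("/dev/sdX", state):
        print(" ".join(cmd))
```

The minutes the drive reports are its own estimate for a full single pass, which is why a large magnetic drive still takes on the order of an hour. NVMe drives do not take ATA commands; they are sanitized with the NVMe Format or Sanitize commands instead, which hdparm does not issue.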
Beyond Wiping
However, the mechanics of data wiping are only the beginning of a deletion discussion. The steps taken to erase data should be commensurate with the sensitivity of that data. For instance, when wiping is not perceived as enough, some organizations simply drill a couple of holes through the drive and its platters. Drilling leaves most of each platter surface intact, so the data is not gone; the bet is that only a few laboratories in the world possess the tools needed to read what remains, and that the time and cost of such a recovery would be prohibitive unless the data were worth many millions of dollars.
Another increasingly popular approach to secure data deletion involves encryption. Quite simply, if a drive implements full disk encryption, an admin only needs to destroy the encryption key to render the drive’s contents an undecipherable mess; the ciphertext itself can stay where it is. Software tools allow admins to manage such key deletion across an entire enterprise from a single console. Unfortunately, the strength of the cipher is not the weak link here; the passphrase that protects the key is.
“Encryption
is essentially a delay mechanism,” says Hugh Thompson, program committee chair
of the RSA Conference (www.rsaconference.com). “If I want to break into an encrypted
drive, it’s less a matter of how good is the encryption and more about how good
is the chosen key. The problem comes down to average users. If my key is my
first name or something like that, then it defeats the purpose of the
encryption. So how do you get people to choose good keys? That’s why the
physical disposal issue remains important.”
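A constructed model of the full-disk-encryption case described above and of the weak-key problem Thompson raises, added here and not taken from the article or any product: the sector key (DEK) is random, a passphrase-derived key only wraps it in a header, crypto-erase destroys the wrapped copy, and a dictionary attack against the header shows why a first-name passphrase defeats the scheme for as long as the header exists. Because the standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the sector cipher; the iteration count, passphrases and sample data are assumptions.

```python
"""Crypto-erase and the passphrase weak link, as a constructed model of an
encrypted volume. Added example; the HMAC-SHA256 keystream stands in for the
AES used by real drives, and PBKDF2 cost is illustrative.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 100_000  # assumption: illustrative cost; real tools tune this higher


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(passphrase: str, salt: bytes):
    """Passphrase -> (wrap key, tag key). This cost is also the attacker's cost per guess."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, 64)
    return km[:32], km[32:]


def new_volume(passphrase: str):
    """Create a volume header and its DEK. The DEK is random, never derived from the passphrase."""
    dek = secrets.token_bytes(32)
    salt = os.urandom(16)
    wrap_key, tag_key = derive_keys(passphrase, salt)
    wrapped = xor(dek, keystream(wrap_key, b"wrap", 32))
    tag = hmac.new(tag_key, wrapped, hashlib.sha256).digest()  # lets unlock() reject wrong guesses
    return {"salt": salt, "wrapped_dek": wrapped, "tag": tag}, dek


def unlock(header: dict, passphrase: str):
    """Return the DEK for a correct passphrase, else None."""
    if header["wrapped_dek"] is None:
        return None  # header was crypto-erased: nothing left to unwrap
    wrap_key, tag_key = derive_keys(passphrase, header["salt"])
    expect = hmac.new(tag_key, header["wrapped_dek"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, header["tag"]):
        return None
    return xor(header["wrapped_dek"], keystream(wrap_key, b"wrap", 32))


def encrypt_sector(dek: bytes, lba: int, data: bytes) -> bytes:
    """Sector cipher keyed by the DEK and sector address; XOR keystream, so decrypt == encrypt."""
    return xor(data, keystream(dek, lba.to_bytes(8, "big"), len(data)))


decrypt_sector = encrypt_sector


def crypto_erase(header: dict) -> None:
    """Destroy the wrapped DEK. Sectors stay on the media but are now noise to everyone."""
    header["wrapped_dek"] = None
    header["tag"] = None


def dictionary_attack(header: dict, wordlist):
    """Offline guessing against the header; each try costs one PBKDF2 run."""
    for guess in wordlist:
        dek = unlock(header, guess)
        if dek is not None:
            return guess, dek
    return None


if __name__ == "__main__":
    header, dek = new_volume("hugh")  # a first-name passphrase, the case Thompson describes
    sector = encrypt_sector(dek, 7, b"payroll Q3 totals")
    guesses = ["123456", "password", "hugh"]  # constructed mini wordlist
    print("256-bit DEK recovered via weak passphrase:", dictionary_attack(header, guesses) is not None)
    crypto_erase(header)
    print("after crypto-erase, same wordlist:", dictionary_attack(header, guesses))
```

The point the code makes: the cipher key is 256 random bits, yet the volume falls to a three-word list, because the header lets an attacker test passphrases offline. Destroying the header closes that door, but only for drives that are actually erased; a drive that leaves the building with its header intact is protected by the passphrase alone.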
Many enterprises recognize that “dumpster diving” in its various forms remains a security risk. Companies can’t simply throw out drives. The responsible course is to recycle them, either for materials or for sale into the second-hand market, but this requires many hours of hands-on media wiping and/or drive destruction. Good tech recyclers will detail and document how they wipe the drives that arrive for recycling. They will often charge for this service, but the total cost of disposal may well be lower than handling it in-house.

NIST offers this flowchart to help decide whether, and how, to securely delete information that leaves an organization.
(Source: National Institute of Standards and Technology, Special Publication 800-88, “Guidelines for Media Sanitization,” September 2006.)
Create Policies
Realistically, most data breaches don’t come from recovering data off wiped (or even casually deleted) drives. According to the 2010 Verizon Data Breach Investigations Report, only 15% of all breaches involved physical attacks. Sean Regan, director of product marketing for Symantec’s Information Management Group (www.symantec.com), argues that legal liability is the real driver of data retention and deletion decisions. If a company receives notice that it is under investigation, it is obligated to institute a “legal hold,” meaning that nothing with any possible relevance to the investigation can be deleted. The prospect of a legal hold arising someday has led many enterprises to simply keep everything, just in case.
“Companies just made information and kept it on backup
tapes,” says Symantec’s Regan. “Well, backup was designed for full recovery. But
companies started keeping their backup tapes longer than 30 days because they
thought, ‘Well, if we have an investigation, we’re going to need to find and
pull this stuff.’ That is a huge problem, because now you have all of the
smoking guns, all of the email, good and bad, piled on these tapes with no
good way to search it and very little visibility into what’s even on the tapes.
So companies are sitting on land mines and smoking guns with these tapes. I’ve
talked to companies with up to 800,000 tapes, and they don’t even know what’s on
them.”
Regan advises companies to have three things in place to navigate the problem of accumulating data and effective deletion. First, delete by default. Companies need deletion policies, and a retention period of three to five years seems to fit most SMEs. Second, have a legal hold switch. Legal hold trumps deletion policies, so there must be a way to suspend deletion upon receiving a legal notice. Finally, become efficient at e-discovery. If a business is sitting on terabytes of data, there must be a way to find the desired information, if only to then securely delete it. Regan states that this is increasingly impossible without an archiving strategy: data meant to be kept should flow into a centralized archive where it can be easily managed, and everything else should be quickly and securely flushed in accordance with company policy.
The trick here is achieving true centralization, especially at a time when workers’ personal computing devices are increasingly creeping into business use. The price of having people be more productive and always reachable is that they handle more kinds of data in ever more places.
“Hygiene practices are tricky on machines you don’t control,”
says RSA Conference’s Thompson. “If you are accessing sensitive corporate data,
make sure it is on a machine that can’t be easily intercepted by someone else.
Even if it’s a personal device, it’s important to use things like full disk
encryption. If you’re accessing your private email from a public machine, like a
kiosk, realize that remnants get left behind. So educate employees about risks
so that they can make better choices in day-to-day access.”
by William Van Winkle