Policy for Destruction:
Does the above phrase ring a bell? Do you wonder why there should be a policy in place for “Destruction”. Are we living in a hypocritical world?
Well, some destructions are for good!!!!
Organizations that deal a lot with sensitive data need these “destructions” at its best. The trouble is “deleting” the data doesn’t really mean it is deleted. With various developments and technologies in place, there is a lot of possibilities that the data can be retrieved even from a physically damaged device.
What is Data Destruction?
It is the process of destroying data stored in various formats such that it is made completely irreversible. It must be noted that data destruction is not the same as physical destruction. It is a common myth that both are similar in nature.
Physical destruction can be termed as the process of making a device unusable as it involves shredding it into pieces. This does not qualify for data destruction and will not guarantee data has been destroyed. With the evolution of solid-state drives (SSD) where the data is stored densely, there is a possibility of data being usable from shredded fragments.
So what should an organization do apart from Data Destruction?
Organizations should go beyond the data destruction and venture into data sanitization. Many a times these terms are often used interchangeably, but, it is not the same. Data Sanitization ensures that the data is not recovered even by using forensic tools. For organizations which deal with highly sensitive data, sanitization is the best option to be followed.
There are few standards which prescribe the best way to perform data sanitization. For instance, the US Department of Defense (DoD) has a specific set of guidelines on data sanitization. Encryption is one of the ways of performing data sanitization. Crypto Erasure could also be looked upon as an alternate. However, it is up to the organization to decide on the use of methods based on its business need, the type of data it handles etc.
Methods to achieve Data Sanitization
There are three methods to perform data sanitization viz.
- Physical Destruction
- Cryptographic Erasure
- Data Erasure
Physical Destruction involves the process of shredding media devices into tiny pieces with the help of mechanical shredders or degaussers.
Degaussing is a form of destruction where in the data is exposed to powerful magnetic field which in turn makes the data unrecoverable. However, on the flip side degaussing is not effective on SSD’s
Cryptographic Erasure is the process of using encryption software which also erases the key used to decrypt the data.
The encryption algorithm used should be a minimum of 128B. The primary drawback of this method is that since the data is available in the media (in unrecoverable mode), it does not achieve the regulatory compliance. Symmetric and Asymmetric algorithms are available and one should be careful while choosing it. There are multiple factors which also needs to be considered like:
- Key Size
- Performance during encryption and decryption
- Known Attacks and weakness of the algorithm
- Approval by third parties (NIST algorithmic validation program)
Data erasure is the software-based method of securely overwriting data using ones and zeroes onto all the sectors of the device. A tamper proof report or an audit certificate stating that data has been completely removed and not recoverable
There are various terms used interchangeably and organizations should ensure that these terms/activities are NOT Data Sanitization.
Data Deletion – The process of deleting data and emptying the recycle bin. The fact is that the data is still recoverable.
Reformatting – It is executed on a media with an intent to remove all the available data. But the fact is it can still be recovered with forensic tools available from the market, and there are free tools available which makes the job easier
Factory Reset – All the data is removed from the devices, but it is important to understand what methodology the vendor uses while resetting. Not all vendors use cryptographic erasure.
Data Wiping – Often confused with data erasure. Data wiping is the process of overwriting data without verification and it does not provide a certified / audit report
So with all these guidelines in place, what should organizations do?
Every organization should have a decommissioning policy which clearly states the standard operating procedures. These policies should be implemented by someone experienced in decommissioning digital assets. The policy should address (not limited to)
- Logging of decommissioning process
- Degaussing of devices
- Physical destruction of media
- Recordings of the destruction
Organizations should know the relevant regulations which are suited to their line of business and adhere to it. At the end of the day the implementation should be in a very transparent & traceable manner which would help in a clear audit trail.