How to Really Delete Data for Absolutely Sure

 
 
By Larry Seltzer | Posted 2008-09-16
 
 
 
 
 
 
 

There are different standards for certainty in deleting data, and different methods of accomplishing them. If not done properly, there could be serious security and compliance ramifications.

Everyone knows by now that when you delete data on a computer, it's not necessarily completely gone. The importance of this fact, and the need to be able to delete data with absolute certainty, has increased in recent years.

Imagine that you are upgrading, or taking out of service, a server that has had confidential data stored on it. This could be patient records in a hospital, credit card data in a retail organization, secret weapon plans in a defense plant, whatever. What do you do with the hard disks in the server? There are serious compliance issues at stake here.

Hard disks these days don't have much of a lifetime. The disks from a server you built two or three years ago are probably not worth saving for another use. But you can't just throw them out.

Standard formatting tools aren't perfect. They're not designed to eliminate data completely, but more to get the disk blank enough and set up for new use. In fact, all software tools have a tough job eliminating data, in that old data can survive multiple writes. Nevertheless, there are software products (such as those from Blancco) that erase data to varying standards of completion.

I have had to throw out a few personal drives over the last few years, generally when installing larger ones, and I've taken the old-fashioned approach to data destruction. I put the drive on the floor of my basement, and I give it a few whacks with a hammer. After that, the drive may be useful as a maraca, but I challenge anyone to get meaningful data out of it. This method should be fine on drives made with glass platters, but some, alas, are made with aluminum.

There are many other forms of physical destruction to which you can subject your drives to make the data unrecoverable. You could drop them in an active volcano, for instance. This isn't convenient for most enterprises, and I haven't located any services in this area. Last year we saw the emergence of a new device: the hard disk shredder, which can chop an entire drive up into metal and glass and plastic confetti. This should do the job, but these devices are rare and expensive. They also create trash that is difficult, if at all possible, to recycle.

All of this is why the NSA defines rules for how to "sanitize" devices of data. They call for degaussing, which means to eliminate the magnetic fields in the device. Since the data exists on hard drives in the form of magnetic fields, this amounts to deleting the data.

You can buy commercial degaussers, such as those from Fujitsu. The new Fujitsu Mag EraSURE ME-P3 degausses magnetic media, including VHS tapes, in as little as 15 seconds. You can then safely send the drive out to recycling; a hard drive, however, will not function after degaussing, so you have to trash it somehow.

What's really interesting about these devices is the potential for an outsource market to develop. Degaussers like this are cheaper than shredders, but they still cost a lot (the high-end Fujitsu Mag EraSURE ME-P3 will sell for $53,000), so many companies who might need to use one can't justify the cost. What if companies put them on a truck and drove out to locations, like those paper shredding services, to degauss your drives? They could provide a certification, even video evidence, that the drive was erased, and maybe then even take it away for proper disposal.

One-man shops like me can make do with a hammer, but large businesses need something more sophisticated. Degaussers could be the ultimate tool.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.



 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 
