The Criticality of On-Site Data Destruction in Secure IT Asset Disposal

November 21, 2018 at 3:38 pm by Heidi White

PII-securityAs the world marches inexorably towards a completely digital future, there is an ever-increasing demand for cloud-based data storage. To accommodate this digital sprawl, expansive data centers are being built at a rapid rate, with their servers continuously writing and overwriting data onto increasingly dense hard drives, with absolutely no downtime. As a result, data centers are constantly removing and replacing hard drives as they fail. The big question: what happens to the old drives?

The answer is not a simple one. Several methodologies are utilized for end-of-life data disposal, many of which are determined by security compliance requirements — such as NSA, NIST, HIPAA, and more recently GDPR— as well as health, safety, and environmental standards. In addition, volume of e-waste and drive type also come into play when determining the best solution for IT asset disposition, or ITAD. Regardless of the methodology employed, the commonality of secure ITAD is the critical importance of complete data sanitization.

cybersecurityNews stories on data breaches, cybersecurity threats, and compromised personal information have become a daily occurrence, and both rotational hard disk drives (HDDs) and solid state drives (SSDs) store vast amounts of data on small surfaces. Even when these devices are cracked, scratched, or broken, data is still retrievable from remaining fragments — as long as the remaining pieces are large enough. Drilling into a platter-based hard drive or snapping a solid state drive into several pieces is largely ineffective at preventing the possibility of data retrieval. Likewise, erasure, overwriting, and/or reuse of hard drives is a completely inadequate method of end-of-life data disposal. Erasure and overwriting frequently miss small blocks of data on the drive, making reuse an absolute security disaster. Even small amounts of personal or sensitive data left on a drive can result in catastrophe if the device is compromised. Any company truly concerned about secure ITAD understands that total destruction of the drive is the only acceptable option.

HDD and SSD destruction is accomplished through crushing, shredding, or disintegration of the drive, and the ultimate solution is largely dependent upon drive type, volume, and security requirements. In addition, convenience, operator health and safety, space limitations, user interface, noise concerns, and budget also have an impact. Choosing the right solution isn’t as simple as picking a shredder from a catalog, and instead requires a comprehensive situational consultation and assessment. Because most manufacturers of data destruction devices don’t offer consultative services, many data centers, hospitals, educational, and financial institutions find themselves frustrated with the process and instead turn to outside vendors to manage their data destruction – a decision that invites the potential for serious consequences.

Third party data destruction services are available as either off-site or on-site. Off-site services pick up discarded drives at the client’s location and transport them to a data destruction center. The inherent risk with off-site data destruction is three-fold:

  1. Allowing drives with live data to leave the premises increases liability.
  2. Some less-than-savory off-site destruction companies have been known to employ questionable business practices. For example, one company caught their disposal vendor trying to outsource destruction to a third party, and then caught a different vendor selling off old devices rather than destroying them, even though their contract explicitly said not to do so.
  3. The extended chain of custody with off-site destruction exacerbates risk.

Third party on-site data destruction is a better option, but still carries with it some uncertainty. Third-party destruction services only provide the most commonly utilized destruction devices; therefore, unique devices and more stringent regulatory requirements present challenges to many third-party providers. In addition, drives still physically leave the premises and are in the hands of people not in the drive owner’s employ. Unfortunately, the introduction of each and every outside element adds a layer of risk that exponentially increases liability.

SEM’s degauss, destroy, document bundle provides audit-proof peace of mind for secure information end-of-life. NSA listed and NIST compliant.

Clearly, the safest, most secure methodology for sensitive end-of-life asset disposal is in-house, on-site hard drive destruction. Fortunately, solutions exist that readily meet the strictest regulatory, health, safety, and environmental requirements, as well as accommodate today’s more rugged enterprise drives and ever-increasing drive volume. Shredders and disintegrators are available with different final particle shred sizes, horsepower, throughput, and even noise level, and degaussing and crushing solutions are available that meet even the NSA’s stringent two-step requirement for secure HDD disposal. The most demanding organizations will even find the availability of comprehensive in-house documentation options that provide a fully audit-proof destruction paper trail for meticulous record-keeping that mitigates liability.

SEM has over 50 years of industry experience. Click for timeline.

One question remains: what is the best in-house data destruction setup? The reality is that there is no easy answer. Determining the most efficient and effective solution can pose a challenge without proper guidance, and most data destruction solution providers have limited depth of expertise. After all, the demand for large-scale secure data destruction is relatively new, as data centers didn’t even exist until the early 1990s. Having been in the secure information destruction business since 1967, SEM provides a unique approach to end-of-life ITAD by working as a trusted partner with our clients, who benefit from our extensive industry knowledge and decades of experience with top secret government clients and their demanding destruction requirements. The good news is that once the most cost-effective and secure in-house data destruction solution has been determined, security-focused organizations enjoy the ultimate in data protection, efficiency, and peace of mind.

Published by

Heidi White

Heidi is Director of Marketing at SEM and is passionate about data security, health and fitness, and her family.