(By Dag Adamson – President Destroy Drive – Onsite Data Sanitization and Destruction)
During the entire lifecycle of servers and storage arrays, different preventative measures need to be employed to ensure security. In addition to secure end-of-life handling of hard drives, there are several other instances when data “wiping” / sanitization or physical destruction is needed to protect personal identifiable information, financial data, or valuable/proprietary information.
These different events include:
– Returning equipment to leasing companies or service providers
– Data Center Move
– Data Center Consolidation
– Cloud Migration
While some organizations choose to physically destroy or wipe hard drives themselves, many choose to outsource this activity to obtain:
- Scalability of wiping/sanitizing large quantities of hard drives
- Transfer the liability of data destruction to another party
- Stronger compliance by leveraging the expertise of an AAA NAID audited and certified resource
- Faster and more efficient data destruction
- Lower cost
- Value recovery of reusable hard drives
- Reduce strain on internal resources to focus on mission critical activities
SIMPLICITY and SCALABILITY
The process of data destruction is relatively simple. Physical destruction can be as simple as: remove the hard drive from the computing or storage platform and strike it with a blunt instrument like a hammer or puncture it several times with an electric drill. For a single or handful of drives this may be physically simple, however, when quantities increase – safety risks increase, drill bits seemingly only last for a few drives that contain hardened materials and speed of destruction becomes an issue.
A more efficient method would be to use a specialized piece of destruction equipment that “bends” the hard drive or shreds the hard drive in compliance with AAA NAID certification or the NIST 800-88 guideline.
Some data destruction software is relatively easy to use; however, some have technical limitations with RAID drives found in servers and connectivity & compatibility with large storage arrays. Specialized equipment, software and trained systems engineers are frequently leveraged from service providers overcoming these obstacles.
Optimally, hard drives can remain inside servers or large storage arrays containing 100’s and even 1,000’s of hard drives when advanced wiping/sanitization equipment and software is employed. Using specialized software and equipment in many cases is 10X faster than wiping individual drives.
Data collection of serial numbers can be simplified, and accuracy can be improved by leveraging state-of- the-art wiping/sanitization technology that automatically collects the make, model, and serial number of the hard drive. Anyone that has manually attempted to scan the serial number of a hard drive can attest that a technician must decipher which of the half-dozen bar-codes found on the face of a hard drive is the serial number.
LIABILITY TRANSFER / CERTIFIED PROCESSES
There continues to be a growing list of domestic & international laws/regulations requiring closer attention to data privacy, information destruction and especially compliance. Many laws including the Health Insurance and Portability Act (HIPAA) and the General Data Protection Regulation (GDPR) require evidence of processes and controls to assure proper compliance and stewardship of personal data. By leveraging vendors that are regularly audited by an independent data destruction standard, like the AAA NAID Certification, organizations can mitigate data destruction process risk and transfer the liability to professional and certified experts.
Highlights to AAA NAID Certified vendors includes:
- Detailed Audit – Physical Destruction and Sanitization
- Onsite and Plant Based Services
- Detailed attention to Chain of Custody
- Specific Requirements for Employee background checks and drug testing
- Highest level of operational and physical security
- Security / Threat Prevention – Conducted by independent 3rd party auditor
LOWER COST / VALUE CREATION
In addition to compliance, lower cost and value creation are important considerations in compliant data destruction. Rather than purchasing “bending” or shredding equipment that is only periodically used, organizations leverage service providers that have trained technicians that use the equipment regularly.
As an alternative, many organizations seek to off-set or even eliminate data destruction costs by performing compliant data wiping or sanitization and then remarketing servers or storage arrays. In the case of lease returns or using colocation or hosting services, it’s an imperative to wipe hard drives prior to returning equipment at the end of the lease or at the end of the service contract.
The good news: Even the most rigorous government data security requirements afford hard drive wiping / sanitization compliance. When performed with rigorous attention to process, and leveraging state-of-the-art technology, sanitization/wiping is a cost-effective method for compliant data destruction.
As with all professional service delivery, information is necessary to determine an initial scope of a data destruction program. The following information will help your DataSpan account manager determine the best and most compliant solution for your data destruction needs:
- Type of equipment (servers, arrays, loose drives)
- Manufacturer of server or array
- Model of server or array
- Number of drives
- Type of interface (SAS, SATA, SCSI, FC)