Data wiping: on itad and secure sanitization of your virtual and physical it assets

Remember the early days of records retention when you knew how to securely dispose of a paper report and its copies?

The secure disposal of today's virtual records is another story. One method used to ensure secure destruction of digital data is known as data wiping. This practice securely overwrites some data on one or more pieces of data storage hardware. According to various industry standards, this type of secure erasure can occur once or multiple times — often by overwriting the data with a string of zeroes or other unintelligible characters.

Data Wiping and Secure ITAD for Retired or Decommissioned Hardware Assets

Most standards describe some type of secure erasure in the context of hard disk storage media. When media is decommissioned, scrubbing or wiping the data clean is usually required before the device can be reused, recycled, destroyed or remarketed.

Data wiping has traditionally been performed on a desktop, laptop or server as part of the process of decommissioning such systems. For highly sensitive environments, the disk media itself may even be physically destroyed.

Many free erasure tools exist. Unfortunately, these often lack features corporations need to track and record their own due diligence: documented chain-of-custody procedures, third-party certifications, auditable reports and certificates of destruction. For that, many organizations turn to providers who specialize in IT asset disposition (ITAD). Secure sanitization is typically part of a secure ITAD service.

Is Secure Sanitization Possible for Virtual Data Assets Alone?

The task of data wiping is less clear for data that might still live "out there" on various corporate IT systems. Such IT system hardware hasn't reached end-of-life, yet the sensitive data upon it may still need to be securely wiped. This can apply to data with increasingly regulated, Personally Identifiable Information (PII), such as required for HIPAA. There are also GDPR requirements, which are another important consideration.

However, sensitive virtual data can exist in multiple places: On virtual machines in the network, inside one or more databases, in various reports, on backup copies, replicated to other systems, stored as blocks in a logical unit number (LUN) within a network storage system, distributed via email and saved locally as attachments, in system log files (such as for Adobe PDF documents), etc. Then there are data assets in a multi-tenant environment within a third-party provider's cloud.

Can secure data sanitization be used for any of these contexts? Some industry commentators believe it can, or at least that this is the direction secure sanitization needs to go for live IT environments. Industry authors are getting into the secure data sanitization discussion, too. This includes Joel Reardon, author of "Secure Data Deletion," and Greg Schulz, author of "Cloud and Virtual Data Storage Networking."

For secure data sanitization in the cloud, users can see examples of what's allowed. One example: Google Amazon's "Overview of Security Processes." Users of third-party cloud services should ask their provider how their data is secured (and can be securely sanitized) as well as what the customer can do to ensure secure sanitization of their own data.

Sorting It All Out

Larger data management platforms also exist to help companies define rules on data handling, records retention, automated destruction, etc.

Evolving regulations make it difficult to know if a company is doing enough to securely destroy affected data. Can the process be handled in-house? Should it be outsourced? Who should oversee it: A chief data officer (CDO)? The compliance/governance team? Corporate lawyers? Records and information managers? IT?

For help, ask your ITAD provider what they are doing with other clients in your sector. Seek out ITAD providers who can also offer advice on related issues of data life cycle management, information governance and practices for emerging regulations like the GDPR.

In the end, secure sanitization may come down to doing what you can with expert advice. According to this TechTarget article by Michael Cobb, it may be about taking "reasonable measures." For Carl Gottlieb, it may be just doing the right thing. "The key is to focus on what your rationale would be if you were stood in front of the regulator (e.g. ICO in the UK) or a judge in court," he said.

Remember the early days of records retention when you knew how to securely dispose of a paper report and its copies?

The secure disposal of today's virtual records is another story. One method used to ensure secure destruction of digital data is known as data wiping. This practice securely overwrites some data on one or more pieces of data storage hardware. According to various industry standards, this type of secure erasure can occur once or multiple times — often by overwriting the data with a string of zeroes or other unintelligible characters.

Data Wiping and Secure ITAD for Retired or Decommissioned Hardware Assets

Most standards describe some type of secure erasure in the context of hard disk storage media. When media is decommissioned, scrubbing or wiping the data clean is usually required before the device can be reused, recycled, destroyed or remarketed.

Data wiping has traditionally been performed on a desktop, laptop or server as part of the process of decommissioning such systems. For highly sensitive environments, the disk media itself may even be physically destroyed.

Many free erasure tools exist. Unfortunately, these often lack features corporations need to track and record their own due diligence: documented chain-of-custody procedures, third-party certifications, auditable reports and certificates of destruction. For that, many organizations turn to providers who specialize in IT asset disposition (ITAD). Secure sanitization is typically part of a secure ITAD service.

Is Secure Sanitization Possible for Virtual Data Assets Alone?

The task of data wiping is less clear for data that might still live "out there" on various corporate IT systems. Such IT system hardware hasn't reached end-of-life, yet the sensitive data upon it may still need to be securely wiped. This can apply to data with increasingly regulated, Personally Identifiable Information (PII), such as required for HIPAA. There are also GDPR requirements, which are another important consideration.

However, sensitive virtual data can exist in multiple places: On virtual machines in the network, inside one or more databases, in various reports, on backup copies, replicated to other systems, stored as blocks in a logical unit number (LUN) within a network storage system, distributed via email and saved locally as attachments, in system log files (such as for Adobe PDF documents), etc. Then there are data assets in a multi-tenant environment within a third-party provider's cloud.

Can secure data sanitization be used for any of these contexts? Some industry commentators believe it can, or at least that this is the direction secure sanitization needs to go for live IT environments. Industry authors are getting into the secure data sanitization discussion, too. This includes Joel Reardon, author of "Secure Data Deletion," and Greg Schulz, author of "Cloud and Virtual Data Storage Networking."

For secure data sanitization in the cloud, users can see examples of what's allowed. One example: Google Amazon's "Overview of Security Processes." Users of third-party cloud services should ask their provider how their data is secured (and can be securely sanitized) as well as what the customer can do to ensure secure sanitization of their own data.

Sorting It All Out

Larger data management platforms also exist to help companies define rules on data handling, records retention, automated destruction, etc.

Evolving regulations make it difficult to know if a company is doing enough to securely destroy affected data. Can the process be handled in-house? Should it be outsourced? Who should oversee it: A chief data officer (CDO)? The compliance/governance team? Corporate lawyers? Records and information managers? IT?

For help, ask your ITAD provider what they are doing with other clients in your sector. Seek out ITAD providers who can also offer advice on related issues of data life cycle management, information governance and practices for emerging regulations like the GDPR.

In the end, secure sanitization may come down to doing what you can with expert advice. According to this TechTarget article by Michael Cobb, it may be about taking "reasonable measures." For Carl Gottlieb, it may be just doing the right thing. "The key is to focus on what your rationale would be if you were stood in front of the regulator (e.g. ICO in the UK) or a judge in court," he said.