February 1, 2003, was a tragic day as Space Shuttle Columbia crashed and took the lives of its seven crew members. Many people thought everything was destroyed in the crash. But a significant number of items, including 40% of the shuttle itself, were eventually recovered. One of the items recovered was a 400MB Seagate hard drive, from which 99% of the data was successfully recovered.
That a hard drive could fall from space and be fully recovered may be an anomaly. But it attests to how resilient data can be. However, there are times, such as when data has reached the end of its useful life, when you don’t want it to exist anymore. This is where the IT practice of data destruction comes in.
Many erroneously think that data is eliminated when you delete a file, format a hard drive, repartition it, and the like. Without getting into the technical details, after all of those operations the data has gone nowhere: it still resides on the hard drive or whatever storage medium holds it.
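To make that point concrete, here is an added Python example (constructed for this review, not code from the book): a toy volume whose "delete" and "quick format" only touch the directory, so a file's bytes can still be carved from the raw image, while a sanitizing overwrite removes them and verifies the result.

```python
"""Why deleting a file is not data sanitization: a constructed toy volume."""
import os

VOLUME_SIZE = 4096  # constructed size; real media are much larger


class ToyVolume:
    """Minimal file-system model: a directory plus a flat data region."""

    def __init__(self, size: int = VOLUME_SIZE) -> None:
        self.data = bytearray(size)                 # the raw medium
        self.directory: dict[str, tuple[int, int]] = {}  # name -> (offset, len)
        self._next_free = 0

    def write_file(self, name: str, content: bytes) -> None:
        offset = self._next_free
        self.data[offset:offset + len(content)] = content
        self.directory[name] = (offset, len(content))
        self._next_free += len(content)

    def delete_file(self, name: str) -> None:
        """A 'delete' only drops the directory entry; the bytes stay in place."""
        del self.directory[name]

    def quick_format(self) -> None:
        """A 'quick format' only resets the directory; the data region is untouched."""
        self.directory.clear()
        self._next_free = 0

    def carve(self, needle: bytes) -> bool:
        """What a forensic tool does: scan the raw bytes, ignoring the directory."""
        return needle in self.data

    def sanitize(self) -> None:
        """Overwrite the whole data region (random pass, then a zero pass)."""
        self.data[:] = os.urandom(len(self.data))
        self.data[:] = bytes(len(self.data))
        self.quick_format()

    def verify_sanitized(self) -> bool:
        """Read back the medium and confirm only the final zero pattern remains."""
        return not any(self.data)


def demo() -> dict[str, bool]:
    vol = ToyVolume()
    secret = b"SSN=123-45-6789"  # constructed sample record, not real data
    vol.write_file("hr.txt", secret)
    vol.delete_file("hr.txt")
    results = {"listed_after_delete": "hr.txt" in vol.directory,
               "carvable_after_delete": vol.carve(secret)}
    vol.quick_format()
    results["carvable_after_format"] = vol.carve(secret)
    vol.sanitize()
    results["carvable_after_sanitize"] = vol.carve(secret)
    results["verified_sanitized"] = vol.verify_sanitized()
    return results
```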
How to deal with that topic is detailed in a short but essential new book, Net Zeros and Ones: How Data Erasure Promotes Sustainability, Privacy, and Security (Wiley). Here, authors Richard Stiennon, Russ B. Ernst, and Fredrik Forslund give the reader a detailed overview of developing a data sanitization program.
The authors bring deep industry experience and real-world knowledge to every chapter. While Ernst is the Chief Technology Officer at Blancco, a company that specializes in data sanitization and sells sanitization tools and services, and Forslund is the Vice President and General Manager there, they make sure that the book is vendor-agnostic. Stiennon is the Director of the International Data Sanitization Consortium, which works to bring consensus around terminology, definitions, and best practices for data erasure.
What is often referred to as data deletion is more appropriately known as data sanitization: the process of ensuring data is permanently erased from whatever media it is on. This is a critical need as companies retire older computers and other media holding terabytes of accumulated data. These media contain data assets such as trade secrets, emails, client data, employee records, business and financial information, and other valuable data.
From a regulatory perspective, various government regulations and industry standards require data destruction. Failure to comply with the regulations can result in expensive legal fees and fines.
The need for data sanitization is not a new topic. One of the few books on the subject is Best Practices for the Destruction of Digital Data. Authors Ryk Edelstein and Dr. Gordon Hughes wrote that the ability to perform effective data sanitization hasn’t kept pace with the advances in high-capacity hard drive storage technology.
Here in Net Zeros and Ones, the authors fill in many of the developments in the field over the years. The authors provide the reader with everything they need to know on the topic. While there is a lot involved in doing sanitization correctly, the main things to know about are the regulatory requirements and appropriate sanitization techniques to use for the media at hand.
Ryk Edelstein (president of Cicada Security Technology) notes that those who need to achieve absolute destruction must grind the media to a particle size smaller than the smallest recoverable unit (a sector), melt the media to slag, or take similar measures, to ensure the data can never be recovered.
That approach, though, may be excessive for most organizations. The authors write that if the media has been appropriately pulverized into small pieces, they know of no instances where the data has been successfully recovered.
When an organization pulverizes many hard drives, or outsources its data destruction to a service provider that may pulverize thousands of drives daily, all of the resulting fragments end up in a sizeable receiving area. Recovering data from millions of mixed drive shards is so complex that even nation-states can’t do it.
This book is relevant to everyone in information security as data sanitization is the final part of the data lifecycle, and security is an integral part of that. The fact that this book is just over 150 pages shows that data sanitization is not really that difficult. While the devil is in the details, the basic process of sanitizing media is relatively easy.
This is a topic close to my heart, as I will be presenting at RSA Conference 2023 on Implementing and Managing Electronic Data Disposal and Destruction.
For those who won’t be able to attend my presentation, Net Zeros and Ones is a pragmatic and highly practical guide to help you on your data sanitization journey. The topic is an important one relevant to every organization. And this is the book to have if you want to succeed at it.