Securely disposing of electronic hardware and the data it contains is essential to any IT security strategy. Failure to do so could result in serious breaches of sensitive information. That could include financial documents, intellectual property, personal contacts, social security numbers, and tax information, just to name a few examples.
Businesses are responsible for all kinds of sensitive data and motivated to protect it. Information can be recorded on paper, optical, electronic, or magnetic media, all of which need to be protected when they are no longer in service. Given the volume of data now being stored digitally, and how easy it is to access that data, electronic hardware now poses the most significant risk to post-use IT hardware security.
Regardless of the media and the types of files involved, there are a few ways to effectively and thoroughly remove the data it contains – a process known as sanitization.
How is Data Removed from Digital Devices?
There are basically three options: clear, purge, and destroy.
These are broad descriptors for different techniques used to render the target data on the media impossible to recover. These are the standards set forth by the National Institute of Standards and Technology (NIST). The NIST guidelines stress that no one method is superior to the others. All are recommended and secure measures for eliminating risks posed by stored data.
Information that has been eliminated by clearing cannot be retrieved by data, disk, or file recovery utilities, or by other keyboard (software-based) techniques used by data scavengers.
Overwriting is an example of clearing. The goal in overwriting is to replace written data with random data in a way that renders the original information unrecoverable. This is not unlike recording over a tape with new music – except in this case, the new “music” is effectively just static.
Most media can be cleared by one overwrite pass. Clearing cannot be used for media that is damaged or not writable.
Purging is essentially the same as clearing. The result is that the data is effectively wiped from the device in a way that prevents an attacker from reverting or recovering what was once there. Compared to clearing, purging provides extra protection against more sophisticated data theft methods and tools known as “laboratory attacks.” (An example of a laboratory attack would be stealing passwords by reading residual heat on a keyboard.)
Purging and clearing will both leave you with a device that can be re-used (assuming it is undamaged) and are good options for electronics that will be refurbished and resold rather than recycled as scrap.
Degaussing is a process for purging information from magnetic storage. It used to be a common utility on older computers that used magnet-based hard drives. These days, Solid State Drives (SSDs) are more common, and they are unaffected by degaussing.
Many regard destroying as the most secure way of eliminating data. Not only is the information destroyed, the physical device is, too. Once destroyed, the device cannot be reused as originally intended. So it’s obviously not the solution if you are looking to get some value back from your electronics by reselling them. But it does effectively mean the original device no longer exists, meaning there is no risk to its contents or its previous owner.
Physical destruction methods include disintegration, incineration, pulverizing, shredding, and melting.
Notice That We Didn’t Include Deleting?
Simply deleting files, emptying “recycling bins,” and clearing caches and temporary files does not go far enough to clear or purge information from a device. Even performing a “factory reset” leaves some things untouched, like the contents of a SIM or SD card or any other non-local storage.
But How Do You Know the Data is Truly Gone?
Following sanitization, the next step in ensuring that the target data is no longer at risk is verification. A process known as representative sampling verification helps flag any instances of incomplete sanitization. By randomly sampling different sections of the media storage and looking for anything unexpected, this process provides an extra layer of security and confidence that there is nothing left for potential attackers to recover.
A certificate of media disposition will show that each piece of electronic media has been sanitized. The decision regarding whether or not to complete a certificate of media disposition and how much information to record depends on the level of confidentiality of the data on the media device.
In the case of destroyed electronics, the very act of shredding the physical media prevents the same kind of verification, but also prevents a would-be attacker from being able to reassemble and access the media.
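The representative sampling verification described above can be sketched in a few lines. This is an added example, not Cobalt's tooling or any published procedure; it assumes the media was cleared with a single zero-fill pass and is read from an image file, and the function names, the 10% sample size and the 4096-byte block size are illustrative choices.

```python
import os
import random
import tempfile


def sample_verify(path, fill_byte=0x00, block_size=4096, fraction=0.10, seed=None):
    """Read a random sample of blocks; return byte offsets of blocks that
    do not consist entirely of fill_byte (the assumed clear pattern)."""
    size = os.path.getsize(path)  # works for image files, not raw devices
    total = (size + block_size - 1) // block_size
    if total == 0:
        return []
    count = max(1, min(total, round(total * fraction)))
    # OS randomness by default so sample locations are unpredictable;
    # a seed is accepted only to make a run reproducible.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    expected = bytes([fill_byte]) * block_size
    failures = []
    with open(path, "rb") as media:
        for index in sorted(rng.sample(range(total), count)):
            media.seek(index * block_size)
            data = media.read(block_size)
            if data != expected[:len(data)]:  # last block may be short
                failures.append(index * block_size)
    return failures


def build_demo_image(blocks=256, block_size=4096, residue_block=None):
    """Constructed sample input: a zero-filled image, optionally with one
    block the wipe 'missed'."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        for i in range(blocks):
            if i == residue_block:
                img.write(b"CONSTRUCTED-RESIDUE".ljust(block_size, b"\x00"))
            else:
                img.write(b"\x00" * block_size)
    return path


if __name__ == "__main__":
    dirty = build_demo_image(residue_block=200)
    try:
        print("10% sample flagged:", sample_verify(dirty, fraction=0.10))
        print("100% read flagged: ", sample_verify(dirty, fraction=1.0))
    finally:
        os.remove(dirty)
```

A partial sample can miss a single leftover block, so an empty result raises confidence rather than proving the media is clean; any non-empty result means the sanitization pass should be repeated.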
How Does Cobalt Protect Data?
Cobalt uses a combination of these three methods to process data-bearing hardware. The exact process is determined by the type of device, the type and sensitivity of the data it holds, and what its ultimate destination is: recycling or refurbishment and resale.
Cobalt’s Middletown, Ohio facility is home to a sophisticated shredding system the length of a football field. This system physically destroys all kinds of electronics and sorts out the pieces into different materials to be prepared for recycling. Cobalt also has a hard drive sanitizing system for clearing and purging, as well as a mobile hard drive shredder that we can bring on-site to a client’s facility. The level and type of sanitization we employ is discussed with each client to determine the preferred solution for their media.
Regardless of the specific path, every step of the process is documented through multiple reports generated along the way. This documentation, as well as certificates of disposition, is made readily available to clients through a 24/7 online portal. Documentation protects our clients in the event of an audit, and is required by our own independently audited certifications.