Service provider takeaway: Service providers can deliver secure on-site data destruction services using appliance-based digital shredders with purge technology.
As public and private organizations realign their data protection policies to meet more refined compliance objectives, most security teams are responding by reassessing their security policies and filling gaps in their security posture. In the process, they are also coming to grips with the liability posed by data on legacy storage devices awaiting destruction in their storerooms. The need for a reliable means to mitigate this risk is fast becoming a significant focus.
One might expect to see service providers -- other than the physical destruction companies -- running to address this potentially lucrative business opportunity. Yet, due to confusion about effective practices and standards, many service providers have been discouraged from entering the marketplace, as few want to offer questionable or less-than-effective security practices that may ultimately expose them to liability. However,
Destroy and clear technology
One aspect of physical destruction companies' business is fueled by corporate customers who must destroy data but are not inclined to add a data destruction infrastructure. Customers typically do not want to purchase technology capable of purging high-capacity hard drives, such as disintegrators or degaussers, because of the associated costs. In addition to shelling out for a disintegrator or degausser, customers also have to bear the costs of building an environment suitable for operation.
But not all data destruction techniques cost customers dollars and cents -- some cost time and peace of mind. Multipass overwrite technology is offered by data clear software products and may require hours to process a hard drive. The duration of the process and the inability to assure customers that data is forensically unrecoverable make overwrite-type products unsuitable for company use or as a reliable means for service providers to offer data destruction services. Surprisingly, many products claim compliance with outdated standards such as DOD 5220, and are classified as clear-level data protection technology. But outdated compliance standards won't ease the minds of customers. Service providers need to look to current recommendations and understand the differences between clear and purge technologies.
When considering technology for data destruction, it is important for service providers to differentiate between the various technologies and understand their capabilities. The National Institute of Standards and Technology (NIST) clarifies the capabilities of these technologies in its recommendation 800-88. One of the distinctions made in the recommendation is between clear and purge technologies. Clear technology is susceptible to forensic reconstruction. Purge technologies, on the other hand, are capable of eradicating data from storage media beyond forensic reconstruction.
The one purge technology that is getting a lot of attention is Secure Erase. Unlike physical destruction technologies, Secure Erase gives service providers a reliable, efficient, standards-based technology that they can offer as an on-site service. Delivered in an appliance format, Secure Erase is a very effective solution for purging data as an on-site or in-house service, and can do so at speeds as fast as 17 minutes per 100 Gig of volume space. Because the appliance is portable, the service provider can deliver services that give clients a single point of destruction, where all devices processed are logged. Unlike costly, less effective clear technologies, such as software overwriting products, Secure Erase ensures no data remains, including any potentially recoverable data in margins, bad tracks or sectors.
Secure data destruction
Data destruction can be assured with an efficient and cost-effective model that you can offer as a value-added service. EDT's Dead on Demand Digital Shredder uses Secure Erase technology and incorporates an internal tamper-proof audit log. The appliance issues an adhesive certificate of destruction upon successful completion of the process. Delivering data destruction services using the Secure Erase appliance platform enables service providers to provide clients with absolute data destruction using a highly efficient process assuring true peace of mind for the client. Highly portable, EDT's triple-bay Digital Shredder weighs in at only 22 pounds and is available with a hardened transport case, making the delivery of on-site service easy.
Appliance-based digital shredding offers the client or service provider the ability to establish a single point of data eradication that reduces the worry of liability and meets security policy objectives.
About the author: Ryk Edelstein is the founder and director of operations at Converge Net Inc., a Montreal-based network services provider specializing in data loss prevention, risk and vulnerability management, automated policy violation detection and protection, and security solutions necessary to establish end-to-end protection for all sizes of enterprise.
This was first published in January 2008