The in-depth guide to data destruction
A critical part of securing intellectual property is the timely elimination of records and data you no longer need. Here's the scoop on overwriting, degaussing and physical destruction of media.
By Bob Violino
February 06, 2012 — CSO —
A key part of any information security strategy is disposing of data once it's no longer needed. Failure to do so can lead to serious breaches of data-protection and privacy policies, compliance problems and added costs.
When it comes to selecting ways to destroy data, organizations have a short menu. There are basically three options: overwriting, which covers up old data with new information; degaussing, which erases the magnetic field of the storage media; and physical destruction, which employs techniques such as disk shredding. Each of these techniques has benefits and drawbacks, experts say.
Some organizations use more than one method. For example, microprocessor maker Intel uses all three, "depending on what we're trying to do and for what purpose," says Malcolm Harkins, CISO and vice president of the IT group.
The data destruction market hasn't changed much in the past few years, says Ben Rothke, an information security professional with extensive experience in data destruction. "If there is any trend, it is that more firms are aware of the importance of data destruction," Rothke says.
Still, some organizations, particularly smaller ones, need more education about data destruction, according to Jay Heiser, an analyst at research firm Gartner. "We consider this a very important topic, but it is not one that Gartner clients spend a lot of time asking us about," Heiser says.
"Enterprise clients generally have a pretty good idea of how to deal with this; the practices have been relatively consistent over a period of years, and it doesn't generate a good deal of attention."
Unfortunately, Heiser says, there are still many small-to-midsize businesses that haven't fully thought through the risks of undestroyed data.
There are also persistent questions among all types of companies about how to handle data that's in the hands of cloud computing providers.
"The concern that I am most often asked about by Gartner clients involves the treatment of data on the part of service vendors, especially software as a service [SaaS]," Heiser says.
While a traditionally outsourced data center provider will typically commit to destroying data at the end of a contract and confirm this destruction in writing, that type of policy is rare to nonexistent for SaaS, Heiser says.