Data sanitization can be a complex process, with industry demands and requirements changing as new formats and types of media emerge. As organizations face mounting pressure to innovate in the digital realm and move away from legacy operational models, the demand for data destruction services can become acute. With that in mind, what should businesses consider when they look to sanitize digital data devices?
The public sector presents a prime example of best practices. Agencies handle a wide range of sensitive data types, tend to operate systems at a large scale, and face acute pressure to keep project costs down. As such, private businesses can learn a great deal from the government, and a recent request for bids document from the New York Office of Information Technology Services puts a few best practices in the spotlight. Three lessons organizations can learn from this project are:
1. Take care of data destruction in house
The temptation to ship a bunch of hard disks, flash drives, solid-state drives and similar media formats to a third-party specialist can be acute when organizations want to keep costs down. Just stick the devices in a truck and let the economies of scale offered by a dedicated data destruction business take hold. The problem is that giving up control of media also means losing the chain of custody. The New York Office of Information Technology Services isn’t just bringing sanitization in house by asking bidders to come to its locations; it has also specified that at least one employee of the IT Services division will be present at all times to ensure devices are properly destroyed and handled according to NIST SP 800-88.
Maintaining the chain of custody is much easier to do when data sanitization and destruction are handled internally. Having to ship disks off site means needing to track them through shipping, delivery and destruction, record that each device has been destroyed and somehow verify this with the third-party specialist. While there are some ways to manage end-of-life procedures of this sort for digital storage devices, doing so creates a level of complexity and overhead that is unnecessary. Instead, invest in dedicated hard disk degaussers, shredders and similar solutions and you can not only handle destruction without the hassle of shipping devices all over the place, but also ensure you maintain the chain of custody at all times.
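One way to keep the in-house record described above is a hash-chained custody log that is audited against the device inventory. This is an added example, not taken from the New York bid document or from any vendor's tooling; the field names, serial numbers, operator and witness IDs are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def digest(prev_hash, entry):
    """SHA-256 over the previous entry's hash plus this entry's fields."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_event(log, serial, media_type, step, method, operator, witness):
    """Record one sanitization event, chained to the entry before it."""
    entry = {"serial": serial, "media_type": media_type, "step": step,
             "method": method, "operator": operator, "witness": witness}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**entry, "hash": digest(prev, entry)})

def audit(log, inventory):
    """Return (tampered entry indexes, unwitnessed serials, serials not destroyed)."""
    tampered, unwitnessed, destroyed = [], set(), set()
    prev = GENESIS
    for i, rec in enumerate(log):
        entry = {k: v for k, v in rec.items() if k != "hash"}
        if digest(prev, entry) != rec["hash"]:
            tampered.append(i)       # edited, reordered or follows a deleted entry
        prev = rec["hash"]
        if not rec["witness"]:
            unwitnessed.add(rec["serial"])   # nobody attested to this step
        if rec["step"] == "destroy":
            destroyed.add(rec["serial"])
    return tampered, sorted(unwitnessed), sorted(set(inventory) - destroyed)

# Constructed sample data: serials, operator and witness IDs are made up.
INVENTORY = ["HDD-0001", "SSD-0002", "HDD-0003"]

def build_sample_log():
    log = []
    append_event(log, "HDD-0001", "hard disk", "purge", "degauss", "op-1", "its-1")
    append_event(log, "HDD-0001", "hard disk", "destroy", "shred", "op-1", "its-1")
    append_event(log, "SSD-0002", "solid-state drive", "destroy", "shred", "op-1", "")
    return log

if __name__ == "__main__":
    print(audit(build_sample_log(), INVENTORY))
```

The chain only exposes edits made without recomputing the later hashes, so keep the most recent hash somewhere the operator cannot write, or sign it.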
2. Consider media diversity and full destruction
The contract bid document from New York frequently points to the need to destroy the media to the standards set forth in NIST SP 800-88. That means complete destruction to the point that the data is irretrievable and the device is unusable. The data must be sanitized to such a degree that data retrieval experts working in a specialized laboratory environment will be unable to get to any of the information.
Generally speaking, achieving full destruction involves a combination of clearing the disk, purging the disk and then destroying it.
- Clearing: A software wipe, similar to reformatting the disk, erases the data and is an option here. This is a solid first step simply to avoid any inadvertent data theft if a user grabs a device and plugs it in, but any data retrieval specialist will be able to restore a great deal of information from a cleared device. Clearing works well to initiate the destruction process because it provides an initial layer of protection, but it shouldn’t be more than a starting point.
- Purging: Effectively purging data means actually removing the data from the device. NIST points to overwriting information, block erasing or cryptographic erasure as adequate for purging. Degaussing can also be an effective purging method, as the magnetic wipe leaves data irretrievable. The key with degaussing is to make sure the degausser applies enough force to counter the magnetic coercivity of the media device.
- Destruction: The final step in data sanitization involves taking a purged device and fully destroying it through some combination of incineration, shredding or pulverizing. NIST also highlighted that degaussing qualifies as destroying the data if the degausser is powerful enough.
Following through on this clear, purge and destroy process hinges on being aware of the types of storage media being destroyed. The bid document from New York highlights the varied media types involved in the project and what the expectations are for each. This self-awareness is critical because different devices require distinct destruction methods, so the approach has to be strategic and intentional.
3. Account for environmental issues
Destroying anything can lead to environmental hazards, whether it’s through waste or fumes. In the case of hard disk destruction, organizations must carefully consider any fumes caused by disintegration or the possibility of sharp debris from crushed or pulverized drives causing a potential hazard. The bid for contract document from New York specifies the need to perform destruction processes away from areas where they may put humans at risk, particularly because of exhaust.
This is one area where degaussers really stand out. Because they focus on magnetic forces, they pose minimal threat to the environment and can offer full destruction without causing harm. Furthermore, degaussers can be packaged into small form factors, such as wands, allowing for easy data destruction without generating waste. Degaussers provide an efficient way to erase data that doesn’t create environmental risk.
Preparing for your data destruction project
Many business types can benefit from degaussers. With the rise of mobile devices in the workplace, the continued move to Windows 10 as legacy operating systems go out of service and the increased reliance on the cloud and virtualization, organizations have many opportunities to decommission legacy hardware at a large scale. Properly destroying storage devices can free up physical space in offices and eliminate the security risk of having unused – or barely used – equipment residing in an office. Degaussers offer an effective data destruction method, and investing in a few machines to destroy data in-house offers considerable advantages over shipping devices off site. At Proton Data, our degaussers comply with leading standards and offer a uniquely powerful option for data destruction.