Consuming too much data is like overeating. It’s really easy and cheap to overeat, but it’s very costly dealing with obesity (e.g., health complications and losing weight).
You can’t lose weight by cutting off a limb and similarly you can’t lose data by simply hitting the ‘Delete’ key. There are so many steps and considerations before you even have the right to get rid of the data. And even then, the ‘Delete’ key doesn’t cut it.
“Various legal, business, and compliance requirements have created a logistical landmine in terms of the handling and disposing of assets,” explained Jimmy Sanders (@jfireluv), head of information security, Netflix DVD.
Managing data’s end of life is often not handled well.
That concern is just the tip of the data pile iceberg as I discovered after interviewing dozens of CISOs and security professionals. They offered their sage advice on how to get rid of digital data. Read on.
Thanks to our sponsor, IT Asset Management Group
Editor’s note: This article is part of CISO Series’ “Topic Takeover” program. While the article sponsor, IT Asset Management Group, and our editors agreed on the topic of data destruction, all production and editorial is fully controlled by our editorial staff.
1: Ask first, “Why do you want to dispose of data?”
“Why do you want to dispose of data,” asked Randall Frietzsche (@rfrietzsche), enterprise CISO, Denver Health. “Is it required by a regulatory driver? Is it a legal risk to retain the data for a certain period of time? Or is there a business need that would drive either data retention or destruction?”
Knowing the answers to these questions will guide your decision making for the rest of the tips.
2: Make sure everyone knows deleting is not erasing
Cybersecurity professionals know the difference. Most others are unaware.
“Let people know that deleting is not erasing,” added Lohrmann. “There are hundreds of stories of PCs and laptops being bought at secondhand stores with the data still on the hard drive – easily restored.”
3: Beware! Dumpster divers are a real thing
“Combing through landfills looking for electronics is common practice (especially near urban centers),” warned Peter Liebert, CISO, Cerner Corporation who also noted that the threat doesn’t have to target you directly. Your data could easily be on someone else’s drive that wasn’t disposed of correctly.
4: Your size will determine whether you’ll outsource data destruction
Small organizations with a single site often handle their data destruction in house. Beyond that, with several sites and a steady volume of retired media, in-house destruction becomes cumbersome and outsourcing is an easy decision.
“We use a mixture of in-house/onsite resources (for initial de-dup and processing) and external/offsite vendors (for disposal and certification),” said Helen Patton, former CISO, The Ohio State University.
One of the reasons Patton works with outside companies is because “it’s challenging for the security lead to make sure independent assurance of the end-to-end process is happening… Partnering with internal and external auditors is a good way to make this work.”
And if handing assets to an outside company worries you, compare the two risks.
“The risk of data exposure from a disposed asset may outweigh the risk of giving your asset to a reputable, specialized service provider that focuses on asset destruction with fully transparent and auditable processes,” said April C. Wright (@aprilwright), Security Researcher with ArchitectSecurity.org.
5: DIY data destruction
For those times you need to destroy the data yourself, or it’s not a high risk situation, Allan Alford (@allanalfordintx), host, Cyber Ranch Podcast, offers up these “do it yourself” data destruction tips: “Disassemble the disks and throw the platters into one of those giant tree mulching machines or disassemble the disks and hammer, score, and drill the platter.”
6: Build a relationship with your data destruction vendor
“A great practice is to intimately know your IT asset disposal provider and their operations,” advised Frank Milia (@ITAssetRecvry), partner, IT Asset Management Group (ITAMG). “Physically, or ‘virtually,’ visit their facilities and require vendors provide key operational, privacy, and security policies.”
And if you’re subcontracting through an OEM or VAR, said Milia, make sure you still have a transparent view into operations so you can document processes as if you were handling the process directly.
“We would wheel out the trash bin and proceed to shred all of the drives, chips, etc… It was actually pretty cool to watch,” said Street. “I do not consider a hard drive’s data unrecoverable until I’m holding its remains in little bitty pieces.”
7: Put someone in charge of data destruction
“Any disposal process still has a big human component,” admitted former Ohio State University CISO, Patton.
“Make sure you explicitly name the key stakeholders at your organization that are responsible for the data protection practices specifically associated with the disposal of your retired IT assets and electronic media,” added ITAMG’s Milia.
8: If you don’t record it, it didn’t happen
“We perform a disk degauss (DOD wipe). But just as important as the actual wipe is the documentation of the wipe,” argued Mark Eggleston (@meggleston), CISO, Health Partners Plans. “There is a saying in healthcare which goes ‘if you don’t document it, it doesn’t exist.’”
That argument really translates everywhere.
“Your data destruction/asset destruction program is only as good as your asset management program,” added Cerner’s Liebert.
For those companies not in heavily regulated industries, “they really do not have good asset management practices,” explained Tom Cornelius, founder, Secure Controls Framework. “Record keeping is generally a ‘nice to have’ feature that a lot of companies don’t use very much… In more regulated industries, the record keeping is very important, but that comes with process maturity from a ‘must have’ requirement that means fines if they fail to track assets down to HDDs.”
9: Know your inventory and classify your data
“The initial step when considering data destruction is basically the same first step in data protection,” said ArchitectSecurity.org’s Wright.
“We have to know ‘what our data is,’ ‘where it’s located,’ and ‘what types of data we have,’” explained Denver Health’s Frietzsche. “If I cannot identify the locations and systems with sensitive data, then I have to spend the same budget dollars on securing everything equally.”
Spreading the same effort evenly over everything (the peanut butter approach) doesn’t work when protecting data, and it won’t work for destroying it either. Tie policy to specific data types.
“Policy around data classification is going to dictate certain aspects of how that data must be treated,” said Wright. “More sensitive data is going to require greater lengths of destruction to ensure the data cannot be recovered.”
10: Know where your regulated data resides or it’ll cost you
To not know where your data resides, and not know if and when you destroyed your data, can result in a nasty fine as Morgan Stanley discovered last year. They had to pay a $60 million fine for “failing to effectively assess or address risks associated with the decommissioning of its hardware.”
11: Data classification has inherent conflicts
“Data inherently exists under multiple classifications simultaneously, and for many sectors has competing compliance demands asserting governance over it. A single data element can rationally be within scope of HIPAA, GDPR, CCPA, numerous state regulations, and client contractual provisions,” said Premise Health’s Johnson. “An organization needs to be able to first clearly classify and categorize data elements, and then have some matrix to determine which regulatory, contractual, or internal policy requirement takes precedence when conflicting requirements arise. Conflicts will arise.”
12: Make sure you can destroy data wherever it resides
“It is pretty crazy how large the number of devices now keep data that we would consider sensitive and when you want to get rid of said devices you are scrambling to figure out how to remove your data,” said Softbank Investment Advisers’ Hayslip.
Devices to consider include virtual assets, mobile devices, removable media, and printers.
“If assets are leased or need to go back to the manufacturer, we contractually require that we destroy the data prior to removal from on premise,” said Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare.
For data stored at third party vendors…
13: Data retention and destruction in your vendor oversight process
“One of the things I think gets missed frequently is data retention at vendors, whether and how they are deleting your data on your retention schedule, or if they have their own requirements driven by their own policies or regulations,” said Marnie Wilking (@mhwilking), global head of security and IT risk management, Wayfair. “It’s really important to include data retention and destruction into your vendor oversight process, and ensure they can meet your destruction timeline requirements.”
Many of the security practitioners I spoke to kept referring to NIST’s guidance on media sanitization, NIST SP 800-88.
“When you control the media yourself, [NIST’s guidance] works great,” said Wilking. “But if your data is in the cloud or hosted by a third party and you don’t have the ability to control the media yourself, then you really need to make sure you understand how that media is handled post-key-destruction.”
14: Deleting the encryption key may not be enough
When you can’t reach the media to wipe or shred it (cloud storage, a leased array), destroying the key that encrypted it, known as cryptographic erase, can be an acceptable method of data destruction.
NIST SP 800-88 accepts cryptographic erase as a purge technique, with conditions: the data must have been encrypted before it was ever written to the media, and every copy of the key must itself be sanitized. Even then, the ciphertext stays on the media, so the data remains recoverable to anyone who later obtains the key or breaks the algorithm.
“Encrypting data before it is disposed of is not enough to properly dispose of the data due to technology standards in the future being able to break the top encryption of today,” said Netflix DVD’s Sanders.
“We found out that when you destroy the key and release a volume in AWS, AWS will make that volume available to someone else to use and ultimately overwrite, which is fine, but they can’t guarantee when that volume might be overwritten,” said Wayfair’s Wilking. “In the weird case that the volume isn’t reused for several years, your encrypted data is still sitting on that volume. If that particular algorithm is cracked in that period of time, now your data, which was deemed ‘destroyed’ based on NIST standards, is susceptible to unauthorized exposure because the encryption has been broken.”
15: Who needs to/has rights to delete the data?
“The underlying asset we need to protect is always going to be the customer’s data,” noted Al Ghous, CISO, Envision Digital. “Cloud providers either need to provide the customer the ability to purge their data if they decide to leave the service, or have an intake process with an internal workflow to accomplish the same. In the former, the accountability lies with the customer, and in the latter the accountability lies with the cloud provider.”
16: Data destruction in depth
Since it’s always about the data, layer your protections so that destruction still holds if one layer fails. Encryption is one such layer.
It is only one layer, though.
“Even if a hard drive is encrypted, the data it stores may not be,” said ArchitectSecurity.org’s Wright. “It’s important to delete and overwrite (as many times as deemed necessary) any data that was stored on the media before physically shredding it.”
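As an added example that is not from the article or from any of the practitioners quoted in it, the Python below builds a toy block device to show what tips 2, 14 and 16 are describing: unlink() only edits the directory table, so a carver still finds the record; cryptographic erase hides the plaintext but leaves the ciphertext in place, so a key that surfaces later (or a broken algorithm) brings the record back; overwriting the blocks defeats even the key holder. The SHA-256 counter-mode keystream stands in for a real disk cipher such as AES-XTS and is an assumption of the example, as is the constructed sample record.

```python
"""Added example: a toy block device showing why 'delete' is not 'erase',
what cryptographic erase does and does not give you, and why overwriting
on top of it is 'destruction in depth'. Demo only, not production code."""
import hashlib
import secrets

BLOCK = 64      # bytes per block
NBLOCKS = 32    # 2 KiB toy device

# Constructed sample record; not real data.
SECRET = b"PATIENT: Jane Q. Public, MRN 0000001, DX: confidential"


class ToyDisk:
    """Flat byte array plus a directory table. As on a real filesystem,
    unlink() edits only the table; the data blocks keep their contents."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)
        self.free = list(range(NBLOCKS))
        self.table = {}                      # name -> list of block numbers

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)     # ceiling division
        if nblocks > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.table[name] = blocks
        return blocks

    def read_blocks(self, blocks, length):
        """Raw read by block number, no directory lookup (what a carver does)."""
        data = b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return data[:length]

    def unlink(self, name):
        """The 'Delete' key: forget the name, mark the blocks free, touch no data."""
        blocks = self.table.pop(name)
        self.free.extend(blocks)
        return blocks

    def carve(self, needle):
        """Recovery-tool view: scan the raw bytes and ignore the directory."""
        return needle in bytes(self.raw)

    def overwrite(self, blocks, passes=1):
        """Sanitize blocks in place with random bytes (overwrite, as in NIST 'Clear')."""
        for _ in range(passes):
            for b in blocks:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = secrets.token_bytes(BLOCK)


def keystream(key, n):
    """SHA-256 in counter mode. Stand-in for a real disk cipher (assumption of the demo)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(data, key):
    """Encrypt and decrypt are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def delete_vs_erase():
    """Tip 2. Returns (record found after unlink, record found after overwrite)."""
    disk = ToyDisk()
    disk.write("record.txt", SECRET)
    freed = disk.unlink("record.txt")
    after_delete = disk.carve(SECRET)      # True: the freed blocks still hold the record
    disk.overwrite(freed)
    after_overwrite = disk.carve(SECRET)   # False: now it is gone
    return after_delete, after_overwrite


def crypto_erase_then_overwrite():
    """Tips 14 and 16. What key destruction buys, and what overwriting adds."""
    disk = ToyDisk()
    key = secrets.token_bytes(32)
    blocks = disk.write("record.txt", xor_crypt(SECRET, key))
    disk.unlink("record.txt")
    leaked_key = key   # suppose a copy of the key surfaces later (or the cipher is broken)
    del key            # cryptographic erase: the legitimate key is destroyed
    result = {
        # Carving the raw media finds no plaintext: that is the promise of crypto-erase.
        "plaintext_carvable_after_key_destroyed": disk.carve(SECRET),
        # The ciphertext is still on the media, so the key brings the record straight back.
        "recoverable_with_leaked_key":
            xor_crypt(disk.read_blocks(blocks, len(SECRET)), leaked_key) == SECRET,
    }
    # Destruction in depth: overwrite the blocks as well. Even the key holder loses.
    disk.overwrite(blocks)
    result["recoverable_after_overwrite"] = (
        xor_crypt(disk.read_blocks(blocks, len(SECRET)), leaked_key) == SECRET
    )
    return result


if __name__ == "__main__":
    print(delete_vs_erase())
    print(crypto_erase_then_overwrite())
```

The three booleans in the second function are the whole argument of tip 14: key destruction alone leaves recoverability hanging on the secrecy of a key and the strength of an algorithm, neither of which you control once the media has left your hands.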
17: Donation balances risk aversion with community support
“If you are donating [equipment with hard drives] then the question is how paranoid are you and your company,” asked Softbank Investment Advisers’ Hayslip.
“From a security perspective, it’s always easier to scrap and recycle. But that may not support the business’ philanthropy objectives,” said Patton, formerly of The Ohio State University.
Get your paranoia in check, advised Cerner Corporation’s Liebert, “If it is ‘good enough for the government’ it is definitely good enough for you. The US government has resold/reused their used computer equipment for years with (relatively) few issues.”
“I believe it’s important to give back to the community,” said Hayslip. “But always understand the risks.”
Dennis Leber, CISO for The University of Tennessee Health Science Center can and will donate equipment under certain conditions: “Machines must meet the criteria of never being used to store any regulated or classified data.”
18: Be prepared for destroying data on employee-owned devices
“If an employee uses their own laptop or even company owned laptop, chances are they have sensitive data on it,” noted Envision Digital’s Ghous.
Pulling data off an employee’s device gets a little complex, but not if you set it up right from the start. In previous jobs, Ghous’ team deployed mobile device management (MDM) solutions that keep corporate data segmented from personal data and allow a remote wipe of just the corporate portion. Other organizations sidestep managing employees’ devices altogether with virtual desktop infrastructure (VDI), so that no corporate data is stored locally in the first place.
19: Don’t sit on it… literally
“Find a simple solution that meets all of the compliance requirements applicable to your organization and then make sure it gets used. If you end up keeping data-filled laptops and drives in a filing cabinet while you search out the ultimate, perfect destruction solution you’re just storing up problems for yourself quite literally,” said David Peach (@realdavidp), CISO, head of privacy and compliance, The Economist Group.
“Do not let it build up,” concurred Cerner Corporation’s Liebert. “The longer you keep these assets just sitting there (even secured) the more risk you accumulate.”
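As an added example, not from the article or from any vendor it mentions, the following Python reconciles a retired-asset inventory against certificates of destruction. It is the record-keeping check of tip 8 (every retired drive accounted for, every certificate tied to a known asset), the classification check of tip 9 (the method used must meet the level the data required), and the “don’t sit on it” test of tip 19 (media retired but not yet sanitized for too long). The inventory, the certificates, the classification-to-level policy table and the 30-day limit are all constructed assumptions for the example; the clear/purge/destroy levels are the NIST SP 800-88 ones.

```python
"""Added example: reconcile retired media against certificates of destruction.
All data and policy values below are constructed for the example."""
import csv
import io
from datetime import date

# Constructed sample inventory of retired media (serials, models, dates are made up).
INVENTORY_CSV = """\
serial,model,classification,retired_on
HD-0001,SATA HDD 2TB,regulated,2023-01-10
HD-0002,SATA HDD 2TB,internal,2023-02-14
HD-0003,NVMe SSD 1TB,regulated,2023-06-30
HD-0004,USB stick 64GB,public,2022-11-05
"""

# Constructed certificates of destruction as a vendor might return them.
# 'method' uses the NIST SP 800-88 sanitization levels: clear, purge, destroy.
CERTIFICATES_CSV = """\
serial,method,performed_on,certificate_id
HD-0001,destroy,2023-01-20,COD-7781
HD-0002,clear,2023-03-01,COD-7790
HD-0003,clear,2023-07-15,COD-7802
HD-9999,destroy,2023-07-15,COD-7803
"""

# Policy assumptions for the example: the weakest level acceptable per data
# classification, and how long retired media may wait for sanitization (tip 19).
REQUIRED_LEVEL = {"public": "clear", "internal": "clear", "regulated": "purge"}
LEVEL_RANK = {"clear": 1, "purge": 2, "destroy": 3}
MAX_DAYS_AWAITING = 30


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_csv, certificates_csv, today):
    """Return the four findings a destruction audit needs, each ordered by serial."""
    inventory = {row["serial"]: row for row in load(inventory_csv)}
    certs = {}
    for row in load(certificates_csv):
        certs.setdefault(row["serial"], []).append(row)

    missing, unknown, insufficient, overdue = [], [], [], []

    # A certificate for media that no inventory knows about is itself a finding:
    # either the inventory is incomplete or the vendor shredded someone else's drive.
    for serial in sorted(set(certs) - set(inventory)):
        unknown.append(serial)

    for serial, asset in sorted(inventory.items()):
        if serial not in certs:
            missing.append(serial)
            waited = (today - date.fromisoformat(asset["retired_on"])).days
            if waited > MAX_DAYS_AWAITING:
                overdue.append((serial, waited))
            continue
        required = REQUIRED_LEVEL[asset["classification"]]
        for cert in certs[serial]:
            method = cert["method"].lower()
            # Unknown method strings rank 0 and are flagged rather than trusted.
            if LEVEL_RANK.get(method, 0) < LEVEL_RANK[required]:
                insufficient.append((serial, method, required))

    return {
        "missing_certificate": missing,
        "unknown_serial": unknown,
        "insufficient_method": insufficient,
        "overdue": overdue,
    }


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY_CSV, CERTIFICATES_CSV, date.today()).items():
        print(f"{finding}: {items}")
```

Run against the sample data on 2023-08-01, the audit reports one drive with no certificate that has been waiting 269 days, one certificate for a serial the inventory never recorded, and one regulated SSD that was only cleared when policy required a purge. Each of those is a conversation to have with the asset owner or the vendor before the next disposal run.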
CONCLUSION: Asset destruction is part of asset inventory
You don’t need to convince any security professional of the need to know their asset inventory. It’s a directive in the top two spots of the 20 CIS Controls. While there are passing references to destruction being defined in standards, it doesn’t appear to be a called out control, noted Shawn Bowen (@smbowen), CISO, Restaurant Brands International.
“There might be a need for adding a new sub-control in CIS 1 and 2 and a new sub-category in CSF ID.AM that calls out a disposition plan for assets. We would need a new sub-control to CIS 13 (Data Protection) as well,” said Bowen.
Data destruction is a necessary and often neglected requirement for the business. Its name makes it sound simple, but as we’ve seen, privacy, regulatory, and corporate-exposure considerations make it absurdly complicated.
“[Ultimately] data destruction is about minimizing risk,” said ArchitectSecurity.org’s Wright. “The sensitivity of the data is going to dictate how much effort and budget is going to be needed to minimize that risk to an acceptable level for the organization.”
Creative Commons photo attributions: (CC BY-SA 2.0) Bertram Nudelbach, Clarence Risher, (CC BY 2.0) Ervins Strauhmanis, (CC BY-NC 2.0) Katie Chao and Ben Muessig, Mike, (CC BY-NC-ND 2.0) Matthew, and Sangudo.