Secure disposal of data from storage media is a critical aspect of data security and privacy. Any organization that handles sensitive data must ensure it is properly erased when no longer needed to prevent unauthorized access. Industry-standard methods such as zeroing out drives or physical destruction should be used to make data unrecoverable by any means, including forensic techniques.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, comprising 197 control objectives structured in 17 domains. It can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The secure disposal control falls under the Data Security & Privacy Lifecycle Management domain.
For more information on data destruction best practices, refer to the National Institute of Standards and Technology (NIST) Special Publication 800-88 Rev. 1 - Guidelines for Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
Who should care?
- CISOs with responsibility for data security and privacy
- IT managers tasked with securely decommissioning hardware
- Compliance officers ensuring regulations like HIPAA, PCI-DSS, and GDPR are met
- Datacenter operators who handle end-of-life equipment
What is the risk?
Failing to securely erase data from retired media could lead to sensitive information being recovered and misused by malicious actors. This may result in:
- Data breaches leaking customer PII, trade secrets, etc.
- Regulatory fines for non-compliance with privacy laws
- Reputational damage and loss of customer trust
- Giving threat actors material for spear-phishing and blackmail
Proper adherence to this control significantly reduces the likelihood of these adverse events by making the data extremely difficult and costly to recover once the media is discarded.
What's the care factor?
Organizations should care deeply about secure data disposal, especially those in highly regulated industries like healthcare, finance, and government. The consequences of data leakage can be severe: millions in fines, lawsuits, and lost business.
However, even lower-risk businesses should still apply due diligence. Basic methods like full-disk erasure are low-cost and high-impact. At a minimum, avoid reselling or donating old drives without sanitizing them first.
When is it relevant?
Secure disposal methods should be used whenever retiring or repurposing media that held sensitive data, including:
- Servers, laptops, phones, printers, and IoT devices being decommissioned
- Defective hard drives and SSDs being RMA'd back to the manufacturer
- USB drives and backup tapes ready for reuse or recycling
- Cloud VM instances and containers that are being terminated
It's less relevant for ephemeral storage like RAM that loses data when powered off, or fully-encrypted drives where the keys are destroyed. But it never hurts to be thorough.
What are the trade-offs?
Secure data erasure takes time and specialized software or equipment, which may be expensive. Writing zeros to every sector of a high-capacity drive can take hours.
Physical destruction methods like shredding and incineration render hardware unusable, so components can't be harvested for reuse. Pulverized debris may be an environmental hazard.
Outsourcing destruction to a secure ITAD vendor means trusting a third party with your sensitive data. Strict access controls and auditing are a must.
How to make it happen?
- Maintain an inventory of all data storage media, locations, and responsible parties. Track assets through their full lifecycle.
- Define a classification scheme (e.g. public, confidential, restricted) and label media accordingly. Have written procedures specifying disposal methods for each class.
- For each type of media and disposal scenario, select appropriate method(s):
  - HDD: Full-disk erasure with ATA Secure Erase or DoD 5220.22-M 3-pass wipe
  - SSD: Cryptographic erasure if supported, otherwise full rewrite or physical destruction
  - Tapes: Degaussing or shredding. Maintain strict chain-of-custody when transporting
  - Paper: Cross-cut shredding, pulping, or incineration
  - Smartcards: Shred and destroy cryptographic keys
- If done in-house, use reputable sanitization software (e.g. DBAN, KillDisk, WipeDrive) and verify completion. If outsourcing, use only NAID-certified vendors.
- For highly-sensitive data, combine logical and physical techniques for added assurance. For example, run a secure erase on a drive, then shred it.
- Maintain detailed records of disposal activities, including asset details, method used, responsible parties, and evidence of completion (logs, video, etc.)
- Periodically audit the process and records to ensure procedures are being followed. Commission third-party audits for an unbiased assessment.
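The "verify completion" and "maintain detailed records" steps above can be scripted. The following is an added example, not part of the CCM or any vendor's tooling: it reads every byte of a wiped medium (a block device path or, here, a constructed image file) to confirm it is all zeros, reports the first leftover byte if not, and emits a record with the asset, method, operator, and a hash as evidence. The asset id, operator name and record fields are assumptions for illustration.

```python
"""Verify a wiped medium is all zeros and emit a disposal record (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: multi-TB media never need to fit in RAM


def verify_zeroed(path, chunk=CHUNK):
    """Read every byte of `path`; return (all_zero, first_bad_offset, sha256_hex).

    Reading the whole medium is the evidence that an overwrite really finished;
    the hash is stored with the record so the evidence can be re-checked later.
    """
    h, first_bad, offset = hashlib.sha256(), None, 0
    with open(path, "rb") as f:
        while buf := f.read(chunk):
            h.update(buf)
            if first_bad is None and buf.count(0) != len(buf):
                # locate the first non-zero byte inside this chunk
                first_bad = offset + next(i for i, b in enumerate(buf) if b)
            offset += len(buf)
    return first_bad is None, first_bad, h.hexdigest()


def disposal_record(asset_id, path, method, operator, classification):
    """Audit record with the fields the procedure above asks for (assumed names)."""
    ok, bad, digest = verify_zeroed(path)
    return {
        "asset_id": asset_id,
        "classification": classification,
        "method": method,
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "bytes_checked": os.path.getsize(path),
        "verified": ok,
        "first_nonzero_offset": bad,
        "sha256": digest,
    }


def make_sample(zeroed, size=4 * CHUNK + 17):
    """Constructed stand-in for a wiped drive: all zeros, or one stray byte left behind."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size)
        if not zeroed:
            f.seek(2 * CHUNK + 5)
            f.write(b"\x5a")
    return path
```

On a real drive, point `disposal_record` at the device node after the overwrite and store the returned dict alongside the other chain-of-custody evidence; a `verified` of `False` means the wipe must be repeated or the medium escalated to physical destruction.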
What are some gotchas?
- Reformatting a drive or deleting files doesn't actually erase the underlying data. Use secure erase tools instead.
- Some SSD models don't fully support ATA Secure Erase due to wear leveling. Check with the vendor whether the implementation meets sanitization guidelines.
- Older tape drives may not respond to erase commands or degaussers. Test your equipment.
- If using built-in OS secure erase, you may need temporary BIOS/UEFI passwords to boot to the utility. Ensure these don't get lost.
- Shredding or incinerating drives may release toxic chemicals. Use approved recycling facilities with proper ventilation and protective gear.
What are the alternatives?
Full-disk encryption (e.g. BitLocker, LUKS, FileVault) can reduce disposal costs, as simply destroying the keys makes the encrypted data unreadable without elaborate erasure or destruction.
For less sensitive data, a single pass overwrite (writing zeros or random data) may be sufficient. Some regulations allow this for general business data.
Cloud providers may offer secure disposal as a service. For example, AWS and Azure let you specify erasure standards to apply when an encrypted EBS volume or VHD is deleted.