DATA DISPOSAL: GRIND UP A GOOD TIME.
By: Craig McElroy, CTO & Co-Founder, Contegix
At Contegix, one of our core values is to respect people, data and time. While all three of these are absolutely critical, whether dealing internally with coworkers or externally with customers, failure to respect data carries the most potential for detrimental impact.
We realize that data is the lifeblood of our customers, so this core value pertains to taking measures to ensure data is saved and to prevent that data from inadvertently falling into the wrong hands. One of our steps for handling data remaining on drives as part of our server decommissioning procedures is to wipe each drive using a United States Department of Defense 5220.22-M compliant process.
Our utility of choice is the open source Darik’s Boot and Nuke (DBAN) (http://www.dban.org), which includes a number of data clearing options as well as the full DoD 5220.22-M method. This method performs a seven-pass wipe using random characters, complements of those characters, and random data streams. In 2004, the U.S. National Security Agency (NSA Advisory LAA-006-2004) found that even a single overwrite using the above method is sufficient to render electronic files unrecoverable. Furthermore, when we recently met with a consultant from a major information security company specializing in computer forensics, he told us quite plainly that once you get past three passes of random writes, recovery is not possible.
While this data clearing approach accommodates the vast majority of data security needs we encounter, there are always going to be exceptions. The Defense Security Service, an agency of the DoD, provides a Clearing and Sanitization Matrix (C&SM), which specifies methods for sanitization of data. As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media, with only degaussing or physical destruction being acceptable. For cases of extreme data sanitization requirements where these guidelines must be met by our customers, we will provide arrangements whereby drives from that customer’s servers will be physically destroyed by a trusted electronics recycling and media destruction firm.
While this approach clearly isn’t as green as a multi-pass wipe and repurposing of a drive, the logic board, which contains no data, is first removed from the drive and appropriately recycled before shredding takes place. Take a look at the included video to witness the gruesome fate that awaited some of the drives we recently took there for destruction.
To address your own data protection concerns for all electronic devices capable of storing data, not just hard drives, review NIST Special Publication 800-88, Guidelines for Media Sanitization (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). Its recommendations can be applied to all types of organizations and are helpful in devising an appropriate policy based on the confidentiality level of your information.