In my most recent column, I briefly reviewed the seriousness of the data remanence problem on discarded disk drives. Today I want to wrap up with a pointer to an interesting product about which I have recently learned: Ensconce Data Technology’s Digital Shredder.

The online demo is unusually well done, with clear images, succinct and informative commentary, and useful details for a security or network administrator.

The introduction begins with a statement of the need for proper “decommissioning” of hard drives and shows a good summary table listing U.S. laws and other factors that impel organizations to ensure that discarded or repurposed drives have been properly wiped: Gramm-Leach-Bliley, Sarbanes-Oxley (see a recent article about SOx compliance from Network World's Technology Update), Fair and Accurate Credit Transactions Act of 2003 (FACTA) and the Health Insurance Portability and Accountability Act (see an interesting article about a HIPAA audit in Computerworld).

The demo continues with a review of the methods for sanitizing disk drives. Software overwriting alone, they say, is not trustworthy because the choice of algorithm may be inadequate and because certain portions of the drive may not be overwritten at all.

Degaussing is unreliable and even dangerous; sometimes drives are damaged so that they cannot be checked to evaluate the completeness of data wiping. The strong magnetic fields can also unintentionally damage other equipment. Outsourcing degaussing introduces problems of having to store drives until pickup, losing control over data and not being able to provide authenticated records of the data destruction.

Physical shredders are expensive and usually offered only by outside companies, leading to similar problems of temporary storage, relinquishing control and dubious audit trails.

The Digital Shredder is a small, portable hardware device that provides a wide range of interfaces (cloyingly called “personality modules”) covering today’s disk drives. The design objectives, quoting the company, were to provide:

1. Destruction of data beyond forensic recovery
2. Retention of care, custody and control
3. Certification and defendable audit trail
4. Ease of deployment
5. Ability to recycle the drive for reuse.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.