Disk data remanence: Part 2

Inside the Digital Shredder

Security Strategies Alert By M. E. Kabay, Network World
August 07, 2007 12:10 AM ET

The long view of security strategies for your network.

In my most recent column, I briefly reviewed the seriousness of the data remanence problem on discarded disk drives. Today I want to wrap up with a pointer to an interesting product about which I have recently learned: Ensconce Data Technology’s Digital Shredder.

The online demo is unusually well done, with clear images, succinct and informative commentary, and useful details for a security or network administrator.

The introduction begins with a statement of the need for proper “decommissioning” of hard drives and shows a good summary table listing U.S. laws and other factors that impel organizations to ensure that discarded or repurposed drives have been properly wiped: Gramm-Leach-Bliley, Sarbanes-Oxley (see a recent article about SOx compliance from Network World's Technology Update), Fair and Accurate Credit Transactions Act of 2003 (FACTA) and the Health Insurance Portability and Accountability Act (see an interesting article about a HIPAA audit in Computerworld).

The demo continues with a review of the methods for sanitizing disk drives. Software overwriting alone, they say, is not trustworthy because the choice of algorithm may be inadequate and because certain portions of the drive may not be overwritten at all.
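The concern that parts of a drive may be left unwritten is something an administrator can check after a software wipe. The sketch below is an added example, not code from the column or from the vendor: it reads back every addressable sector, flags any that does not hold the fill byte, and returns a record suitable for an audit log. The 512-byte sector size, the zero fill pattern, the function names and the sample image are all assumptions made for illustration.

```python
import hashlib
import io
import json

SECTOR = 512  # assumed logical sector size


def verify_wipe(dev, fill=0x00, sector=SECTOR, chunk_sectors=2048):
    """Read every addressable sector of `dev` and flag any that is not `fill`.

    Only LBAs reachable through ordinary reads are covered; remapped sectors
    or a host protected area are invisible to this check.
    """
    expected = bytes([fill]) * sector
    digest = hashlib.sha256()
    dirty, dirty_count, lba = [], 0, 0
    while True:
        buf = dev.read(sector * chunk_sectors)
        if not buf:
            break
        digest.update(buf)
        for off in range(0, len(buf), sector):
            block = buf[off:off + sector]
            if block != expected[:len(block)]:  # short final block allowed
                dirty_count += 1
                if len(dirty) < 16:             # keep the record small
                    dirty.append(lba)
            lba += 1
    return {
        "sectors_read": lba,
        "dirty_sectors": dirty_count,
        "first_dirty_lbas": dirty,
        "sha256": digest.hexdigest(),
        "passed": lba > 0 and dirty_count == 0,
    }


def constructed_image(sectors=64, residue_lba=40):
    """Constructed sample: a zero-filled 'drive' with one sector left behind."""
    img = bytearray(sectors * SECTOR)
    start = residue_lba * SECTOR
    img[start:start + 16] = b"CUSTOMER-RECORD!"
    return bytes(img)


if __name__ == "__main__":
    report = verify_wipe(io.BytesIO(constructed_image()))
    print(json.dumps(report, indent=2))
```

`verify_wipe` accepts any binary file object, so the same function can be pointed at a disk image or a block device opened read-only. A passing result says nothing about areas the drive does not expose to normal reads.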

Degaussing is unreliable and even dangerous; sometimes drives are damaged so that they cannot be checked to evaluate the completeness of data wiping. The strong magnetic fields can also unintentionally damage other equipment. Outsourcing degaussing introduces problems of having to store drives until pickup, losing control over data and not being able to provide authenticated records of the data destruction.

Physical shredders are expensive and usually offered only by outside companies, leading to similar problems of temporary storage, relinquishing control and dubious audit trails.

The Digital Shredder is a small, portable hardware device that provides a wide range of interfaces (cloyingly called “personality modules”) covering today’s disk drives. The design objectives, quoting the company, were to provide:

1. Destruction of data beyond forensic recovery
2. Retention of care, custody and control
3. Certification and defendable audit trail
4. Ease of deployment
5. Ability to recycle the drive for reuse.

The unit can wipe up to three disks at once. It includes its own touch screen; offers user authentication with passwords to ensure that it is not misused by unauthorized personnel; provides positive indications through colored LEDs to show the current status of each bay; can format drives for a range of file systems; and can be used to re-image a drive by making bitwise copies from a master drive in one bay to a reformatted drive in another.

Readers can download a 13-page White Paper about the problem and the product without even having to register (!). I wish more companies were so open about providing information freely.

Based solely on the materials I have seen, this device looks interesting.

[DISCLAIMER: As always, I want it clearly understood that I have no financial interest whatever in this product and have not even had any contact with the company other than receiving a pamphlet and reviewing their Web site.]

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
