Data Erasure Software: All tools are not equal
By: Markku Willgren, Blancco
When it comes to data erasure software, all tools are not created equal. For example, data wiping freeware cannot guarantee – or prove – that all data is removed, and is more appropriate for personal use. On the other hand, certified data erasure offers a secure option for thoroughly removing data and providing a detailed report to prove erasure occurred so that hardware can be safely reused, disposed or sold.
When evaluating data erasure, or an IT asset disposition (ITAD) specialist or recycler to perform it, organizations should understand the importance of certifications, approvals and standards in providing the most secure erasure possible. “Certified” means that the data erasure software has been certified by a specific entity, such as a government or independent third-party evaluator. It may also be “approved” or “recommended” by such an entity. In addition, the technology used to remove the data may also adhere to a particular technical standard required by an entity.
The right certified data erasure software not only provides complete data removal and detailed erasure proof, it can also improve the productivity of those performing the erasure by automating the process. In addition, the software works for a wide range of hardware, including smartphones and tablets.
Best-in-class certified data erasure tools use a method of software-based and/or firmware-based overwriting that completely destroys all electronic data on hard drives and other digital media by overwriting it with a pattern of 1’s and 0’s. Many government and industry standards exist for the overwriting process itself. The key factors in meeting these standards are the overwriting pattern, number of times the data is overwritten and verification, all of which vary depending on the standard involved.
For example, Department of Defense (DOD) standards have in the past referred to seven or three overwriting rounds, while the current National Institute of Standards and Technology (NIST) recommendation is a single pass. Also, many standards require a method to verify that all data has been removed from the entire drive, as well as a view of the overwrite pattern.
To provide the most secure erasure possible and be prepared for a variety of recycling requirements, a business or ITAD should choose a tool that meets or exceeds as many major international standards as possible, while providing a validation certificate indicating such. Some of these standards include:
- US Department of Defense, DOD 5220.22-M & ECE
- US Army, AR380-19
- US Navy Staff Office Publication, NAVSO P-5239-26 for RLL
- US Air Force System Security 5020
- National Computer Security Center, NCSC-TG-025
- NSA overwriting standard
Certifications, approvals and recommendations
Certifications, approvals and recommendations indicate that a data erasure tool meets the highest criteria for removing data. They are critical for organizations that want to do business in a particular industry or with a government, but they also demonstrate that certified data erasure can effectively guard against exposure of sensitive data.
For example, the internationally-recognized Common Criteria certification verifies that data erasure software has completed a rigorous independent testing process validating its ability to permanently erase data from hard drives and other storage devices. It also verifies that the software conforms to standards sanctioned by the International Standards Organization (ISO-IEC 15408). For many US government departments and agencies, as well as contractors who support them, information security products must undergo a Common Criteria evaluation prior to purchase. For private organizations, Common Criteria offers confidence that an IT security solution has been tested and approved by an independent party.
NATO approval is another example of how data erasure tools protect sensitive data. NATO recommends certain data erasure software for removing data at various security levels, such as data classified as Secret, as proven by stringent disk forensic tests. Such approvals and recommendations provide users of this erasure software with confidence of complete data removal.
Selecting a data erasure tool that adheres to multiple certifications, approvals and recommendations means that a business is prepared to work in a variety of industry or government environments. Most importantly, it demonstrates that the erasure process has been proven effective by multiple independent parties.
While standards, certifications, approvals and recommendations may vary in their requirements, a key element in most such evaluations is the erasure report. A data erasure report should contain detailed information about a disk’s sanitization status. Reports contain information such as erasure date, hard drive serial number, specifics about the PC or disk, technician name and results/errors concerning the erasure process. This information is particularly useful when remarketing the erased equipment.
Data erasure software should access the entire drive, even hidden and locked areas, and provide a validation certificate if the overwriting procedure was successfully completed. In the erasure process, however, the software may encounter bad sectors that it cannot overwrite. In this case, the software should disclose the number of such sectors encountered and note that the erasure was incomplete. Depending on policy and risk tolerance, some organizations may want to refurbish a disk with only a few bad sectors, while others may choose physical destruction. For electronics recyclers, identifying the healthy disks offers potential revenue from remarketing, along with a reduction in e-waste.
Advanced data erasure tools have a range of benefits in addition to the security provided through standards and certifications. When determining the standards, certifications and reporting capabilities of data erasure software, organizations and recyclers should also look for certified data erasure software that can erase a wide range of hardware, which is crucial for efficiently serving emerging drive types like those used in smartphones and tablets. Whether the drive comes from a laptop, server, cable box or a variety of other equipment, a certified data erasure tool should support IDE, PATA, SATA, Fiber Channel, SCSI and many other drive types, including the increasingly common solid state drives (SSDs).
Also, certified data erasure software can automate the erasure process, allowing the technical staff to centrally administer the erasure of multiple disks over the network. SCSI, SAS, SATA, FC and even IDE drives may be erased simultaneously. The erasure process takes one gigabyte per minute on average for a DOD three-pass erasure of a typical older PC drive, while server-class drives can be erased significantly faster.
When the erasure process is complete, an erasure report is automatically generated and sent over the network to a management console or asset management database. The console validates the erasure report as genuine, verifies erasure is complete, and functions as a convenient repository for erasure reports. The reports can then be used as a trigger for authorizing removal or disposal of the sanitized asset.
Markku Willgren (firstname.lastname@example.org) is President, US Operations, for Blancco, a provider of data erasure and computer reuse solutions. Blancco data erasure software has over ten national and international third party approvals, certifications and recommendations – the most in the industry – and meets or exceeds all major international standards for secure data erasure.