Why Data Deletion is Such a Complex Task
29 Jul 2020
Every company should get to grips with the topic of data security – at the very latest when data carriers leave the premises. In everyday use, this security is ensured by using passwords and encryption. But what happens when computers, laptops and mobile devices – or even USB sticks – are disposed of? Since the introduction of the GDPR, data security has come into sharper focus for companies – also regarding the disposal of old equipment. But there are still a lot of gaps in people’s knowledge.
Even pre-GDPR, businesses were already obliged to manage personal data appropriately and securely. But for many companies, it was the GDPR which brought the issue into view for the first time. Art. 17 GDPR defines the right to be forgotten, which enables the affected people to demand that their data is securely and reliably deleted after the agreed usage. But beyond this, it is important to protect their data from being accessed by strangers. If they end up in the wrong hands, personal data, internal company reports or plans for products could be detrimental to business.
Companies often believe that defective or formatted data carriers can simply be disposed of without presenting a security risk. That is not true: anyone who wants to can recover the data from such data carriers with little effort. Therefore, to ensure data security, companies must first ensure by technical means that the data deletion is irreversible – and they must also document this in order to protect themselves against claims and industrial espionage.
This means that other procedures must be used to ensure this data has been irreversibly and verifiably destroyed. Here the options are to destroy the data carrier or to use software-supported data deletion. But, in addition to hardware and software, knowledge about the correct deletion methods for the relevant storage media is essential for implementing a secure solution. In the following, we will take a closer look at the different storage media and the suitable data deletion methods.
How does data deletion and data carrier destruction work?
Fundamentally, there are three methods to be sure that data does not end up in unauthorised hands: physical destruction of the data carrier, software-supported data deletion and crypto erasure methods which irreversibly delete the key for encrypted data. All three methods can ensure secure data deletion, but they are not equally efficient on all types of storage media, or they cannot be performed in the same way for all storage media. So let’s take a closer look at the technical prerequisites.
What storage media are there?
Here we’ll explain the two most common types of storage media, which are the relevant ones for most companies, to clarify the potential pitfalls of the different data deletion methods.
We won’t be considering other storage media, such as optical data carriers (e.g. CDs) or magnetic tapes. These, too, have their own specific features which influence secure data deletion. As these other types of data carriers don’t have a large role to play in most companies, at this point, we’ll only mention them in passing.
Hard drives store data on rotating disks, which are written magnetically. The data is stored via the permanent magnetisation of the drive segments. Despite the increasing prevalence of the faster SSD technology, we expect the popularity of hard drives to continue, since they offer large storage capacities at inexpensive prices. The service life of a hard drive depends on its use and its mechanical loading, but hard drives are generally regarded as very reliable. As failures are always possible, it is nevertheless always advisable to make a backup despite the excellent service life.
In solid-state drives (SSDs), and in mobile phones and USB sticks too, data is stored in flash memory in the form of an electric charge. These devices differ in detail, but a general overview is sufficient to understand the pitfalls for data deletion associated with this type of storage.
In flash memory, data is stored in cells which consist of individual floating-gate MOSFETs. These cells are arranged on a printed circuit board and subdivided into small groups. In this way, a great deal of data can be packed into a very small space. One disadvantage of flash technology is that the number of erase cycles is limited, meaning that the service life is lower than that of hard drives. The data is also written to the storage medium in a different way than on hard drives: write operations are distributed across the cells to extend the service life, and faulty blocks are retired from use. How the data is written depends on the controller – which may differ depending on the manufacturer and also the model. So it is not possible to make a blanket statement about how data is written on flash storage.
Due to the absence of moving mechanical parts however, SSDs are also less susceptible to failures due to impacts or being dropped – which, in addition to their small dimensions, makes them particularly attractive for use in laptops. But because their structure is completely different to that of hard drives, this means their data deletion requirements are also different.
Data deletion and data carrier destruction procedures
As already mentioned, there are essentially three different methods to irreversibly destroy data.
Destroy the data carrier
The first method is the mechanical destruction of data carriers. This is often the method of choice for highly-sensitive data, to be absolutely sure that the data can never be retrieved. But here, too, there are pitfalls which you need to watch out for.
A popular method of deleting hard drives is demagnetisation (degaussing). Here the hard drive is exposed to a strong magnetic field, which removes the magnetisation on the drive. This procedure destroys the hard drive: it cannot be reused afterwards and must be sent for recycling. This procedure can also be used for other magnetic storage media, such as magnetic tapes and discs. However, the procedure is unsuitable for any type of flash-based storage, since flash memory holds data as an electric charge rather than as magnetisation. Another problem is that older demagnetising equipment is not always able to generate the field strengths required to reliably destroy more modern hard drives.
Another option for destroying data carriers (and the information they hold) is shredding. This process mechanically shreds the hard drives. However, to ensure this procedure is truly secure, it is a requirement that only very tiny hard drive pieces are left over. The DIN 66399-2 standard specifies how large the remaining pieces may be for the corresponding security levels. Here the type of data carrier also makes a difference. To comply with security level 5, hard drives holding confidential data are permitted maximum residual particle sizes of 320 mm². For flash storage, a maximum of only 10 mm² is permitted for the same security level. This is due to the data density and the physical construction of the data carriers. Therefore, when shredding data carriers, care must be taken that the appropriate standards are complied with for the relevant storage media.
Destroying hard drives is not the only way to ensure that data does not end up in the wrong hands after disposing of the data carrier. For economic reasons and to protect the environment, it makes sense to continue using functional data carriers and to give them a second life. Particularly for newer laptops and mobile phones where the memory is soldered into place and cannot be replaced, it is better to consider secure data deletion rather than scrapping the device entirely.
If the data carriers are already completely encrypted with at least 128-bit encryption, there is the option of not overwriting the data carrier itself multiple times, but just the key which is needed to decrypt the data. If this key is lost, the data cannot be retrieved. This procedure is known as crypto erase and, because it doesn’t take very long, it is an inexpensive process. This process also has its disadvantages, however. It cannot be used for all data carriers, as complete encryption of the data is a basic prerequisite. And it is not always possible to ensure that – due to human error – the decryption key has not been stored in another location, which would allow the data to be retrieved after all. Therefore the crypto erase procedure only offers limited protection.
A secure procedure is the complete overwriting of the data carrier with random numbers, multiple times. Depending on the security standards to be fulfilled, the data carrier is overwritten up to seven times. This means it is impossible to retrieve the data previously on the drive.
Although this procedure is easy to implement for hard drives, flash storage presents more of a challenge. Due to the way flash storage works, one single writing operation will not necessarily overwrite all regions of an SSD. To be absolutely sure that all regions on a flash storage device are overwritten, it is necessary to work at the level of the device’s firmware. This means that not only must many different manufacturers be supported, but always the latest models as well.
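To make the difference between the two media concrete, here is an added toy model (not code from this article or from Green IT Solution) of a hard drive that writes every block in place and of an SSD whose controller remaps each write to a fresh physical page. The class names, the page counts and the garbage-collection timing are constructed assumptions; real controllers behave differently from model to model, which is exactly the point of the paragraph above.

```python
"""Why a host-side overwrite reaches every sector of a hard drive but not
necessarily every flash page of an SSD. Toy models with constructed data."""
import secrets

BLOCK = 16                     # bytes per sector/page in the toy models
SECRET = b"CONFIDENTIAL-DOC"   # constructed 16-byte payload to be erased


class MagneticDisk:
    """Hard drive model: a logical block address always maps to the same
    physical sector, so each write replaces the old magnetisation in place."""

    def __init__(self, blocks: int) -> None:
        self.sectors = [bytes(BLOCK)] * blocks

    def write(self, lba: int, data: bytes) -> None:
        self.sectors[lba] = data

    def read(self, lba: int) -> bytes:
        return self.sectors[lba]

    def physical_dump(self) -> bytes:
        """Everything a forensic read of the platters would see."""
        return b"".join(self.sectors)


class FlashDrive:
    """SSD model: the controller never rewrites a page in place. A host write
    goes to a fresh physical page (logical area plus spare area) and the
    mapping table is updated; the page holding the previous version is only
    marked stale and keeps its content until the firmware erases it."""

    def __init__(self, logical_blocks: int, spare_pages: int) -> None:
        self.pages = [bytes(BLOCK)] * (logical_blocks + spare_pages)
        self.mapping = {}                       # lba -> physical page index
        self.free = list(range(len(self.pages)))
        self.stale = []                         # outdated but intact pages

    def _garbage_collect(self) -> None:
        # Erase stale pages only when the free pool runs dry; the timing of
        # this is the controller's decision, invisible to the host.
        for page in self.stale:
            self.pages[page] = bytes(BLOCK)
        self.free.extend(self.stale)
        self.stale = []

    def write(self, lba: int, data: bytes) -> None:
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        if lba in self.mapping:
            self.stale.append(self.mapping[lba])   # old copy lingers here
        self.pages[page] = data
        self.mapping[lba] = page

    def read(self, lba: int) -> bytes:
        return self.pages[self.mapping[lba]]       # host sees only the mapping

    def firmware_secure_erase(self) -> None:
        """Firmware-level erase: clears every physical page (mapped, stale or
        spare), regardless of what the host can address."""
        self.pages = [bytes(BLOCK)] * len(self.pages)
        self.mapping, self.stale = {}, []
        self.free = list(range(len(self.pages)))

    def physical_dump(self) -> bytes:
        return b"".join(self.pages)


def host_overwrite(drive, blocks: int, passes: int) -> None:
    """Host-side wipe as a software tool performs it: fill every logical
    block with random bytes in each pass. Only logical blocks are reachable."""
    for _ in range(passes):
        for lba in range(blocks):
            drive.write(lba, secrets.token_bytes(BLOCK))


def residue(drive) -> int:
    """Number of physical copies of SECRET still readable below the host level."""
    return drive.physical_dump().count(SECRET)


def demo(passes: int = 1) -> tuple[tuple[int, int], int]:
    blocks = 4
    hdd, ssd = MagneticDisk(blocks), FlashDrive(blocks, spare_pages=4)
    for lba in range(blocks):
        hdd.write(lba, SECRET)
        ssd.write(lba, SECRET)
    host_overwrite(hdd, blocks, passes)
    host_overwrite(ssd, blocks, passes)
    after_host = (residue(hdd), residue(ssd))   # (0, 4) for a single pass
    ssd.firmware_secure_erase()
    return after_host, residue(ssd)              # firmware erase leaves 0
```

With one pass, the hard drive model holds no trace of the secret while the SSD model still holds four intact copies in pages the host cannot address, even though `ssd.read()` returns only the new random data. In this simplified model a second pass happens to trigger garbage collection and clears them, but whether and when that happens on a real device is the controller's choice; the only reliable way to reach every page is the firmware-level erase, which is why the text calls for support at that level for each manufacturer and model.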
Although this article has only scratched the surface of data deletion, it is clear that this is a complex issue which must not be ignored under any circumstances. Secure handling of data is essential to protect your company from claims due to data protection infringements, as well as from industrial espionage.
We at Green IT Solution will advise you on which methods for data deletion or data carrier destruction are the right ones for you and, with our certified partners, will perform this service for you in line with BSI standards. Get in touch with us for an in-depth consultation.