I was asked recently to provide some thoughts on physical data destruction for an article David Spark (CISOseries.com, Twitter: @dspark, LinkedIn) was working on.

Here are my complete musings on the subject:

The initial step when considering data destruction is basically the same first step in data protection: Take time to understand what kind of data you’re working with. Policy around data classification is going to dictate certain aspects of how that data must be treated. Is it proprietary source code of your product? An employee’s laptop? A payroll server hard drive with PII? Website backups? Customer data? A Top Secret list of spies in the field? More sensitive data is going to require greater lengths to ensure the data cannot be recovered. And the inability to recover data is the goal of data destruction. Risk management techniques can be applied to determine the criticality of data not being recovered, the threat if it is recovered, and the loss the organization could face if it were to be recovered.

Policy and procedure for data destruction must take into account legal and financial data holds and retention periods. Does the data that was being stored need to be moved and stored elsewhere, and for how long? If you are moving data from a local server to the cloud, additional questions need to be answered: Does the new location honor any location-based restrictions? Does the new location meet the same standards and comply with the same laws as the old location (e.g. HIPAA, GDPR, CCPA)? Data governance needs to be considered for any data being moved to a new location before moving it.

A lot of the concerns around physical data destruction (for example, hard drives or RAM) relate to dependency on a supply chain. This could involve shipping or transfer to another facility. Remote workers may be shipping laptops back to the organization when their employment is terminated (or may fail to). There are services that will come onsite to pick up your asset(s) to take them to a destruction site. Validation of destruction is going to be based on some form of trust. Chain of custody for assets is a critical piece of this process.

Software sanitization, if possible, should be used before sending an asset offsite to be destroyed. Even if a hard drive is encrypted, the data it stores may not be. If the storage media is functional, it is important to delete and overwrite (as many times as deemed necessary) any data that was stored on the media before physically shredding it.
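As an added example (not code from the original post), a Python verification pass that reads back a sanitized disk image or block device and confirms it holds only the overwrite pattern, either in full or on a random sample of blocks. The image it checks, and the leftover bytes planted in it, are constructed inline.

```python
import os
import random
import tempfile


def verify_wipe(path, pattern=b"\x00", block_size=4096, sample_blocks=None, seed=None):
    """Check that every byte of the image or device at `path` equals `pattern`.

    Returns (ok, blocks_checked, first_bad_offset). With sample_blocks=None the
    whole media is read; otherwise that many randomly chosen blocks are read.
    """
    if not pattern:
        raise ValueError("pattern must be at least one byte")
    expected = (pattern * (block_size // len(pattern) + 1))[:block_size]
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)  # works for block devices, unlike os.path.getsize
        size = f.tell()
        nblocks = (size + block_size - 1) // block_size
        blocks = range(nblocks)
        if sample_blocks is not None:
            rng = random.Random(seed)
            blocks = sorted(rng.sample(range(nblocks), min(sample_blocks, nblocks)))
        checked = 0
        for i in blocks:
            f.seek(i * block_size)
            data = f.read(block_size)  # last block may be short
            checked += 1
            if data != expected[:len(data)]:
                bad = next(k for k, (a, b) in enumerate(zip(data, expected)) if a != b)
                return False, checked, i * block_size + bad
    return True, checked, None


def build_sample_image(dirty):
    """Constructed 64 KiB image: all zeros, optionally with 16 bytes left unwiped."""
    data = bytearray(64 * 1024)
    if dirty:
        data[40000:40016] = b"LEFTOVER-SECRETS"  # constructed residue at offset 40000
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    print(verify_wipe(build_sample_image(dirty=False)))  # full scan, clean
    print(verify_wipe(build_sample_image(dirty=True), sample_blocks=4, seed=1))
```

A sampled pass can miss a small patch of residue, so use the full scan for media you intend to reuse and keep the sample size proportional to the risk of the data it held.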

An organization may consider handling physical destruction of the asset in-house and on-premises. If an org has multiple locations, this may mean buying degaussing devices (if appropriate) and/or shredding machines for each location. This is probably not ideal for a few reasons. First, these machines can be incredibly costly. Second, doing data destruction right can be tricky. Third, more than one method for sanitization and destruction may be required, and it may vary based on the manufacturer and/or type of asset. The risk of data exposure from a disposed asset may outweigh the risk of giving your asset to a reputable, specialized service provider that focuses on asset destruction with fully transparent and auditable processes.

Shredding does not in all cases provide the best level of security and is not always necessary, especially if an asset can be reused, which can make software sanitization more cost-effective. Solid State Drives (SSDs) cannot be degaussed, and files that have been wiped or erased still have some chance of being recovered. If you plan to re-use an SSD, you should understand that sanitizing flash-based media can decrease its lifespan.

While I have seen claims that one half inch or 2mm is small enough for shredding to render an SSD “destroyed”, NIST 800-88v1 warns that a device “is not considered Destroyed unless Target Data retrieval is infeasible using state of the art laboratory techniques.” The methods NIST lists for achieving this seem extreme: “Disintegrate, Pulverize, Melt, and Incinerate. These sanitization methods are typically carried out at an outsourced metal destruction or licensed incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.” Such methods are going to be more costly than doing a few things in-house and calling it a day, but if the data is deemed to be of a high enough classification, NIST methods may be warranted as the only way to completely mitigate the risk of potential data recovery.

In the end, data destruction is about minimizing risk, so the sensitivity of the data is going to dictate how much effort and budget is going to be needed to minimize that risk to an acceptable level for the organization. For some assets, a combination of software sanitization and shredding may be appropriate. NIST methods may be appropriate for others. Your process should take these factors into account, and have multiple supporting procedures for different types of media (SSD vs HDD), for different data classifications, and potentially for different customer or contractual needs.