Data Erasure Overview
By Thomas Westerbeek van Eerten & Mateusz Lorczak, NKS-GROUP SP. Z O.O.
In today’s digital era we are surrounded by information. It comes to us from multiple sources, and on top of that we create information ourselves on many levels and through many channels.
Private information can be sensitive: criminals can harm us using details we share ourselves, such as photos and status updates. But what about companies?
Companies and their IT/Security departments naturally need to ensure their processes secure information in a way that there is no unauthorised access – for both confidential company details like revenues, costs, etc., but also the details on its employees and customers. Current regulations force companies to implement security measures to ensure data is obtained and kept in a secure manner.
One of the security measures that gives data the highest level of protection is data erasure. Deleting data properly is not easy: it requires knowledge not only of the technical aspects but also of how to guarantee that a product does what it is supposed to do, and of when and how to delete data. In this article we try to give an insight into what is involved in the safe erasure of data.
DATA ERASURE SOLUTIONS
There are three different types, techniques and procedures for media destruction:
- Electrical destruction – Logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
- Degaussing – A process that ensures there are insufficient magnetic remnants to reconstruct the data. An electromagnetic degausser passes an electrical charge through a degaussing coil to generate a magnetic field, which results in the subsequent inability to use the media for storage of data.
- Mechanical destruction – Disintegrate, pulverize, melt, and incinerate. These sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or licensed incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.
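The logical overwrite from the first bullet, followed by a read-back verification pass, as an added example (not code from the article or from any erasure product). The file-backed image standing in for a device, the 64 KiB block size and the function names are assumptions; like any Read/Write-command method it reaches only user-addressable locations.

```python
import os
import tempfile

BLOCK = 64 * 1024  # chunk size for writes and read-back (assumption)

def overwrite(path, fill=0x00):
    """Rewrite every addressable byte of the target with one fill value."""
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)   # works for files and block devices
        dev.seek(0)
        remaining = size
        while remaining:
            n = min(BLOCK, remaining)
            dev.write(bytes([fill]) * n)
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())            # push the writes past the OS cache
    return size

def verify(path, fill=0x00):
    """Read everything back; return offsets of blocks holding other data."""
    bad, offset = [], 0
    with open(path, "rb") as dev:
        while True:
            data = dev.read(BLOCK)
            if not data:
                break
            if data != bytes([fill]) * len(data):
                bad.append(offset)
            offset += len(data)
    return bad

def demo():
    # Constructed sample: a 200 KiB file standing in for a storage device.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(200 * 1024))
        path = f.name
    try:
        before = verify(path)             # random data: every block fails
        written = overwrite(path)
        after = verify(path)              # erased: no failing blocks
        with open(path, "r+b") as dev:    # failure mode: one stale byte
            dev.seek(2 * BLOCK + 10)
            dev.write(b"\x41")
        return written, len(before), after, verify(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

On a real device the read-back should bypass the operating system's page cache, otherwise it confirms only what the OS buffered rather than what the media holds.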
EXPLANATIONS ABOUT CERTIFICATIONS, ACCREDITATIONS, PRODUCT ASSURANCES, COMPLIANCES
“Be sure the product is secure”
In the world of security products, a variety of Certifications, Product Assurances, Accreditations and Compliances are offered. Certificates & quality labels are issued by various organizations to assure a security product meets their requirements. Below you can find the distinction between Certifications, Product Assurances, Accreditations and Compliances.
Products can be certified by various organizations. The highest available certifications are from governing security departments. Most countries have their own national standards and certification bodies or work with local certified and approved test laboratories to audit the vendor.
To set an international standard for certifications of security products, the following national bodies set up and joined the international agreement on the mutual recognition of IT security and issue certificates based on the Common Criteria Recognition Arrangement “CCRA-2014”: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Republic of Singapore, Spain, Sweden, Turkey, United Kingdom, USA.
In addition, there are many other countries that certify products based upon the same Common Criteria standards but are not official members. The security target of each certified product defines exactly what has been certified.
Accreditation is the independent, third-party evaluation of a conformity assessment body against recognized standards.
Accreditation bodies are established in many economies with the primary purpose of ensuring that conformity assessment bodies are subject to oversight by an authoritative body. Accreditation bodies that have been peer evaluated as competent sign regional and international arrangements to demonstrate their competence. These accreditation bodies then assess and accredit conformity assessment bodies to the relevant standards.
The most important and recommended accreditation for data security products is the NATO NIAPC.
The NATO Information Assurance Product Catalogue (NIAPC) established under Directive AC/322-D (2019) 0041-REV1, provides NATO nations, and NATO civil and military bodies with a catalogue of Information Assurance (IA) products, Protection Profiles and Packages that are in use or available for procurement to meet operational requirements.
3. Product Assurances. A security scheme
A Product Assurance scheme helps companies demonstrate that the security functions of their products meet the defined standards (known as Security Characteristics) and consists of product testing and assessment. The assessment covers the applicant’s approach to product development, evolution and support, and includes reviews of documentation, interviews with the organization and a forensic assessment of the tool’s performance against a set of target media.
A leading Product Assurance research center for security products is ADISA – the test laboratory where software overwriting products can have claims made about their effectiveness verified. A product claim test will be issued as evidence that the product is in accordance with the scheme.
The term compliance literally means the fulfillment of requirements; in the narrower sense, therefore, legal conformity and adherence to the law by the company and its employees as well as “integrity, honesty and business ethics”.
Companies and government institutions that have implemented compliance regulations also defined processes for Data Security.
Until recently, data was only erased when a device became end-of-life. Large organizations and companies have now implemented procedures that define the standard periodic deletion of devices for various reasons.
A very important aspect is that this process is only carried out by certified software of which it is very explicitly clear what exactly has been certified.
The leading compliances in the world today are NIST and GDPR.
The NIST SP 800-88 Guidelines for Media Sanitization provide instructions to organizations on how to effectively erase storage and mobile devices in a secure and permanent way.
The GDPR law requires that the user must have the ability to have personal data erased and receive written proof of this. The right to erasure is also known as ‘the right to be forgotten’.
THE SUPPLY CHAIN
Each organization has a different process. There are multiple parties in the supply chain and it is therefore a must for every organization to have full control over the data and its security through a solution that complies with the laws and regulations of the countries in which the organization operates.
When devices need to be erased because they are at the end of their life cycle, because an employee leaves the organization, or because a standard has been set that those devices must be erased every certain period, it is essential that the entire data erasure process offers full control and transparency.
The ideal solution provides an infrastructure that allows the organization to set up a user structure to enable all parties in the supply chain to carry out the data erasure process while the organization retains complete control. This solution makes it possible to erase data before IT assets are removed from the working environment and minimizes the risk that data gets out of an organization.
ASSET PROTECTIONS STRATEGY
Best practice: Asset & Data Protection as a Standard
The ideal solution is a cloud-based end to end asset management application to manage the complete life cycle from the collection to resale of each asset by using RFID and NFC technology for full transparency and GPS Tracking.
The real-time application should consist of the following modules:
- Customer Management
- Collection & Logistics - schedule, collect and track
- Certified Data Erasure
- Diagnostics and Testing
- CO2 savings calculator
CERTIFIED ENGINEER PROGRAM
The software manufacturer runs its Software Certification Program to ensure the foundational knowledge necessary to design and execute a secure erasure process based on the given tool set. This training and certification will focus on the following:
- An in-depth understanding of the use and configuration of the tool set
- PXE, Standalone and Remote software implementation
- The software’s Web Manager reporting tools
- Hard drives, SSDs, RAID configurations
- Mobile Device (iOS and Android) Erasure options
- Meeting/Exceeding major erasure standards (NIST 800-88r1, BSI, DoD 5220.22-M, NATO, etc.)
- Relevant hardware and software knowledge to data erasure such as TPM chips, HPA, DCO, Wear leveling areas, etc.
After successfully completing training, an exam will be administered. Based upon the result the individual will be issued a certificate and badge for identification.
CASE STUDY – HUNGARY
The National Media and Communications Authority (NMHH) performs the tasks of regulating and supervising communications and media supervision in Hungary.
If consumers do not permanently delete their data from media devices that are no longer in use, that data can easily reach the next user of the device. You do not need to be specially trained to restore the original files. If other smart devices are connected to your phone, it’s even easier to access this data, whether it’s photos or your current passwords. Therefore, it is especially important that the erasure method used on durable media is irrevocable and secure.
A cloud-based portal where all users can erase their devices themselves free of charge and get a certificate as proof.
The software manufacturer has built a platform that is accessible to all citizens in Hungary at the address: www.veglegestorles.hu
Each hardware product that is sold has an Erasure License Code included. The customer has the option to permanently erase all the data stored on the durable media device on the platform. Each code on the label is disposable and authorizes one erasure, and the consumer receives a tamper-proof digital certificate that proves the erasure of all data on the device. The solution also includes an informative subpage on www.nmhh.hu/veglegestorles for traders and consumers.
CASE STUDY – VEHICLE MANUFACTURER (Global Corporate company - largest vehicle maker in India)
With more than 450.000 employees, the largest vehicle maker in India needed an efficient and 100% secure data erasure solution as a service. Because of the extreme sensitivity of the data, there was no Internet connection and the Company relied on actual physical destruction of the drives. Physical destruction is expensive and wasteful. At the same time, the Company is dedicated to reducing its carbon footprint and caring for the climate, so now all these computers can still be reused, sold on the used market or donated to charitable organizations.
The offline solution of the software used makes it possible to create an environment where a large number of systems can be processed by a very small number of certified, trained technicians.
The offline solution of the software provides the Automotive Company with an audit log for each piece of hardware, creating a tamper-proof data erasure report proving that each device has been successfully wiped. With the software, the Automotive Company has now lowered its environmental footprint by making it possible for used equipment to be safely reused internally or externally.
As you can see, there are many things involved when it comes to erasing data. As described, we need to define what data should be erased and how it should be done, what certifications or assurances the erasure product should have, what regulations and compliances should be followed, and who is authorized to carry out the process. We hope to have given you a brief insight into what data erasure is all about. Thank you for your attention.
Thomas Westerbeek van Eerten & Mateusz Lorczak
Thomas Westerbeek van Eerten
Certus Software GmbH – Experienced Business Development Manager professional with a demonstrated work history in the IT security industry.
BNKS Group Poland sp. z o. o. - Electronics screening and repair processes professional with 15 years of experience in operations space, including customer interaction services and freight logistic support. A recycling and self-repair enthusiast who always tries to look “under the hood” of his devices to find out how they actually work.