When you create a backup of any type of data, there inevitably comes a time when the backup is no longer needed and you need to retire your assets in a safe way. Maybe you have sufficient backups of the data in your retention plan, you need more storage space, you migrated your data to a new medium, or your media is obsolete or damaged. Without a secure process for data destruction, your business is at risk of regulatory penalties and unintentional data disclosure. Due to regulations like HIPAA and NSA requirements, destroying sensitive data is required by law. So now the question arises: how do you dispose of your data properly?
Here are a few methods for destroying obsolete data. Each method has its pros and cons. Deciding which of the methods is right for your business will likely depend on your industry, regulations, and preferences.
Overwriting
Overwriting is one of the cheapest and easiest disposal methods. Media can be reused for future backups and there are many programs you can easily use to do this.
However, it is not 100% effective. If someone has the right tools, your data can still be recovered from an overwritten drive. Most criminals won't go to the level of sophistication that is needed to recover data from overwritten disks, but it's necessary to keep this in mind. The other drawback is that overwriting is not very quick. The time it takes depends solely on how much data must be overwritten.
If you are disposing of media because it has been physically damaged, you will not be able to use this method and you are left with the physical hardware that you need to get rid of in another way.
Best For: Reusing disks or tapes for future backups
|Pros||Cons|
|Inexpensive||Data can still be recovered after overwriting|
|Media can be reused||Process can be slow|
|Many options for how to overwrite||Cannot overwrite data on damaged media|
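A minimal overwrite-and-verify pass, added here as an illustration and not taken from the original article. It runs against a constructed scratch file standing in for a reusable backup disk or tape, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the target is a constructed
# scratch file standing in for a reusable backup disk or tape.

make_sample() {            # constructed "backup": marker + random padding
    f=$(mktemp)
    printf 'PATIENT-RECORD-0001 (constructed sample)\n' > "$f"
    head -c 262144 /dev/urandom >> "$f"
    echo "$f"
}

marker_present() { LC_ALL=C grep -q 'PATIENT-RECORD-0001' "$1"; }

file_size() { wc -c < "$1" | tr -d ' '; }

# Read the whole target back and confirm every byte is zero.
verify_zeroed() {
    head -c "$(file_size "$1")" /dev/zero | cmp -s - "$1"
}

# overwrite_and_verify FILE [RANDOM_PASSES]
# Random passes first, then a final zero pass, then the read-back check.
overwrite_and_verify() {
    target=$1
    passes=${2:-1}
    size=$(file_size "$target")
    [ "$size" -gt 0 ] || return 2
    i=0
    while [ "$i" -lt "$passes" ]; do
        # conv=notrunc rewrites the existing bytes without changing the length
        head -c "$size" /dev/urandom |
            dd of="$target" bs=65536 conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    head -c "$size" /dev/zero |
        dd of="$target" bs=65536 conv=notrunc 2>/dev/null || return 1
    sync
    verify_zeroed "$target"
}

sample=$(make_sample)
marker_present "$sample" && echo "before: marker readable"
overwrite_and_verify "$sample" 1 && echo "verified: $(file_size "$sample") zero bytes"
marker_present "$sample" || echo "after: marker not found"
rm -f "$sample"
```

The read-back check is what turns an overwrite into something you can record as evidence; each pass writes the full size of the target, which is why run time scales with how much data must be overwritten.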
Degaussing
Degaussing is the process of demagnetizing media to completely erase the disk or tape. Degaussing is the standard method for data destruction on physical media. If you use the proper kind of degausser, all data on the media will be completely erased and unrecoverable. There are quite a few degaussers on the market and not all degaussers are created equal.
As media technology has advanced and allowed users to store more data on a disk, the magnetic value of the media, or coercivity, has also increased. If you choose this method of data destruction, make sure you use an NSA-recommended degausser that has a magnetic field powerful enough to erase your media. Anything less will not produce a magnetic field strong enough to completely erase your data.
All media that needs to be permanently destroyed should be degaussed before physical destruction. Disks and hard drives can no longer be used after they have been degaussed. Some tapes are reusable after degaussing, but make sure you know if they are before degaussing.
Best For: Magnetic media, before physical destruction
|Pros||Cons|
|Data is deleted and cannot be recovered||Media may not be reusable|
|Fast in-house data disposal method||Degausser must be strong enough for each magnetic media type|
|Can be very cost-effective method||Initial purchase cost|
|Meets NSA and CESG requirements for sanitisation of classified information||Doesn't account for physical disposal of media after degaussing|
Physical Destruction: In-House
The NSA recommends that all media used for data storage be physically destroyed. Media destruction machines, like shredders, crushers and disintegrators, have been created for the sole purpose of destroying obsolete backup media.
A variety of media destroyers are available for purchase online. Purchasing a device for on-site media destruction can be a substantial upfront cost, but may be worth the cost over time. Once the media is destroyed, your business will still need to figure out how to dispose of the Electronic Waste (eWaste) in an environmentally compliant manner.
Best For: Businesses with a large quantity or a continuous accumulation of obsolete or damaged media that can no longer be used and cannot be overwritten.
|Pros||Cons|
|100% certainty data is completely destroyed||Initial purchase cost|
|Easy in-house method can be done at any time||Machine capable of destroying each type of media|
Physical Destruction: Professional Service
Taking media off-site to a professional destruction service can be a convenient and cost-effective option. Most certified disposal services let you choose between complete destruction or destruction followed by recycling of your backup media.
If you are taking media off-site, make sure the service provider you choose is credible, certified, and uses secure, verifiable practices. Always get a certificate of disposal when using any service of this kind and be suspicious of any service that refuses to offer this sort of written assurance for their work. Use a service vendor that uses environmentally friendly practices to handle and dispose of your eWaste, for example an eco-friendly incineration process.
Online shredding services do exist, but it can be difficult to trust that destruction was carried out using best practices, or that it has been done at all. Businesses typically want to avoid these kinds of mail-in services.
Best For: Businesses that do not want to invest in on-site setup of data destruction. Businesses with a small amount of obsolete or damaged media that can no longer be used and cannot be overwritten.
|Pros||Cons|
|100% certainty data is completely destroyed||Verification problems|
|No infrastructure purchase necessary|| |
|Convenient - media is destroyed, recycled or disposed of for you|| |
Most businesses will want to use a combination of these methods for data destruction. Overwriting data is a good method to use while the media is still usable. Once media has become obsolete, degaussing before physical destruction is a common best practice and highly recommended by the NSA. Recycling destroyed media is a way
Bottom line: However your business chooses to dispose of its backups, make sure the process is secure, compliant, and verifiable.