Tuesday, October 4, 2011

Electronic Media Destruction - Does Size Really Matter?



http://ow.ly/6Novt

An article by Thomas Laino and Julius Younke published by sdbmagazine.com.

This article discusses the destruction of electronic media, and the standards for "sanitization" of electronic media.

The article states, "The generic term 'sanitization' is applied to different methods of eliminating data from digital media and hard drives. Sanitization is defined in National Institute of Standards and Technology (NIST) Special Publication 800-88, 'Guidelines for Media Sanitization,' as 'the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.'" A link to the applicable NIST guidelines is available in the article.

The article provides information regarding acceptable practices for destruction of media, as per the NIST guidelines. As part of this discussion, the article states, "NIST Special Publication 800-88 does provide for shredding of hard drives as an acceptable method of physical destruction but does not indicate a minimum particle size. This standard also provides the following definitions of the above methodologies:

Disintegration is 'a physically destructive method of sanitizing media; the act of separating into component parts.'

Pulverization is 'a physically destructive method of sanitizing media; the act of grinding to a powder or dust.'

Shredding is 'a method of sanitizing media; the act of cutting or tearing into small pieces.'

Incineration is 'a physically destructive method of sanitizing media; the act of burning completely to ashes.'"

The article also provides a link to the "NSA/CSS Storage Device Declassification Manual", which was produced by the National Security Agency/Central Security Service and provides guidance for classified storage device disposal.

The article goes on to discuss the methods used for shredding drives, and how the size of the drive itself affects the cost and time involved in the destruction process. The article also examines theory versus practice. It seems that at times, in "theory," data can be recovered from a shredded or damaged drive, but in actual "practice" it would simply not be cost-feasible to do what is needed to recover the data. For example, "For a drive that is 20 gigabytes in size (small by today's standards), approximately 160 billion bits with a magnetic flux change need to be photographed. The space required to store all of these photographs is approximately 16 terabytes."

The article concludes with the following advice, "Does it matter if the shredded hard disk particle size is 15 millimeters, 40 millimeters or even larger?

It would be impossible to reassemble a hard drive's shredded platters and read it by the hard disk components. Though the particles could be read individually by microscopic photography, the time and expense would be unreasonable.

Size does matter, but only to the owner of the hard drive that contains sensitive information. It all comes down to reasonable sanitization based on the potential sensitivity of the data. One may feel that the smaller particle is more secure, but the larger particle size also will make data recovery unreasonable."


