With the digital age comes the necessity to store, manage and protect sensitive information. From financial information to personal data, companies give data security maximum attention to protect themselves and their customers.
One critical aspect of data security that’s sometimes an afterthought is the proper disposition of IT assets. IT asset disposition (ITAD) companies must maintain a robust chain of custody and ensure maximum data security during the disposition process.
In this blog post, we'll explore what to look for when engaging with an ITAD company to manage your retired IT and data center assets.
What are the foundations of good data security?
Maintaining data security is essential with the ever-growing reliance on technology for businesses worldwide. It's crucial to keep sensitive information from falling into the wrong hands, and there are several actions companies can take to protect their data.
The first step towards good data security is knowing what data you have and what your data policies are, as different data requires different treatment — for example, government data.
Companies then utilize data security measures such as encryption, firewalls, antivirus software and regular data backups to ensure high data security.
But what about when the time comes to replace or upgrade IT assets? Competitive businesses are constantly looking for new ways to generate efficiencies, which often comes hand-in-hand with upgrading their technology.
Applying a zero-risk strategy to data destruction is essential for achieving peace of mind for businesses looking to move on their IT assets. This is where IT asset disposition companies can lend a helping hand with a variety of data destruction options available, suitable for all storage media types within your business.
Data storage — Types of storage media
To select the most appropriate data destruction method, you must understand the type of data storage technology you have. Storage media refers to the various devices or components that are used to store digital data.
There are several types of storage media available, each with its own unique features and advantages. Here are some of the most common types of storage media, how they work and where they’re typically found in businesses.
Hard disk drives (HDDs)
HDDs are the most common type of storage media used in personal computers and laptops. They consist of spinning disks called platters which are coated with a magnetic material that stores data. The platters in a hard drive have an arm that contains magnetic heads and each platter is subdivided into multiple sectors.
These sectors are further divided into thousands of subdivisions, known as bits, which have the ability to store an electric charge. When the read/write head scans the sector, it detects the bits and their corresponding charges, which can then be interpreted using binary code (0s and 1s).
Today, HDDs can store anywhere from 250GB to 20TB of data and are a primary storage device for digital data within businesses. They’re commonly found in desktop computers, laptops, servers and data centers, and are regularly used as a backup storage solution to prevent data loss in case of system failure or other disasters.
Solid state drives (SSDs)
SSDs are similar to HDDs but use flash memory to store data instead of spinning disks. When data is written to an SSD, it’s stored in blocks of NAND-based flash memory. These blocks are organized into pages, which can be read from or written to individually. To write data to a page, the SSD controller must first erase the entire block.
Solid State Drives (SSDs) have become increasingly popular in recent years due to their faster read and write speeds. As they don’t have any moving parts, this makes them more durable and less susceptible to damage. SSD capacities range from as little as 128 gigabytes (GB) to as much as 4 terabytes (TB) or more, and they’re commonly found in laptops, desktop computers and servers.
In addition to their use as a primary storage device, SSDs can also be used as a cache for frequently accessed data, or in combination with HDDs in a hybrid storage solution. SSDs are also used in gaming systems to improve load times and overall performance.
Hybrid drives
Hybrid drives are a type of storage media that combines the features of a traditional hard disk drive (HDD) and a solid state drive (SSD). In a hybrid drive, the SSD component acts as a cache for the HDD component.
This means that frequently accessed data is stored on the SSD for quick access, while less frequently accessed data is stored on the HDD for long-term storage. The result is a storage solution that offers fast boot times and application loading, while still providing plenty of storage space for large files such as photos and videos.
Hybrid drives are often used in laptops and desktops where a balance of performance and capacity is desired.
Optical discs
These include CDs, DVDs, and Blu-ray discs. They are popular for storing music, movies and software programs, but their storage capacity is limited compared to HDDs and SSDs. Optical disks are made up of a circular, flat disc made of plastic or glass, which is coated with a reflective layer that reflects the laser light.
The disc is divided into tracks and sectors, which allow the laser to read and write data in a specific pattern. The laser beam creates pits and lands on the reflective layer of the disc which represents the 0s and 1s of data in binary code.
Optical media is commonly used to back up critical data, such as financial information, customer records and employee files. It’s also used for archiving older data that must be kept for regulatory compliance or other reasons.
In data centers, optical media is used in a similar way, but on a larger scale. Data centers store vast amounts of information and optical media is an efficient and cost-effective way to back up and archive this data. Optical media is also used for distributing software and firmware updates to servers and other equipment in the data center.
USB flash drives
These are small, portable storage devices that can be connected to a computer’s USB port. Data is stored on the USB flash drive using electrical charges.
When you save a file to the USB flash drive, the data is converted into electrical charges and stored in the memory cells. The memory is divided into small blocks, each of which can be individually erased and rewritten.
Most USB flash drives have a storage capacity of several gigabytes, making them a convenient and portable way to store and transfer files between computers.
They’re also inexpensive and widely available, making them a popular choice for data storage. They can be hard to manage and keep track of in a business environment, given their small size and portability.
Memory cards
These are small, removable storage devices used in digital cameras, smartphones and other portable devices. They’re available in different sizes and formats, such as SD cards and microSD cards.
Memory cards work by using a series of memory cells made up of transistors and capacitors. These cells are arranged in a grid-like pattern on the memory card's circuit board. When data is written onto the memory card, a charge is sent to the specific cell that corresponds to the binary code for that particular piece of data.
Overall, memory cards provide a convenient and portable way to store and transfer data between different electronic devices. In businesses, memory cards are typically found in mobile phones, tablets and cameras.
A note on new types of storage media…
As technology advances, so does the need for better and more efficient storage media. With this in mind, there are several new storage types emerging.
These include helium, DNA, holographic and quantum storage. While much of this new technology is in its early stages, it has the potential to become a viable option for long-term data storage. As such, it’s important to understand the technology and how to securely eradicate data when that is required.
Maintaining data security during IT asset disposition (ITAD)
The proper disposition of IT assets is critical to maintaining data security. IT assets such as laptops, servers and hard drives can store vast amounts of sensitive data on the various storage media types, and the improper disposition of said assets can lead to ramifications, including data breaches, data theft and reputation damage.
ITAD companies facilitate the secure destruction of sensitive information, handling assets in a way that complies with industry standards and regulations, reducing the risk of security threats.
It’s critical for ITAD companies to have a chain of custody in place when it comes to data destruction. This documented process tracks the possession, handling and transfer of assets - including storage devices - from collection to disposition.
Not only does this mitigate risk, protect sensitive information and maintain compliance, but it also ensures transparency and accountability in data handling throughout the entire process.
Initially, there’s a decision to be made on whether to clear your data on- or off-site. This all depends on the types of data and storage media you have, along with the data’s location and volume.
There are several methods available to businesses looking to erase data and achieve complete peace of mind over their information. TES offers several on- and off-site data destruction methods to facilitate safe data erasure.
On-site degaussing
Degaussing is a process that erases data from storage devices by exposing them to a magnetic field. Degaussing, sometimes known as purging, works by creating a powerful magnetic field that is stronger than the magnetic field used to write data to the disk.
When the disk is exposed to this field, the magnetic particles on the disk become disordered and lose their alignment, effectively erasing any data stored on the disk.
It’s important to note that degaussing is a destructive process that permanently erases all data on the disk.
TES' on-site process begins with an engineer delivering degaussing equipment to your site, which applies an electromagnetic pulse of 9,000 Oersteds, almost twice the coercivity level in today's disk drives.
This erases all information on the storage device and renders the hard drive inoperable, meaning it can never be reused. It's important to note this method is only usable on magnetic drives – HDDs.
On-site puncturing
Puncturing requires machinery that punches multiple pins in the storage device to render the data unreadable and unrecoverable. This method is effective, but not suitable for all types of storage media.
For example, puncturing holes in solid state drives (SSDs) may not be effective because these devices use a different type of memory than traditional hard drives.
In addition, some types of storage media may be too thick to be effectively destroyed by punching holes. In these cases, it may be necessary to use other methods such as shredding to ensure that data is completely destroyed.
On-site shredding
Shredding differs from puncturing and degaussing because it’s an effective data destruction method for various storage including HDD, SSD and hybrid drives, USB drives, SIM cards, SD and MicroSD cards, and spindle drives.
Hard drive shredding is the process of destroying a hard drive or other storage media by physically breaking it into small pieces.
This is done to ensure that the data on the media is completely destroyed and cannot be recovered. Shredding usually involves using a powerful shredder that’s specifically designed to destroy hard drives.
The shredder uses sharp blades and sieves to grind and cut the equipment into small pieces, typically no larger than a few millimeters in size. This destroys the platters, the read/write heads and other components of the hard drive or other storage media.
Hard drive shredding is particularly suitable for large volumes of drives requiring urgent data destruction.
Memory devices can be shredded per your company's security policies before being certified as destroyed. Waste is then removed and goes through a recycling process.
Whichever data destruction method is applied, maintaining ITAD data security compliance is essential and can be achieved by following industry standards closely.
Off-site data erasure
Off-site data erasure involves erasing data from storage devices at a secure location separate from your premises.
Specialized software is often used to perform data erasure by overwriting existing data in binary format with random characters, making it unrecoverable.
There are several types of storage media that can be overwritten using software. Some of the most common types include hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives and memory cards.
When it comes to overwriting storage media, it's important to note that the process can vary depending on the specific type of media. For example, with HDDs and SSDs, the software used to overwrite the media will typically need to perform multiple passes in order to ensure all of the original data has been completely erased.
This is known as a ‘secure erase’ and is often used when sensitive information needs to be completely removed from a drive.
On the other hand, with USB flash drives and memory cards, overwriting the media can be a bit simpler. In many cases, simply formatting the drive using the built-in formatting tool in your operating system can be enough to overwrite the data and make it unrecoverable.
Data erasure is a great option because it allows the storage media to be reused, allowing for improved value recovery and environmental outcomes.
With off-site erasure, transporting the assets must be considered. This is where secure reverse logistics comes into play, which refers to transporting the storage devices that need data erasure in a safe and controlled manner.
Secure reverse logistics means the assets aren’t tampered with or exposed during transit, a vital step in assuring data security.
Off-site shredding
Off-site shredding mirrors the on-site method but occurs away from the client’s premises. The physical destruction method sees storage devices mechanically shredded into small pieces, making data recovery impossible.
Once again, secure reverse logistics is a necessary step in this process to prevent unauthorized access or data exposure during transit — even with assets slated for shredding.
Data destruction certification
Regardless of the method of data erasure chosen, certification of data destruction should be provided as standard. A certificate of data destruction is a document that verifies that confidential information stored on a device has been securely and permanently erased.
This document serves as proof that sensitive data has been destroyed in a manner that meets legal and industry standards.
It’s important for businesses and organizations that handle sensitive data to obtain a certificate of data destruction to protect themselves from the risk of data breaches and legal liabilities.
The certificate typically includes details such as the date and time of destruction, the method used to erase the data and the serial number or other identifying information of the device. The certificate is usually issued by a reputable data destruction service provider or an IT asset disposition company.
Process for failed drives
Failed drives are storage devices that can’t be successfully erased or shredded due to operational or physical issues. Handling these drives is an aspect of ITAD that involves careful management.
These drives are identified during the initial evaluation process and are often unsuitable for standard data destruction methods. ITAD companies can employ specialized procedures, such as crushing or disassembly, to ensure data irreversibility.
Managing these failed drives is key in preventing the exposure of sensitive data in circumstances where standard data erasure methods might not be available.
Standards and regulations for ITAD data security compliance
ITAD companies must meet specific standards and regulations to ensure secure data destruction. These regulations protect businesses and individuals from improper IT asset disposition risks.
A critical standard for ITAD companies is the National Institute of Standards and Technology (NIST) Special Publication 800-88. The NIST 800-88 standard provides guidelines for secure data destruction and covers the types of media that can be destroyed and the methods that can be applied. NIST 800-88 is now widely adopted and recognized by governments and corporations as the best-in-class method for ensuring effective media sanitization.
For a more detailed breakdown of the NIST 800-88 standard and the different methods available within the regulations, visit our blog post here.
The importance of ITAD data security compliance
The most vital aspect of compliance is assuring businesses that their data has been destroyed safely and securely. These regulations are carefully designed for ITAD companies to follow, exponentially reducing the risk of data breaches and cyber threats. Failing to comply with these regulations can lead to legal and financial consequences, alongside reputational damage.
For businesses, choosing an ITAD company that complies with these standards is crucial for protecting sensitive information. Some companies — like TES — achieve a data overwrite standard that exceeds NIST 800-88 regulations, giving you extra peace of mind over your data.
Want to learn more about NIST 800-88 and read about our recommended media sanitization process?
Download our in-depth guide to learn about erasing end-of-life data from storage devices and how we help organizations like yours, no matter where your assets are located.