The Shifting Sands of Data End-of-Life Destruction

In this age of Big Data, consumers and organizations alike demand the ability to harvest, create, store and analyze more data without compromising operation speed. The need for higher-capacity hard drives and optimal data transfer often eclipses what is currently available on the market. However, things changed with the planned introduction of innovative data-writing technologies that serve to ‘cram’ more data on a disk (i.e. write more data on less surface), thereby increasing data density to yield larger-capacity hard drives.

At the same time, mandated compliance regulations concerning data security are constantly evolving to keep pace with the ever-changing landscape of more complex technology and heightened criminal sophistication. The National Security Administration (NSA), Central Security Service (CSS), National Institute of Standards and Technology (NIST), and Information Security Oversight Office (ISOO) work to keep federal standards of data storage and destruction ahead of cyber-criminals, who continue to discover new ways of breaching data security walls. Likewise, numerous regulations are also in place for commercial organizations.

Organizations working with data pertaining to classified information, controlled unclassified information (CUI), information for official use only (FOUO), sensitive but unclassified information (SBU), personal health information (PHI), or personally identifiable information (PII) must be vigilant about following trends in data technology, data security regulations, data crime, and data end-of-life destruction; otherwise, they risk exposure to a data breach.

Recent Trends of Note

Manufacturers of data storage technology are always trying to accommodate consumer demand while simultaneously serving the high security needs of organizations and government agencies. Recently, consumer products such as video cameras and camcorders have become significantly more sophisticated, providing users with a more powerful and engaging experience – and storing more data than ever.

For example, a mere 10 years ago it was rare to have the average consumer fill even a one-terabyte hard drive. Today, consumers are chomping at the bit for more and more memory-storage capacity within their machines, so they can rid themselves of external hard drives, thumb drives and discs.

As mentioned, this development has prompted major hard drive manufacturers such as Seagate and Western Digital to develop new writing technologies that increase data density. In turn, this requires that more durable materials be used in hard drive construction. These denser hard drives are commonly referred to as enterprise drives since they are typically found in enterprise environments. This makes destroying ‘average’ hard drives analogous to destroying enterprise hard drives, which are engineered to withstand higher temperatures and 24/7 usage. As such, organizations are forced to adapt and/or upgrade their data storage and data destruction capabilities. Currently, SEM is the only manufacturer to engineer devices specifically for enterprise drive destruction.

Given these developments, it’s not surprising that legislation regulating data destruction continues to get more stringent. The standards for CUI established by the ISOO in Executive Order 13556 are a prime example. The directive delineates clear requirements for the destruction of CUI at end-of-life. Specifically, all paper containing CUI must be destroyed using either cross-cut shredders that produce particles no larger than 1 mm x 5 mm or a disintegrator equipped with a 2.4 mm security screen. Any Executive agency that handles CUI (which includes FOUO, PII, and SBU) is subject to regulation under Executive Order 13556.

Likewise, the NSA and the CSS act jointly to keep the NSA/CSS Evaluated Products Lists for secure data destruction up to date with current standards for government classified data. Standards exist for all types of storage media, including solid state and hard disk drives, magnetic media, optical media, and paper. As these standards change, previously compliant destruction devices may no longer be acceptable, forcing users to adapt.

As the Industry Innovates, So Do the Criminals

In recent years, the growth of massive data breaches has reached a level that has affected branches of government, some of the largest businesses in the United States and even entire cities and municipalities. In response, the NSA/CSS and the ISOO continue to raise the bar on data destruction manufacturers to produce devices that can better prevent destroyed data from being reassembled and used maliciously. Any organization not in compliance leaves itself vulnerable to a catastrophic data breach that could put its employees, vendors, partners and/or customers at risk.

As data destruction security standards tighten, government agencies and private businesses must always ensure that the destruction devices they use are compliant. When considering your organization’s data destruction process, it behooves you to plan for stricter regulations than currently required. By doing so, you will save on the associated costs of meeting new requirements as they are introduced.
