Ask Slashdot: Data Remanence Solutions?

MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"

DBAN

[jd142]

DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.

If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.

Re:Zero-fill?

[ajlitt]

You mean like this? Maybe you should read the articles you cite before you use them to correct someone else.

Re:Easy Peasy

[rjstott]

Totally agree, if the contract is renewed the destruction can't be necessary until termination of the extension UNLESS this is not a renewal but a NEW contract. THEN you need to ask for a WAIVER

Re:Why not digital destruction?

[mlts]

I like combining DBAN with HDDErase.

HDDErase will do an ATA low-level secure erase that tells the controller to zero out all sectors. Even though that are on the relocated table which would be inaccessible via normal software solutions.

After HDDErase does its job (which it does in a pretty quick amount of time since there is no I/O involved, but just the write head laying down zeros), running DBAN on the drive adds further insurance. Realistically, this will remove all data.

Of course, prevention is a good idea as well. This is why I have some type of FDE software on my drives. This way, a simple zeroing out of the drive will be enough. In fact, the format command in Windows will check to see if a disk is BitLocker protected and zero out the places where the volume key resides, so even if someone knew the password to the drive, it will do them no good.

Re:Why not digital destruction?

There is software out there (like D-BAN) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

Some classifications of data require destruction of media. See NIST SP 800-88:

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

In NIST/DoD parlance, what DBAN is cleaning/purging; i.e., either overwrite, or invoke the SATA Secure Erase command. Degaussing is also classified as purging (though the disk becomes unusable AFAIK); degaussing is better suited towards tapes IMHO.

You also need to Validate that it has been done, and document that fact for each drive that has been sanitised.

The OP will have to ask the contract manager at what level the information is considered at (low, medium, high) and then make plans accordingly. If it's high security, one can simply purge the media if you want to re-use the media with-in an organization, but if you ever want to toss the disk (or even if it's in a RAID array and you need to replace because it died), you need to destroy it and record that fact.

So if your EMC/NetApp/Dell array has sensitive information, you can't send it back to the OEM if sensitive data ever touched it: you have to make arrangements with the OEM so that you can destroy it. Ditto for your laptop/desktop drives: if Lenovo/HP want/s the drive back, they can't have it as otherwise you'll be breaking your contract with the government.

Re:Why not digital destruction?

Yea, you're remembering that contest how you want to remember it. The prize was a pittance, and the "company" offering it was a handful of people. There were also ridiculous restrictions, such as not damaging the single physical drive the whole challenge was based around. And several data companies said they likely could recover some data, just not necessarily the specific file that that the challenge was based around (as a general rule, you can't target a file, you get whatever it is you get). But the process involves ripping the drives to pieces and costs significantly more than the challenge was worth. And since the challenge was issued by a handful of guys rather than an actual, large company, very little publicity would have been generated, so it wasn't worth it to anyone.

Now, even if that story happened exactly as you remember it, it's still irrelevant. The point isn't that that it's currently possible, it's that it's theoretically possible and thus may be trivial in the near or distant future. For certain kinds of data, that is a world of difference.

It's not up to us, or the submitter

[DragonHawk]

It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.

Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:

Since Oct 2007, when ISL 2007-01 (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.

Degaussing has to be done using a deguasser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)

Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the curie point. You can't just toss it in any old shredder.

You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.

Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.

Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 is one; it allows for sanitization by overwrite, IIRC.