What’s behind the global shift to data erasure?

Authorities worldwide, from Singapore’s Government Technology Agency to a security-critical public agency in India, have shifted to erasing data with software to ensure their data management is watertight. Here’s what you need to know about why and how.

Physical methods of destroying hard drives may still leave data vulnerable to recovery efforts by forensics experts. Image: Envato Elements

Early this year, a well-known US investment bank agreed to pay US$60 million to settle a lawsuit over a personal data breach. Customers had argued that older servers that still contained customer data disappeared when the bank transferred them to an external vendor. The plaintiffs also accused the bank of failing to remove customer data before reselling two data centres to third parties.

Data leaks can come from anywhere, from poorly secured databases to hardware that is retired improperly. Yet the final step – disposing of data in a secure, verifiable manner – may be the most overlooked. But as the case above demonstrates, organisations need to pay as much attention to the data removal process as they do to maintaining high cybersecurity standards.

As governments accrue citizen data to provide more digital services, it is critical that every step of the data management process is accounted for to ensure that citizen data remains protected.

Strict security standards

Gone are the days when best practice was to wipe the contents of a hard drive with a magnetic pulse (degaussing) or physically destroy it using methods such as drilling or burning. Fredrik Forslund, Blancco’s Vice President & General Manager International, earlier told GovInsider that although such physical methods may be more reassuring, they come laden with risks.

Degaussing has no effect on newer technology such as solid-state drives and certain types of hard disk drives. Physical destruction, such as by shredding, can also be risky, as many industrial shredders produce fragments much larger than the recommended width of 2mm, which can leave data vulnerable to recovery efforts.

NIST Special Publication 800-88 r1 is a US government document that lays out how an agency may securely sanitise data from storage media so all data is irretrievable. It includes the option of using software-based data erasure to combat keyboard-level data recovery attempts as well as laboratory-level recovery attempts that use advanced forensic techniques.

Agencies such as Singapore’s Government Technology Agency, which is responsible for the delivery of the government’s digital services, are increasingly including software erasure as a method to destroy data.

According to a Blancco press release, the company’s software will be used on up to 100,000 computers available to Singapore’s government agencies between 2022 and 2024. The PCs and laptops will come equipped with data erasure software, and providers will make site visits to erase outgoing hardware when devices reach end of life. Blancco’s erasure software will also generate tamper-proof, digitally signed certificates of erasure that can verify all data has been removed.

The certificates can also be hosted on a dedicated regional or local server, rather than on Blancco’s cloud storage space, says Masayuki Morita, Vice President of APAC at Blancco Technology Group. This is in line with the increasing switch to storing sensitive data within geographical jurisdictions, rather than on distributed cloud platforms, that governments around the world are making.

Green goals

One benefit that comes with the shift to data erasure is that agencies can extend the life of their media storage devices – when data has been thoroughly erased, hardware can be reused. This can contribute to circular-economy goals and help agencies save money.

A Blancco survey of 596 public sector respondents globally found that organisations annually dispose of roughly one solid-state drive for every three employees, refreshing technology every three to four years, even while devices are still functional. This not only contributes to the growing problem of e-waste, but also leads to higher carbon emissions as manufacturers have to produce more hardware to replace outgoing technology. The manufacturing phase contributes to the largest percentage of carbon emissions, Morita says.

According to Morita, Blancco will soon be rolling out a sustainability dashboard that can track the potential carbon savings when agencies choose to extend the lifespan of their storage devices rather than refreshing technology with new devices.

Once data is securely erased, agencies can either choose to reuse devices in-house, resell the devices, return leased devices, or donate the devices to charities. In Australia, Blancco is working with ICT service provider Ethan Indigenous to securely erase used government and enterprise laptops to enable indigenous young people to transition to economic independence through education and skills training for IT industry work. Blancco is also working with the non-profit Dariu Foundation in Vietnam to provide 70 rural schools and 2,000 disadvantaged children with free rentals of used desktops and laptops donated by businesses.

Streamlined data management

Finally, the shift to data erasure is also streamlining the process of managing data security for government employees. When agencies rely on physically destroying media storage devices, it can lead to inefficiencies. As devices move from hand to hand – from agency to external vendor – the chances of data leaks increase. This is especially true when an agency is moving thousands of devices, as the destruction of each device needs to be accounted for.

With data erasure, providers can perform immediate onsite sanitisation. Then, the system can automatically generate an audit trail to verify that each and every device has been erased. For peace of mind, agencies can also send a sample of devices to a digital forensic lab to confirm that data is no longer retrievable.

This is what a security-critical government agency in India did when it was shifting to software-based data erasure. After a specialty data forensics provider applied rigorous techniques to test drives erased with Blancco Drive Eraser, it concluded that the data had been completely eradicated and could not practically be recovered. This allowed the agency to securely transition to a workflow that helped it to improve both financial and environmental sustainability.

Morita also says that Blancco provides an application that can be hosted on an IT management platform – such as ServiceNow – so that government employees can track the erasure process smoothly and have full visibility over it.

When you run a marathon, the easiest part to overlook is cool-down exercises – but they’re critical to relieving muscle soreness and bringing your body down to a state of rest. Secure data erasure is similarly vital: when government agencies incorporate the most up-to-date sanitisation processes into their policies and workflow, they can secure their data to the very end, improve their efficiency, and achieve their green goals.