The Shifting Sands of Data End-Of-Life Destruction

October 7, 2019 at 1:09 pm by Paul Falcone

Ever-increasing data volume is driving change in technology and associated compliance regulations

In this age of Big Data, consumers and organizations alike demand the ability to harvest, create, store, and analyze more data without compromising operation speed. The need for higher-capacity hard drives and optimal transference of data often eclipses what is currently available on the market. However, things will change soon with the planned introduction of innovative data-writing technologies that will serve to “cram” more data on a disk (i.e., write more data on less surface), thereby increasing data density to yield larger-capacity hard drives.

At the same time, mandated compliance regulations concerning data security are constantly evolving to keep pace with the ever-changing landscape of more complex technology and heightened criminal sophistication. The National Security Administration (NSA), Central Security Service (CSS), National Institute of Standards and Technology (NIST), and Information Security Oversight Office (ISOO) work to keep federal standards of data storage and destruction ahead of cybercriminals, who continue to discover new ways of breaching data security walls. Likewise, numerous regulations are also in place for commercial organizations.

Organizations working with data pertaining to classified information, controlled unclassified information (CUI), information for official use only (FOUO), sensitive but unclassified information (SBU), personal health information (PHI), or personally identifiable information (PII) must be vigilant about following trends in data technology, data-security regulations, data crime, and data end-of-life destruction; otherwise, they risk exposure to a data breach.

Recent trends of note

Manufacturers of data storage technology are always trying to accommodate consumer demand, while simultaneously serving the high security needs of organizations and government agencies. Recently, consumer products such as video cameras and camcorders have become significantly more sophisticated, providing users with a more powerful and engaging experience—and storing more data than ever.

For example, a mere ten years ago it was rare to have the average consumer fill even a one-terabyte hard drive. Today, consumers are “chomping at the bit” for more and more memory-storage capacity within their machines, so they can rid themselves of external hard drives, thumb drives, and discs.

As mentioned, this development has prompted major hard drive manufacturers such as Seagate and Western Digital to develop new writing technologies that increase data density. In turn, this requires that more durable materials be used in hard drive construction. Essentially, since data will be “packaged” closer together within the hard drive, it’s critical that construction materials be highly stable and only modifiable during the writing process. These denser hard drives are commonly referred to as enterprise drives since they are typically found in enterprise environments. This will make destroying “average” hard drives analogous to destroying enterprise hard drives, which are engineered to withstand higher temperatures and 24/7 usage, and are constructed with heavy-duty components. As such, organizations will be forced to adapt and/or upgrade their data storage and data destruction capabilities. Currently, SEM is the only manufacturer to engineer devices specifically for enterprise drive destruction.

Given these developments, it’s not surprising that legislation regulating data destruction continues to get more stringent. The new standards for CUI established by the ISOO in Executive Order 13556 are a prime example. The directive delineates clear requirements for the destruction of CUI at the end of life. Specifically, all paper containing CUI must be destroyed by using either cross-cut shredders that produce particles no larger than 1mm x 5mm or by using a disintegrator equipped with a 2.4mm security screen. Any agency in the public or private sector that handles CUI, FOUO, PII, or SBU is subject to regulation under Executive Order 13556.

Likewise, the NSA and the CSS act jointly to keep the NSA/CSS Evaluated Products Lists for secure data destruction up to date with current standards for government classified data. Standards exist for all types of storage media, including solid state and hard disk drives, magnetic media, optical media, and paper. Recently, new standards for optical media were issued that require CDs to be destroyed to a maximum edge size of 5mm, and DVDs and Blu-ray Discs to be destroyed to a maximum edge size of 2mm. (Previously, requirements for DVDs were 5mm and Blu-ray Discs could only be incinerated.) As these standards change, previously compliant destruction devices may no longer be acceptable, forcing users to adapt.

As the industry innovates, so do the criminals

In recent years, the growth of massive data breaches has reached a level that has affected branches of government, some of the largest businesses in the United States, and even entire cities and municipalities. In response, the NSA/CSS and the ISOO continue to “raise the bar” on data destruction manufacturers to produce devices that can better prevent destroyed data from being reassembled and used maliciously.

All agencies and businesses that collect, house, and destroy classified, CUI, FOUO, PII, or SBU data must ensure that data is protected from the moment of collection until end of life, in accordance with the standards established by the appropriate agency. Any organization not in compliance leaves itself vulnerable to a catastrophic data breach that could put its employees, vendors, partners, and/or customers at risk.

In short, as data destruction security standards tighten, government agencies and private businesses must always ensure that the destruction devices they use are compliant.

When considering your organization’s data destruction process, it behooves you to plan for stricter regulations than currently required. By doing so, you will save on the associated costs of meeting new requirements as they are introduced. At SEM, we offer equipment that often exceeds the specified requirements for destruction, such as our Model 344 paper shredder and our line of enterprise class drive destroyers.