The world of data security is a dangerous place.
Millions of hackers and scammers are just waiting to get their hands on the data you work so hard to protect. The lines between good and evil are blurring as employees leverage their access to breach data they should protect instead.
In this world where no one seems to be exactly who they say they are, you must always prepare for an adventure! The importance of data security can't be overstated for businesses of any size.
Permanent data erasure has become more and more relevant in recent years. There are many ways to secure data. However, some data security tools used today don’t permanently eliminate all traces of information on storage devices.
Data erasure tools, also known as data destruction software, permanently obliterate sensitive material from storage devices and are typically used by government agencies, law firms, and private companies with sensitive or confidential data.
What is data erasure?
Data erasure, also known as data clearing or data wiping, is a software-based technique for effectively overwriting electronically stored data with random binary information as per a given standard. This is a necessary part of any secure hardware disposal or decommissioning process.
Data erasure is a technical and time-specific task that in-house IT security teams perform to achieve data sanitization. Compared to other commonly used data sanitization techniques, data erasure gives unauthorized individuals a minimal chance of gaining access to sensitive company data.
Data compliance laws and regulations have become more stringent, with new punitive fines and policies introduced over the past few years. This, driven by the frequency of cyberattacks, increasing exposure to criminal threats, and increased scrutiny for regulatory compliance, has made it inevitable for businesses to secure their data more seriously.
Data erasure is the preferred method of data sanitization. It can be performed in both active and inactive environments to meet the needs of different technologies and usage scenarios over time.
Before decommissioning or donating, businesses should sanitize data on servers, PCs, hard drives, and mobile devices. Destroying removable devices before they’re lost or stolen is essential.
Why is data erasure important?
Data breaches are common, and hackers always look for new ways to steal personally identifiable information (PII), intellectual property, and trade secrets. The rising retention of sensitive data, accelerated technological advances, and the limited lifespan of IT assets have driven the need for permanent data erasure of electronic equipment when they are retired or reconditioned.
Several laws have been enacted in different industries in recent years, guiding organizations on data protection and erasure to ensure regulatory compliance.
Data erasure is not a new technology, but it’s becoming popular because of data protection, privacy, and information security risks. In the face of unprecedented data leakage scandals and cyber-attacks, including ransomware attacks, government agencies and organizations need to enforce updated protection strategies for sensitive data management.
True erasure helps defend against data breaches, comply with many data security regulations, use resources optimally, and implement green practices while managing a complex portfolio of IT assets.
Erasing data offers enterprises tamper-proof erasure certifications to ascertain compliance with expanding data protection standards requiring data minimization, right to erasure, or right to deletion.
It also allows companies to move from less eco-friendly data and equipment disposal techniques to more sustainable circular business models. With data erasure, businesses can resell or repurpose devices without fear of exposing sensitive data, resulting in a considerable reduction in electronic waste.
What data erasure is not
Many people mistakenly believe that data erasure and various incomplete data sanitization approaches are identical. These inadequate data sanitization techniques aren’t proven to render data unrecoverable on suitable storage devices. They also don’t provide the required verification and certification stages for data sanitization.
Here’s a list of partial data sanitization methods:
- Data deletion
- Reformatting
- Factory reset
- File shredding
Want to learn more about Data Destruction Software? Explore Data Destruction products.
Characteristics of data erasure
Unlike traditional data destruction techniques, which can damage the storage media, data erasure is software-based. It can apply to both physical and virtual devices in an isolated or unattended environment.
Erasing data on a digital storage device means that all device sectors are verifiably replaced with zeros and ones. While the device's functionality is preserved, all data is irrevocably unrecoverable.
- Erasing data on a digital storage device implies that all sectors are verifiably rewritten with zeros and ones. This permanently destroys the data while the device continues to work.
- In targeted sanitization, a specified file, folder, or location, such as a logical unit number (LUN), is verifiably rewritten. At the same time, non-targeted regions remain intact and functional.
Secure data erasure gives you peace of mind that confidential data has been removed beyond recovery and access.
Data erasure software
Data erasure software overwrites information on all sectors of a storage device, such as hard disk drives (HDDs), with a string of useless pseudo-random data. A good erasure tool verifies purged data to confirm permanent data destruction.
Data erasure software can also remotely destroy sensitive data if an incorrect password is used to sign in. This technique is common in mobile devices to prevent theft and safeguard personal data in the event of device theft.
To achieve complete data erasure, a software solution must:
- Allow the selection of particular standards based on your industry's and company's demands.
- Confirm if the overwriting process effectively removed data from the entire device or target data.
- Generate a tamper-proof certificate, including details confirming that the erasure was successful and written on all parts of the device, along with other information about the device and the standard employed.
What is the difference between data deletion and data erasure?
Data deletion and erasure both remove data, but they’re radically different, from their goals and techniques to the end results.
Data deletion
An operating system (OS) uses a file system, which is essentially a table structure, to keep records of all the logical storage units or clusters on the hard drive and how these clusters store and retrieve data. File Allocation Table (FAT) and New Technology File System (NTFS) drives in Windows, as well as Apple File System (APFS) volumes in macOS, are some well-known file systems to store and retrieve information.
The file allocation table maintains the addresses of the data stored on the clusters, commonly called pointers (or Nodes in macOS). The OS removes the file's pointers during data deletion and designates the associated cluster in FAT or the master file table (MFT) as 'available' for new files or data storage.
Data deletion doesn’t erase the file or its contents but merely the pointer (the file's location), making it invisible and unavailable for regular use. However, the erased file still exists on the storage medium. Users can quickly recover it with data recovery software.
Data erasure
Data erasure overwrites existing data on a storage device with binary patterns such as '1s' and '0s' or meaningless pseudo-random patterns to erase or sanitize it. This deletes or sanitizes the data to render it completely useless. Simply put, when data is deleted or replaced with binary patterns, it becomes unintelligible.
The overwriting techniques to erase data on storage devices vary in terms of the patterns and passes employed and how the outcome of a specific overwriting method is checked on a drive. For example, the DoD 5220.22-M technique uses three passes of 0s, 1s, and random characters for complete data destruction with an erasure report.
Here’s a quick summary of the differences between data deletion and data erasure.
| Data deletion | Data erasure |
| Deletes the address of the file from the MFT | Destroys data by overwriting it with ones and zeros |
| Deleted data can be recovered using a data recovery tool | Erased data can’t be recovered by any technique |
Data erasure methods
According to the National Institute of Standards and Technology (NIST), data erasure can be done in the following ways:
- Overwriting: Obsolete or discarded data is overwritten with non-sensitive data (0's and 1's) using data erasure software.
- Block erase: A data erasure tool targets logical block addresses on the storage device, including those not currently mapped to active addresses, to wipe all data on the device.
- Cryptographic erase: This data erasing technique is used for devices with built-in data encryption characteristics, such as Self-Encrypting Drives (SEDs). A successful data erasure platform can destroy the key needed to decode the data on SEDs, rendering it unrecoverable.
Data erasure standards
Various data erasure strategies worldwide fully erase confidential, sensitive, and privileged information from different storage devices. Some of these erasure algorithms are created by the world's most renowned military agencies, such as the United States Department of Defense, governments, and commercial businesses.
These methods ensure that the secret and private files do not leak or get into the hands of an unauthorized entity or enemy and cannot be retrieved using any commonly available technique. Below are the most effective data erasure standards to erase data and solidify privacy and data security.
1. The United States Department of Defense (DoD 5220.22-M)
The Defense Security Service (DSS) created DoD 5220.22-M for safe data sanitization. It is also one of the most advanced, secure, and widely used erasure standards for data sanitization. It's implemented in three and seven passes with variable verification frequencies.
Other prominent versions of the standard are:
- DoD 5220.22-M (ECE): Overwrites data 7 times (7 passes)
- DoD 5220.22-M (E): Overwrites data 3 times (3 passes)
- DoD 5220.28-M (STD): Overwrites data 7 times (7 passes)
The difference is that each employs a different character and its complement in various verification intervals and number of passes.
2. US Army AR 380-19
The US Army AR 380-19 data erasure approach is defined and published by the US Army in Army Regulation 380-19. This data erasure technique eliminates the data in three passes.
- Pass 1: It generates a random character
- Pass 2: Writes a specific character over the data (for example, 1)
- Pass 3: Overwrites the complement of the provided character (which is zero) and then verifies the overwrite process
3. US Air Force AFSSI-5020
The United States Air Force (USAF) defined the AFSSI-5020 in Air Force System Security Instruction 5020. This data erasure technique uses zeros, ones, and pseudo-random values but in a different sequence and number of passes. It's very similar to DoD 5220.22-M.
- Pass 1: Overwrites zero on the dataset
- Pass 2: Overwrites one on the dataset
- Pass 3: Overwrites a pseudo-random number and then validates the overwritten data
4. Canadian RCMP TSSIT OPS-II
The Royal Canadian Mounted Police (RCMP) developed the TSSIT OPS-II data erasure method. It employs six passes of complementary repeat values before overwriting a pseudo-random character with validation in the seventh iteration.
- Pass 1: Overwrites a set value on the data (such as zero)
- Pass 2: Overwrites the complement of Pass 1 (in this case, one)
- Pass 3: Overwrites the complement of Pass 2 (zero)
- Pass 4: Overwrites the complement of Pass 3 (one)
- Pass 5: Overwrites the complement of Pass 4 (zero)
- Pass 6: Overwrites the complement of Pass 5 (one)
- Pass 7: Overwrites a pseudo-random value and validates the data erasure process
Unlike DoD 5220.22-M, which validates the overwrite after each overwriting step, this technique simply verifies the overwrite in the seventh iteration.
5. British HMG IS5
The British HMG IS5 erasure protocol employs two or three passes to write a mix of zero, one, and random data with verification. The British HMG IS5 3 pass method is far superior to the 2-passes method.
6. Peter Gutmann
Peter Gutmann invented the Gutmann data sanitization method in 1996. It is one of several software-based data sanitization standards in data erasure tools to overwrite existing data on hard disks and other storage devices. The algorithm works by overwriting some pseudo-random data 35 times (35 passes).
The critical point to remember here is that the Gutmann method employs random values for the first and final four passes and then uses a sophisticated algorithm from pass 5 to pass 31.
7. Russian standard (GOST-R-50739-95)
GOST-R-50739-95 is a set of Russian data erasure rules designed to prevent unwanted access to data. Below are some examples of this data sanitization algorithm.
- Method 1: Overwrites zero on the first pass and replaces random characters with the same characters from the first pass
- Method 2: Overwrites random characters with the first pass
Benefits of data erasure
The most popular media sanitization techniques include data erasure solutions or IT Asset Disposition Vendors (ITADS) for data destruction. The ITAD approach is more popular for several reasons.
For example, hardware asset disposal necessitates infrastructure and capacity, can also provide additional sanitization options and is an established line of business for handling old or end-of-life assets.
Some benefits of data erasure are:
- Data erasure allows businesses to cleanse their storage media on-premises. This is a strong argument for enforcing data security standards for regulatory compliance within a workplace. Data erasure often complements traditional data destruction methods such as shredding and degaussing. Regardless of the physical state and circumstances in the chain of custody, software-based data erasure offers fail-safe data protection.
- Modern data erasure software successfully sanitizes media while adhering to global erasure standards. This helps companies meet data security and privacy standards such as SOX, GLB, HIPAA, ISO27001, EU-GDPR, and PCI-DSS. Furthermore, data erasure software creates tamper-proof automatic erasure reports and certifications that serve as trustworthy audit trails for compliance needs.
- Data erasure enables device recycling, re-allocation, or redistribution. It increases efficiency and lowers expenses.
Challenges of data erasure
Data erasure may not be effective on flash-based media such as solid-state drives (SSDs) and USB flash drives. These devices may contain residue data unavailable to the erasure algorithm, and data can be recovered from the particular flash memory chips in the device.
Data erasure via overwriting is only effective for working hard drives that write on all sectors. In most cases, the software cannot overwrite faulty sectors, but it may contain recoverable data.
However, damaged sectors may be undetectable to the host system and, therefore, the erasing application. This problem can be avoided by encrypting the device before use. Malicious malware can potentially affect software-driven data erasure.
Data erasure is a more time-consuming process than other forms of data sanitization. Also, data erasure requires businesses to create policies and practices for all data storage devices.
Don't take chances. Overwrite that data!
The demands for information privacy, including data retention and erasure, have become a concern for organizations as privacy regulations have become more stringent. While data protection is crucial, erasing data after use is an essential component of the data usage lifecycle.
Not satisfied with just data erasure? Learn how different data sanitization methods can help destroy data permanently.
Keerthi Rangan
Keerthi Rangan is an SEO specialist and a former content marketing specialist at G2 focused on the IT management software market. Her content helps organizations understand the different IT concepts and corresponding software available to transform their businesses, data, and people. Keerthi leverages her background in Python development to build subject matter expertise in the software and IT management space. Her coverage areas include: network automation, software-defined networking (SDN), blockchain, databases, asset management, disaster recovery, intent-based networks, infrastructure as code (IaC), SaaS, and more.
