Thursday, 10 May 2007

securely wiping disks

Recently there was some conversation on one of the lists I subscribe to about the best way to wipe disks. The biggest gripe was the amount of time it took. It's not really about time, it's about data security. Here's my two cents on the subject:

Wiping disks takes time. Disks can also contain potentially valuable information. Deciding how to wipe and what to wipe is a value judgement.

For most purposes something like DBAN will give you a wipe to a standard that will satisfy most auditors (it conforms to standards, standards are good, auditors have to cover their backsides too), and it has the added security of making sure that that credit card number in a cached really has gone. Important, as you never know where your disks end up. One time in Morrocco I saw a whole pile of second user disks (some still with vendor stickers on them suggesting they came from a large facility manager) on a market stall.

Occasionally, you (or your masters) want to be really certain the data is gone. I once worked on a project where we engaged a company to dispose of our hardware securely. This involved breaking down machines, zeroing any static ram and having the disks cut in half by a very large man with an even larger angle grinder. You then accompanied said man to a very hot furnace where you watched him put the bits of disk in the furnace and shut the door. That _was_ data disposal.

Wiping disks is about managing risk, not time

No comments: