Dumpster-diving for e-data

For data whose loss would be catastrophic, the ultimate step is to physically destroy the drive, including the magnetic platters that hold the data.  NextPhase can reduce hard drive platters to fragments of a quarter inch or less. That's the minimum size, says Adam, from which a really determined expert could still retrieve data. "We call it disintegrating, as opposed to shredding," he says. "It comes out looking like cereal." The cost of such destruction: $4 to $15, depending on whether the customer wants NextPhase to record the serial number of the drive and document its destruction. The company can also destroy PDAs and personal communicators such as BlackBerries.

When it comes to USB or flash drives, filling the device with junk data and deleting it is enough to stop a casual hacker, says Kocher, but a more sophisticated adversary might be able to find data in a memory sector that is marked as bad or that is stored as part of the error-correction code in the device. Physical destruction may not be the ultimate answer for discarded flash drives, he says, because the chip within the drive that holds the data is quite small and might escape even a thorough shredding.

Before disposing of server hard drives that held sensitive information, Fuhler uses a commercial product to erase data from them. Before disposing of the RAID arrays, he "scrambles" the physical location of the hard drives that make any surviving partition tables useless. He then reformats the RAID array and reinstalls the operating system to prepare it for the next agency within state government that will use the array.

The human factor

Whatever you do to prevent Dumpster-diving, any security policy that gets in the way of users doing their jobs simply won't work, says Richard Stone, vice president of marketing at Credant Technologies, a mobile data protection software vendor in Addison, Texas. "A security process that says 'don't plug in USB drives' is not realistic," he says. A realistic policy, he argues, is one that allows users only to attach USB drives to devices that are protected by control software such as Credant's.

Finally, says Kocher, "the most important thing isn't even technology." Rather, he says, "it's making sure you hire people you trust and you educate them properly." He points out that 40 percent of security breaches are caused by current or former employees rather than outside hackers. And if malicious employees have access to sensitive data, he says, "there's not really any technical solution you can rely on to ensure nothing bad ever happens."

In other words, no matter how finely you shred your old hard drives, he says, "if you have a culture where employees are unhappy, that is a security threat."