A key part of any information security strategy is disposing of data once it's no longer needed. Failure to do so can lead to serious breaches of data-protection and privacy policies, compliance problems, and added costs.
When it comes to selecting ways to destroy data, organizations have a short menu. There are basically three options: overwriting, which covers up old data with new information; degaussing, which erases the magnetic field of the storage media; and physical destruction, which employs techniques such as disk shredding. Each of these techniques has benefits and drawbacks, experts say.
Some organizations use more than one method. For example, microprocessor maker Intel uses all three, "depending on what we're trying to do and for what purpose," says Malcolm Harkins, CISO and vice president of the IT group.
The data destruction market hasn't changed much in the past few years, says Ben Rothke, an information security professional with extensive experience in data destruction. "If there is any trend, it is that more firms are aware of the importance of data destruction," Rothke says.
Still, some organizations, particularly smaller ones, need more education about data destruction, according to Jay Heiser, an analyst at research firm Gartner. "We consider this a very important topic, but it is not one that Gartner clients spend a lot of time asking us about," Heiser says.
"Enterprise clients generally have a pretty good idea of how to deal with this; the practices have been relatively consistent over a period of years, and it doesn't generate a good deal of attention."
Unfortunately, Heiser says, there are still many small-to-midsize businesses that haven't fully thought through the risks of undestroyed data.
There are also persistent questions among all types of companies about how to handle data that's in the hands of cloud computing providers.
"The concern that I am most often asked about by Gartner clients involves the treatment of data on the part of service vendors, especially software as a service [SaaS]," Heiser says.
While a traditionally outsourced data center provider will typically commit to destroying data at the end of a contract and confirm this destruction in writing, that type of policy is rare to nonexistent for SaaS, Heiser says.
"Although the storage architecture of most SaaS services probably means that data from former customers will quickly be written over and soon become virtually impossible to recover, there's no good way to know if this is the case," he says. "The SaaS market also has little or no convention surrounding the treatment of former client data on backup media."
Cloud services will likely increasingly shape how data destruction is perceived and performed in the coming years, says Ariel Silverstone, vice president and CISO at online travel services provider Expedia.