Encryption Data Storage Government IT

Ask Slashdot: Data Remanence Solutions? 209

MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particularly with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"
This discussion has been archived. No new comments can be posted.

  • by quanticle ( 843097 ) on Wednesday November 23, 2011 @03:42PM (#38151370) Homepage
    There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
  • Your Problem (Score:2, Insightful)

    by CanHasDIY ( 1672858 ) on Wednesday November 23, 2011 @03:44PM (#38151400) Homepage Journal
    ... is that your idea is logical, rational, and sensible, and therefore will not be considered an acceptable solution.

    I recommend inventing some bloated bureaucratic process that involves miles of red tape, and doesn't actually address the issue at hand.

    Hell, they might give you a fucking medal for that.
  • Depends..... (Score:2, Insightful)

    by Anonymous Coward on Wednesday November 23, 2011 @03:45PM (#38151408)

    Assuming it's a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.

  • Easy Peasy (Score:5, Insightful)

    by danwesnor ( 896499 ) on Wednesday November 23, 2011 @03:48PM (#38151434)
    If you believe the data shouldn't be destroyed, have your contracting office send the government contracting officer a letter requesting the requirement be deferred until the end of the new contract.
  • The contract... (Score:5, Insightful)

    by Taelron ( 1046946 ) on Wednesday November 23, 2011 @03:49PM (#38151454)
    The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
    You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.
  • by sirwired ( 27582 ) on Wednesday November 23, 2011 @03:50PM (#38151462)

    Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.

    Make sure your negotiators don't foul this up for future contracts.

  • Re:Zero-fill? (Score:3, Insightful)

    by Shatrat ( 855151 ) on Wednesday November 23, 2011 @04:00PM (#38151586)
    If it's reversible, you do it.
    The fact is that if the hard drive read head writes a zero, the hard drive read head will read a zero, it will not read a 0.0003 and be able to speculate that it was once a 1.

    http://hardware.slashdot.org/story/08/09/06/189248/the-great-zero-challenge-remains-unaccepted [slashdot.org]
  • by Joce640k ( 829181 ) on Wednesday November 23, 2011 @04:04PM (#38151628) Homepage

    The old "You can recover data even after it's overwritten" thing is a myth [wikipedia.org].

    Today's bit densities are so high that it simply isn't going to happen.

    Format them. Run a small program to write a file (can be the output of a RNG if you want) until the disk is full. Job done.

    Or, as mentioned, use one of the many programs available for this.

    Take the "repeatedly overwrite" thing with a pinch of salt unless you really enjoy sitting there watching hard drive lights blinking.

  • by PhilHibbs ( 4537 ) <snarks@gmail.com> on Wednesday November 23, 2011 @04:15PM (#38151744) Journal

    You've said it better than I could - and I'd go further to say that the fact that he considered encrypting the data and then destroying the key indicates that the OP is incompetent to be doing this kind of work. You don't destroy data by making an unreadable copy of it. You destroy it by destroying it, which could mean physical destruction, or could mean multiple overwrites (but the fact that the government requirements state physical destruction implies that they have already considered and rejected this option).

  • by tlhIngan ( 30335 ) <slashdot&worf,net> on Wednesday November 23, 2011 @04:17PM (#38151780)

    Exactly. They'll want certificates proving the drives were destroyed per the contract.

    Part of your contract bottom line includes the cost of replacing those drives. If your company bid too low and won't make a profit, that's really a shame, but that's something you'll have to take up with the salesperson who wrote the proposal.

    Also, realize that hard drives are only expensive *NOW*. Remember what happened in Japan that was supposed to kill the electronics market until the end of the year? In 6 months' time, the prices of hard drives will come back down. Unless your contract is only a month long, the destruction probably won't happen until then, which is probably a year or more down the road (unless it gets renewed again). In the mean time, you only destroy hard drives of PCs that are being decommissioned, so they've already been replaced and no issue at all.

    Also - why are you trying to find ways around it? It's in the contract and you wouldn't have gotten it if you didn't agree to the requirement. Is it really to save the company a few bucks? Or is it the inner geek who can't see the sight of tossing a 500GB drive away?

  • by Anonymous Coward on Wednesday November 23, 2011 @04:24PM (#38151846)

    I think you're looking at it the wrong way.

    If the original contract requires the destruction of equipment, then the original contract price covers that. Not destroying the hard drives means you should give some money back to the government since you're not completing the work you were paid for.

    If they allow old equipment to be used for the new contract there should be a discount on the new contract to account for this.

  • by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Wednesday November 23, 2011 @04:30PM (#38151916) Homepage

    D-BAN is great... but if the contract says "Thou shalt turn over thy hard drives for destruction..." then it's already been agreed on, and the cost was factored into the bid. Deal with it.

  • by Sancho ( 17056 ) * on Wednesday November 23, 2011 @04:32PM (#38151940) Homepage

    Yes, but this is a government contract with specific destruction requirements. Go complain to the feds if you don't like the myth. Or maybe the government knows something we don't. Who knows?

  • by malx ( 7723 ) on Wednesday November 23, 2011 @07:29PM (#38153852)

    I agree. You're trying to solve a commercial issue (and possible mistake) with a (poor) technical solution.

    As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?

    Your contract negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.

    As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.

  • by LordLimecat ( 1103839 ) on Thursday November 24, 2011 @03:10AM (#38155890)

    It's not a myth, it's a theoretical possibility that either no one has the current capability to do, or they do and it's simply too cost prohibitive, or else we simply don't know about it. That's not terribly reassuring if you're dealing with data whose leak might cause jail time.

    As for formatting, depending on how you format the drive, it may or may not overwrite the data at all and may leave it ripe for the picking.

    Honestly, if you're dealing with government and they say "we want the drives shredded", DBAN set to a DoD approved setting MIGHT be a reasonable suggestion, as would encryption (as we can actually quantify the risk there, and it is vanishingly small), but saying "ah, just zero it once or format it, it doesn't make a difference" sounds incredibly foolhardy.
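
An added example, not part of the original thread or any poster's code: it contrasts the two outcomes discussed above, a format that rewrites only metadata versus a full single-pass zero fill, and adds the read-back verification pass a sanitization report would need. The image file, marker data, sector counts and function names are all constructed for illustration.

```python
import os
import tempfile

SECTOR = 512

def make_image(path, sectors):
    """Constructed sample: every sector holds recognisable marker data."""
    with open(path, "wb") as f:
        for i in range(sectors):
            f.write((b"SECRET%06d" % i).ljust(SECTOR, b"\xaa"))

def quick_format(path, metadata_sectors=8):
    """Simulated quick format: only the leading metadata area is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * (metadata_sectors * SECTOR))

def zero_fill(path, chunk=64 * SECTOR):
    """Single-pass overwrite of the whole image, flushed before returning."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, chunk):
            f.write(b"\x00" * min(chunk, size - offset))
        f.flush()
        os.fsync(f.fileno())

def residual_sectors(path):
    """Verification pass: indexes of sectors that still hold non-zero bytes."""
    dirty = []
    with open(path, "rb") as f:
        index = 0
        while sector := f.read(SECTOR):
            if any(sector):
                dirty.append(index)
            index += 1
    return dirty

def demo(sectors=256):
    """Returns (sectors left after quick format, sectors left after zero fill)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path, sectors)
        quick_format(path)
        after_format = len(residual_sectors(path))
        zero_fill(path)
        return after_format, len(residual_sectors(path))
    finally:
        os.remove(path)
```

An image file stands in for the drive here; on real hardware, remapped sectors and SSD over-provisioned areas are not reachable by host writes, so a clean read-back only covers the addressable space.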
