Data erasure: a resilient process

« Redundant or end-of-life data still present in virtual machines or datacenter storage units, on a server, PC, or smartphone are all IT security breaches, » (…) « Whether these devices are operational in a still-active environment, repackaged, or doomed to be discarded, the data should no longer be recoverable. »

However, simply resetting devices or formatting a hard drive will not protect businesses sufficiently. The former will not remove any traces left by even deleted data and apps, and the latter will not fully detect hidden partitions and damaged files on the hard drive.

For an integral sanitization

The recommendation is therefore for complete data sanitization. Gartner[2] defines it as a « disciplined process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. »

In concrete terms, the hard disk is completely rewritten with algorithms. A check is then made to ensure the logical and complete erasure of the memory of each machine. An encrypted report is issued attesting to the completeness of the operation carried out, specifying the place, date, time, and nature of the latter, as well as the algorithms used for the complete disappearance of the data.

In addition, if the hard disk surface is not completely erased and, for example, the manufacturer’s partitions remain inaccessible, the error is noted in the erasure report.

Last, if deleting the data is not enough, the hardware is destroyed: « Physical destruction is the complement of secure deletion. Because if the medium is damaged, it cannot be erased, » explains Yves Gheeraert. « The company must therefore integrate this process into its cyber-resilience approach, in order to reduce its attack surface.

Certification, a guarantee of quality and peace of mind

In addition to securing the company’s assets, the total sanitization also complies with the principles of the General Data Protection Regulation (GDPR), in particular the right to be forgotten with regard to personal data.

« Thanks to a certificate attesting to the proper end of life of the hardware and/or personal data—especially of suppliers, customers, and candidates and former employees—the company will be in compliance with the regulations in force, » notes Yves Gheeraert.

« The ANSSI only certifies solutions if there is a demand from the public sector. If there is a need, it means that a danger exists. A certification will make the company and its customers aware of the dangers of not erasing data, while providing proof of compliance with GDPR requirements, in case of an audit by the CNIL. »

The organisation not only certifies the latest versions of erasure software, but also challenges the entire sanitization process—such as the encryption keys for the final report—thus pushing developers to continuously improve their solutions and features.

« Today, the need for antivirus software is recognised by all. Data erasure is equally important for data security, » concludes Gheeraert. « It must therefore be part of a holistic and integral approach to IT security.