
How much data deletion is enough?

We all know that deleting a file doesn’t actually “delete” anything. Deletion only marks the file’s clusters as free for re-use — data actually remains tucked away within the sectors of each cluster until they are overwritten by new data. To really destroy data, it must be overwritten multiple times. This ensures that the magnetic traces of previous recordings cannot be read with advanced laboratory equipment (even when new data is on the media).

But how many times do you really have to overwrite that deleted data before it’s actually considered secure? Once? Twice? Ten times? Experts say that multiple overwrites are worthwhile — even required — noting that anywhere from 7 to 11 writing passes may be needed to fully overwrite the old data.

And there’s no shortage of tools that promise to kill your old data. Professional products like FDRERASE/OPEN from Innovation Data Processing can securely erase the magnetic disk using three to eight passes. Even end-user products like File Shredder from promise to overwrite file data with random information up to 15 times, claiming that “it is practically impossible to recover the original data”.

Now there are circumstances when it pays to be extra thorough, but personally I think it’s overkill — a practice based on old MFM/RLL drive technologies. US DoD specification 5220.22 calls for three overwrites, while NIST standard SP 800-88 was revised in 2006 to call for only one overwriting pass on modern (post-2001) hard disks.

But I want to hear what you think. What tools are you using? How do you ensure that your old files are securely deleted? Does it even matter to you?

In the meantime, listen to this FAQ on Storage Security where Kevin Beaver offers practical answers to the most common storage security questions he hears from storage pros today.

Join the conversation



It is perhaps important for your readers to understand that host-based secure erase / data shredder applications can actually have little or no effect on data stored in external cached storage arrays. In many cases, these arrays buffer writes so effectively that only the final pattern is written to the disk. As you say, overwriting the old data with multiple patterns may in fact be overkill, but with cached arrays it may also be impossible.
The comment from Barry Burke is right on... Readers should seriously consider the issue of ensuring that multiple overwrites are effective. That is often, as the article states, what differentiates a "Professional" solution like FDRERASE and a user program. The CCEVS Common Criteria Evaluation of the FDRERASE design reviews this, as explained in the following paragraph extracted from the CCEVS material:

3.5.8 Hardening of data

On modern disk subsystems, all WRITE CCWs actually transfer data into subsystem cache memory before writing the data to the back-end disks. Data is written asynchronously from the cache to the back-end disk. If a subsequent WRITE modifies the same track before it is “hardened” from cache to disk, the previous data is discarded and never written to disk. The proper operation of FDRERASE requires that the program insure that the data is hardened to disk at the end of each pass.

• On IBM and HDS subsystems, a COMMIT CCW is supported. COMMIT will insure that all cached data for a range of track addresses on a given device has been written to the back-end disks before any new I/O is accepted.
• On EMC subsystems, COMMIT is not supported but unique EMC query commands will return the number of writes which are pending in the cache for a given disk device. This can be queried repeatedly at intervals until it reaches zero.
• However, all of these vendors guarantee that write data will eventually be hardened to the back-end disk, even if a power failure occurs.

For ERASE and SECUREERASE operations, FDRERASE issues the appropriate commands to insure that the data is hardened "at the end of each pass". When multiple passes are made on a disk, special techniques are used to improve performance, for example:

• The first pass will write on all cylinders of the device, from the highest-number cylinder to cylinder 0.
• A COMMIT will be issued for the top half (highest-numbered cylinders) of the device, since that data has probably already been hardened by the subsystem.
• The next pass starts by writing the top half of the device with the next pattern.
• A COMMIT will be issued for the bottom half of the device.
• The pass continues to erase the bottom half of the device.
• At the end of the last pass, the entire volume will be committed.
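
The per-pass flush described in the comment above, reduced to one file on a host filesystem, as an added example that is not FDRERASE code and not part of the original discussion. The names `overwrite_file`, `verify_fill` and `demo` are hypothetical, the sample data is constructed, and `os.fsync` stands in for the hardening step while reaching only the host's own cache.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write, so large files need not fit in memory

def overwrite_file(path, patterns=(b"\x00",), chunk=CHUNK):
    """Overwrite path in place, one pass per pattern; return passes completed.
    Each pattern is a length-1 bytes value, or None for random data."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: keep the existing allocation
    passes = 0
    try:
        for pattern in patterns:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = os.urandom(n) if pattern is None else pattern * n
                remaining -= os.write(fd, block)  # tolerates short writes
            # Flush this pass out of the host cache before the next one starts,
            # otherwise only the final pattern may ever be written out.
            # Assumption: fsync covers the host OS only; an external array's
            # cache needs the vendor mechanisms the comment describes.
            os.fsync(fd)
            passes += 1
    finally:
        os.close(fd)
    return passes

def verify_fill(path, byte, chunk=CHUNK):
    """Return True if every byte of path equals byte (length-1 bytes).
    The read may be served from cache: this checks the logical file content."""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return True
            if data.count(byte) != len(data):
                return False

def demo():
    """Random pass, 0xFF pass, 0x00 pass over a constructed sample file."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample secret\n" * 1000)
        path = tmp.name
    try:
        size = os.path.getsize(path)
        passes = overwrite_file(path, patterns=(None, b"\xff", b"\x00"))
        return passes, os.path.getsize(path) == size, verify_fill(path, b"\x00")
    finally:
        os.remove(path)
```
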
There is no Protection Profile created for any software overwrite or Secure Erase tool. I'm not sure what this FDRERASE tool is... I do not see it listed in the CCEVS nor assigned to any CCTL site. Since nowhere in 5220.22-M is it mentioned that software overwrite is recommended or available (clearly no one here has actually read the NISPOM!), all that is left is the NIST SP 800-88 and the Clearing and Sanitization matrix published by DSS. Remember that clearing technologies like software overwrite are at a lower level than Purging technologies. Firmware purge is viewed as "...the best option for an organization" Page 30 800-88.... check out