It is safe to say that Hardware Asset Management is an overlooked, but still vital, part of IT Asset Management. Audit risk and multi-million-pound contracts tend to mean that SAM gets the bulk of a busy ITAM team’s focus. However, recent legislative changes such as the GDPR & state-by-state privacy legislation such as the CCPA mean that the risks of poor disposal practices have come to the fore, and a key risk component is ensuring that recycled kit has been securely erased.
The growth of the Circular Economy concept, along with more specific campaigns such as Free ICT Europe, means that your hardware recycling strategy could be seen as part of your overall corporate responsibility activities. With technology at such a high maturity level, even 5-year-old laptops could have a long and useful life ahead of them with second owners.
Before we can participate in these movements, however, we need to ensure that our devices have been securely erased. How do we go about that, ensuring that we can prove erasure to meet regulatory requirements such as the GDPR? The topic of hardware recycling is much broader than erasure alone, with standards such as R2, EPRA/ARPE, and WEEE. This guide is solely focused on erasure requirements and should be read in conjunction with the requirements of waste electrical equipment codes applicable to your region.
Why not destruction?
Secure disk erasure is a time-consuming and resource-intensive process. For many years it simply wasn’t considered worth the time and effort by large companies and so they physically destroyed their magnetic media. Personally, I’ve even resorted to using a sledgehammer and cold chisel to destroy hard drives and have incinerated magnetic tapes. In the current climate, neither of these methods, nor the slightly less extreme method of degaussing, meet our obligations to Reduce, Reuse, and Recycle. Disintegrating hard drives is non-sustainable and wasteful.
Capabilities & Key Findings
This guide is primarily for enterprise-grade secure erasure technology. Required capabilities in this space include:
- Erasure audit trail
- Erasure status reporting
- Mass erasure techniques
- Remote, local, and network erasure
- Secure erasure of differing hardware types
- Integrations via API or similar technologies to other tools
There are a number of technical standards and guidance papers for what constitutes acceptably-secure erasure. A good starting point is the UK National Cyber Security Centre (NCSC) guidance on secure sanitisation of storage media. For readers in the US, NIST have similar guidance.
Some key takeaways from this guidance include:
- Treat SSD devices differently to magnetic media (they’re much harder to securely erase)
- Apple & most Android phones may be securely and easily recycled due to mandatory hardware encryption
- If you do end up physically destroying devices, make sure the bits left over are no bigger than 6mm across
Whilst focused on enterprise-grade solutions, consideration should also be given to whether you wish to devote internal resources to this activity. Data erasure, and hardware recycling in general, is a resource-intensive activity which may be better served by a managed service provider or recycling partner.
In compiling this list, we have attempted to include vendors from across the marketplace in terms of size, geography, and product capability. If, as a vendor, you are not listed please contact the author for inclusion in a future edition of the guide. This guide is focused on self-service software-only solutions to hard drive erasure and so does not include services with a hardware component or offsite/onsite managed service providers.
BitRaser Enterprise Edition
BitRaser Enterprise Edition supports simultaneous secure erasure of up to 65,000 hard drives across a network, using PXE boot and a central management console. Certified erasure reports are stored centrally on the management console server. The application is priced per erasure with no license expiry.
Blancco Drive Eraser 6
Blancco Drive Eraser claims secure data erasure for HDDs & SSDs in desktops, laptops, and servers. The solution provides an electronic tamper-proof certificate of erasure. Erasure can take place remotely or locally and can be performed on multiple storage devices simultaneously. The solution is certified by the NCSC until September 2019.
Certus Software
Certus Software can erase up to 200 HDDs simultaneously, and provides support for erasing SSDs. It supports 13 common erasure patterns. The software can be locally-installed or cloud-hosted and is priced per number of erasures per annum. Local or network-based erasure is possible. The solution is certified by the NCSC until June 2020.
Extreme Protocol Solutions Xerase
Xerase provides the ability to securely erase hard drives locally, attached to a dedicated erasure station, or via PXE. Erasure is also possible through the use of a USB key. Secure erasure reports are provided via secure PDF.
ITRenew Teraware 3
ITRenew Teraware 3 is predominantly a datacenter secure wipe product. Offering support for HDDs & SSDs with full forensic certification, the solution claims to wipe 1TB every 2.5 hours and can run simultaneously on an unlimited number of drives.
Jetico BCWipe Total Wipeout
Jetico BCWipe Total Wipeout provides centralized wiping and reporting for enterprise customers, including SSD and SSHD (hybrid/fusion) drives. It supports any operating system. Two purchase options are available: an unlimited annual subscription or a per-wipe token-based system. Controlled from a central web console, the system uses a variety of methods, including PXE boot, to wipe multiple drives simultaneously. Role-based access to wiping capability is provided.
White Canyon WipeDrive Enterprise
White Canyon WipeDrive Enterprise provides data security and secure chain of custody for storage media in an enterprise environment. Erasure reports are irrefutable. Erasure can take place locally, across a PXE network, or via central deployment of the tool (rather like an inventory agent deployment). The solution is priced per erasure. Certification of the tool by the NCSC expired in April 2019. Certifications last for two years, so it may be pending re-certification.
Youwipe Data Erasure Tool
Youwipe Data Erasure is certified by NIST, ADISA, and against ISO27001 for secure hard drive erasure. A centralised management console provides the ability to remotely wipe devices, and the solution is priced per wiped device.