Saturday, 17 October 2015

It's not about the erasure, it's about the data about the data erasure - well almost



It amazes me that after the best part of 20 years erasing data I still meet people who don't "get" the importance of data erasure.  Technically it's not difficult but it must be absolute.  Like a climber’s rope; few will marvel at the structure and make-up of a rope, but you sure as hell don’t want it to fail, and even if it does you want a fail-safe.

The founder and ex-CEO of Blancco, Kim Väisänen, once said, "It's not about the erasure, it's about the data about the data erasure".  At the time, especially coming from Kim, it slapped me round the face.  There are dozens of tools which can send a simple known command to a drive.  The key is to prove the device has done what you have told it to, and then to prove that with a traceable output which confirms that something was completed, by whom, when, what and where.  As such, the traceability is at least as important as the function.

Kim Väisänen also once said to me “a fool with a tool, is still a fool”.  He meant that even if you develop the very best tool to do a job, in the hands of a human being mistakes will always be made.  I once toured a large ITAD in West Chicago.  The IT chap showed me the erasure line, which used CDs and stickers.  I asked “what happens if you make a mistake” and he answered “we don’t”.  He and his team are the first perfect human beings I have ever met.  They really shouldn’t be erasing hard disks but should have applied their skills to open heart surgery perhaps.

So using a tool to erase is the simple part, in that technically it’s not very challenging.  Traceability and proof, and preventing on-sale if there has been a mistake, are far more challenging.  Capturing the unique details of the hard disk drive and parent device is a part of this.  Recording the operator, date and time and what has been undertaken is another; however, far more important are the fail-safes.

What happens when the power fails or the fire alarm goes off halfway through?  What happens when somebody makes a mistake and puts the label on saying the drive is safe when it is not? This is especially a risk when an operator is doing boring repetitive tasks.

It’s more complicated than simple reporting. The business process needs to check and inspect that the drive and device are safe before allowing the on-sale or shipment of either the hard disk or the parent device.  In real terms this is a far greater risk than either the tool used or the number or patterns of overwrites. Joe going on his lunch break or replying to a text message from his girlfriend, rather than this tool or that, is a greater real-world challenge.
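As an illustration of the check described above (an added example, not part of the original post and not any vendor's product), here is a fail-closed release gate in Python. The record fields, the `SITE_KEY` signing key and the sample ledger are assumptions constructed for the example: the drive scanned at dispatch is released only if a signed, complete and verified erasure record exists for that exact drive and parent device.

```python
import hashlib, hmac, json

SITE_KEY = b"constructed-demo-key"  # assumption: signing key held off the erasure bench
REQUIRED = ("drive_serial", "parent_asset", "operator", "started", "finished", "method")

def sign_record(record, key=SITE_KEY):
    """HMAC-SHA256 over canonical JSON, so later edits to the record are detectable."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def release_decision(scanned_serial, parent_asset, ledger, key=SITE_KEY):
    """Fail closed: (allowed, reason) for the drive actually scanned at dispatch."""
    entry = ledger.get(scanned_serial)
    if entry is None:  # a 'safe' sticker with no record behind it
        return False, "no erasure record for this serial"
    record = entry["record"]
    if not hmac.compare_digest(sign_record(record, key), entry["signature"]):
        return False, "record altered after signing"
    if record.get("status") != "completed" or record.get("verified") is not True:
        return False, "erasure not completed and verified"
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        return False, "incomplete record: " + ", ".join(missing)
    if record["drive_serial"] != scanned_serial or record["parent_asset"] != parent_asset:
        return False, "record does not match the drive and device being shipped"
    return True, "ok"

def _entry(**fields):
    return {"record": fields, "signature": sign_record(fields)}

# Constructed sample ledger: one clean erasure, one cut short by a power failure.
LEDGER = {
    "SN-A1": _entry(drive_serial="SN-A1", parent_asset="LT-100", operator="op7",
                    started="2015-10-17T09:00Z", finished="2015-10-17T10:12Z",
                    method="overwrite", status="completed", verified=True),
    "SN-B2": _entry(drive_serial="SN-B2", parent_asset="LT-101", operator="op7",
                    started="2015-10-17T09:05Z", finished=None,
                    method="overwrite", status="interrupted", verified=False),
}

if __name__ == "__main__":
    for serial, asset in [("SN-A1", "LT-100"), ("SN-B2", "LT-101"), ("SN-C3", "LT-102")]:
        print(serial, release_decision(serial, asset, LEDGER))
```

The gate defaults to "no": the interrupted job, the drive with a label but no record, and a record edited after the fact are all held back without relying on the operator noticing.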


Sending a command to a drive is simple.  Ensuring 100% human accuracy requires systematic fail-safes.  I agree that erasure is just one part of the data lifecycle; however, it is an important one.  Think of all the money spent on retention of data and protection of data such as encryption. Destruction is the end of the data lifecycle and in the future we will need to prove that this has been successfully completed.

Monday, 14 September 2015

Too busy to think Data


This week we failed to help a friend in need.  He'd left a single copy of those ever so valuable baby photos on his laptop and failed to back it up.  I really feel for him.  Despite a platter change and a huge amount of effort it was too late.  Technically it's possible to recover data from mechanically damaged platters but sadly baby photos don't justify the cost.

These days we have free Cloud services thrown at us from multiple providers; however, most corporations quite rightly prevent or block them as they can lead to uncontrolled business data leaking into private cloud space.  It's easy to do if not controlled.

In the past we have found extremely sensitive data on discarded "home computers".  I remember the launch sequence of a missile system being one!  One can imagine an under-pressure worker bringing home some important work to finish off overnight, probably on an uncontrolled USB stick, and copying it onto his home PC.  That's two uncontrolled copies before we consider factors such as the cloud.

In my friend's example, however, it's the opposite.  He works for a company who manage their data very carefully.  Whilst he's obviously been able to copy his personal data to the device, it's excluded from his normal business data and so it's not backed up.  All hard disks will fail at some point so this is a time bomb.

My point is that due to human nature we fail to consider the implications of our data actions.  We just assume it will be there when we need it and not there when we need it gone.  But this is very often not the case and is always a rash assumption. 

Just like a warehousing error is very often in fact two errors; 1) where something should be and 2) where it actually is... we have the same consideration with data.  We must consider BOTH where we want data to be and where we do not want data to be.

What the Cloud does is enable the data to be in a dozen places at once without us thinking about it.  Yet that's exactly what we need to do.  Think about it.