Eradicate data – don’t destroy unwanted drives

Solid waste after being shredded to a uniform size.
Solid waste after being shredded to a uniform size.

Verity ES is a company that permanently deletes data from storage devices so they can be recycled instead of being destroyed, with three-pass overwrite deletion of an 8TB disk drive estimated to take three days.

Existing data sanitization and IT asset disposition supplier Revert has set up Verity ES – ES stands for Eradication Software – to delete drive data. This enables customers to recycle used-up and unwanted drives without compromising their ability to keep user data secure under the various compliance and regulatory obligations applicable in various geographies.

Saeed Karim.

Saeed Karim, CEO of both Revert and Verity ES, provided a canned quote saying: “The Verity ES certified, patent-pending enterprise software provides industry-leading data eradication security, economics and operational support, enabling organizations to permanently eliminate sensitive and private data extremely quickly, easily and across the widest range of devices and storage media.”

What does that mean?

Because the penalties for infringing compliance and privacy regulations can be financially severe, many if not most organizations totally destroy old drives in a shredding process that transforms the drives into fragments of scrap metal – e-waste suitable only for landfill. The Verity ES software ensues that data on a drive is replaced by meaningless signals and enables customers to then sell off unwanted drives – earning some revenue from them and reducing their e-waste burden.

Verity ES suggests that larger datacenter customers can end-of-life 500,000+ devices annually, with residual values ranging from $5 to $10,000+ per device, depending on the age, condition and media type. One customer reportedly gained $2.7 million in residual value from Verity ES’s ability to eradicate data from approximately 36,000 HDD and SSD disks. A competitor’s software failed to remove the data, according to Verity ES, which wants us to know it has a much better data eradication product.

Its software runs on a customer-built appliance and deletes data on a drive by overwriting it and doing so in three passes. A data analytics module provides real-time monitoring of operational performance using the data collected during eradication processing.

The software enables parallel data eradication processing of 500+ devices from a single appliance without any performance degradation. It supports country-specific data erasure regulations and standards for more than 25 countries. It also automatically determines the quickest and most efficient method to eradicate data on each device and media type, and supports disk drives and SSDs.

Verity says it “increases eradication success rates and yields” – which implies that the success rate is not 100 percent. Karim’s quote also said eradication took place “extremely quickly” and left us wanting to know more.

Checking the details

Glenn Jacobsen.

We asked Glenn Jacobsen, the president and COO of Revert, some detailed questions about the data eradication process.

Blocks & Files: How long does it take to eradicate data (overwrite) disk drives – eg, an 8TB drive, an 18TB drive? And how long does it take to eradicate data on for example an 8TB SSD? 

Glenn Jacobsen: It depends! If the manufacturer and system vendor firmware supports embedded sanitization functionality per the ATA and SCSI standards, the time to sanitize an HDD and SSD can be reduced by up to 50 percent. With Verity, an NIST PURGE-compliant three-pass overwrite with 100 percent verification for an 8TB HDD or SSD will take approximately 70 hours (3 days), while an 18TB HDD will take approximately 150 hours (6.5 days).

Blocks & Files: How is the eradication process verified? How long does the verification take?

Glenn Jacobsen: It depends on the verification method selected. NIST stipulates a full read of a minimum ten percent representative sampling of the media, which can be a pseudorandom sampling or a predetermined selection of user addressable and reserved areas. A full verification is one full read of every bit, byte, sector (cell or page) in user addressable and reserved areas. The time for a full verification equates to the time it takes to perform a single overwrite – so for an 8TB HDD or SSD, it will take approximately 20 hours.

Blocks & Files: Are drives that are going to be eradicated mounted in a Verity ES appliance? 

Glenn Jacobsen: Not at this time. Verity ES will provide the customer with the system prerequisites and consultation to build their own platforms on which to install Verity ES. That said, if there is customer demand, the sale or lease of a Verity ES appliance will be considered.

Blocks & Files: Can the Verity ES system support SATA, SAS and NVMe-attached drives? How about M.2 format SSDs? 

Glenn Jacobsen: Yes, Verity ES supports SATA and SAS HDDs, SATA and SAS SSDs, NVMe SSDs, and m.2 SSDs.

Blocks & Files: What is the cost advantage of Verity ES vs drive shredding? 

Glenn Jacobsen: Drive shredding depends on the method selected – on-site or off-site. On-site drive shredding typically costs $15–$20 per drive, and introduces the following issues:

  1. Does the size of the shredded remnants fully mitigate the risk of unauthorized access to data? This is especially important for SSDs.
  2. Where are the shredded remnants transported after the on-site shredding?
  3. What is the disposition of the shredded remnants? Will they be recycled or landfilled? Exported to another country?
  4. How does shredding support the sustainability goals and objectives of the business? With shredding, there are environmental concerns that must be considered, including carbon emissions (shredder, transport, recycling) and disposition of the shredded remnants (recycling or landfill?).

Off-site shredding introduces the primary risk of data breach. If drives containing PII or ePHI are released from the four walls of the datacenter, the data is no longer in control of the processing organization and technically constitutes a data breach. Chain of custody documentation typically applies to just the physical asset itself, not the data that is stored on the asset. This should be a non-starter when going through a decision-making process.

The ES data eradication enterprise software is available immediately from Verity ES