Shredding Data Tape Cartridges Puts Security at Risk

Protecting sensitive data isn’t always easy. Shredding is one of the most popular methods of data sanitization for tape cartridges, and on its surface, it seems like an appropriate choice — it’s inexpensive, easy, and provides visual evidence of the destruction attempt.

Unlike other techniques such as degaussing (which has its own potential issues that we address in this article), shredding is mostly automatic. Many IT departments assume that the process is straightforward: if employees can feed the tapes into the shredding device and document their work, they can handle the task, right?

Not quite. Unfortunately, shredding has significant limitations, and we believe that the process is not an effective choice. In fact, media shredders have always presented significant risks, but those risks have become more substantial with the introduction of new high-density formats.

Our team specializes in data cartridge disposal. In this article, we’ll address a few considerations that prevent shredders from serving as a secure method of sanitization, and we’ll also provide an alternative.

Shredding data tapes isn’t appropriately secure.

According to the National Institute of Standards and Technology (NIST) 800-88 guidelines, the most widely used data sanitization standard, shredding is an approved method of destruction for data tapes. However, the results must be appropriately secure. That’s a significant caveat. Per NIST:

The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality that the data cannot be reconstructed.

Media shredders are designed to annihilate hard drives, optical disks, and (of course) paper, but a number of engineering challenges prevent commercial shredders from handling data tapes effectively. Put simply, tape is a thin, flexible material that shredders aren’t designed to destroy, and even high-end shredders may leave pieces of tape untouched. Malicious actors could find ways to use those strips of tape to reconstruct data, creating a potential vector of attack.

This isn’t a theoretical issue. Our team performed a 6 mm shred of a set of LTO tapes; while the shredder apparently handled the job, we were able to recover tape pieces of over 130 mm. Those pieces held a substantial amount of recoverable data.

Shredding tape makes data recovery difficult, but not impossible.

So, how much data is too much? That’s a difficult question to answer, which is why NIST uses the language “reasonable assurance in proportion to the data confidentiality.” A single megabyte of data could create a vulnerability. That’s why most organizations have protocols in place to prevent personnel from bringing in USB drives to transfer data. The USB drives could be compromised, and a worker could unintentionally transfer protected information outside of the organization’s control.

With that in mind, data sanitization provides “reasonable assurance” when the organization can virtually guarantee that all usable data — everything from a customer’s payment info to ERP login credentials — has been totally eliminated. Pieces of a shredded data cartridge simply don’t meet this threshold.

On an LTO-8 cartridge, a 10-cm piece of tape contains about 3 gigabytes of data. That format has over 6,600 tracks, which means that malicious actors would have more than 6,600 chances to access 4 megabytes of data (or more) on the recovered tape strip.

And while the threat is more significant for formats with a high data density, all commonly used tape formats (including legacy formats like DLT) can store a tremendous amount of sensitive information in a small area. Some formats don’t encrypt data by default; a bad actor would simply need to read the data from the tape fragment.

Shredding can also leave CM chips untouched.

LTO and 359x tapes use a cartridge memory (CM) chip to track end-of-data location data and to create a record of each cartridge’s usage. Every time data is written to an LTO cartridge, the CM chip keeps notes — and on LTO-8 tapes, the CM chip can store up to 16 kilobytes of data[1]. That can include “real” data, and in theory, a CM chip could be used as the basis for an attack.

Currently, the risks of an attack via CM chip are remote, but as we’ve seen in recent months, malicious actors are creative and resourceful. Shredders are not equipped to destroy CM chips, and they often leave them untouched. An LTO-CM is about 20 mm long, 10 mm wide, and less than 1 mm thick.

In our tests, we found that CM chips were almost inevitably intact after passing through commercial hard drive shredders. Of course, that’s not the fault of the shredder manufacturers — the devices simply aren’t designed to handle tape cartridges.

Enterprises must still use proper methods to dispose of shredded data tapes.

We’ve discussed the security issues presented by shredders, but to this point, we’ve ignored a major practical problem: Shredded tapes still need proper disposal. That means sending them to a landfill — which isn’t appropriate, since fragments of the shredded tapes are a potential attack vector — or incinerating them.

Incineration is a secure way to destroy data, but if an enterprise is going to incinerate tapes, why spend time and money shredding them? For larger projects, incineration is expensive and introduces environmental considerations, and personnel must keep track of all fragments of the shredded tapes until they’re eliminated. They must also ensure that no pieces of tape are caught in the shredder, and organizations must track the chain of custody for the tapes (and fragments) up to the point of incineration.

Shredding tape cartridges seems simple and straightforward, but it’s an outdated technique. Shredders simply aren’t capable of providing total assurance of data destruction, and other methods — like proper degaussing — should be employed before the physical media is recycled or destroyed.