Written by Simon Kang and Daniel Chung

Many organizations use overwrite-based disk wiping software before reusing or disposing of old disks and PCs, since it is secure, eco-friendly, and cost-effective. Beyond the fundamental requirements of supporting global standard overwrite algorithms and a variety of disk types, disk wiping solutions have begun to place more emphasis on management, with features such as remote deployment, remote wiping, and detailed logging and reporting.

CD/USB Type

In order to wipe entire system disks, including the operating system (OS), traditional solutions need to load an additional OS because the wiping program cannot wipe the OS it is running on. Often referred to as the CD/USB type, this approach requires that a USB drive or CD loaded with the wiping software and the additional OS be inserted into the machine, and that the boot priority be reordered in the BIOS so that the additional OS runs instead of the system OS. The wiping program is then started from the additional OS and is able to erase the system disk, including its OS.

Many disk wiping solution vendors offer this type of solution because it can be used in multiple situations, such as when the machines are offline or do not have a working OS. Typically, however, it is used by specialists, since required procedures such as BIOS setup, algorithm selection, and choosing the number of overwrites may be difficult for the average user. It has been common practice for companies to gather decommissioned PCs into a separate storage space, usually located with an in-house security team or with a 3rd party service company, for a certain period of time before a specialist individually wipes all of the collected disks. The CD/USB type was designed for this situation, but there are concerns that data might be left vulnerable, since the disks and computers remain unwiped while in storage and during transport.

EXE Type

More recently, vendors such as Blancco, WipeDrive, and Bluestsoft have begun offering wiping solutions that can be launched via an EXE file. These solutions can be convenient since they do not require any additional booting device or BIOS setup. When the EXE file is launched, an ISO file is saved to the local disk and the additional OS is registered in the boot file (boot.ini). Once the computer has been rebooted, the boot manager is launched, allowing the user to choose to boot the additional OS. Once it is selected, the wiping process begins. The process is similar to the CD/USB type, with the booting device replaced by an ISO file, but it allows the specialist to wipe disks remotely before moving them to storage or to permanent disposal. However, this process can still be troublesome: administrator rights need to be granted on each PC individually in order to download, install, and run the EXE file, and each user has to be instructed on how to use the boot manager and which wiping type and settings to use.

With both the EXE and CD/USB types, Windows PE and Linux are widely used as the additional OS. For Windows PE, this may be partly because of the familiarity of the Windows system. But if Windows PE is used as the additional OS, there are a couple of limitations due to Microsoft's license policy: end-users have to integrate Windows PE with the wiping software themselves, and the OS restarts itself every 72 hours. Linux is a fairly unfamiliar OS for the average user. Also, both of these additional operating systems require the installation of additional drivers in order to detect and recognize RAID systems. Overall, the limitations of the additional operating systems themselves can result in many inconveniences as well.

Native Type

SECUDRIVE has recently launched a new method of disk wiping, referred to as the Native type. This type makes it possible to wipe the entire disk, including the OS, without any additional OS or booting device. It keeps the existing OS and uses the native API to launch the wiping process before the Windows API is activated. There are no limitations due to the licensing policies of OS vendors, and disk systems, including RAIDs, can be recognized without any driver installation. The administrator can preset the wiping algorithm and number of overwrites according to the corporate security policy. Users can then download the wiping client and wipe their entire disk with the click of a button. Alternatively, the administrator can forcibly wipe target disks remotely after deploying an MSI file to the users’ PCs using Active Directory’s Group Policy (GPO). A manager can monitor the wiping process in real time and can then check the detailed log and report prior to transporting the PC. This makes it possible to wipe PCs effortlessly and immediately, before moving them into storage or to permanent disposal.
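The preset-policy, overwrite, and report sequence described above can be sketched as follows. This is an added example, not SECUDRIVE's code or any vendor's algorithm: the policy fields, the three-pass pattern list, and the report layout are assumptions, and it runs against a constructed image file rather than a physical disk.

```python
import os
import tempfile

BLOCK = 4096
# Hypothetical policy an administrator presets (field names are assumptions).
POLICY = {"algorithm": "three-pass-demo", "passes": [b"\x00", b"\xff", b"\x00"]}

def overwrite(path, pattern):
    """Overwrite every byte of the image with a one-byte pattern and sync it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(pattern * min(BLOCK, size - off))
        f.flush()
        os.fsync(f.fileno())  # make sure the pass actually reached storage

def verify(path, pattern):
    """Read the image back; return offsets of blocks not holding the pattern."""
    residual, off = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != pattern * len(chunk):
                residual.append(off)
            off += len(chunk)
    return residual

def wipe_and_report(path, policy=POLICY):
    """Run each pass, verify it, and return a record a manager can review."""
    passes = []
    for number, pattern in enumerate(policy["passes"], 1):
        overwrite(path, pattern)
        passes.append({"pass": number, "pattern": pattern.hex(),
                       "residual_blocks": verify(path, pattern)})
    return {"target": os.path.basename(path),
            "algorithm": policy["algorithm"],
            "bytes": os.path.getsize(path),
            "passes": passes,
            "verified": all(not p["residual_blocks"] for p in passes)}

def make_image(size=3 * BLOCK + 100):
    """Constructed sample 'disk': a temp file filled with recognizable data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"constructed-secret " * size)[:size])
    return path
```

The read-back in `verify` is what makes the report meaningful: a pass is recorded as clean only if every block was read back holding the expected pattern, and any residual block is listed by offset.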

The traditional disk wiping process, where decommissioned PCs are sent to storage to be wiped collectively at a later time, needs to be changed. In terms of security, it is extremely risky to move unwiped, ownerless PCs to storage and leave them there for an extended period of time to collect dust. But now, a security manager can remotely wipe hundreds of disks simultaneously without moving them from their original location, all from the comfort of their own chair. They can monitor the wiping events through the network and then gather detailed logs and reports once the wiping process has finished. Undoubtedly, the native type would be the most secure and most convenient for corporate disk wiping.