
The evolving data storage landscape, compounded by the pervasiveness of the internet and the rise of global data protection regulations, has pushed organizations to adopt stringent data retention and disposal policies. It has also widened the set of organizations that collect, store, and process data and must therefore treat data sanitization as a crucial element of data lifecycle management, for data security, breach prevention, and compliance.
With the emergence of international data privacy and protection laws, data protection has become a shared responsibility across the organization. The need to protect data has turned into a legal obligation with severe repercussions for non-compliance. The National Institute of Standards and Technology (NIST), in its SP 800 series, prescribes security and privacy guidelines for US federal organizations. These guidelines call for a robust data sanitization policy and describe best practices that can be employed for data sanitization.
What is Data Sanitization?
Data sanitization is the process of permanently destroying data on a storage device so that it cannot be recovered within a given level of effort. Data sanitization not only ensures that data is irreversibly destroyed but, when done logically rather than physically, also leaves the device reusable. It is a deliberate, irreversible, and controlled method of data destruction. Data erasure is the software-based approach to data sanitization: it writes a fixed or pseudorandom pattern of 0s and 1s to every addressable location on the device, then reads the media back to verify the result and records a certificate of erasure for the sanitized device.
NIST SP 800-88 Rev. 1 defines media sanitization as a “process that renders access to target data on the media infeasible for a given level of effort.” NIST SP 800-172 goes further and defines sanitization as a “process to remove information from media such that data recovery is not possible.” Furthermore, NIST SP 800-53 Rev. 4 (control MP-6, Media Sanitization) specifies that “the organization shall sanitize information system digital media using approved equipment, techniques, and procedures.”
Why is Data Sanitization Important?
Rising security concerns over cyberattacks and data breaches prompted the enactment of data privacy laws in many countries, and these laws treat the secure deletion of personal data as an integral part of compliance. For example, Article 17 of the GDPR gives data subjects the “right to erasure” (the “right to be forgotten”), which obliges the organization to delete the individual’s personal data from its records without undue delay. Secure data sanitization is how that deletion is made real rather than nominal.
It is also the recommended method for mitigating the risks of IT asset disposal, protecting sensitive information, and meeting audit and compliance requirements. Every organization should have a comprehensive data destruction policy as part of its data management to avoid accidental data breaches and to limit the damage from cyberattacks. In Europe, fines of € 19,447,300 were imposed in 2022 alone for various infringements, including of Article 17. The largest fine, € 10 million, was imposed on Google LLC in Spain on 18 May 2022. GDPR was also the catalyst for data privacy laws in the US, starting with the CCPA (California Consumer Privacy Act) and followed by other states. These laws borrow heavily from GDPR, and penalties for non-compliance can be severe. Data sanitization features prominently in all of them, and it would also be integral to the proposed US federal data privacy bill, the ADPPA (American Data Privacy and Protection Act).
One of the biggest advantages of data sanitization is that it reduces the data footprint in an organization’s storage estate. A reduced data footprint shrinks the attack surface: data that no longer exists cannot be exfiltrated in a breach, so the impact of a successful attack is smaller. Data breaches, on the other hand, have severe monetary repercussions and can harm the organization’s brand value, customer confidence, investor sentiment, and trust. Organizations should therefore maintain a robust data destruction policy.
Data sanitization is also central to the ITAD (Information Technology Asset Disposition) industry and supports the circular economy. Given the amount of sensitive and confidential information stored on the IT assets that ITADs process, their end-of-life disposal must be executed securely and reliably. Organizations have traditionally destroyed these devices physically to mitigate data leakage risks, but this is costly and generates e-waste. Data sanitization is a proven way to securely destroy data while keeping the device reusable. Reusing, reselling, or donating sanitized devices can recover value, cut costs, and promote environmental sustainability.
Despite its importance and growing significance, many organizations remain unaware of or indifferent to data sanitization. Organizations need to make it a standardized and automated step in their data lifecycle management to ensure operational efficiency and a secure data protection environment. Understanding data sanitization and the methods used to achieve it leaves an organization well placed to achieve compliance and counter threats.
Methods & Approaches to Data Sanitization:
NIST SP 800-88 Rev. 1 defines three categories of sanitization, in increasing order of assurance: Clear, Purge and Destroy. The categories are defined as follows:
- Clear: Uses the standard read/write interface of the device to overwrite the data in all user-addressable locations, typically with a fixed value such as all zeros (multiple passes or more complex patterns are optional). Also known as overwriting or data erasure. Clear protects against simple, non-invasive recovery techniques such as file-recovery tools, but not against laboratory attacks. It can be used on floppy disk drives, ATA hard drives, SCSI drives, USB sticks, memory cards, and SSDs. Its main advantage is that it keeps the media reusable. Its main limitation is that it only reaches locations the host can address: remapped sectors, hidden areas such as the HPA and DCO on ATA drives, and the over-provisioned area of flash media are not touched by a plain overwrite. Specialized data erasure software such as BitRaser addresses part of this gap by also erasing hidden areas like the HPA and DCO.
- Purge: Applies physical or logical techniques that render recovery of the target data infeasible even with state-of-the-art laboratory techniques. Overwriting is only one of the Purge techniques; Purge also covers device-level commands (ATA or SCSI Sanitize and Secure Erase, block erase on flash), cryptographic erase (destroying the key under which a self-encrypting drive encrypted everything it stored), and degaussing of magnetic media. Where Purge is achieved by overwriting, a single pass as used for Clear is not enough: NIST recommends three total write passes of a pseudorandom pattern, with the second pass being the bitwise inverse of the first. Because these techniques act on the device rather than through the host’s address space, Purge also reaches the concealed and non-addressable locations that Clear misses, which is why it is used for sensitive and confidential data. A practitioner caveat: cryptographic erase is only as strong as the encryption it relies on, so it should not be trusted if the key was ever exposed or if data was written before encryption was enabled. Like Clear, Purge is environmentally sound and reduces e-waste by keeping assets reusable.
- Destroy: Renders recovery of the target data infeasible with state-of-the-art laboratory techniques and leaves the media unusable for storing data. It uses physical destruction such as shredding, incineration, pulverization, or disintegration of the storage device. Destroy is the fallback when Clear or Purge cannot reach every storage location or cannot be verified, and for defective media or media with no sanitize mechanism. It is also the only option for non-digital media that cannot be sanitized with Clear or Purge, such as printed paper, carbon paper, CDs, and DVDs. Its drawback for verification is that the data can no longer be read back, so assurance rests on verifying the destruction process and equipment (for example, the shredder’s particle size) rather than the result on the media. Its main disadvantages are its contribution to e-waste and the recurring cost of destroying old equipment and buying new.
Data Sanitization Recommendations by NIST
Each method can be deployed according to an organization’s requirements and the level of sanitization needed. NIST advises organizations to choose the sanitization method by considering the following factors:
- The category of the information and its confidentiality level.
- The storage medium and the manufacturer’s guidance for it.
- The future of the media: whether it will be reused, resold, donated, or leave the organization’s control.
An essential step in the NIST guidelines is verification of sanitization. NIST describes two types of verification:
- Full verification: reading back the media after each sanitization pass and checking every addressable location against the expected pattern.
- Representative sampling: verifying a randomly selected subset of the media (or of locations on the media) rather than the whole, where full verification is impractical.
Furthermore, verification also includes:
- Verify the equipment (Degausser, Incinerator, Shredder) used in the sanitization.
- Verify the expertise of personnel doing the sanitization.
- Verify the sanitization process on media.
Organizations should refer to NIST SP 800-88 Rev. 1 itself, especially its Appendix A of minimum sanitization recommendations, for a detailed understanding of these methods and how they apply to different media types.
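The following is an added worked example and is not code from this page or from any vendor tool it mentions. It illustrates both the overwrite-based methods described under Clear and Purge and the two kinds of verification in the NIST list above. An ordinary temporary file stands in for the block device (a real tool would open the device node and would additionally need device-level commands for the HPA, DCO and flash over-provisioning, which a file cannot model). The 4096-byte chunk size, the seeded derivation of the pseudorandom pattern, the sample content and the simulated missed chunk are all assumptions of the example.

```python
"""Overwrite-based sanitization of a file-backed 'media' plus NIST-style verification.
Added example: a temp file stands in for the device; a real tool would target the
block device and also handle HPA/DCO, remapped sectors and flash over-provisioning."""
import os
import random
import secrets
import tempfile

BLOCK = 4096  # assumed write/verify chunk size (sector-aligned)


def _chunks(size):
    """Yield (index, offset, length) for each BLOCK-sized chunk of a media of `size` bytes."""
    off, idx = 0, 0
    while off < size:
        n = min(BLOCK, size - off)
        yield idx, off, n
        off, idx = off + n, idx + 1


def _pattern(spec, index, n):
    """Expected content of chunk `index` (length n) for one write pass.
    spec = {"kind": "fixed", "value": v}  or  {"kind": "prng", "seed": s, "invert": bool}.
    Pseudorandom chunks are derived from (seed, index), so verification can regenerate any
    chunk on its own instead of keeping a copy of everything that was written."""
    if spec["kind"] == "fixed":
        return bytes([spec["value"]]) * n
    data = random.Random(f"{spec['seed']}:{index}").randbytes(n)  # str seed is deterministic
    return bytes(b ^ 0xFF for b in data) if spec["invert"] else data


def _write_pass(path, spec):
    """Write one full pass over every addressable byte and force it to the media."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for idx, off, n in _chunks(size):
            fh.seek(off)
            fh.write(_pattern(spec, idx, n))
        fh.flush()
        os.fsync(fh.fileno())  # a pass that only reached the page cache sanitizes nothing
    return size


def clear_overwrite(path, value=0x00):
    """Clear: a single pass of a fixed value (all zeros by default). Returns the spec to verify against."""
    spec = {"kind": "fixed", "value": value}
    _write_pass(path, spec)
    return spec


def three_pass_overwrite(path):
    """Three passes: pseudorandom, the bitwise inverse of that same pattern, then a fresh
    pseudorandom pass. Only the final pass remains on the media, so only its spec is returned."""
    seed1, seed3 = secrets.randbits(64), secrets.randbits(64)
    passes = [
        {"kind": "prng", "seed": seed1, "invert": False},
        {"kind": "prng", "seed": seed1, "invert": True},
        {"kind": "prng", "seed": seed3, "invert": False},
    ]
    for spec in passes:
        _write_pass(path, spec)
    return passes[-1]


def verify(path, spec, sample=None, rng=None):
    """Read the media back and compare with the expected pattern.
    sample=None checks every chunk (full verification); sample=k checks k randomly chosen
    chunks (representative sampling). Returns (chunks_checked, sorted mismatching indexes)."""
    targets = list(_chunks(os.path.getsize(path)))
    if sample is not None:
        targets = (rng or random.SystemRandom()).sample(targets, min(sample, len(targets)))
    bad = []
    with open(path, "rb") as fh:
        for idx, off, n in targets:
            fh.seek(off)
            if fh.read(n) != _pattern(spec, idx, n):
                bad.append(idx)
    return len(targets), sorted(bad)


def make_sample_media(size=10 * BLOCK + 123):
    """Constructed sample media: a temp file filled with recognisable 'sensitive' content."""
    fd, path = tempfile.mkstemp(prefix="media-")
    with os.fdopen(fd, "wb") as fh:
        fh.write((b"SSN=123-45-6789;" * (size // 16 + 1))[:size])
    return path


def simulate_missed_chunk(path, index, live=b"SSN=123-45-6789;"):
    """Put live data back into one chunk, standing in for a location the overwrite never reached
    (a remapped sector, an HPA/DCO area, over-provisioned flash), to exercise verification."""
    size = os.path.getsize(path)
    n = min(BLOCK, size - index * BLOCK)
    with open(path, "r+b") as fh:
        fh.seek(index * BLOCK)
        fh.write((live * (n // 16 + 1))[:n])


if __name__ == "__main__":
    media = make_sample_media()
    print("clear  :", verify(media, clear_overwrite(media)))
    final = three_pass_overwrite(media)
    print("purge  :", verify(media, final))
    simulate_missed_chunk(media, 3)
    print("full   :", verify(media, final))            # always reports chunk 3
    print("sampled:", verify(media, final, sample=2))  # may or may not land on chunk 3
    os.remove(media)
```

The simulated missed chunk is the point of the exercise: full verification always reports the untouched chunk, while a small random sample may never land on it, which is why sampling is a check on the process rather than proof that every location was reached. Note also that the final pass’s pattern is regenerated from its seed at verification time, so the tool never needs to keep a copy of what it wrote, and that the `os.fsync` call matters: a pass that sits in the operating system’s write cache when the device is pulled has sanitized nothing.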
Conclusion:
Protecting data is paramount, and the recent upsurge in federal and state data privacy laws bears witness to it. Data sanitization will continue to play a central role in data security and privacy, and with the rapid growth of data-gathering devices and systems its relevance will only increase. Environmentally sustainable, cost-effective, and socially responsible ways of ensuring data sanitization will shape the field. Industries must adopt and implement prudent policies if they want to remain compliant and relevant.