Written By Abhishek Jain
Updated on Sept 02, 2021
The National Institute of Standards and Technology (NIST) publishes guidelines and standards that help organizations sanitize their storage media and safeguard sensitive data. NIST, through its Information Technology Laboratory (ITL), produced the NIST SP 800-88 guidelines for media sanitization. Today, NIST 800-88 is a widely accepted standard for destroying data on magnetic, flash-based and other storage technologies, and the most trusted and prevalent standard used by federal agencies and organizations to manage and reduce cyber security risk.
In our series of NIST articles, we have already described the NIST SP 800-88 guidelines for media sanitization, the use of the NIST standard, and the difference between the Clear, Purge and Destroy techniques. We have also covered the NIST Clear standard in depth. In this article we dive into the NIST Purge standard, which defines overwriting, block erase and cryptographic erase as logical techniques for wiping ATA hard drives and SSDs.
The Purge category uses physical or logical techniques that make recovery of the target data infeasible, even with state-of-the-art laboratory techniques. Several Purge techniques exist, and which one applies depends on the type of storage media; we discuss them in detail below. The techniques are Overwrite, Block Erase, Cryptographic Erase, and Degaussing. Overwrite, Block Erase and Cryptographic Erase use standard and dedicated commands that follow media-specific procedures to bypass the abstraction inherent in ordinary read and write commands.
Types of Purge Techniques
If encryption was enabled on the device only after the data had already been stored on it, Cryptographic Erase is not recommended. Likewise, if the key that decrypts the data is available elsewhere (for example as a backup or escrow key), that key can be used to retrieve the data, which renders Cryptographic Erase useless for purging the device.
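The two caveats above are easiest to see in a small model. The following is an added illustration, not NIST's or BitRaser's code: a toy self-encrypting drive whose media encryption key (MEK) lives only in the controller, so Cryptographic Erase (CE) is simply destruction of that key. The cipher is a SHA-256 keystream XOR chosen so the example runs with only the standard library (a real drive uses AES, but the key-destruction logic is the same); the sector size, sample record and escrow copy are constructed for the demo.

```python
"""Toy model of NIST SP 800-88 Cryptographic Erase and the two situations in
which it does not purge anything.  Added illustration only."""
import hashlib
import secrets
from typing import Optional

SECTOR = 16  # constructed: tiny sectors keep the demo readable


def keystream(key: bytes, lba: int, length: int) -> bytes:
    """Per-sector keystream: SHA-256(key || lba || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + lba.to_bytes(8, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, lba: int, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts one sector."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, lba, len(data))))


class SelfEncryptingDrive:
    """Media stores whatever the controller hands it.  The MEK exists only in
    the controller; CE destroys the key and touches nothing on the media."""

    def __init__(self, sectors: int) -> None:
        self.media = bytearray(SECTOR * sectors)
        self.mek: Optional[bytes] = None  # None = encryption not (yet) enabled

    def enable_encryption(self) -> None:
        self.mek = secrets.token_bytes(32)

    def write(self, lba: int, data: bytes) -> None:
        if len(data) != SECTOR:
            raise ValueError("write exactly one sector")
        stored = xor_crypt(self.mek, lba, data) if self.mek else data
        self.media[lba * SECTOR:(lba + 1) * SECTOR] = stored

    def cryptographic_erase(self) -> None:
        self.mek = None  # ciphertext stays on the media; only the key is gone


def lab_read(drive: SelfEncryptingDrive, lba: int,
             key: Optional[bytes] = None) -> bytes:
    """What a laboratory sees when reading the raw media, with or without a key."""
    raw = bytes(drive.media[lba * SECTOR:(lba + 1) * SECTOR])
    return xor_crypt(key, lba, raw) if key else raw


SECRET = b"PATIENT-ID:00042"  # constructed sample record, exactly one sector


def ce_purges_encrypted_data() -> bool:
    """Normal case: data written under the key is unreadable once the key is gone."""
    d = SelfEncryptingDrive(4)
    d.enable_encryption()
    d.write(0, SECRET)
    d.cryptographic_erase()
    return lab_read(d, 0) != SECRET


def escrowed_key_defeats_ce() -> bool:
    """Caveat 1: a backup/escrow copy of the MEK recovers the data after CE."""
    d = SelfEncryptingDrive(4)
    d.enable_encryption()
    escrow_copy = d.mek  # key backed up elsewhere before the drive is purged
    d.write(0, SECRET)
    d.cryptographic_erase()
    return lab_read(d, 0, escrow_copy) == SECRET


def pre_encryption_data_survives_ce() -> bool:
    """Caveat 2: data stored before encryption was enabled sits on the media in
    plaintext, so destroying a key that never covered it purges nothing."""
    d = SelfEncryptingDrive(4)
    d.write(0, SECRET)       # written while encryption was off
    d.enable_encryption()    # encryption turned on afterwards
    d.cryptographic_erase()
    return lab_read(d, 0) == SECRET


if __name__ == "__main__":
    print("CE purges encrypted data:        ", ce_purges_encrypted_data())
    print("escrowed key recovers data:      ", escrowed_key_defeats_ce())
    print("pre-encryption data survives CE: ", pre_encryption_data_survives_ce())
```

All three functions return True: the first shows CE working, the other two reproduce the paragraph's caveats. The practical takeaways for a purge procedure are to confirm that encryption was on for the whole life of the data and to destroy every escrow or backup copy of the key, not just the one in the controller.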
Overwrite, Cryptographic Erase and Degaussing, as discussed above, can be used to sanitize ATA hard drives (SATA, PATA, eSATA, etc.). Verification is required after sanitization completes, except for degaussing. If degaussing is chosen, ensure that an appropriate degausser is selected, that it is applied correctly, and that spot checks are performed periodically to confirm the process is working.
SSDs
SSDs can be sanitized using the Block Erase technique, the Cryptographic Erase technique, or both if supported. If the device supports encryption and Cryptographic Erase is used, Block Erase can optionally be applied afterwards. If Block Erase is not supported on the device, Secure Erase or the Clear procedures can be applied instead. After sanitization, the verification techniques in Section 4.7 of NIST SP 800-88 must be applied.
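The verification step that both the ATA and SSD sections require is a read-back of the media against the pattern the overwrite was supposed to leave. The following is an added example, not NIST's or BitRaser's code: it implements full verification and a reproducible sampled verification over an in-memory drive image so it runs offline. The sampling policy (first, middle and last sector plus a seeded pseudorandom 10 percent) and the 512-byte sector size are this example's assumptions, not a quotation of Section 4.7, and the residual data at LBA 40 is constructed.

```python
"""Read-back verification after an overwrite purge.  Added example; the
sampling policy is an assumption, not NIST SP 800-88 text."""
import random
from typing import Dict, List

SECTOR_SIZE = 512  # assumed sector size


def expected_image(total_len: int, pattern: bytes) -> bytes:
    """The byte stream a correct overwrite would leave: the pattern tiled
    across the whole device, continuing across sector boundaries."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    return (pattern * (total_len // len(pattern) + 1))[:total_len]


def sector(buf: bytes, lba: int) -> bytes:
    return buf[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]


def full_verify(image: bytes, pattern: bytes) -> List[int]:
    """Full verification: read every sector, return the LBAs that deviate."""
    if len(image) % SECTOR_SIZE:
        raise ValueError("image is not a whole number of sectors")
    exp = expected_image(len(image), pattern)
    return [lba for lba in range(len(image) // SECTOR_SIZE)
            if sector(image, lba) != sector(exp, lba)]


def sampled_verify(image: bytes, pattern: bytes,
                   fraction: float = 0.10, seed: int = 0) -> List[int]:
    """Representative sampling: first, middle and last sectors always, plus a
    seeded pseudorandom subset so an auditor can reproduce the exact sample."""
    if len(image) % SECTOR_SIZE:
        raise ValueError("image is not a whole number of sectors")
    exp = expected_image(len(image), pattern)
    n = len(image) // SECTOR_SIZE
    rng = random.Random(seed)
    k = max(1, int(n * fraction))
    chosen = {0, n // 2, n - 1} | set(rng.sample(range(n), k))
    return sorted(lba for lba in chosen
                  if sector(image, lba) != sector(exp, lba))


def build_image(n_sectors: int, leftovers: Dict[int, bytes]) -> bytes:
    """Constructed test media: zero-filled, with optional residual data."""
    buf = bytearray(n_sectors * SECTOR_SIZE)
    for lba, data in leftovers.items():
        buf[lba * SECTOR_SIZE:lba * SECTOR_SIZE + len(data)] = data
    return bytes(buf)


CLEAN_IMAGE = build_image(64, {})
DIRTY_IMAGE = build_image(64, {40: b"CONFIDENTIAL: merger terms"})  # constructed residue

if __name__ == "__main__":
    print("clean image, full verify:  ", full_verify(CLEAN_IMAGE, b"\x00"))
    print("dirty image, full verify:  ", full_verify(DIRTY_IMAGE, b"\x00"))
    print("dirty image, 10% sample:   ", sampled_verify(DIRTY_IMAGE, b"\x00"))
```

On a real drive the image would be read from the block device opened read-only, one sector-sized chunk at a time, and a non-empty result means the purge failed and must be repeated. A sampled run can miss residue that a full read finds (the 10 percent sample above may or may not hit LBA 40, which is why the seed is recorded), and on SSDs a read-back only covers the user-addressable LBA space; over-provisioned and remapped blocks are invisible to the host, which is one reason the SSD section relies on Block Erase and Cryptographic Erase rather than overwriting.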
Cryptographic Erase should be verified before any additional sanitization technique is applied. Degaussing must not be used as the sole purge technique for SSD media; it may, however, be used for hybrid devices that contain non-flash memory components.
Android
The process for purging Android devices depends on the device manufacturer and service provider. The 'eMMC Secure Erase' or 'Secure Trim' command may be used, or an equivalent command or method suited to the device's storage media. Some versions of Android support encryption, and such devices can also be sanitized with Cryptographic Erase. Organizations and individuals should contact the device manufacturer to confirm which purge techniques are suitable.
iPhones
All current and future generations of iPhone and iPad support Cryptographic Erase. It is assumed that encryption is always on and that all data on the device is already encrypted. To purge an iPhone, follow the steps below:
After sanitizing an iPhone or Android device, NIST 800-88 recommends navigating through the device's settings and menus to verify that sanitization completed. If any user data or settings remain after the reset, the purge is not complete.
Having covered the NIST Purge standard as defined in the NIST 800-88 media sanitization guidelines, the next step is to perform media sanitization with the right tool. Certified tools such as BitRaser Drive Eraser help ensure that data is eradicated beyond recovery using the NIST Purge standard. The tool verifies the erasure and generates tamper-proof reports and certificates for audit trails, which reduces the risk of data breaches and helps organizations meet global compliance requirements.
BitRaser is a first choice for erasing data using the NIST 800-88 Purge and Clear standards, as it was tested and approved by NIST (National Institute of Standards and Technology) and DHS (Department of Homeland Security) in October 2020. You may refer to the detailed report of the tests conducted on a hard drive and an SSD here.
NIST Purge provides a more thorough level of sanitization than NIST Clear, which is used to wipe moderately sensitive data while accepting the risk of laboratory retrieval. Purge is used for devices that held more confidential data, as it covers removal of all hidden areas, including Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs).
Devices that are properly sanitized according to the NIST guidelines do not pose a risk of data breaches or leaks. Transferring a device from one user to another, selling old devices, or disposing of IT assets leaves the media susceptible to misuse. Responsible organizations make sure every threat of data theft is eliminated before a device changes hands, and media sanitization is most effective when the NIST 800-88 guidelines are followed.
BitRaser is NIST Certified
|Supported erasure standard (passes)|
|---|
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard GOST-R-50739-95 (2 passes)|
|B. Schneier's algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization (NATO) Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 customized algorithms & more|