Media sanitization is the process of removing data from storage media (physical & logical) in a way that makes it irretrievable, even with advanced data recovery techniques. It is a crucial part of data lifecycle management and a cornerstone of secure IT asset disposition (ITAD). Media sanitization helps eliminate exposure to residual data during IT asset disposal, recycling or resale, data center decommissioning, return of leased or loaned equipment, and internal asset transfers. This helps mitigate risks of data leakage and helps meet regulatory compliance across industries with laws like HIPAA, FERPA, California’s CPRA and the EU-GDPR.
Types of Storage Media Used
In today’s enterprise environments, a wide variety of media store business-critical information. These include, but are not limited to, Hard Disk Drives (HDDs), Solid State Drives (SSDs), external drives, servers, mobile devices, memory cards, and, to a lesser extent, physical media such as paper records and printed data. This article focuses on the sanitization of digital (logical) media.
| S.No. | Media Type | Interface | Recording/Cell Technology |
|---|---|---|---|
| 1 | Magnetic Drive - HDD | ATA/SAS/Fibre Channel | Conventional Magnetic Recording (CMR) or Perpendicular Magnetic Recording (PMR); Shingled Magnetic Recording (SMR) |
| 2 | Flash Drive - SSD | ATA/NVMe (PCIe)/SAS | Single-Level Cell (SLC); Multi-Level Cell (MLC); Triple-Level Cell (TLC); Quad-Level Cell (QLC) |
| 3 | Hybrid Drive - SSHD | SATA/SAS | CMR/PMR or SMR & NAND Cache Combined |
| 4 | External Drive - HDD/SSD | USB, eSATA, Thunderbolt | Varies by underlying HDD/SSD |
| 5 | Memory Card - SD/microSD | SDIO, UFS, CFexpress | NAND Flash (May Vary) |
Each medium stores data differently, depending on the recording technology used by the drive manufacturer. For example, SMR drives store data in overlapping tracks, like shingles on a roof, to boost storage capacity. In contrast, CMR drives record data in non-overlapping magnetic tracks with space between them, so that rewriting one track doesn’t affect its neighboring track. These variations in recording technology create distinct risk vectors when media is sanitized under global standards like NIST 800-88 or IEEE 2883, which use overwriting, Block Erase (BE), Cryptographic Erase (CE), and Secure Erase (SE) methods. It is therefore crucial to apply the media sanitization technique appropriate to the data sensitivity, recording technology, and intended reuse of the media. To help organizations navigate this, publications such as DoD 5220.22-M, NIST SP 800-88, and IEEE 2883:2022 outline specific sanitization methods for different media types.
Popular Media Sanitization Methods
Below is a comparison of recommended methods for different media types, as defined by NIST SP 800-88 Rev 1, IEEE 2883:2022, and US DoD 5220.22-M.
| Media Type/Interface | NIST 800-88 Rev 1 Guidelines | IEEE 2883:2022 Standard | US DoD 5220.22-M (NISPOM) |
|---|---|---|---|
| Enterprise HDD (Internal or External). Predominantly used in server storage systems, nearline storage & NAS environments. PATA / SATA / eSATA / SCSI / SAS / USB | Clear: Overwrite all user-addressable locations. Purge: Use ATA/SCSI Sanitize commands when supported, like Overwrite EXT command (1-3 Passes), CRYPTO SCRAMBLE EXT command, SECURITY ERASE UNIT, Cryptographic Erase, Degaussing. Destroy: Shredding, Pulverization, Incineration, Disintegration. | Clear: Overwrite (1 or Multiple Passes) or use SECURITY ERASE UNIT (Normal Erase Mode), FORMAT UNIT command. Purge: Use sanitize commands where available, like Sanitize Block Erase, Sanitize Overwrite, Cryptographic Erase, SECURITY ERASE UNIT (Enhanced Erase Mode). Destruct: Disintegration, Incineration & Melting. | Clear: Overwrite all addressable locations with a single character. Sanitize: Degauss with Type I/II/III degausser. |
| SSD. Default storage drives in most laptops, MacBooks, desktops, and in some special requirement servers. NVMe (PCIe) / SATA / M.2 / U.2 (Flash Memory NAND) | Clear: Overwrite using one or multiple passes with fixed or complex values. Purge: NVM Express Format command like User Data Erase command, Cryptographic Erase. Destroy: Shredding, Pulverization, Incineration, Disintegration. | Clear: For ATA SSD, use the above commands. For NVMe, clear the entire NVM subsystem using the Format NVM command. Purge: Cryptographic Erase, Sanitize Block Erase, Sanitize Overwrite, or other vendor-specific operations. Destruct: Disintegration, Incineration & Melting. | The DoD Clear & Sanitization matrix predates modern SSDs and does not recommend any specific sanitize commands. For flash memory, it prescribes full chip erase per manufacturer instructions, plus overwriting addressable locations. However, it refers to NIST Special Publication 800-88 guidelines that can help organizations in making effective media sanitization decisions. |
| Self-Encrypting Drive. These drives can be found in Laptops, MacBooks, & Desktops. SED over ATA / NVMe / SCSI (Hardware Encryption) | Clear: NA. Purge: Recommends using Cryptographic Erase to sanitize the MEK (Media Encryption Key). Destroy: Shredding, Pulverization, Incineration, Disintegration. | Clear: NA. Purge: Cryptographic Erase is an acceptable purge technique, except for media where encryption keys are not stored on the storage device. Destruct: Disintegration, Incineration & Melting. | No guidance about encrypted drives. |
| SSHD. These drives are predominantly used in older Laptops, Desktops & Gaming Consoles. Hybrid (Magnetic platters & Flash Memory) | Clear: Overwrite using one or multiple passes, as it is a Clear technique for both HDDs & SSDs. Purge: Using a combination of HDD & SSD techniques to sanitize both parts of the drive. Destroy: Shredding, Pulverization, Incineration, Disintegration. | Clear: Requires implementing drive-specific (ATA/SCSI/NVMe) sanitization commands. Purge: It must address all regions (platter + flash). IEEE emphasizes sanitize commands for its flash component and degauss/destroy for the magnetic part. Destruct: Disintegration, Incineration & Melting. | The manual does not mention the technique for hybrid drives; however, it refers to NIST 800-88 Guidelines for Media Sanitization. |
| Memory Cards. Used in Mobiles / Cameras / Portable devices. SD / microSD (Removable NAND Storage) | Clear: Overwrite with at least two overwrite passes; additional passes may be used. Purge: NA. Destroy: Shredding, Pulverization, Incineration, Disintegration. | Clear: Same as NIST 800-88. Purge: NA. Destruct: Disintegration, Incineration & Melting. | Clear: Overwrite all addressable locations with a single character. Sanitize: Perform a full chip erase as per the manufacturer’s data sheets, along with Clear. The DoD standard does not specify memory cards; however, it mentions Flash EPROM (FEPROM). |
| Mobile Devices. Used as iOS / Android Endpoints. iPhone/iPad (iOS), Android (Various OEMs) | Clear: Perform a factory ‘Erase All Content and Settings’ if full-disk encryption is enabled. Purge: Use vendor-supported eMMC secure erase, secure trim, or cryptographic erase. Destroy: Shredding, Pulverization, Incineration, Disintegration. | Clear: NA (Vendor Specific Support). Purge: Supports Factory Sanitize, Cryptographic Erase, eMMC commands. Destruct: Disintegration, Incineration & Melting. | It does not mention the technique for Mobile devices; however, it refers to NIST 800-88 Guidelines for Media Sanitization. |
These methodologies provide the technical foundation on which organizations can build their media sanitization policies. However, organizations must know that modern drives and newer data recording technologies are not covered by these standards. Therefore, organizations should use an automated, embedded tool that identifies the data recording technology in use and applies the appropriate media-specific sanitization method to ensure permanent data removal. In addition, the organization must also consider other mitigating factors before deciding on a media sanitization approach:
- Data Sensitivity
- Media Type
- Data Recording Technology
- Compliance Requirements
- Operational Needs
- Environmental Considerations
With this in mind, it is also important to remember that there is no one-size-fits-all strategy that can be implemented uniformly across organizations. Organizations must carefully evaluate and decide which method delivers the right balance of security, compliance, and efficiency. Purge is the recommended de facto method for all drive types that store confidential information and require complete media sanitization. Purge (crypto erase, block erase, degauss, secure erase) neutralizes hidden areas, wear leveling, and encryption
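The following added example, which is not part of the original article or of any vendor's tool, decodes the capability bits a drive reports (ATA IDENTIFY DEVICE words 59, 128 and 217; NVMe Identify Controller SANICAP, FNA and OACS) to list which of the Purge commands from the comparison table it actually advertises. The function names, preference order, fallback to Destroy and sample values are assumptions made for illustration.

```python
# Added example (not from the article). Bit positions follow the ATA ACS
# IDENTIFY DEVICE layout and the NVMe Identify Controller fields; the
# preference order and the Destroy fallback are assumptions.

def ata_purge_options(words):
    """words: {index: 16-bit value} taken from IDENTIFY DEVICE data."""
    w59, w128, w217 = (words.get(i, 0) for i in (59, 128, 217))
    if w217 == 0x0001:
        media = "SSD"                      # non-rotating media
    elif 0x0401 <= w217 <= 0xFFFE:
        media = "HDD"                      # nominal rotation rate in rpm
    else:
        media = "unknown"                  # rotation rate not reported
    options = []
    if w59 & (1 << 12):                    # Sanitize feature set supported
        if w59 & (1 << 13):
            options.append("SANITIZE CRYPTO SCRAMBLE EXT")
        if w59 & (1 << 15):
            options.append("SANITIZE BLOCK ERASE EXT")
        if w59 & (1 << 14):
            options.append("SANITIZE OVERWRITE EXT")
    if w128 & 0x01 and w128 & (1 << 5):    # security set + enhanced erase
        options.append("SECURITY ERASE UNIT (enhanced)")
    return media, options

def nvme_purge_options(sanicap, fna, oacs):
    """Fields read from NVMe Identify Controller data."""
    options = []
    if sanicap & 0x1:
        options.append("Sanitize: Crypto Erase")
    if sanicap & 0x2:
        options.append("Sanitize: Block Erase")
    if sanicap & 0x4:
        options.append("Sanitize: Overwrite")
    if oacs & 0x2:                         # Format NVM command supported
        if fna & 0x4:                      # crypto erase via Format NVM
            options.append("Format NVM: Cryptographic Erase")
        options.append("Format NVM: User Data Erase")
    return "SSD", options

def choose(media, options):
    """First advertised Purge command, else escalate (assumed policy)."""
    return options[0] if options else f"no Purge command advertised ({media}): Destroy"

# Constructed sample capability values, not read from real drives.
SAMPLE_HDD = {59: 0x5000, 128: 0x0021, 217: 7200}    # sanitize overwrite, enhanced erase
SAMPLE_SATA_SSD = {59: 0xB000, 128: 0x0021, 217: 1}  # crypto scramble, block erase
SAMPLE_OLD_HDD = {217: 5400}                         # neither feature set present
```

A drive that advertises no Purge command, like the last sample, is the case where a policy has to fall back to another method rather than assume an overwrite reached every region.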
Conclusion: Why Media Sanitization Matters
Media sanitization is not optional; it is a regulatory, contractual, and security necessity. By following guidelines from standards like NIST SP 800-88, IEEE 2883, or sector-specific publications like the United States’ Internal Revenue Service’s media sanitization guidelines, organizations can ensure data is rendered unrecoverable, regardless of whether media is being repurposed, resold, or destroyed.
BitRaser provides comprehensive media sanitization solutions capable of executing both NIST & IEEE Clear & Purge techniques across HDDs, SSDs, servers, mobile devices, and more. It delivers verifiable, tamper-proof erasure reports that help in audits, making it easier for enterprises, government agencies, and ITADs to meet compliance requirements while streamlining asset disposition workflows.