Managing data is important to modern businesses, which rely on all sorts of data in order to operate and be competitive. Data is a commodity unlike any other, and executives across industries and businesses know it. Data drives all sorts of activities, and managing the data is an important activity in itself. Data storage technology has come a long way; from huge, bulky, closet-sized drives to cloud-based storage, the journey has been quite remarkable, to arrive at a point where we can store more data on a micro SD card the size of a penny than we ever thought possible to store at all.
Data Must be Deleted, But is That It?
One of the things that organizations have to deal with as storage technology evolves is the obsolescence of their machines and devices. Rapidly progressing technology gives rise to the eventuality of having to deal with overhauling your IT systems and computers, which are data repositories in almost all organizations. The challenge is, therefore, to ensure that all the data stored in the obsolete/old devices is wiped clean before sending them out to be recycled, destroyed, or resold in secondary markets. We know that simply deleting files off of a hard drive or an SSD is not enough to ensure that all data that was ever recorded on it has been wiped well enough to make retrieving that data an unviable activity.
Introducing NIST SP 800-88
A standard for data sanitization emerged in the form of the NIST SP 800-88 Guidelines for Media Sanitization, which was published by the National Institute of Standards and Technology in 2006. It was revised in December 2014 and the latest version remains active to this day. These guidelines provide the proper steps and procedures to sanitize data from storage devices, regardless of their type, so that the data that was once stored in them is irretrievable under most circumstances, making the disposal of drives standard and secure to a large extent. These guidelines were originally developed for the use of the US government, but they are now accepted by private organizations as the best way to permanently remove data from media once they leave secure premises, although adhering to the guidelines is not compulsory.
NIST SP 800-88 is the definitive standard for data sanitization, and prescribes the different sanitization categories to wipe data clean. These categories relate to the different confidentiality levels of data that need to be destroyed. The guidelines also cover various types of storage devices, including technology that has not yet been invented. The comprehensiveness of the NIST 800-88 guidelines is critical in ensuring that organizations feel confident that when they dispose of their media, no residual data can be recovered after the media has left the control of the organization. To provide a better context regarding the scope of the guidelines, let us understand the different ways of destroying data and how NIST 800-88 provides three ways of dealing with end-of-life data: clear, purge, and destroy.
Data Destruction Methods and Their Shortfalls
Degaussing: This method is used primarily for magnetic media, such as hard drives. Degaussing is a method of demagnetizing the drives in order to wipe the data recorded on them. However, this method is becoming increasingly ineffective in erasing the data because of the increasing use of SSDs (solid state drives), which are flash based and not affected by magnetic interference.
Overwriting: Overwriting, as the name suggests, involves writing over the previously stored data. The data is overwritten with random data with no specific meaning or importance. This method is actually pretty effective, as long as all accessible areas in the drive have been overwritten, the vendor who sanitizes the drives is trustworthy and the sanitization commands have been implemented as expected.
Shredding: Shredding is physical destruction, breaking the drives into small pieces. This in theory is probably the safest way to ensure data destruction but it also falls short due to certain inherent disadvantages. First, drives have become smaller and denser, so even a small piece of the drive can retain a fair amount of data. Second, because drives are dense, they are difficult to shred, literally. The environmental cost of disposal through shredding is also huge and irresponsible.
Encryption: Encryption involves making the data indecipherable without a key. This is another effective method, but ensuring the destruction of the keys is another challenge.
How NIST 800-88 Prescribes Data Sanitization
In terms of data security, NIST 800-88 tackles the issues relating to access to residual data on the media. Once the drives leave the secure location of an organization and change hands, they become an easy target for exploitation unless NIST 800-88 guidelines have been used to sanitize the media. The guidelines provide three ways of tackling data destruction.
Clear: This method involves overwriting all user-addressable storage space using software or hardware. It provides a moderate level of protection. This includes a factory reset or standard read/write commands. Advanced, invasive methods of data recovery are required to breach a Clear operation.
Purge: Purge is a more advanced, secure method of data sanitization. Purging protects data from laboratory-type attacks using state-of-the-art techniques. This is useful in case of highly confidential data and involves overwriting, cryptographic erasure, or block erasure. Purge can be applied through dedicated device sanitization commands which NIST 800-88 compliant vendors provide.
Destroy: Destroy adds another layer to Purge. Destroy renders the media unable to store any data further. It involves physical processes such as shredding, incinerating, pulverizing, melting, etc. However, it is advisable to avoid destruction of the media because of its environmental impact, especially given that media devices can be reused after purging.
Why NIST 800-88 is Beneficial
A key advantage that organizations have when applying NIST 800-88 guidelines is the last step in the process which ensures that data has been destroyed as per the standards. This step is verification and it is a critical step in the process that helps to ensure that data sanitization has been successful and that NIST 800-88 guidelines have been followed. The verification process involves two methods:
1. Verification that sanitization has been applied to all media in question, and
2. Verification of a sample of the media to show that no data is recoverable.
This step ensures full compliance with NIST standards and therefore provides organizations the much-needed assurance that the data sanitization has been undertaken in the best possible manner.
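The Clear overwrite and the sample verification described above can be sketched as follows. This is an added example, not code from NIST or from Adonis. It assumes a temporary file of constructed records stands in for the drive, and the 4096-byte block size, zero-byte pattern and 10% sample fraction are illustrative choices. Reading back through the operating system only reaches user-addressable space, which is the scope of Clear.

```python
import os
import random
import tempfile

BLOCK = 4096  # assumed block size for this example

def make_constructed_image(blocks=256):
    """Build a temp file of constructed records standing in for a drive."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        for i in range(blocks):
            f.write((b"CONSTRUCTED-RECORD-%06d;" % i).ljust(BLOCK, b"#"))
    return path

def clear_overwrite(path, pattern=b"\x00"):
    """Clear: overwrite every addressable block with a fixed one-byte pattern."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(pattern * min(BLOCK, size - off))
        f.flush()
        os.fsync(f.fileno())  # push the writes to the medium, not just the cache
    return size

def verify_sample(path, pattern=b"\x00", fraction=0.10, seed=None):
    """Read back a pseudorandom sample of blocks; return (checked, bad_offsets)."""
    total = (os.path.getsize(path) + BLOCK - 1) // BLOCK
    count = max(1, int(total * fraction))
    chosen = sorted(random.Random(seed).sample(range(total), count))
    bad = []
    with open(path, "rb") as f:
        for idx in chosen:
            f.seek(idx * BLOCK)
            data = f.read(BLOCK)
            if data != pattern * len(data):
                bad.append(idx * BLOCK)  # block still holds non-pattern data
    return count, bad

def demo():
    path = make_constructed_image()
    try:
        before = verify_sample(path, fraction=1.0)       # every block holds data
        clear_overwrite(path)
        after = verify_sample(path, fraction=0.10, seed=1)
        with open(path, "r+b") as f:  # simulate one block the overwrite missed
            f.seek(100 * BLOCK)
            f.write(b"RESIDUAL")
        missed_full = verify_sample(path, fraction=1.0)  # full read-back finds it
        return before, after, missed_full
    finally:
        os.remove(path)
```

A 10% sample can pass while a single missed block remains, so the sample fraction should reflect how sensitive the data on the media was.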
Adonis: Data Security and Destruction Professionals Compliant with NIST 800-88
Adonis is an expert in data destruction and follows the NIST 800-88 guidelines. We are professionals experienced in handling the entire process of media sanitization and e-waste disposal right from collecting the hardware from the organization’s location to recycling or selling it to the secondary market. Adonis provides its clients with full control over the chain of custody by ensuring full traceability and transparency in the process. Adonis also removes all identifiable information from the devices, whether internal or external. We are committed to ensuring client satisfaction and peace of mind and we invite you to read this blog post which details our processes and our expertise. Reach out to Adonis for data sanitization and e-waste management needs.