Gartner—the world’s leading research and advisory company—has a big impact on terminology in the IT space.
The IDSC has refined Gartner’s definition to specify that the three primary means of data sanitization (physical destruction, cryptographic erasure, software overwrites) should include an attestation documenting results.
Gartner’s two primary analysts for the IT asset disposition industry, Rob Schafer and Christopher Dixon, along with other analysts, have tracked data sanitization’s adoption in the marketplace for several years.
Just as the market position of data sanitization has evolved, so has their definition of data sanitization.
Schafer and Dixon labeled data sanitization as climbing the “Slope of Enlightenment” in Gartner’s Hype Cycle for Endpoint Security, 2020, Hype Cycle for Data Security, 2020, and Hype Cycle for Privacy, 2020 reports (Gartner subscription required).*
In each report, the authors cite the IDSC’s definition of data sanitization; Gartner’s wording of that definition follows:
Definition: Data sanitization is the disciplined process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered.
In these reports, the analysts cite the differences between storage media types as one reason to require verification of data sanitization whenever the work is outsourced.
Under “User Advice,” the authors state, “As different media (such as magnetic HDD storage vs. semiconductor-based NAND flash memory) require different sanitization methods, ensure your IT asset disposition (ITAD) vendor provides a certificate of data destruction with a serialized inventory of the data-bearing assets sanitized. Include a clause within your ITAD contract giving you the right to audit the ITAD vendor’s data sanitization processes/standards to ensure its compliance with your security and industry standards (e.g., NIST 800-88).”
It is worth noting that an integral part of NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, the globally recognized media sanitization guidance from the U.S. National Institute of Standards and Technology, is its recommendation to verify and certify results when sanitizing data storage assets: the sanitization step alone is not evidence that the data is gone.
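The verification and certification step that the quoted Gartner advice and NIST 800-88 both call for can be shown in working code. The Python below is an added example written for this page; it is not IDSC, Gartner or NIST code, and it does not touch real hardware. It simulates a data-bearing device as an in-memory byte buffer filled with constructed pseudo-random "user data", overwrites it with a single-pass fixed pattern, reads sectors back to confirm the pattern (either every sector, or a pseudo-random sample that always includes the first and last sector, which is this example's own sampling rule), and emits a per-serial attestation record protected with an HMAC under a placeholder key so that the record itself cannot be quietly edited later. The 512-byte sector size, the serial number, the method string and the key are assumptions. A deliberately skipped sector stands in for a block the wipe tool never reached; full verification catches it, a small sample may not, which is the practical reason to treat sampled verification as a risk decision rather than a shortcut. On real devices the overwrite is issued through the device's own sanitize commands, and for NAND flash a host-side overwrite does not reach remapped or over-provisioned cells at all, which is exactly why the media-specific point in the quoted advice matters.

```python
"""Overwrite, read-back verification and attestation, simulated on an in-memory
device image. Added example for this page; not IDSC, Gartner or NIST code."""
import hashlib
import hmac
import json
import random
from datetime import datetime, timezone

SECTOR_SIZE = 512                          # assumption: 512-byte logical sectors
OVERWRITE_PATTERN = b"\x00" * SECTOR_SIZE  # assumption: single-pass fixed pattern


def make_sample_device(num_sectors: int = 2048, seed: int = 1234) -> bytearray:
    """Constructed stand-in for a data-bearing device: pseudo-random 'user data'."""
    return bytearray(random.Random(seed).randbytes(num_sectors * SECTOR_SIZE))


def overwrite(device: bytearray, skip_sectors=()) -> None:
    """Overwrite every sector in place. `skip_sectors` simulates sectors the wipe
    tool never reached (for example a remapped bad block), to exercise verification."""
    for i in range(len(device) // SECTOR_SIZE):
        if i in skip_sectors:
            continue
        device[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] = OVERWRITE_PATTERN


def verify(device: bytearray, sample_fraction: float = 1.0, seed: int = 0) -> dict:
    """Read sectors back and compare them with the overwrite pattern.
    sample_fraction=1.0 checks every sector (full verification); a smaller value
    checks a pseudo-random subset that always includes the first and last sector
    (this example's own sampling rule). Returns a result dict, never raises."""
    total = len(device) // SECTOR_SIZE
    if sample_fraction >= 1.0:
        chosen = list(range(total))
    else:
        k = max(2, int(total * sample_fraction))
        picked = set(random.Random(seed).sample(range(1, total - 1), k - 2))
        picked.update({0, total - 1})
        chosen = sorted(picked)
    failed = [i for i in chosen
              if bytes(device[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]) != OVERWRITE_PATTERN]
    return {"sectors_total": total, "sectors_checked": len(chosen),
            "failed_sectors": failed, "passed": not failed}


def _tag(body: dict, signing_key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(signing_key, canonical, hashlib.sha256).hexdigest()


def attestation_record(serial: str, method: str, verification: dict,
                       signing_key: bytes, when=None) -> dict:
    """One serialized-inventory entry: which device, which method, what the
    read-back found. The HMAC (placeholder key) makes later edits detectable."""
    record = {
        "serial": serial,
        "method": method,
        "verification": {
            "sectors_total": verification["sectors_total"],
            "sectors_checked": verification["sectors_checked"],
            "failed_sector_count": len(verification["failed_sectors"]),
        },
        "result": "PASS" if verification["passed"] else "FAIL",
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
    }
    record["hmac_sha256"] = _tag(record, signing_key)
    return record


def verify_record(record: dict, signing_key: bytes) -> bool:
    """Recompute the tag over everything except the tag itself."""
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    return hmac.compare_digest(_tag(body, signing_key), record["hmac_sha256"])


if __name__ == "__main__":
    key = b"demo-attestation-key"          # placeholder; not a real key
    clean = make_sample_device()
    overwrite(clean)
    print(json.dumps(attestation_record("SN-EXAMPLE-0001", "overwrite, single pass 0x00",
                                        verify(clean), key), indent=2))

    # One sector the tool never reached: full verification catches it, a 5 %
    # sample may not, which is why sampling is a risk decision, not a free win.
    missed = make_sample_device()
    overwrite(missed, skip_sectors={1500})
    print("full     :", verify(missed)["failed_sectors"])
    print("5% sample:", verify(missed, sample_fraction=0.05, seed=1)["failed_sectors"])
```

The record deliberately carries the failed-sector count rather than a bare pass/fail flag, so an auditor exercising the contract clause quoted above can see how much of the device was actually checked and what was found, not just the vendor's conclusion.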
According to Gartner’s website, “Gartner Hype Cycle methodology gives you a view of how a technology or application will evolve over time, providing a sound source of insight to manage its deployment within the context of your specific business goals.” This evolution goes through five Hype Cycle phases covering a technology’s market lifecycle.
The reports define the Slope of Enlightenment phase, where data sanitization is placed, as a phase where “Focused experimentation and solid hard work by an increasingly diverse range of organizations lead to a true understanding of the technology’s applicability, risks and benefits. Commercial off-the-shelf methodologies and tools ease the development process.”
So what has caused data sanitization to progress further along the Gartner Hype Cycle?
Under “Position and Adoption Speed Justification,” Schafer and Dixon mention several factors that are affecting data sanitization’s importance in today’s data-driven environment:
“Growing concerns about data privacy and security, leakage, regulatory compliance, and the ever-expanding capacity of storage media and volume of edge computing and IoT devices are making robust data sanitization a core C-level requirement for all IT organizations.”
The section continues:
“This requirement for comprehensive data sanitization should be applied to all devices with storage components (e.g., enterprise storage and servers, PCs, mobile devices, and increasingly, edge computing and some IoT devices). Where organizations lack this robust data sanitization competency, it is often due to handling the asset life cycle stages as isolated events, with little coordination between business boundaries (such as finance, security, procurement and IT).
“For mobile devices, a remote data-wiping capability is commonly implemented via a mobile device manager (MDM). Although such a remote capability should not be considered a fail-safe mechanism, reliability should be adequate for a significant majority of lost or stolen mobile devices.”
Under “Business Impact,” Gartner states:
“At a relatively low cost, the proper use of encryption, data sanitization and, when necessary, destruction will help minimize the risk that proprietary and regulated data will leak.
“By limiting data sanitization to encryption and/or software-based wiping, organizations can preserve the asset’s residual market value. The destruction of data-bearing devices within an IT asset typically reduces the asset’s residual value to salvage, incurring the cost of environmentally compliant recycling.
“The benefit rating is moderate, because data sanitization has become an increasingly accepted process to minimize the material business risk of data security. Although data sanitization will not necessarily result in increased revenue or cost savings, it will minimize the risk of significant monetary and brand damage that can result from serious ITAD-related data breaches.”
For all data sanitization methods, however, attestation and accountability are critical components in ensuring data security concerns are addressed adequately: a wipe that nobody verified and nobody can prove is, for audit purposes, a wipe that did not happen.
* Gartner, Hype Cycle for Privacy, 2020, Bernard Woo, Bart Willemsen, 23 July 2020; Hype Cycle for Data Security, 2020, Brian Lowans, 24 July 2020; Hype Cycle for Endpoint Security, 2020, Dionisio Zumerle, Rob Smith, 15 July 2020 (Gartner subscriptions required).
There are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure. Learn the pros and cons of each—as well as what commonly used methods may leave data behind—by visiting our Data Sanitization Terminology and Definitions page.