A lot of IT security folks are very conversant with data security, records management and even data retention policies. They are also aware that many compliance regimes, including PCI, HIPAA, and ISO 27001, call for deleting data after it is no longer needed. But such regulations and guidelines don’t call for specific methods of protecting data throughout its lifecycle. Language in PCI DSS, for instance, suggests that after an organization gets rid of data (specifically credit card data), it no longer has to protect it!
Look at the data sanitization language used across various standards, regulations and guidelines and you’ll see the term “data sanitization” defined in many ways. How do you determine the difference between data wiping, erasing, clearing, purging and data destruction? NIST SP 800-88 Rev. 1 is generally considered the US standard for media sanitization, but it focuses on protecting the media on which data is stored, not on protecting the data itself.
The International Data Sanitization Consortium was formed to clear the air on taxonomy and best practices for data sanitization. So, let’s start with a definition of data sanitization. The term is used by Gartner in three different Hype Cycles (Data Security, Privacy and Storage Technology). Gartner, like NIST, recognizes three ways to destroy data: physical destruction of the media on which it’s written, encryption and overwriting. The two steps that must be added to these methods are verification and attestation. Without these two additional steps, organizations cannot provide an audit trail and would have a hard time proving the absence of the data in a regulatory action or lawsuit.
Physical destruction means either degaussing with magnetic fields or chopping up the storage media into fine enough pieces to make reconstruction nearly impossible. Some organizations, usually military or intelligence, do both—degauss on premises, then ship to a shredding facility. There are great stories of other methods. Drilling through a hard drive certainly makes it hard for the casual user to read data off the platters, but it’s not a complete method. Incinerating is good, if somewhat harmful to the immediate environment. One industry veteran reports seeing a large BBQ grill pulled from a truck in an office parking lot and loose hard drives brought out for a basting.
The problem with physical destruction is that the storage media is rendered useless. Many hard drives still have useful life. Destroying them means destroying any residual value they may have.
Even with physical destruction, an organization must ensure that proper records are kept throughout the chain of custody. Having a policy without controls that can be tested and verified is not enough. Serial numbers must be tracked and photographs taken. These records should be signed off and kept for audit.
There is a belief that an encrypted drive is easy to handle. Remove the keys and the data is safe. True, but is the encryption key really erased? How was that done? Was it overwritten with a new key? Are there copies of the keys in a key server somewhere? How about in memory?
Data sanitization via cryptographic erasure (Crypto Erase) must have three steps:
- Find and securely overwrite all keys.
- Verify that all the data is indeed encrypted.
- Create a tamper-proof report that includes the media identifiers, date/time, etc.
And then there’s secure data erasure: overwriting target data with a series of passes to prevent forensic recovery, testing to ensure complete overwrite and creating a tamper-proof report.
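The verify and attest steps that both Crypto Erase and secure erasure share, as an added example that is not from the original post or any named product: it overwrites a regular file standing in for a storage device (a real tool would open the device node instead), reads every byte back to confirm the final pass landed, then emits a report whose HMAC tag exposes any later edit. The function names, the sample content and the attestation key are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile
from datetime import datetime, timezone

def overwrite_and_verify(path, passes=(b"\x00", b"\xff", None), chunk=1 << 16):
    # One full overwrite per pass (None = random data); then read everything
    # back and confirm it matches what the final pass wrote.
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            written = hashlib.sha256()  # digest of the final pass only
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                buf = os.urandom(n) if pattern is None else pattern * n
                f.write(buf)
                written.update(buf)
            f.flush()
            os.fsync(f.fileno())  # push past the OS cache before reading back
        f.seek(0)
        readback = hashlib.sha256()
        for buf in iter(lambda: f.read(chunk), b""):
            readback.update(buf)
    return readback.hexdigest() == written.hexdigest(), written.hexdigest()

def _canonical(report):
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()

def build_report(media_id, size, pass_count, verified, digest, key):
    # Attestation record plus an HMAC tag so any later edit is detectable.
    report = {"media_id": media_id, "bytes": size, "passes": pass_count,
              "verified": verified, "final_pass_sha256": digest,
              "timestamp": datetime.now(timezone.utc).isoformat()}
    return report, hmac.new(key, _canonical(report), "sha256").hexdigest()

def check_report(report, tag, key):
    expected = hmac.new(key, _canonical(report), "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)

def demo(key=b"constructed-attestation-key"):
    # Constructed sample: a file of fake card numbers standing in for media.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"4111 1111 1111 1111\n" * 5000)
    ok, digest = overwrite_and_verify(path)
    with open(path, "rb") as f:
        residue = b"4111 1111 1111 1111" in f.read()
    report, tag = build_report("SN-CONSTRUCTED-0001", os.path.getsize(path), 3, ok, digest, key)
    os.remove(path)
    return {"verified": ok, "residue": residue, "report": report, "tag": tag}
```

The key used to tag the report must live outside the erasure workstation (an HSM or a signing service), otherwise whoever can edit the report can also re-tag it.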
So here’s our working definition of data sanitization:
Data sanitization is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will never be recovered.
There are 22 (and counting) different data erasure “standards” that specify anywhere from 3 to 35 passes of overwriting with 1s, 0s or random data. Each organization must decide how thorough it needs to be to satisfy whatever compliance regime it is working under and choose a corresponding number of passes.
To bring clarity to an industry, especially one that is maturing rapidly, good definitions are the best place to start.
How does your organization define data sanitization?