Trends in Data Destruction

Advances in technology and the emergence of new data storage devices have made data destruction a more complex problem, with new aspects to consider. This post summarizes the current trends in data destruction.

The Emergence of New Data Storage Devices

Flash memory-based storage devices with high capacity, small size, and fast access are now commonplace, and their physical properties differ from those of traditional magnetic hard drives. Magnetic drives themselves have changed too: they have higher capacity and higher recording density than earlier generations. Flash-based storage comes in many forms (USB flash drives, external SSDs, memory cards) and is built into laptops, tablets, and smartphones. In addition, large amounts of data now live in cloud systems, where individual data sets sometimes need to be wiped while the underlying infrastructure stays in service. Data destruction processes need to be adapted to these newer storage models.

New Media Sanitization Standard

As storage devices diversify and technology advances, no single media sanitization method can serve as the standard for all media. In the United States, DoD 5220.22-M, long cited as the standard for disk-wiping algorithms, is no longer recognized as such. NIST SP 800-88 Rev. 1, "Guidelines for Media Sanitization", has taken its place. It defines three categories of media sanitization (clear, purge, and destroy) and gives minimum requirements and guidelines for each category and each type of storage device. Every organization should use it as the basis for its own media sanitization policies and procedures.

One-Pass Overwrite Is Sufficient

For current magnetic hard drives, the Gutmann method (35-pass overwrite) and the DoD method (3- or 7-pass overwrite), long treated as de facto international standards, are no longer needed: studies show that a single overwrite pass is sufficient, and NIST SP 800-88 likewise accepts one pass of a fixed pattern for clearing magnetic media. With today's much higher recording densities, the chance of recovering the original data with a magnetic force microscope after an overwrite has diminished, and there are no reported cases of overwritten data being recovered this way. Nevertheless, many organizations still follow the old multi-pass standards, more as a traditional ritual than as a justified control; for modern drives it is overkill.

Data Destruction Using Dedicated Sanitize Commands

Flash memory-based devices such as SSDs provide dedicated sanitize commands (the ATA SECURITY ERASE UNIT and SANITIZE commands, or their NVMe equivalents) that erase the whole device far faster than overwriting does on a magnetic drive. Overwriting a flash device also consumes program/erase cycles and so shortens its lifespan. More importantly, the physical storage (the flash cells) and the logical storage that software can address are distinct: wear levelling, over-provisioning, and bad-block remapping mean that overwriting a logical address may leave the old data intact in a physical location the host can no longer reach. The user needs to know which commands each device supports and to confirm that the chosen command covers every storage area of the device.
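
The check a practitioner wants before issuing one of those commands is whether the drive will actually accept it. The following is an added example, not Secudrive code or anything from NIST: it parses the "Security:" and "Commands/features:" sections of `hdparm -I` output for a SATA drive and returns the dedicated-command path to use, in order of preference SANITIZE BLOCK ERASE, SANITIZE CRYPTO SCRAMBLE, enhanced SECURITY ERASE UNIT, then normal SECURITY ERASE UNIT, or the reason nothing can be issued yet (the BIOS-frozen state that stops most first attempts, or a locked drive). The hdparm option names are real (the `--sanitize-*` options need hdparm 9.45 or later); the two sample outputs are constructed, device names are placeholders, and the code only returns the commands to type, it never runs them. NVMe drives use `nvme-cli` instead and are not handled here. It also serves as the example for the "Dedicated Sanitize Commands" item in the NIST summary further down this page.

```python
"""Plan a NIST SP 800-88 Purge of a SATA drive from `hdparm -I` output (added example)."""

# Constructed sample: BIOS-frozen SATA SSD supporting SANITIZE and enhanced erase.
# Real hdparm output uses tabs; the parser is whitespace-insensitive, so spaces are fine.
SAMPLE_FROZEN_SSD = """\
Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Security Mode feature set
           *    SANITIZE feature set
           *    BLOCK_ERASE_EXT command
           *    CRYPTO_SCRAMBLE_EXT command
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

# Constructed sample: older SATA HDD, no SANITIZE feature set, not frozen.
SAMPLE_HDD = """\
Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Security Mode feature set
           *    48-bit Address feature set
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        200min for SECURITY ERASE UNIT. 200min for ENHANCED SECURITY ERASE UNIT.
"""

FEATURE_FLAGS = {
    "SANITIZE feature set": "sanitize",
    "BLOCK_ERASE_EXT command": "block_erase",
    "CRYPTO_SCRAMBLE_EXT command": "crypto_scramble",
    "OVERWRITE_EXT command": "overwrite_ext",
}

def parse_hdparm_identify(text):
    """Return a capability dict from `hdparm -I` text; lines it does not know are ignored."""
    caps = {"security": False, "enabled": False, "locked": False, "frozen": False,
            "enhanced_erase": False, "sanitize": False, "block_erase": False,
            "crypto_scramble": False, "overwrite_ext": False}
    section = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():          # top-level header line
            section = {"Commands/features:": "features", "Security:": "security"}.get(raw.strip())
            continue
        line = raw.strip()
        if section == "features":
            # hdparm marks enabled features with '*'; an entry without it is supported but off
            if line.startswith("*"):
                flag = FEATURE_FLAGS.get(line.lstrip("*").strip())
                if flag:
                    caps[flag] = True
        elif section == "security":
            negated = line.startswith("not")     # hdparm prints "not<tab>frozen" etc.
            word = line[3:].strip() if negated else line
            if word == "supported":
                caps["security"] = not negated
            elif word in ("enabled", "locked", "frozen"):
                caps[word] = not negated
            elif word == "supported: enhanced erase":
                caps["enhanced_erase"] = not negated
    return caps

def sanitize_plan(caps, dev="/dev/sdX"):
    """Return (commands, warning). Empty commands means the drive is not ready for any of them."""
    if not caps["security"] and not caps["sanitize"]:
        return [], "device reports neither Security Mode nor SANITIZE: overwrite (Clear) or destroy instead"
    if caps["frozen"]:
        return [], ("security state is FROZEN (usually set by the BIOS at boot); "
                    "suspend/resume the host or hot-plug the drive, then re-run hdparm -I")
    if caps["locked"]:
        return [], "drive is LOCKED; unlock it with its user or master password first"
    y = "--yes-i-know-what-i-am-doing"          # hdparm requires this for --sanitize-* operations
    if caps["sanitize"] and caps["block_erase"]:    # preferred: erases every block, no key questions
        return [f"hdparm {y} --sanitize-block-erase {dev}", f"hdparm --sanitize-status {dev}"], None
    if caps["sanitize"] and caps["crypto_scramble"]:  # cryptographic erase: the CE caveats apply
        return [f"hdparm {y} --sanitize-crypto-scramble {dev}", f"hdparm --sanitize-status {dev}"], None
    # SECURITY ERASE UNIT needs a (throwaway) user password set first; NULL is hdparm's empty password.
    # Only the enhanced form is defined to cover sectors that were reallocated out of use.
    erase = "--security-erase-enhanced" if caps["enhanced_erase"] else "--security-erase"
    warning = None if caps["enhanced_erase"] else "normal erase only: reallocated sectors may not be covered"
    return [f"hdparm --user-master u --security-set-pass NULL {dev}",
            f"hdparm --user-master u {erase} NULL {dev}"], warning

if __name__ == "__main__":
    for name, sample in (("frozen SSD", SAMPLE_FROZEN_SSD), ("HDD", SAMPLE_HDD)):
        cmds, warning = sanitize_plan(parse_hdparm_identify(sample), "/dev/sdb")
        print(name, "->", cmds or "(nothing to run)", "|", warning)
```

On a live system, feed it `subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True).stdout` and re-run `hdparm -I` after the command finishes: the Security section should again read "not enabled", and `--sanitize-status` should report the operation complete before the drive is verified or released.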

Cryptographic Erase (CE) Method

CE relies on the data having been encrypted as it was written; sanitizing the media then consists of destroying the encryption key, which leaves only unrecoverable ciphertext behind. This takes seconds rather than hours, and CE is also a good way to sanitize a subset of data in a cloud system, where the physical media are shared. However, CE is only as good as its preconditions: all of the data must actually have been encrypted (data written before encryption was enabled is untouched), and every copy of the key, including wrapped or escrowed copies, must be destroyed. NIST SP 800-88 recommends weighing the following before relying on CE: 1) whether the encryption keys were generated properly, 2) whether the encryption used to protect the data on the media is strong enough, and 3) whether the security level of the key and the key-wrapping technique are appropriate. In a nutshell, CE is very efficient when used correctly, but it is hard to verify after the fact that it worked: the media reads back as random-looking data either way.

Limitations of Degaussing

A degausser cannot wipe every kind of storage device. Flash memory-based devices gain nothing from degaussing because their data is not stored magnetically and is unaffected by a magnetic field. Some recent magnetic hard drives also have higher coercivity than older ones, so a degausser rated for the older drives may not fully erase them; data managers should confirm that their existing degausser is rated for the specific drives they intend to erase.

Physical Destruction

The higher the density of a flash memory chip, the more data each fragment holds, so the chip must be shredded into particles much smaller than were needed for older media before recovery becomes infeasible. In addition, flash chips are very hard and can damage the shredder, forcing replacement of parts or of the whole machine. Finally, physical destruction can release harmful substances that must be handled carefully. Overall, the cost of physical destruction has been rising.

The Importance of Software Wiping

NIST SP 800-88 recommends selecting an erasure method from three categories (clear, purge, and destroy) according to the confidentiality of the data and whether the device will be reused or will leave the organization's control. As a result, organizations need to be able to apply several erasure methods selectively, including software wiping, degaussing, and physical destruction.

Organizations should have clearly defined software-wiping policies and procedures. For maximum security and convenience, storage devices should be software-wiped before reuse, and also before they are handed over for complete disposal. Outsourcing the entire destruction process increases the likelihood of leakage, because the device passes through several hands before the data is actually erased. Software wiping, which is cheaper than degaussing or physical destruction, is therefore an essential capability within an organization.

Secudrive Drive Eraser

Secudrive Drive Eraser provides suitable sanitization and verification methods for a variety of media: ATA sanitize commands for SSDs as well as overwriting for magnetic disks. A hexadecimal view shows the data before and after wiping for verification. After the wipe, logs of the computer, the storage media, and the wiping details are generated automatically and can be output as tamper-resistant reports in various file formats for easy integration with the organization's IT asset management system.


NIST SP 800-88 Summarized

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, can be summarized under four headings: 1) the purpose and scope of the document, 2) new trends in storage media and sanitization technology and the issues they raise, 3) the three types of media sanitization, and 4) information sanitization and disposal decision making. This post omits the roles and responsibilities for media sanitization within an organization, which are covered in Chapter 3 of the document. It is a brief summary meant to give a general understanding; read the full guidelines if you want to understand the subject thoroughly.

What is NIST SP 800-88?

NIST (the National Institute of Standards and Technology) released Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization, in December 2014 as a revision of the original 2006 edition. The guideline has become the reference for media sanitization in public and private organizations, in the US and elsewhere. It is also referred to as 'NIST SP 800-88' or 'NIST 800-88'.

The objectives of the document: Guidelines, not a standard

Whereas the 'DoD wipe standard' prescribes one method for wiping hard disk drives, NIST 800-88 is a set of guidelines for organizations. It covers media from paper to servers and sanitization methods from overwriting to shredding. The document states that its objective is "to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information."

New Trends of Media Sanitization

Paper can be sanitized by shredding. Sanitizing electronic storage media is more complex, and emerging storage media in particular call for new technical methods.

1) The emergence of flash memory-based storage media: With flash-based media, which now offer higher capacity than conventional magnetic storage, an overwrite issued through the normal read/write interface is not sufficient for sanitization, because the device may keep old copies of data in areas the host cannot address. Thus the old DoD standard is no longer valid for all media, and this is one of the main reasons media sanitization has become more complex.

2) Dedicated Sanitize Commands: Flash memory-based media should be sanitized with the device's dedicated sanitize commands. Use the correct commands for your particular media; consult the vendor to find out which ones the device supports.

3) The threat to degaussing: New magnetic storage may have higher coercivity as a result of technological advances, so existing degaussers may not be adequate for it. Check with your degausser and storage media vendors to confirm that your current process still works.

4) The threat to physical destruction: The higher the density of flash memory, the smaller the particles it must be shredded into for destruction to be effective. The increased hardness of the media may also damage the grinder.

5) Cryptographic Erase (CE): New media often support CE, a very efficient way to prevent data recovery: it sanitizes only the encryption key and leaves the encrypted data in place on the media. Its disadvantage is that the sanitization is difficult to verify, so it must be applied carefully.
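
Why CE is "difficult to verify" is easier to see on a drive you can open up. The following is an added example, written for this page and not taken from Secudrive or NIST; it covers item 5 here and the Cryptographic Erase section of the first post above. It simulates a self-encrypting drive that holds a media encryption key (MEK) plus a password-wrapped copy, encrypts each sector with a per-LBA keystream, and then performs CE by destroying both key copies. The keystream is HMAC-SHA256 in counter mode and the wrap is a plain XOR against a PBKDF2-derived key; both are demo stand-ins for the AES-XTS and key-wrap algorithms a real drive uses, and they exist only so the example runs offline. Sector contents and the password are constructed. The point it demonstrates is the two preconditions from the text: a sector written before encryption was enabled is still plaintext after CE, and verification has to be done on the key lifecycle and coverage, not by reading the media, because ciphertext looks the same with or without the key.

```python
"""Cryptographic Erase on a simulated self-encrypting drive (added example)."""
import hashlib
import hmac
import os

SECTOR = 512

class SimulatedSED:
    def __init__(self, sectors=8):
        # Per LBA: (bytes physically on the flash, was_encrypted); None = never written
        self.media = [(bytes(SECTOR), None)] * sectors
        self.mek = None            # media encryption key held by the controller
        self.wrapped_mek = None    # copy of the MEK wrapped under the user's KEK
        self.encrypting = False

    @staticmethod
    def _keystream(key, lba):
        """Counter-mode PRF keystream for one sector (stand-in for AES-XTS)."""
        out = b""
        for ctr in range(SECTOR // 32):
            out += hmac.new(key, lba.to_bytes(8, "big") + ctr.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        return out

    def enable_encryption(self, password):
        """Generate the MEK from the OS CSPRNG and keep only a wrapped copy outside the controller."""
        self.mek = os.urandom(32)                                     # NIST: proper key generation
        kek = hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 100_000)
        self.wrapped_mek = bytes(a ^ b for a, b in zip(self.mek, kek))  # demo wrap, not a real KW
        self.encrypting = True

    def write(self, lba, data):
        if len(data) != SECTOR:
            raise ValueError("whole sectors only")
        if self.encrypting:
            data = bytes(a ^ b for a, b in zip(data, self._keystream(self.mek, lba)))
        self.media[lba] = (data, self.encrypting)

    def read(self, lba):
        """What the host sees: decrypted while the key exists, raw media contents otherwise."""
        data, enc = self.media[lba]
        if enc and self.mek is not None:
            data = bytes(a ^ b for a, b in zip(data, self._keystream(self.mek, lba)))
        return data

    def raw(self, lba):
        """What a lab reading the flash directly would see."""
        return self.media[lba][0]

    def crypto_erase(self):
        """CE: destroy the MEK and every wrapped copy; the ciphertext stays where it is."""
        self.mek = None
        self.wrapped_mek = None
        self.encrypting = False

def verify_crypto_erase(drive):
    """Return a list of reasons CE cannot be trusted on this drive (empty = acceptable).
    Media contents are deliberately not inspected: random-looking bytes prove nothing."""
    problems = []
    if drive.mek is not None or drive.wrapped_mek is not None:
        problems.append("a copy of the MEK still exists")
    in_clear = [lba for lba, (_, enc) in enumerate(drive.media) if enc is False]
    if in_clear:
        problems.append(f"sectors written in the clear, never covered by CE: {in_clear}")
    return problems

if __name__ == "__main__":
    d = SimulatedSED(4)
    d.write(0, b"record written before encryption was enabled".ljust(SECTOR, b"\0"))  # constructed
    d.enable_encryption(b"correct horse battery staple")                               # constructed
    d.write(1, b"record written after encryption was enabled".ljust(SECTOR, b"\0"))
    d.crypto_erase()
    print("LBA 0 after CE:", d.read(0)[:44])          # still readable: CE never covered it
    print("LBA 1 after CE:", d.read(1)[:8].hex(), "...")  # ciphertext without a key
    print("verification:", verify_crypto_erase(d))
```

The same two checks map onto a real device: confirm from the vendor's documentation (or the statement of volatility) that encryption was active for the drive's whole life, and confirm that the CE command regenerates the MEK rather than merely discarding the user's unlock credential, since a wrapped copy of the old key left in a backup or escrow undoes the erase.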

Three categories of Media Sanitization

This document defines three categories of media sanitization:

1) Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).

2) Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.

3) Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

Appendix A, Minimum Sanitization Recommendations, lists the acceptable methods for each media type. For most magnetic and flash memory-based devices, 'clear' is accomplished by overwriting with software, 'purge' by the device's dedicated sanitize commands, cryptographic erase, or (for magnetic media only) degaussing, and 'destroy' by physical destruction.

Information Sanitization and Disposal Decision Making

The document offers suggestions on how to choose among the above categories when sanitizing and disposing of media (see the flow chart below).

Figure: Sanitization and Disposition Decision Flow (Source: NIST SP 800-88, p. 17)

1) Information decisions in the system life cycle: Plan how data will be sanitized at the start of system development, since the sanitization method depends on the type of storage device. The document recommends that organizations request a 'statement of volatility' for the device from the product vendor.

2) Determination of security categorization: Early in the system life cycle, determine the confidentiality level of the information according to FIPS 199, NIST SP 800-60 Rev. 1, or CNSSI 1253. Review and update the categorization throughout the system's life, at least every three years and whenever a significant change occurs in the system.

3) Determination of reuse of media: The sanitization method may differ depending on whether the media will be reused or recycled.

4) Determination of control of media: The method also depends on whether the media stays within the organization's control or is donated, resold, or disposed of externally.

5) Data protection level: Even within an organization, if two departments have different access rights to the information, you may need to sanitize a device that stored the information when it moves from one department to the other.

6) Verification: Verify that the sanitization was completed properly, either by full verification or by checking a representative sample. Choose the verification method according to the sanitization technique used and the type of media; Appendix A lists verification methods for some media.

7) Documentation: Record detailed information about the sanitized media, the sanitization method, the verification method, and the personnel involved, and retain it.
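
Steps 6 and 7, together with the one-pass overwrite point from the first post, fit in one small tool. The following is an added example written for this page, not Secudrive's product or anything from NIST: a regular file stands in for the device (point `path` at a block device only deliberately), `overwrite_once` makes a single pass of a fixed pattern and fsyncs it, `verify_overwrite` reads back either every block or a random representative sample, and `sanitization_record` emits a certificate-style record with an HMAC over its canonical form so that any later edit to the stored documentation is detectable. The media identifier, operator, and signing key are sample values. The demo also shows the limit of sampling: a block the overwrite never reached is always caught by full verification but only sometimes by a sample.

```python
"""One-pass overwrite (Clear), verification, and a signed sanitization record (added example)."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time

BLOCK = 4096

def make_image(nbytes):
    """Constructed sample 'device': a temp file of random bytes. Returns its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(nbytes))
    return path

def _pattern_stream(pattern):
    return pattern * (BLOCK // len(pattern) + 2)      # long enough for any slice taken below

def overwrite_once(path, pattern=b"\x00"):
    """One pass of `pattern` over every byte, then fsync so it is on the media, not in cache."""
    size = os.path.getsize(path)
    stream = _pattern_stream(pattern)
    with open(path, "r+b") as f:
        off = 0
        while off < size:
            n = min(BLOCK, size - off)
            start = off % len(pattern)                  # keep the pattern phase across chunks
            f.write(stream[start:start + n])
            off += n
        f.flush()
        os.fsync(f.fileno())
    return size

def verify_overwrite(path, pattern=b"\x00", sample_fraction=1.0, rng=None):
    """Read back and compare. 1.0 checks every block; less checks a random representative sample."""
    size = os.path.getsize(path)
    nblocks = (size + BLOCK - 1) // BLOCK
    if sample_fraction >= 1.0 or nblocks == 0:
        blocks = list(range(nblocks))
    else:
        rng = rng or secrets.SystemRandom()
        blocks = sorted(rng.sample(range(nblocks), max(1, int(nblocks * sample_fraction))))
    stream = _pattern_stream(pattern)
    bad = []
    with open(path, "rb") as f:
        for b in blocks:
            off = b * BLOCK
            f.seek(off)
            data = f.read(BLOCK)
            start = off % len(pattern)
            if data != stream[start:start + len(data)]:
                bad.append(b)
    return {"blocks_total": nblocks, "blocks_checked": len(blocks), "bad_blocks": bad}

def _canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sanitization_record(media_id, method, verification, operator, key):
    """Certificate-of-sanitization style record plus an HMAC over its canonical JSON form."""
    rec = {"media": media_id, "method": method, "verification": verification,
           "operator": operator,
           "completed_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    return {"record": rec, "hmac_sha256": hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()}

def record_intact(signed, key):
    """True only if the record has not been altered since it was signed."""
    expected = hmac.new(key, _canonical(signed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac_sha256"])

if __name__ == "__main__":
    path = make_image(64 * 1024 + 100)                # constructed 64 KiB + 100 B "device"
    overwrite_once(path)
    full = verify_overwrite(path)
    sample = verify_overwrite(path, sample_fraction=0.25)
    print("full:", full, "sample:", sample)
    signed = sanitization_record("SN-EXAMPLE-0001", "1-pass overwrite 0x00", full,
                                 "operator@example", b"constructed-signing-key")
    print("record intact:", record_intact(signed, b"constructed-signing-key"))
    os.remove(path)
```

The signing key belongs to whoever attests to the sanitization, not to the workstation that ran the wipe; keep it out of the asset-management export so a record cannot be re-signed after editing. Note that this overwrite is only a Clear, and only for media where the logical and physical address spaces coincide; for SSDs the dedicated sanitize commands remain the purge path.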

The appendices

The appendices are full of practical information: 1) minimum sanitization recommendations for each type of media, 2) tools and resources relating to media sanitization, 3) cryptographic erase device guidelines, 4) device-specific characteristics of interest, and 5) a sample 'certificate of sanitization' form.

Conclusion

In conclusion, the document is intended to help organizations establish policies and procedures for sanitizing media. It provides detailed minimum requirements and checklists for achieving the three types of sanitization (clear, purge, and destroy) depending on the nature of the media. Organizations should therefore use the guidelines to create media sanitization policies and procedures that satisfy the data protection regulations they are subject to. In practice, however, it is hard for general users to obtain all the relevant characteristics of every storage medium from vendors and to carry out the verification the guidelines call for.

Sanitization software can automatically select suitable wiping methods for specific media and provide automatic verification. Secudrive Drive Eraser provides suitable sanitization and verification methods for a variety of media: ATA sanitize commands for SSDs as well as overwriting for magnetic disks. The hexadecimal view shows the data before and after wiping for verification. After the wipe, logs covering the computer, the storage media, and the wiping details are generated automatically and can be output as tamper-resistant reports in various file formats for easy integration with the organization's IT asset management system. For more, see our blog post on how to use Secudrive Drive Eraser for HIPAA compliance.