Guide to Data Sanitization

Databyte Solution's guide to sanitizing your organization's (or personal) data based on NIST recommended practices

This is a ten-minute read for anyone who wants to know more about data sanitization. The information presented is based on the US National Institute of Standards and Technology publications NIST SP 800-88 (Guidelines for Media Sanitization), NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories) and FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems).

Several different methods can be used to sanitize storage media. The general flow is to 1) categorize the information to be disposed of, 2) assess the nature of the medium on which it is recorded and the risk to confidentiality if that medium leaves the organization's control, and 3) determine the appropriate method of sanitization. The selected method should then be assessed for cost, environmental impact and similar factors, and a decision made that best mitigates the risk of unauthorized disclosure of the information.

1. Classification of Information and Systems

The very first step of proper data sanitization is to classify and categorize the information, and the systems hosting that information, correctly. FIPS PUB 199 is a good starting reference. Ideally, this step is done early in the system life cycle, not at disposal time.

Security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

There are three security objectives for information and information systems: confidentiality, integrity and availability. FIPS 199 defines them (quoting 44 U.S.C., Sec. 3542) as follows:

  • Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”

    • A loss of confidentiality is the unauthorized disclosure of information.

  • Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”

    • A loss of integrity is the unauthorized modification or destruction of information.

  • Availability: “Ensuring timely and reliable access to and use of information…”

    • A loss of availability is the disruption of access to or use of information or an information system.

To categorize an information type or an information system (refer to Figure 1 below), the potential impact is assessed separately for each of the three objectives of confidentiality, integrity and availability. Information is categorized according to its information type. An information system that hosts several information types takes, for each objective, the highest impact level found among those types (the FIPS 199 “high water mark”), and the system's overall impact level is the highest of its three objectives. Note: An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.

Security Category of information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE. NOT APPLICABLE is permitted only for the confidentiality objective, for information that is already public.

Security Category of information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, or HIGH.

Examples would include the following:

  • An administrative computer used for booking meeting rooms would probably be determined as having a potential low impact on confidentiality, integrity and availability, and would usually need only a Clear (an overwrite through the drive's normal read and write interface) or, for an ATA drive, a Secure Erase before reuse.

  • At the other extreme, a server hosting an organization's Enterprise Resource Planning system is likely to be categorized as moderate or high, and its media should be Purged, or Destroyed (for example by shredding) where a Purge cannot be carried out or verified.


Figure 1: Potential Impact Definitions for Security Objectives
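The categorization rules above, carried through in code. This is an added worked example, not material from Databyte Solution or from the NIST publications; the information types, impact values and server name in the sample are constructed. It goes slightly beyond the single-type case in the text and aggregates several information types onto one system, as FIPS 199 describes: NOT APPLICABLE is accepted only for an information type's confidentiality, a system takes the high water mark per objective, and a system is never categorized below LOW.

```python
"""FIPS 199 security categorization: information types -> information system.

Added worked example (not from Databyte Solution or NIST). It encodes the
three rules the text relies on: impact values are ordered
NOT APPLICABLE < LOW < MODERATE < HIGH; NOT APPLICABLE is allowed only for
the confidentiality of an information type (public data); and a system
takes, per objective, the highest value over the information types it hosts
(the "high water mark"), with LOW as the floor for a system.
"""

IMPACT_ORDER = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _max_impact(values):
    return max(values, key=lambda v: IMPACT_ORDER[v])


def categorize_information_type(name, confidentiality, integrity, availability):
    """Security category triple for one information type (FIPS 199 section 3)."""
    sc = {
        "confidentiality": confidentiality.upper(),
        "integrity": integrity.upper(),
        "availability": availability.upper(),
    }
    for objective, value in sc.items():
        if value not in IMPACT_ORDER:
            raise ValueError(f"{name}: unknown impact value {value!r} for {objective}")
        if value == "NOT APPLICABLE" and objective != "confidentiality":
            raise ValueError(f"{name}: NOT APPLICABLE is only permitted for confidentiality")
    return sc


def categorize_information_system(info_types):
    """High-water-mark aggregation over the information types on one system.

    Returns (per-objective category, overall impact level). The overall level
    is the maximum of the three objectives; for sanitization decisions the
    confidentiality value is the one that drives the choice of method.
    """
    if not info_types:
        raise ValueError("a system must host at least one information type")
    system = {}
    for objective in OBJECTIVES:
        hwm = _max_impact(sc[objective] for sc in info_types)
        # A system always warrants at least LOW, even if it only holds public data.
        system[objective] = "LOW" if hwm == "NOT APPLICABLE" else hwm
    return system, _max_impact(system.values())


def format_security_category(label, sc):
    """Render in the notation used above: SC label = {(confidentiality, X), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


if __name__ == "__main__":
    # Constructed sample: one server hosting two information types.
    notices = categorize_information_type("public notices", "not applicable", "low", "low")
    finance = categorize_information_type("financial records", "moderate", "high", "moderate")
    system_sc, level = categorize_information_system([notices, finance])
    print(format_security_category("public notices", notices))
    print(format_security_category("financial records", finance))
    print(format_security_category("finance server", system_sc), "->", level)
```

Run as a script it prints the three SC lines; the finance server comes out as {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} with an overall level of HIGH, and it is the MODERATE confidentiality value that section 2 below uses to pick a sanitization method.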

2. Choosing the Appropriate Methods for Sanitization

There are many different types of storage media and information storage systems, and different media and equipment require different sanitization and verification methods. The selected method should be assessed as to cost, environmental impact, etc., and a decision should be made that best mitigates the risk of unauthorized disclosure of information.

Clear: overwrite the user addressable storage space on the media with non-sensitive data, using the device's standard read and write commands.

Purge: dedicated, standardized device sanitize commands that apply media-specific techniques, degaussing, or destruction.

Destroy: completely destroy the media, so that recovery of the data is infeasible even with state of the art laboratory techniques.

Clear

One way to sanitize media is to use software or hardware products to overwrite the user addressable storage space on the media with non-sensitive data, using the standard read and write commands for the device. This process should overwrite not only the logical storage location of a file (e.g., the file allocation table) but all user addressable locations. The security goal of the overwriting process is to replace Target Data with non-sensitive data. Overwriting cannot be used for media that are damaged or not rewriteable, and may not address all areas of the device where sensitive data may be retained. The media type and size may also influence whether overwriting is a suitable sanitization method. For example, flash memory-based storage devices contain spare cells and perform wear levelling, which makes it infeasible for a user to sanitize all previous data this way, because the device does not allow every area where sensitive data has been stored to be addressed directly through the native read and write interface.

The Clear operation may vary contextually for media other than dedicated storage devices, where the device (such as a basic cell phone or a piece of office equipment) only provides the ability to return the device to factory state (typically by simply deleting the file pointers) and does not directly support the ability to rewrite or apply media-specific techniques to the non-volatile storage contents. Where rewriting is not supported, manufacturer resets and procedures that do not include rewriting might be the only option to Clear the device and associated media. These still meet the definition for Clear as long as the device interface available to the user does not facilitate retrieval of the Cleared data.
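The overwrite form of Clear, as an added example rather than Databyte Solution's tooling. The script writes a fixed pattern over every user-addressable byte of a path through ordinary read/write calls and then reads it back, either completely or as a random sample of chunks, and returns the fields needed for the sanitization record. The path can be a regular file (the demo uses a temporary file filled with constructed random data as the "Target Data") or, with sufficient privilege, a block device; /dev/sdX and `blockdev --getsize64` in the comments are assumed examples. The flash caveat above still applies: this reaches only what the native interface exposes, so it is a Clear, never a Purge.

```python
"""Clear by overwrite, with read-back verification.

Added example (not Databyte Solution's tool). It writes a fixed pattern over
every user-addressable byte of `path` through the normal read/write
interface and then reads it back. `path` may be a regular file or, when run
with sufficient privilege, a block device such as /dev/sdX (an assumed
example device name). Because it only uses ordinary writes this is a Clear:
on flash media, spare cells and wear-levelled copies are not reached.
"""
import os
import random
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read


def _tiled(pattern, length):
    """`pattern` repeated to exactly `length` bytes."""
    return (pattern * (length // len(pattern) + 1))[:length]


def overwrite(path, pattern=b"\x00", size=None):
    """Overwrite `path` with `pattern`; returns the number of bytes written.

    `size` defaults to the current end of file; for a block device pass the
    device size explicitly (e.g. from `blockdev --getsize64`). The chunk is
    trimmed to a multiple of len(pattern) so the tiling stays continuous.
    """
    if not 0 < len(pattern) <= CHUNK:
        raise ValueError("pattern must be between 1 byte and CHUNK bytes long")
    chunk = CHUNK - CHUNK % len(pattern)
    with open(path, "r+b") as fh:
        if size is None:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
        fh.seek(0)
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            fh.write(_tiled(pattern, n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the OS write-back cache to the medium
    return size


def verify(path, pattern=b"\x00", size=None, sample_fraction=1.0, seed=None):
    """Read `path` back and compare with `pattern`.

    Returns (True, None) on success or (False, offset) of the first mismatching
    byte. sample_fraction < 1.0 checks that fraction of chunks chosen at random
    (always including the first and last chunk), the representative-sampling
    style of verification; 1.0 is a full read.
    """
    chunk = CHUNK - CHUNK % len(pattern)
    with open(path, "rb") as fh:
        if size is None:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
        if size == 0:
            return True, None
        nchunks = (size + chunk - 1) // chunk
        if sample_fraction >= 1.0:
            chosen = range(nchunks)
        else:
            k = max(1, int(nchunks * sample_fraction))
            picked = set(random.Random(seed).sample(range(nchunks), k))
            chosen = sorted(picked | {0, nchunks - 1})
        for idx in chosen:
            off = idx * chunk
            n = min(chunk, size - off)
            fh.seek(off)
            data = fh.read(n)
            expected = _tiled(pattern, n)
            if data != expected:
                bad = next((i for i, (a, b) in enumerate(zip(data, expected)) if a != b), len(data))
                return False, off + bad
    return True, None


def clear_and_record(path, pattern=b"\x00", size=None, sample_fraction=1.0, seed=None):
    """Run Clear, then verification, and return the fields for the sanitization record."""
    written = overwrite(path, pattern, size)
    ok, where = verify(path, pattern, size, sample_fraction, seed)
    how = "full read-back" if sample_fraction >= 1.0 else f"sampled read-back, {sample_fraction:.0%} of chunks"
    return {
        "sanitization_description": "Clear",
        "method_used": f"overwrite, single pass, pattern 0x{pattern.hex()}",
        "tool_used": "clear_overwrite.py (this example script)",
        "verification_method": how,
        "bytes_written": written,
        "verification_passed": ok,
        "first_mismatch_offset": where,
    }


def run_demo():
    """Exercise Clear and verification on a temporary file standing in for a drive.

    Returns the record for a clean run, a sampled re-verification, and the
    result after a byte is planted that the overwrite 'missed', so the
    failure path is exercised as well.
    """
    size = 3 * 1024 * 1024 + 123  # deliberately not a multiple of CHUNK
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(os.urandom(size))  # constructed sample Target Data
        record = clear_and_record(path)
        sampled = verify(path, sample_fraction=0.5, seed=7)
        with open(path, "r+b") as fh:  # simulate a sector the overwrite did not reach
            fh.seek(2_000_000)
            fh.write(b"A")
        leftover = verify(path)
    finally:
        os.remove(path)
    return record, sampled, leftover


if __name__ == "__main__":
    rec, samp, left = run_demo()
    for key, value in rec.items():
        print(f"{key}: {value}")
    print("sampled re-check:", samp)
    print("after planting a leftover byte:", left)
```

A full read-back is the stronger check and is cheap on a single drive; sampling is what makes verification tractable across a pallet of them. Either way the verification result, not the fact that the tool ran, is what belongs in the record described in section 4.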


Purge

Some methods of Purging (which vary by media and must be applied with the considerations described in NIST SP 800-88) include overwrite, block erase and Cryptographic Erase, carried out through dedicated, standardized device sanitize commands that apply media-specific techniques to bypass the abstraction inherent in typical read and write commands.

Destructive techniques also render the device Purged when effectively applied to the appropriate media type, including incineration, shredding, disintegrating, degaussing, and pulverizing. The common benefit across all these approaches is assurance that the data is infeasible to recover using state of the art laboratory techniques. However, bending, cutting, and the use of some emergency procedures (such as using a firearm to shoot a hole through a storage device) may only damage the media, as portions of the media may remain undamaged and therefore accessible using advanced laboratory techniques.

Degaussing renders a Legacy Magnetic Device Purged when the strength of the degausser is carefully matched to the media coercivity. Coercivity may be difficult to determine based only on information provided on the label. Therefore, refer to the device manufacturer for coercivity details. Degaussing should never be solely relied upon for flash memory-based storage devices or for magnetic storage devices that also contain non-volatile non-magnetic storage. Degaussing renders many types of devices unusable (and in those cases, Degaussing is also a Destruction technique).


Destroy

There are many different types, techniques, and procedures for media Destruction. While some techniques may render the Target Data infeasible to retrieve through the device interface and unable to be used for subsequent storage of data, the device is not considered Destroyed unless Target Data retrieval is infeasible using state of the art laboratory techniques.

  • Disintegrate, Pulverize, Melt, and Incinerate. These sanitization methods are designed to completely Destroy the media. They are typically carried out at an outsourced metal Destruction or licensed incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.

  • Shred. Paper shredders can be used to Destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality that the data cannot be reconstructed. To make reconstructing the data even more difficult, the shredded material can be mixed with non-sensitive material of the same type (e.g., shredded paper or shredded flexible media).

The application of Destructive techniques may be the only option when the media fails and Clear or Purge techniques cannot be effectively applied, or when verification of a Clear or Purge fails (for known or unknown reasons).


Databyte Solution offers solutions to organizations for the sanitization methods listed below:

  • Secure Erase - An overwrite command in the ATA standard (as ‘Security Erase Unit’) that leverages a firmware-based process to overwrite the media (either through an overwrite or CE, depending on manufacturer implementation)

  • Overwrite - Writing one or more patterns of data on top of the physical location of data stored on the media to prevent recovery of data

  • Cryptographic Erase (CE) - The media encryption key (MEK) for the encrypted Target Data is sanitized, making recovery of the decrypted Target Data infeasible. CE is only appropriate where all of the Target Data was stored encrypted under that key and the key itself has never been exposed

  • Degaussing - Reducing the magnetic flux to virtually zero by applying a reverse magnetizing field. Degaussing any current generation hard disk (including but not limited to IDE, EIDE, ATA, SCSI and Jaz) will render the drive permanently unusable, since these drives store track location information on the platters themselves

  • Crushing / Bending - Bending the storage medium to damage it; usually performed onsite so that witnesses can verify the physical destruction. As noted under Purge above, bending alone may leave portions of the media intact, so it should be followed by shredding or disintegration where the confidentiality of the data warrants it

  • Shredding / Disintegration - Disintegration of storage media and material into many small particles
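Cryptographic Erase, as mentioned under Purge and in the list above, in miniature. This is an added example, not Databyte Solution's or any drive vendor's code: a toy self-encrypting disk encrypts each sector under a media encryption key (MEK), CE replaces that key, and two checks follow, one through the device interface and one against the raw medium as a laboratory would read it. The drive's AES-XTS is replaced by an HMAC-SHA256 keystream in counter mode so that only the standard library is needed; the sector contents are constructed sample data. The second half of the demo shows the caveat given in the list: data written before encryption was switched on looks erased through the interface but is still sitting on the medium in the clear.

```python
"""Cryptographic Erase (CE) in miniature, with the check that decides whether CE is enough.

Added example, not Databyte Solution's or any vendor's code. A self-encrypting
drive encrypts each sector under a media encryption key (MEK) held in a key
slot; CE sanitizes that key. The ciphertext is left on the medium but can no
longer be decrypted. The drive's AES-XTS is replaced here by an HMAC-SHA256
keystream in counter mode (a stand-in so only the standard library is needed);
the sector number plays the role of the XTS tweak.
"""
import hashlib
import hmac
import secrets

SECTOR = 512


def _keystream(mek, sector_no, length):
    """Per-sector keystream: HMAC-SHA256(mek, sector || counter), counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(mek, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDisk:
    """Toy SED. `media` is what a laboratory could read straight off the cells."""

    def __init__(self, sectors):
        self.media = [bytes(SECTOR)] * sectors
        self.mek = secrets.token_bytes(32)   # key slot; real drives keep it wrapped
        self.encryption_enabled = True
        self.unencrypted_sectors = set()     # audit: sectors written while encryption was off

    def write(self, n, plaintext):
        if len(plaintext) != SECTOR:
            raise ValueError("one full sector expected")
        if self.encryption_enabled:
            self.media[n] = _xor(plaintext, _keystream(self.mek, n, SECTOR))
            self.unencrypted_sectors.discard(n)
        else:
            self.media[n] = plaintext
            self.unencrypted_sectors.add(n)

    def read(self, n):
        """What the host sees through the device interface."""
        if not self.encryption_enabled:
            return self.media[n]
        return _xor(self.media[n], _keystream(self.mek, n, SECTOR))

    def cryptographic_erase(self):
        """Purge by CE: the old MEK is discarded and a fresh one generated.

        Nothing on `media` is rewritten; every old sector now decrypts to
        noise, and the drive is immediately usable again under the new key.
        """
        self.mek = secrets.token_bytes(32)


def interface_recovers(disk, n, plaintext):
    """Host-side check: does the sector still read back as the Target Data?"""
    return disk.read(n) == plaintext


def lab_recovers(disk, fragment):
    """Forensic check: is the Target Data present in the raw medium?"""
    return any(fragment in sector for sector in disk.media)


def ce_is_sufficient(disk):
    """CE sanitizes only data that was always stored encrypted under the MEK."""
    return not disk.unencrypted_sectors


def run_demo():
    secret = b"PATIENT-RECORD-0042 ".ljust(SECTOR, b"\x00")  # constructed sample Target Data
    fragment = secret[:20]

    disk = SelfEncryptingDisk(sectors=8)
    disk.write(1, secret)
    before = interface_recovers(disk, 1, secret)
    disk.cryptographic_erase()
    results = {
        "encrypted_interface_before_ce": before,
        "encrypted_interface_after_ce": interface_recovers(disk, 1, secret),
        "encrypted_lab_after_ce": lab_recovers(disk, fragment),
        "encrypted_ce_sufficient": ce_is_sufficient(disk),
    }

    # Caveat case: the data was written before encryption was switched on.
    legacy = SelfEncryptingDisk(sectors=8)
    legacy.encryption_enabled = False
    legacy.write(2, secret)
    legacy.encryption_enabled = True
    legacy.cryptographic_erase()
    results.update({
        # The interface says the data is gone (it "decrypts" plaintext with a fresh key)...
        "legacy_interface_after_ce": interface_recovers(legacy, 2, secret),
        # ...but the bytes on the medium are the plaintext itself.
        "legacy_lab_after_ce": lab_recovers(legacy, fragment),
        "legacy_ce_sufficient": ce_is_sufficient(legacy),
    })
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the two checks is that a read through the interface is not a verification of CE on its own: it returns noise in both cases, and only the raw-medium view (or a record proving encryption was enabled before any Target Data was written) distinguishes a genuine Purge from a drive that still carries the plaintext.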

3. Selecting the Appropriate Vendors and / or Equipment

By choosing vendors that are able to work with the organization's requirements, organizations can be assured of systematic sanitization to certified standards. Experienced vendors are able to advise on details such as how sector size or a SCSI interface affects the use of overwrite or Secure Erase software and commands.

A suitable vendor would be able to provide the appropriate equipment, methodology and provide recommendations for the appropriate method(s) of sanitization of your organization's information and information systems.

Contact Databyte Solution for an obligations free chat and quotation for your organization's data sanitization needs

Equipment

For equipment whose results cannot be easily verified by inspection (e.g. a degaussed HDD looks identical to a working one), it is recommended to use products on the NSA/CSS Evaluated Products Lists, such as the list of evaluated degaussers.

Easily verifiable and visible end results such as physical destruction through shredding are usually self explanatory.

4. Proper Records Keeping

Keeping a record of every sanitization action, with the key fields that NIST SP 800-88 Rev. 1 recommends, lets an organization properly account for its sanitization and disposal activities. The recommended details for each record are:

Media Information:

  • Manufacturer / Vendor

  • Serial Number

  • Model

  • Organization / Media Property Number

  • Media Type

  • Media Source

  • Classification

  • Data Status

Sanitization Details:

  • Sanitization Description (Clear, Purge or Destroy)

  • Method Used

  • Tool Used

  • Verification Method

  • Post Sanitization Classification

  • Media Destination

5. Conclusion

Different organizations have different information and information systems that require different end-of-life sanitization solutions. It is important to understand what types of data are stored on a device in order to apply the techniques that best balance efficiency and efficacy while maintaining the confidentiality of the data.

First, classify your information according to the objectives of confidentiality, integrity and availability (this should ideally happen early in the system life cycle).

Secondly, select sanitization methods that are commensurate with the security categorization of the confidentiality of the information contained on the media. The decision is based on the confidentiality of the information, not the type of media. Once the organization has decided which level of sanitization (Clear, Purge or Destroy) fits its case, the media type determines the technique used to achieve that goal.

Thirdly, employ a reputable and certified vendor or contractor, or purchase evaluated equipment that meets the sanitization requirements.

Lastly, ensure that proper records are kept during the entire process.