Company data falls into a bunch of different categories. Businesses will want to keep around some types of data because it’s valuable to them. They will have to retain certain data for set periods to meet compliance obligations. Some types of data must be destroyed after a specific timeframe. And some data may not be worth the storage costs. The specifics will vary according to the type of data, the industry, the jurisdiction, and the regulations that a company is subject to.
The important point is that organizations need to get rid of some of their data, and they often have to do it in very specific ways to abide by regulations and ensure that the data does not get exposed. The holy text for these practices is NIST Special Publication 800-88: Guidelines for Media Sanitization.
The term media sanitization doesn’t roll off the tongue as easily as a more common term like deletion, but it’s not just jargon for the sake of jargon. We hate to be sticklers, but traditionally deletion just removes the file’s entry from the file system (the directory entry and the pointers to its blocks) without touching the data itself. The blocks may get overwritten as new data is written over time, but until that happens anyone with access to the media and an off-the-shelf undelete or file-carving tool can get the contents back.
So, if you work for a hospital and you are tasked with sanitizing old patient data, you can’t just “delete” it and throw the hard drive in the trash. Someone could find the hard drive and easily restore the data, leaving your hospital with a costly HIPAA violation on its hands for not securely destroying sensitive patient data.
What is media sanitization?
According to NIST SP 800-88, media sanitization is “A process to render access to Target Data on the media infeasible for a given level of effort.” It can be broken down into three categories:
- Clear – Clear uses logical techniques applied through the device’s normal read and write interface: overwriting every user-addressable location, or a factory-reset option where overwriting isn’t supported. (A quick format that only rewrites file-system metadata does not count, because the data blocks are left alone.) Clear protects against simple, non-invasive recovery such as undelete and file-carving tools, but not necessarily against laboratory techniques, and it cannot reach locations the host can’t address, such as reallocated sectors on a hard disk or spare and wear-levelled blocks on an SSD. So a single overwrite will stop your average Joe, but remnants may still be recoverable by someone with the right tools and know-how.
- Purge – Purging techniques can be logical or physical. The logical techniques often look like those used for clearing, with one strong caveat: they must “render Target Data recovery infeasible using state of the art laboratory techniques.” This means overwriting can count as purging, but only if it is done in such a way that the data is genuinely unrecoverable, which for modern drives usually means using the drive’s own built-in sanitize or secure-erase commands rather than host-side writes, so that spare and remapped areas are covered too. The specifics depend on the type of media, and NIST SP 800-88 has a handy table of minimum sanitization recommendations for each media type in Appendix A. Other forms of purging include degaussing (magnetic media only; a degausser does nothing to flash memory), cryptographic erase (valid only if all of the data was encrypted from the start and the key itself is sanitized) and block erase.
- Destroy – Destroying the media “renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.” In other words, not only must the data be unrecoverable, the hard drive or other media must be broken beyond repair. Examples include disintegrating, pulverizing, melting, incinerating and shredding the media. For flash media the memory chips themselves have to be broken: a shredder that leaves a chip intact has not destroyed the data on it.
Note that there is overlap between these categories. NIST lists degaussing under Purge for magnetic hard disks while pointing out that it leaves the drive unusable, so in practice it is purging and destruction at once; on an SSD it is neither, since the flash chips are not magnetic. Any method that destroys the media also meets the bar for purging, because once a hard drive has been disintegrated, data recovery is “infeasible using state of the art laboratory techniques.”
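To make the difference between ordinary deletion and a Clear-style overwrite concrete, here is an added example in Go. It is not code from the page or from NIST; the function names, the temporary file and its contents are constructed for illustration. It assumes a POSIX-like file system and a file the process can open for writing. Note what it does not do: a file-level overwrite is not sanitization of the media. It leaves journal copies, snapshots, backups, reallocated sectors and SSD-remapped blocks untouched, which is exactly why NIST applies Clear to the whole device through its standard interface.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// OverwriteInPlace rewrites every user-addressable byte of the file at path
// with random data for the given number of passes and forces each pass to the
// device with Sync. This is the "Clear" idea from NIST SP 800-88 applied to a
// single file: it defeats undelete and file-carving tools that read through
// the normal block interface, but it cannot touch copies the host never
// addresses (reallocated sectors, SSD wear-levelled blocks, journal entries,
// snapshots, backups). It is not a Purge.
func OverwriteInPlace(path string, passes int) error {
	if passes < 1 {
		passes = 1
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()

	info, err := f.Stat()
	if err != nil {
		return err
	}
	size := info.Size()
	buf := make([]byte, 64*1024)

	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for remaining := size; remaining > 0; {
			n := len(buf)
			if remaining < int64(n) {
				n = int(remaining)
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= int64(n)
		}
		// Without Sync the new bytes may sit in the page cache while the
		// original blocks are still the ones on disk.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// ClearFile overwrites first and unlinks second. Unlinking first is the
// ordinary "delete": the directory entry goes away and the blocks stay.
func ClearFile(path string, passes int) error {
	if err := OverwriteInPlace(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample: a throwaway file standing in for an old export.
	f, err := os.CreateTemp("", "patient-export-*.csv")
	if err != nil {
		panic(err)
	}
	if _, err := f.WriteString("mrn,name\n0042,Jane Doe\n"); err != nil {
		panic(err)
	}
	f.Close()

	if err := ClearFile(f.Name(), 1); err != nil {
		panic(err)
	}
	_, err = os.Stat(f.Name())
	fmt.Println("file removed after overwrite:", os.IsNotExist(err))
}
```

The order matters: overwrite, sync, then unlink. Tools that unlink first and overwrite "the free space" later are racing against the allocator and the journal, and on an SSD the drive's firmware may quietly write the new data to a different physical block anyway.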
Media sanitization in the cloud age
For cost, convenience, and a whole host of other reasons, we often like to store our data in cloud services. But before we do, we must think about its sanitization at the end of its life. The reason for this is that we don’t have access to the underlying hardware when we store data in the cloud, which limits the methods available for its disposal. If you show up at your cloud provider with a degausser, they aren’t going to let you in, no matter how noble your protestations.
To stay on the right side of the regulations, decide how you will ultimately sanitize data before you place it in the cloud. The practical option for cloud data is cryptographic erase, or crypto shredding: the data is encrypted from the moment it lands, and sanitizing it means destroying the key. That only works if the data was never stored in plaintext (including in the replicas, snapshots and backups the provider keeps), if the keys are tracked for the whole lifecycle of the data, and if every copy of the key, including key backups and exports, is destroyed when the time comes. A leftover key copy undoes the whole exercise, because the ciphertext is still out there.
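Crypto shredding as described above, as an added example in Go. This is not code from the page and not any cloud provider's implementation; `Vault`, `Put`, `Get`, `Shred`, the object id and the sample record are hypothetical. It assumes a simplified key store: a real deployment would hold the per-object data-encryption keys (DEKs) wrapped by a KMS key rather than in a map, and the "bucket" here stands in for every replica and backup the provider holds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrShredded = errors.New("no DEK for object: data has been crypto-shredded")

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Unseal reverses Seal; it fails if the key is wrong or the blob was altered.
func Unseal(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Vault models a crypto-shredding design: Keys is the store the customer controls
// (in practice DEKs wrapped by a KMS key), Bucket is storage whose replicas and
// backups the customer cannot reliably overwrite.
type Vault struct {
	Keys   map[string][]byte // object id -> 32-byte DEK
	Bucket map[string][]byte // object id -> ciphertext
}

func NewVault() *Vault {
	return &Vault{Keys: map[string][]byte{}, Bucket: map[string][]byte{}}
}

// Put encrypts under a fresh per-object DEK before anything reaches the
// bucket; data ever stored in plaintext cannot be crypto-erased afterwards.
func (v *Vault) Put(id string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := Seal(dek, plaintext)
	if err != nil {
		return err
	}
	v.Keys[id], v.Bucket[id] = dek, ct
	return nil
}

func (v *Vault) Get(id string) ([]byte, error) {
	dek, ok := v.Keys[id]
	if !ok {
		return nil, ErrShredded
	}
	return Unseal(dek, v.Bucket[id])
}

// Shred is the sanitization step: destroy the key, leave the ciphertext. Zeroing
// is best effort; the guarantee is that no key store, export or backup holds the
// DEK any more, because any surviving copy still opens every replica via Unseal.
func (v *Vault) Shred(id string) {
	if dek, ok := v.Keys[id]; ok {
		for i := range dek {
			dek[i] = 0
		}
		delete(v.Keys, id)
	}
}

func main() {
	v := NewVault()
	v.Put("patient-0042", []byte("MRN 0042, discharge summary")) // constructed sample
	v.Shred("patient-0042")
	_, err := v.Get("patient-0042")
	fmt.Println("after shred:", err)
}
```

Shred leaves the ciphertext exactly where it was; that is the point, since you cannot overwrite the provider's replicas. Any copy of the DEK made before the shred (a key export, a backup of the key store, a DEK cached in an application) decrypts the replica just as well afterwards, which is why key copies have to be inventoried and destroyed along with the original.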