When organizations choose to invest in software to protect sensitive data, it’s important to know that it will not only be the best fit for the task at hand but will also satisfy any regulations your business must comply with. Beyond that, it’s reassuring to know that the software has been independently verified and certified by third-party organizations around the globe to do what it says it does. These accreditations can give you and your security team peace of mind.
Let’s start with certifications. A certification is an official document attesting to a status or level of achievement. Generally, a product or service must pass some type of evaluation by the certifying body or a third party in order to earn it.
In some cases, certain types of products and services are required to be certified in order to guarantee that they perform as advertised. In other cases, the certification establishes a level of confidence in the product or service and assures a user of its quality.
Blancco is proud to hold the most global certifications for data erasure products. For example, Blancco Drive Eraser 6, the current version of our drive erasure software, recently earned the National Cyber Security Centre’s Commercial Product Assurance (CPA) certification. The UK government requires that all official data is permanently overwritten using NCSC-certified methods. So, with this CPA certification, our Drive Eraser solution can be used in the UK by both public and private organizations alike to erase their sensitive data.
Certification processes vary widely and require different approaches for earning them. For example, one certification that Blancco is currently pursuing involves extensive evaluation and third-party testing. These tests ensure our software’s security features can withstand even the most complex cyber attacks while still performing its functions correctly. This particular certification typically takes between six and eight months to earn, and the product is subject to regular testing even after it becomes certified.
Some data erasure software providers claim certification from standards bodies or under regulations. While an organization can claim that it complies with a specific standard or regulation, it cannot claim to hold a certification that has not been formally awarded to it. Take certifications for HIPAA, the US Health Insurance Portability and Accountability Act, as one example. Claims that a business has a HIPAA certification can be misleading. According to the HIPAA Journal:
“Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation.”
Instead, HIPAA compliance is continuous. It takes consistent effort for an organization to remain in compliance with the rules, rather than demonstrating compliance once to earn a certification. A more accurate wording would be that this organization erases in such a way as to meet the requirements outlined by HIPAA standards. This is true not only for HIPAA but for other guidelines and regulations as well.
Data Erasure Standards
Standards are set forth by government agencies and private institutions to ensure quality and consistency. Regarding data erasure, standards normally differ on the number of overwrites and what pattern is used to overwrite the device. Several standards also require BIOS freeze lock removal and verification of data erasure.
Any company can claim that their solutions comply with a certain data erasure standard. However, that may not be entirely true. According to the International Data Sanitization Consortium, to achieve data erasure, the software must:
- Allow for selection of a specific standard, based on your industry and organization’s unique needs.
- Verify that the overwriting methodology has succeeded and removed data across the entire device, or the targeted data where only specific data was selected for erasure.
- Produce a tamper-proof certificate containing information that the erasure has been successful and written to all sectors of the device, along with data about the device and standard used.
A product that does not first meet these criteria cannot truly comply with any standard, because it does not deliver true data erasure.
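The three criteria above (select a standard, verify the overwrite across the whole device, produce a tamper-proof certificate), as an added Python example that is not Blancco's or the IDSC's code. It treats an ordinary file as the storage device, uses constructed, illustrative pattern sets rather than any named standard's exact patterns, and signs the certificate with a placeholder HMAC key; a production tool would use a real key (or a public-key signature) and would address the device through its native commands rather than the file system. The final check shows verification catching a region the overwrite missed.

```python
"""Added example (not Blancco's or the IDSC's code): overwrite-and-verify a
file-backed storage image, then issue an HMAC-signed erasure certificate.
Assumptions: the "device" is an ordinary file, the pattern sets are constructed
for illustration, and the signing key is a placeholder."""
import hashlib
import hmac
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read/write in 1 MiB blocks

# Constructed, illustrative pattern sets selectable by name (criterion 1).
# Real standards define their own pass counts and patterns; none is reproduced here.
PATTERNS = {
    "single-pass-zero": [b"\x00"],
    "three-pass-demo": [b"\x55", b"\xaa", b"\x00"],
}

DEMO_KEY = b"constructed-placeholder-signing-key"  # placeholder, not a real key


def overwrite(path, pattern):
    """Write one fixed-byte pattern across the whole image and flush it to disk."""
    size = os.path.getsize(path)
    block = pattern * CHUNK
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(block[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def verify(path, pattern):
    """Read back every byte and confirm it equals the final pass pattern (criterion 2).
    Returns (ok, bytes_checked); on a mismatch bytes_checked is the failing offset."""
    expected = pattern * CHUNK
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, offset
            if chunk != expected[:len(chunk)]:
                first_bad = next(i for i, (a, b) in enumerate(zip(chunk, expected)) if a != b)
                return False, offset + first_bad
            offset += len(chunk)


def sign(cert, key):
    """HMAC-SHA256 over the canonical JSON of every field except the signature."""
    body = json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def certificate_is_authentic(cert, key):
    """Recompute the HMAC; editing any field after issue breaks it (criterion 3)."""
    return hmac.compare_digest(sign(cert, key), str(cert.get("signature", "")))


def sanitize(path, standard, key):
    """Run every pass of the chosen pattern set, verify the last pass, issue a certificate."""
    passes = PATTERNS[standard]
    for p in passes:
        overwrite(path, p)
    ok, checked = verify(path, passes[-1])
    cert = {
        "device": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "standard": standard,
        "passes": len(passes),
        "verified": ok,
        "verified_bytes": checked,
        "timestamp": int(time.time()),
    }
    cert["signature"] = sign(cert, key)
    return cert


def demo():
    """Constructed scenario: a 3 MiB + 17 byte image filled with random 'sensitive' data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        cert = sanitize(path, "three-pass-demo", DEMO_KEY)

        # An altered certificate (claiming a different standard) must fail authentication.
        altered = dict(cert, standard="single-pass-zero")

        # Simulate one byte the overwrite missed; verify() must report its offset.
        with open(path, "r+b") as f:
            f.seek(CHUNK + 5)
            f.write(b"\x41")
        ok, offset = verify(path, PATTERNS["three-pass-demo"][-1])
        return cert, certificate_is_authentic(altered, DEMO_KEY), (ok, offset)
    finally:
        os.remove(path)


if __name__ == "__main__":
    cert, altered_ok, recheck = demo()
    print(json.dumps(cert, indent=2))
    print("altered certificate accepted:", altered_ok)
    print("re-verify after simulated missed byte:", recheck)
```

The certificate binds the verdict, the byte count actually checked, the standard name and the device identity under one MAC, so a report that says "verified" cannot be detached from the evidence it rests on; in a real product the verification pass would also cover hidden areas (HPA/DCO) that a file image cannot model.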
NIST SP 800-88 Rev 1, “Guidelines for Media Sanitization”, is a great example of a data erasure standard. These guidelines, released by the U.S. government, provide guidance and recommendations for erasing all types of storage media. NIST SP 800-88 is widely regarded as the leading data erasure standard and is treated as a best practice by most businesses and organizations around the world.
NIST guidelines distinguish three actions that can be taken to properly sanitize data. Clear protects against logical (non-invasive) data recovery methods and is typically carried out through simple read/write commands. Purge is a much more secure method that also erases hidden sectors and Device Configuration Overlays, if present; it is suited to more confidential data because it renders data unrecoverable even with laboratory-grade techniques. The third method, Destroy, is physical destruction: it ensures data is unrecoverable by rendering the device completely unusable. Blancco supports both NIST Clear and NIST Purge through its software-based data erasure solutions.
Standards also change over time and with the introduction of new technology. NIST guidelines are quickly replacing the outdated overwriting methods specified in an older version of DoD 5220.22-M, which do not support newer storage devices such as solid-state drives. That US Department of Defense document is no longer updated and no longer mentions overwriting requirements.
Blancco meets or exceeds over 25 global standards and algorithms for data erasure, from the United States Air Force System Security Instruction 5020 to the Australian Government Information Security Manual (AGISM). We have even created our own standard specifically for SSD erasure, which erases data that other methods may leave behind, with full verification and certification included as part of the process.
Recommendations, approvals, and endorsements are given by governing bodies or authoritative organizations and speak to a product’s quality. These show that the product or service delivers its stated results to others that may consider using them.
While these may not be considered official certifications, they carry a similar degree of legitimacy because the recommending body has a high level of knowledge and authority on the subject. They are often based on a governing body’s own satisfactory use of a product. They may also be based on extensive testing by that organization or a third party, or on a combination of testing and internal use.
For data erasure, the testing procedure is often similar for both recommendations and certifications. Tests are designed and performed to ensure that the product performs as it claims to while also maintaining the highest levels of its security functions.
Blancco is recommended or approved by over 15 international governing bodies and organizations, making it the most recommended data erasure solution in the world. We are proud to be recognized by organizations such as NATO and their Information Assurance Product Catalogue, The Norwegian National Security Authority, and the Asset Disposal and Information Security Alliance (ADISA), among others.
Compliance with Data Erasure Standards
To put it simply, compliance is the act of conforming to a standard, regulation or rule. Organizations of every type must be knowledgeable of and comply with certain rules to which they are subject. Even everyday individuals are expected to comply with the laws laid down by local and federal governments.
When it comes to data erasure, compliance means that data must be erased according to the methods, implementation triggers, security measures and standards that an organization is subject to. An organization may be subject to regulations set by a government, standards adopted by its industry, or internal procedures and best practices specified by its leadership. These rules and standards may specify when data should be erased as well as how. For example, many organizations mandate that a storage device be sanitized during decommissioning, before it leaves the premises. An organization may also be required to erase sensitive data once a certain amount of time has passed since its creation.
Compliance with data privacy and protection regulations is not something to be taken lightly. Governing bodies around the world are enforcing these laws more than ever and are more than willing to issue steep fines to an offending organization.
Compliance may also relate to guidelines laid out by an authoritative body. The NIST 800-88 guidelines mentioned previously are a great example of this. While compliance with NIST guidelines is not legally required by private organizations or those outside US jurisdiction, it has been adopted by both public and private entities around the world as the highest standard in data sanitization.
Although it may seem complex, compliance can be made simple with the right partner. Blancco meets the world’s highest standards for data erasure and has over 20 years of experience helping organizations comply with even the most stringent data protection regulations.
Certifications, standards, recommendations and compliance are all important considerations, especially when it comes to maintaining data privacy at all stages of its lifecycle. Now that you know the difference, see how our full suite of data erasure solutions can help your organization.