What are the NIST 800-88 Guidelines?
“An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.”
—NIST 800-88, Rev.1, “Background”
NIST Special Publication 800-88 (“NIST SP 800-88” or more simply, “NIST 800-88”), “Guidelines for Media Sanitization,” is a U.S. government document that provides methodical guidance when it comes to erasing data from electronic storage media. The goal is to effectively sanitize media so that any and all data is irretrievable once the data or data storage device reaches end-of-life.
NIST 800-88 is widely known for its data sanitization categories of Clear, Purge and Destroy. Its principles can apply to magnetic, flash-based, and other storage technologies, from USB drives to servers. In fact, the guidelines are not intended to be technology specific. Instead, the guidelines and workflows this document outlines are intended to apply universally to various media types, including those that may not have yet been invented.
Originally published for government use, NIST 800-88 has become widely adopted in private industry as the best way to ensure that data is removed from media once that data moves from a more secure to a less secure setting. For that reason, NIST 800-88 principles come into play whether a media asset is moving from a high level of confidential protection in one department to another, less secure department within the same organization, or whether that device is destined to leave the organization entirely.
These security guidelines were first published by the National Institute of Standards and Technology (NIST) in 2006. In December 2014, the guidelines were revised, making the current version “NIST Special Publication 800-88 Rev. 1” (“NIST SP 800-88, Rev.1”).
This latest update continues to be one of the most widely used data sanitization standards requested or required by the U.S. federal government. NIST 800-88 has also become the “go-to” media sanitization standard even when compared to another popular “standard,” Department of Defense (DoD) 5220.22-M. DoD 5220.22-M has not been updated recently and does not apply to more modern technologies like solid-state drives (SSDs). Private businesses and organizations within the U.S. are also adopting NIST sanitization standards and leaving the DoD three-pass method increasingly behind.
What’s more, the U.S.-originating “Guidelines for Media Sanitization” has also become a global reference document with principles incorporated into notable international standards such as ISO/IEC 27040:2015.
This blog article will provide you with a quick summary of what NIST media sanitization means. It will also provide an overview of how NIST 800-88 works to prevent unauthorized access to confidential or sensitive business and personal data.
What is Media Sanitization?
The NIST definition of “sanitization” is “a process that renders access to target data on the media infeasible for a given level of effort.” The methods an organization chooses to sanitize its data depend heavily on the confidentiality level of that data.
The authors also emphasize that this process must consider end-of-life sanitization from the very beginning of data storage planning. That means assessing media and workflows implemented at the early stages of building an information system. Understanding what levels of sanitization are possible with the components used to store and process data can make it easier to implement sanitization properly when it’s needed.
NIST 800-88 sanitization workflow considerations continue through recycling, transferring or permanently retiring media at device or data end-of-life. There are also many points of vulnerability in between where data could be inappropriately accessed. These can include times of infrastructure maintenance or third-party involvement.
At each of these points, the NIST 800-88 Guidelines point out that it is the confidentiality needs of the data that will drive sanitization decisions, not the media type itself.
Essentially, NIST advocates that users determine what sanitization method to use by:
- understanding and categorizing the information according to confidentiality levels
- assessing the nature of the storage medium
- weighing the risk to confidentiality, and
- determining how the media is to be used in the future (That is, will it be reused within the organization? Donated? Shredded or otherwise rendered unusable?).
Once these determinations have been made, the organization can choose what type of sanitization method is most appropriate given any other considerations (cost, environmental impact, technology and technical skills available, etc.).
Ultimately, the goal is to choose a data sanitization solution that most lessens the risk to confidentiality while respecting any other constraints involved.
What Problem Does NIST 800-88 Solve?
The weakest link in a system is often the one that’s taken for granted, ignored, or simply not considered. A common data protection vulnerability happens when devices change hands without the original data being adequately removed from the device. All too often, confidential data moves from a highly protected data storage environment to a much less protected one, simply because operators believe, but have not verified, that data has been sufficiently eradicated.
NIST 800-88 addresses the problem of residual data head on:
“The application of sophisticated access controls and encryption help reduce the likelihood that an attacker can gain direct access to sensitive information. As a result, parties attempting to obtain sensitive information may seek to focus their efforts on alternative access means such as retrieving residual data on media that has left an organization without sufficient sanitization…. Consequently, the application of effective sanitization techniques and tracking of storage media are critical aspects of ensuring that sensitive data is effectively protected by an organization against unauthorized disclosure. Protection of information is paramount.”
—NIST SP 800-88, Rev.1, “Executive Summary”
In other words, those determined to gain access to sensitive data may go for the lowest hanging fruit: storage devices that have left an organization’s physical walls or that are otherwise accessible without adequate security measures in place. Unless proper data sanitization has been verified and documented with an audit trail, there’s no way to know what information is still accessible even after devices have been supposedly “wiped” or data has been supposedly deleted.
What is Inadequate Data Sanitization?
Traditionally, several other methods have been used to protect against unauthorized access to information stored on old or retired data storage media. But with today’s technologies, older methods can either be inefficient, not completely effective—or costly.
For instance, inadequate data sanitization can include:
- Degaussing—a method of demagnetizing hard drives so that all data is destroyed—is ineffective on today’s increasingly popular flash-based solid-state drives (SSDs). The NIST Guidelines specifically state, “Degaussing, a fundamental way to sanitize magnetic media, no longer applies in most cases for flash memory-based devices.” But because of changes in magnetic force, today’s degaussing techniques may eventually be insufficient for tomorrow’s magnetic devices, too, “…because some emerging variations of magnetic recording technologies incorporate media with higher coercivity (magnetic force). As a result, existing degaussers may not have sufficient force to effectively degauss such media.”
- Overwriting—which essentially records over previously stored data with random or specified patterns—is highly effective on specifically defined, user-accessible areas of magnetic drives. It’s so effective that typically only one pass is needed. Again, though, this method has its weaknesses, as the Guidelines state: “One major drawback of relying solely upon the native Read and Write interface for performing the overwrite procedure is that areas not currently mapped to active Logical Block Addressing (LBA) addresses (e.g., defect areas and currently unallocated space) are not addressed. Dedicated sanitize commands support addressing these areas more effectively. The use of such commands results in a tradeoff because although they should more thoroughly address all areas of the media, using these commands also requires trust and assurance from the vendor that the commands have been implemented as expected.” In other words, overwriting may not reach all addressable areas on those drives. Unless the sanitization vendor diligently documents and verifies whether and when hardware commands have been included in the erasure process, organizations are often left to trust that specialized commands, in addition to the default overwriting processes, have been used to completely sanitize the entire device.
- Shredding—or other physically destructive methods that cut the drive into small pieces—is becoming increasingly challenging. That’s because the density of data storage on smaller and smaller devices means that all but the smallest shred size can leave recoverable information intact. While this can still be a fully acceptable method if the shred size is small enough, increasingly dense chips are actually damaging conventional shredders (see page 7 of the Guidelines). And, of course, any physical destruction method also means that the device being destroyed is completely unusable, resulting in both environmental and cost impacts.
- Encryption—a method by which data is made indecipherable by complex code algorithms—can be very effective, but there’s no way to validate that all encryption keys have been erased before the device moves on.
So, How Does NIST 800-88 Help Protect Against Unauthorized Data Access?
Because reformatting, “wiping” and even encryption may not be enough to protect all data, NIST 800-88 provides three ways of dealing with end-of-life data: Clear, Purge and Destroy.
- Clear applies logical techniques to sanitize data in all user-addressable storage locations. This protects against simple, non-invasive data recovery techniques and provides a moderate level of data protection. Clear is typically applied through the standard Read/Write commands to the storage device. This can include rewriting with a new value or using a menu option to reset the device to the factory state (when rewriting is not supported). The data is then overwritten and verified. Most devices support some level of Clear sanitization. It does not, however, address hidden or unaddressable areas.
- Purge applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. Purge provides a more thorough level of sanitization than Clear and is used for more confidential data. Purge requires the removal of hidden areas (Host Protected Areas (HPA) or Device Configuration Overlays (DCO)), if they’re present. A firmware-based command is then triggered, depending on the type of drive. Finally, the last step verifies the write. There are times, though, when Purge cannot be applied to all devices based on the firmware involved. Blancco’s Research and Development teams regularly tackle such instances, and Blancco solutions support Purge for most HDD and SSD drives today.
- Destroy renders target data recovery infeasible using state-of-the-art laboratory techniques. It also renders the media incapable of storing data afterward. “Destroy” can include shredding, incinerating, pulverizing, melting, and other physical techniques. These can be necessary for drives that are already beyond all possible use or standard overwriting methods because of physical damage. That said, Purge (and Clear, where applicable) may be more appropriate than Destroy in many cases. Because “Destroy” renders media unusable, physical destruction takes a toll on natural resources. Not only does it contribute to environmental waste, it lessens the lifespans of information technology storage devices. These devices can often be used by other departments within the original organization, or even donated or sold to organizations with less stringent performance needs. There can also be difficulties in physically destroying some types of media, whether because of the particle size needed to effectively make all data irretrievable, the expense, or other factors. For these reasons, Blancco recommends considering Purge and Clear whenever these options are supported and it makes business sense to do so. There are also instances, for highly sensitive data, where Purge and Destroy are used together to provide extra peace of mind against any form of data recovery.
The Guidelines offer Clear, Purge and Destroy as valid options for sanitization based on the confidentiality requirements of the data rather than the storage technology on which the data resides. The NIST document goes into details for each method for various media configurations and situations, including how these apply to cryptographic erasure.
The linchpin, however—the attribute that provides confidence that data has been sufficiently sanitized and that organizational information is securely and permanently removed—is verification.
Match the Method to the Media—and Verify, Verify, Verify
If understanding confidentiality levels is one bookend to NIST, stringent verification is the other.
“Verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality. Two types of verification should be considered. The first is verification every time sanitization is applied…The second is a representative sampling verification, applied to a selected subset of the media. If possible, the sampling should be executed by personnel who were not part of the original sanitization action.”
—NIST SP 800-88, Rev.1, “Information Sanitization and Decision Making”
As previously mentioned, a single overwrite is usually enough to erase data from a magnetic drive. Yet, erasure may not be complete if the process does not consider and handle areas that are defective, unallocated or not mapped to active Logical Block Addressing (LBA) addresses. Dedicated sanitization methods may make up the difference, but confirmation can depend on vendor statements. For non-magnetic media, other attributes of those media can make it difficult to know if the data deletion methods applied were truly effective.
As quoted above, the NIST Media Sanitization Guidelines lay out two options for verification:
- Verification that sanitization has been applied to all media in question (typically not applicable for each piece of media when using “Destroy”)
- Verification of a sample of the media to show that no data is recoverable
NIST 800-88 lays out verification methods and sampling sizes for different storage devices, particularly addressing instances where Cryptographic Erase has been used. To make this verification process more efficient, Blancco can automate these verification processes according to user preference.
It’s important to understand that verifying erasure is part of NIST recommendations. Without it, inadequate sanitization methods could be implemented in earnest and still leave organizational data vulnerable and exposed. Conducting the exercise of eradicating data through Clear, Purge, or Destroy mechanisms does not, in isolation, adequately meet audit-proof sanitization standards.
But it’s not only the process and final device state that should be validated. The equipment used (does it operate correctly and produce accurate information?), staff competencies (are they skilled in using the tools and evaluating results?) and the results are all critical elements to validate that the media has been sanitized properly and completely.
Finally, proof of NIST 800-88 sanitization comes in the form of a detailed certificate for each piece of electronic media that has been sanitized. This certificate can be printed or electronic, but it is a critical element that validates that data has been rendered irretrievable from the media that has been sanitized. It typically lists each storage device by serial number. A proper certificate also describes the type of sanitization (Clear, Purge or Destroy), the method used (e.g., degauss, overwrite, block erase or crypto erase), the tools and the verification methods used, and several other pieces of information.
For any organization that must prove compliance with data security regulations and guidelines (including NIST), including heavily regulated industries, an auditable certificate is necessary. Without this certificate, NIST sanitization is neither complete nor guaranteed.
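The two verification types quoted above (a full read-back after every sanitization, and an independent representative sample) together with the per-device certificate fields listed here, as an added Python example that is not Blancco’s product code and not a format specified by NIST. It assumes the media is available as an in-memory image of 512-byte sectors (constructed below), a one-byte overwrite pattern, and an HMAC key held by the auditing party; the record layout and the operator-independence check are assumptions of this example.

```python
import hashlib
import hmac
import json
import random

SECTOR = 512  # assumed logical block size of the (constructed) media image

def make_media(sectors, fill, leftover=None):
    """Constructed drive image: `sectors` blocks of a 1-byte `fill` pattern, with
    optional residual data planted at given LBAs to mimic an incomplete overwrite."""
    blocks = [fill * SECTOR] * sectors
    for lba, data in (leftover or {}).items():
        blocks[lba] = data.ljust(SECTOR, fill)[:SECTOR]
    return b"".join(blocks)

def verify_every_block(image, pattern):
    """First verification type: read back every user-addressable LBA and return
    those that do not hold the expected overwrite pattern (empty list == clean)."""
    expected = pattern * SECTOR
    return [lba for lba in range(len(image) // SECTOR)
            if image[lba * SECTOR:(lba + 1) * SECTOR] != expected]

def sample_media(serials, fraction, seed, sanitizer, verifier):
    """Second verification type: choose a representative subset of the sanitized
    media for re-checking, refusing to let the original operator pick and verify."""
    if sanitizer == verifier:
        raise ValueError("sampling verification needs someone other than the sanitizer")
    k = max(1, round(len(serials) * fraction))
    return sorted(random.Random(seed).sample(serials, k))

def certificate(serial, image, pattern, method, tool, when, key):
    """Per-device record with the fields the article lists, sealed with an HMAC so
    later edits are detectable. Assumed layout, not a NIST or Blancco format."""
    residual = verify_every_block(image, pattern)
    record = {
        "serial": serial,
        "sanitization_type": "Clear",
        "method": method,
        "tool": tool,
        "verification": "full read-back of all user-addressable LBAs",
        "residual_lbas": residual,
        "result": "PASS" if not residual else "FAIL",
        "timestamp": when,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["hmac_sha256"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return record

def certificate_intact(record, key):
    """Recompute the HMAC over everything except the tag; False if any field changed."""
    body = json.dumps({k: v for k, v in record.items() if k != "hmac_sha256"},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.get("hmac_sha256", ""), tag)
```

A record whose `result` is changed after issue fails `certificate_intact`, which is the property an auditable certificate needs; the unmapped LBAs the Guidelines warn about are outside what a read-back through the normal interface can see.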
You may download NIST Special Publication 800-88, “Guidelines for Media Sanitization” in PDF format from the NIST website.
How Blancco Can Help
Blancco offers secure, permanent, and complete data sanitization services that meet the most stringent data erasure algorithm standards, including NIST 800-88 Clear and NIST 800-88 Purge, on both magnetic and flash-based media. For every erasure, your organization receives a certified and tamper-proof report that confirms complete data sanitization.
Blancco software solutions serve enterprises and data centers by supporting HDD and SSD erasure of laptops, desktops, servers and storage systems, as well as targeted erasure of files, folders, LUNs and virtual machines. Blancco’s mobile solutions also aid resellers by ensuring data erasure for mobile phones and tablets.
Let us know if you have questions about how to get started. We’d be happy to help.