Confidently erase data in active environments and from used IT assets.
Boost services throughout the device lifecycle—from first sale to end-of-life.
Expedite processes, recover more marketable product, and increase services.
Home » Resources » It’s Time to Get Serious About Data Sanitization
While many data privacy and protection guidelines and regulations address data sanitization in some form, none of them address it at a comprehensive level, and many send mixed messages by using varying terminology. To clear confusion throughout the data sanitization industry, streamlined terminology must be presented by an unbiased group of data sanitization hardware and software vendors, analysts, educators, ITADs and enterprises.
Security executive Richard Stiennon has previously held roles such as Chief Strategy Officer of Blancco Technology Group from 2016-2017 and Vice President of Research at Gartner Inc. from 2000 to 2004. Currently, Richard is a cyber security lecturer at Charles Sturt University in Australia and a strategic advisory member of the International Data Sanitization Consortium. His book, There Will Be Cyberwar, was named a Washington Post bestseller in April 2016. Richard is regularly featured in news publications such as Forbes, Dark Reading, Infosecurity Magazine, Network World and BetaNews, where he comments on data governance, data management, and cyber security.
It’s a well-known fact that the United States is lacking an overall data privacy regulation like the EU’s upcoming General Data Protection Regulation, the German Standard Data Protection Model or the Saudi Arabian Monetary Authority (SAMA)’s Cyber Security Framework. But even with the wealth of data privacy and protection regulation in other countries, there’s a key aspect that continues to be glossed over, hazily referenced or simply ignored altogether: data sanitization.
Data sanitization is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data. The data can never be recovered—even with the aid of forensic tools. There are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure.
While many data privacy and protection guidelines and regulations address data sanitization in some form, none of them address it at a comprehensive level, and many send mixed messages by using varying terminology. There is currently no set of defined data sanitization terminology upon which everyone in the industry agrees.
Here are a few excerpts from various texts to show how data sanitization has been talked about in the past and currently.
Right to erasure (‘right to be forgotten’)
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay….”
“…Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.”
“Information assets should be disposed in accordance with legal and regulatory requirements, when no longer required (i.e. meeting data privacy regulations to avoid unauthorized access and avoid (un)intended data leakage).”
“Sensitive information should be destroyed using techniques to make the information non-retrievable (e.g., secure erase, secure wiping, incineration, double crosscut, shredding).”
“Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention…”
4. ISO 27001
A.11.2.7 Secure disposal or reuse of equipment
“All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.”
Tested for Key Functions, R2/Ready for Resale
“Data Destruction General Principle – An R2:2013 electronics recycler shall be responsible for data destruction of all media it handles using generally-accepted data destruction procedures.”
“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” In this instance, “disposal” refers to the “discarding or abandonment of consumer information” or “The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.”
Even the commonly-cited NIST 800-88 Guidelines for Media Sanitization provide confusing data sanitization terminology, using terms like “clear,” “destroy” and “purge” in different ways than other such documents do. However, these guidelines do define “sanitization” in the following way: “Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort.”
These are just a few examples of the many times data sanitization is referred to in data privacy and data sanitization regulations and guidelines. As you can see, different terminology is used throughout each document.
To clear confusion throughout the data sanitization industry, streamlined terminology must be presented by an unbiased group of data sanitization hardware and software vendors, analysts, educators, ITADs and enterprises. Then, a data sanitization best practices matrix must be created to provide all industries with guidance on how to best protect data throughout its lifecycle.
Stay tuned for an announcement in the coming weeks on how Blancco and our partners plan to make this goal a reality.