What is NIST 800-88, and What Does “Media Sanitization” Really Mean?
NIST 800-88, published by the National Institute of Standards and Technology, is known for its media sanitization categories of Clear, Purge and Destroy. Its principles can apply to magnetic, flash-based, and other storage technologies, and it can cover everything from mobile devices and USB drives to servers—or even technologies not yet developed.
The latest update, NIST 800-88 Rev. 1, is one of the most widely used data sanitization standards requested or required by the U.S. Federal government, and its adoption has spread to countless private businesses and organizations.
Read on to understand how this important set of guidelines approaches making end-of-life data irretrievable from digital storage media.
Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco’s communications and content manager, she supports the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.
“An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.”—NIST 800-88, Rev.1, “Background”
NIST Special Publication 800-88 (“NIST SP 800-88” or more simply, “NIST 800-88”), “Guidelines for Media Sanitization,” is a U.S. government document that provides methodical guidance when it comes to erasing data from electronic storage media. The goal is to effectively sanitize media so that any and all data is irretrievable once the data or data storage device reaches end-of-life.
NIST 800-88 is widely known for its data sanitization categories of Clear, Purge and Destroy. Its principles can apply to magnetic, flash-based, and other storage technologies, from USB drives to servers. In fact, the guidelines are not intended to be technology specific. Instead, the guidelines and workflows this document outlines are intended to apply universally to various media types, including those that may not have yet been invented.
Originally published for government use, NIST 800-88 has become widely adopted in private industry as the best way to ensure that data is removed from media once that data moves from a more secure to a less secure setting. For that reason, NIST 800-88 principles come into play whether a media asset is moving from a high level of confidential protection in one department to another, less secure department within the same organization, or whether that device is destined to leave the organization entirely.
These security guidelines were first published by the National Institute of Standards and Technology (NIST) in 2006. In December 2014, the guidelines were revised, making the current version “NIST Special Publication 800-88 Rev. 1” (“NIST SP 800-88, Rev.1”).
This latest update continues to be one of the most widely used data sanitization standards requested or required by the U.S. federal government. NIST 800-88 has also become the “go-to” media sanitization standard even when compared to another popular “standard,” Department of Defense (DoD) 5220.22-M. DoD 5220.22-M has not been updated recently and does not apply to more modern technologies like solid-state drives (SSDs). Private businesses and organizations within the U.S. are also adopting NIST sanitization standards and leaving the DoD three-pass method increasingly behind.
What’s more, the U.S.-originating “Guidelines for Media Sanitization” has also become a global reference document with principles incorporated into notable international standards such as ISO/IEC 27040:2015.
This blog article will provide you with a quick summary of what NIST media sanitization means. It will also provide an overview of how NIST 800-88 works to prevent unauthorized access to confidential or sensitive business and personal data.
The NIST definition of “sanitization” is “a process that renders access to target data on the media infeasible for a given level of effort.” The methods an organization chooses to sanitize its data depend heavily on the confidentiality level of that data.
The authors also emphasize that this process must consider end-of-life sanitization from the very beginning of data storage planning. That means assessing media and workflows implemented at the early stages of building an information system. Understanding what levels of sanitization are possible with the components used to store and process data can make it easier to implement sanitization properly when it’s needed.
NIST 800-88 sanitization workflow considerations continue through recycling, transferring or permanently retiring media at device or data end-of-life. There are also many points of vulnerability in between where data could be inappropriately accessed. These can include times of infrastructure maintenance or third-party involvement.
At each of these points, the NIST 800-88 Guidelines point out that it is the confidentiality needs of the data that will drive sanitization decisions, not the media type itself.
Essentially, NIST advocates that users determine what sanitization method to use by:
Once these determinations have been made, the organization can choose what type of sanitization method is most appropriate given any other considerations (cost, environmental impact, technology and technical skills available, etc.).
Ultimately, the goal is to choose a data sanitization solution that most lessens the risk to confidentiality while respecting any other constraints involved.
The weakest link in a system is often the one that’s taken for granted, ignored, or simply not considered. A common data protection vulnerability happens when devices change hands without the original data being adequately removed from the device. All too often, confidential data moves from a highly protected data storage environment to a much less protected one, simply because operators believe, but have not verified, that data has been sufficiently eradicated.
NIST 800-88 addresses the problem of residual data head on:
“The application of sophisticated access controls and encryption help reduce the likelihood that an attacker can gain direct access to sensitive information. As a result, parties attempting to obtain sensitive information may seek to focus their efforts on alternative access means such as retrieving residual data on media that has left an organization without sufficient sanitization…. Consequently, the application of effective sanitization techniques and tracking of storage media are critical aspects of ensuring that sensitive data is effectively protected by an organization against unauthorized disclosure. Protection of information is paramount.”—NIST SP 800-88, Rev.1, “Executive Summary”
In other words, those determined to gain access to sensitive data may go for the lowest hanging fruit: storage devices that have left an organization’s physical walls or that are otherwise accessible without adequate security measures in place. Unless proper data sanitization has been verified and documented with an audit trail, there’s no way to know what information is still accessible even after devices have been supposedly “wiped” or data has been supposedly deleted.
Traditionally, several other methods have been used to protect against unauthorized access to information stored on old or retired data storage media. But with today’s technologies, older methods can either be inefficient, not completely effective—or costly.
For instance, inadequate data sanitization can include:
Because reformatting, “wiping” and even encryption may not be enough to protect all data, NIST 800-88 provides three ways of dealing with end-of-life data: Clear, Purge and Destroy.
The Guidelines offer Clear, Purge and Destroy as valid options for sanitization based on the confidentiality requirements of the data rather than the storage technology on which the data resides. The NIST document goes into details for each method for various media configurations and situations, including how these apply to cryptographic erasure.
The linchpin, however—the attribute that provides confidence that data has been sufficiently sanitized and that organizational information is securely and permanently removed—is verification.
If understanding confidentiality levels is one bookend to NIST, stringent verification is the other.
“Verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality. Two types of verification should be considered. The first is verification every time sanitization is applied…The second is a representative sampling verification, applied to a selected subset of the media. If possible, the sampling should be executed by personnel who were not part of the original sanitization action.”— NIST SP 800-88, Rev.1, “Information Sanitization and Decision Making.”
As previously mentioned, a single overwrite is usually enough to erase data from a magnetic drive. Yet, erasure may not be complete if the process does not consider and handle areas that are defective, unallocated or not mapped to active Logical Block Addressing (LBA) addresses. Dedicated sanitization methods may make up the difference, but confirmation can depend on vendor statements. For non-magnetic media, other attributes of those media can make it difficult to know if the data deletion methods applied were truly effective.
As quoted above, the NIST Media Sanitization Guidelines lay out two options for verification:
NIST 800-88 lays out specifications for different storage devices, methods and sampling sizes, particularly addressing instances where Cryptographic Erase has been used. To make verification more efficient, Blancco can automate these verification processes according to user preference.
It’s important to understand that verifying erasure is part of NIST recommendations. Without it, inadequate sanitization methods could be implemented in earnest and still leave organizational data vulnerable and exposed. Conducting the exercise of eradicating data through Clear, Purge, or Destroy mechanisms does not, in isolation, adequately meet audit-proof sanitization standards.
But it’s not only the process and final device state that should be validated. The equipment used (does it operate correctly and produce accurate information?), staff competencies (are they skilled in using the tools and evaluating results?) and the results are all critical elements to validate that the media has been sanitized properly and completely.
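The two verification options discussed above, as an added sketch that is not Blancco's or NIST's code: a full read of every addressable block compared with a representative sample. The 4096-byte block size, the section and sample counts, the all-zero overwrite pattern and the in-memory image are assumptions for this example, not figures taken from NIST 800-88.

```python
import io
import random

BLOCK = 4096  # assumed block size for this example


def sample_blocks(total, sections=8, per_section=2, seed=None):
    """Pseudorandom block numbers from every equal-sized section of the
    addressable space, plus the first and last block."""
    rng = random.Random(seed)  # seed=None draws fresh locations each run
    picks = {0, total - 1}
    size = total // sections
    for s in range(sections):
        start = s * size
        end = total if s == sections - 1 else start + size
        picks.update(rng.sample(range(start, end), min(per_section, end - start)))
    return sorted(picks)


def failed_blocks(dev, blocks, pattern=b"\x00"):
    """Block numbers whose content differs from the expected overwrite
    pattern. Only addressable blocks are read; defective or unmapped
    areas are invisible at this level."""
    want = pattern * BLOCK
    bad = []
    for blk in blocks:
        dev.seek(blk * BLOCK)
        if dev.read(BLOCK) != want:
            bad.append(blk)
    return bad


def constructed_image(total, residual_at):
    """Constructed test media: zero-filled except for leftover data."""
    img = bytearray(total * BLOCK)
    for blk in residual_at:
        img[blk * BLOCK:blk * BLOCK + 8] = b"RESIDUAL"
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    total = 64
    dev = constructed_image(total, residual_at=[37, 63])
    print("full read found:  ", failed_blocks(dev, range(total)))
    print("sample read found:", failed_blocks(dev, sample_blocks(total)))
```

A sample read can miss an isolated residual block that a full read catches, so the two options give different levels of assurance and the sample locations should change on every run.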
Finally, proof of NIST 800-88 sanitization comes in the form of a detailed certificate for each piece of electronic media that has been sanitized. This certificate can be printed or electronic, but it is a critical element that validates that data has been rendered irretrievable from the media that has been sanitized. It typically lists each storage device by serial number. A proper certificate also describes the type of sanitization (i.e., Clear, Purge, Destroy), the method used (e.g., degauss, overwrite, block erase, crypto erase), the tools and the verification methods used and several other pieces of information.
For any organization that must prove compliance with data security regulations and guidelines (including NIST), particularly those in heavily regulated industries, an auditable certificate is necessary. Without this certificate, NIST sanitization is neither complete nor guaranteed.
To learn more about NIST Media Sanitization Guidelines, consider the free resources below:
You may also download NIST Special Publication 800-88, “Guidelines for Media Sanitization” in PDF format from the NIST website.
You can be confident in achieving NIST sanitization across all your digital storage media. Blancco offers secure, permanent, and complete data sanitization services that meet the most stringent data erasure algorithm standards, including NIST 800-88 Clear and NIST 800-88 Purge, on both magnetic and flash-based media. For every erasure, your organization receives a certified and tamper-proof report that confirms complete data sanitization.
Find out how our solutions help enterprises and data centers by supporting HDD and SSD erasure of laptops, desktops, servers and storage systems, as well as targeted erasure of files, folders, LUNs and virtual machines. Free trials available.