DATA SANITIZATION
Data providers are caught in a constant game of cat and mouse: they want to provide effective, fast, and cheap storage and processing while managing an ever-growing inventory of drives, systems, and storage devices. Because of this, the processes for managing data across a large number of drives are something data providers deal with on an almost daily basis.
As part of this range of processes and approaches, the concept of data sanitization is perhaps the most important. Unfortunately, it is also the most complex when it comes to deciding what counts as effective sanitization, and what makes one process better than another. Today, we’re going to address exactly that. By the end of this piece, you should have a firm grasp on why data sanitization is necessary, and what makes some approaches better than others.
Why Do We Engage in Data Sanitization?
Data providers deal with a lot of data throughout their typical processes. Not all of this data is needed, however – once data is processed, encrypted, or in the case of data erasure providers, marked for deletion, this data needs to be summarily erased. Unfortunately, simply marking data for deletion is not adequate.
This is because data, when marked for deletion, is not actually “deleted”. Modern operating systems and environments typically do not erase data at that point – quite the contrary, in fact. The data is often simply “marked” for deletion, given a flag that notes the data should be deleted when the need for this space arises.
This is done due to the nature of a hard drive. Hard drives store digital data on a magnetic platter, electromagnetically setting each value on the platter to either a negative or positive pulse – in other words, to the binary 0s and 1s. To erase data on demand, the platter would have to be moved to a specific position, and the data on this section removed before anything else can really be done. This costs both time and processing.
Of course, when it comes to data erasure, speed is not the concern or at least the chief concern. The chief concern here is effectiveness. This is why simply marking for deletion is unacceptable, and data sanitization is needed.
WHAT IS DATA SANITIZATION?
In its most basic form, sanitization simply means the complete and total removal of data through non-physical means (by contrast, data destruction is the destruction of data through physical means, e.g. pulverization, grinding, and shredding). This typically takes a variety of forms, but they all function mostly in the same general manner.
When we erase a drive through sanitization, what we are actually doing is overwriting the drive with randomized sequences of binary values. We often do this in multiple passes and using specifically designed patterns. By doing this, as opposed to simply deleting or even just wiping the drive through formatting, we do a few things.
First and foremost, we make the forensic data on the drive unrecoverable. Forensic data is the data that is left over from classic delete processes. Even if the start of the file is erased or the data is scrambled, you can often combine these elements back together to get chunks of data. By using an erasure process, we assure forensic data is actually destroyed.
Secondly, we randomize the data in such a way that, even if it were somehow able to be reconstructed, the data itself wouldn’t make sense. By scrambling everything with set patterns, we make the data completely unreadable even with the best recombination processes and tools.
Finally, by using multiple passes, we ensure that even if some glitch were to happen in our system and process, it would ultimately have little to no effect. Due to the multiple passes, even this glitched area would eventually be covered and randomized anyway, reducing the risk of data recovery.
What Makes a Good Sanitization Process?
With all of this in mind, it must be asked – what makes a good sanitization process? There are a few things to consider, both from a technical and a business standpoint.
From a business standpoint, the answer is simple – a good sanitization process must ensure that none of the information can be recreated. The system must result in a device that is wiped securely and safely, while preserving the drive for further use in client systems.
Additionally, a system must conform to the standards set in the various compliance regulations the business faces. This includes regulations such as HIPAA, which control the manner in which data is collected and destroyed. Ensuring compliance here is of prime importance.
From a technical perspective, you need a few specific things. First, you need support for custom patterns and approaches. This is due to the fact that some data will need to be addressed in different ways than other data. What might be an appropriate way to wipe, say, credit card details, is not appropriate for someone’s address information. By allowing specific patterns and approaches, the solution can scale to the problem, giving us a great amount of control.
Additionally, the solution chosen should conform to the major compliance and regulatory considerations through technical application. The solution should create a chain of custody, some sort of record of work, and general information used for tracking each solution as it’s applied.
This is vital for ensuring not only the aforementioned regulatory compliance but compliance with business procedures and internal approaches.
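The overwrite passes and the record of work described above can be sketched as follows. This is an added example, not code from ClaraWipe or from any named standard: the image layout (one flag byte followed by the data), the three-pass scheme, and all function names are assumptions made for illustration, and a temporary file stands in for a drive.

```python
import hashlib, os, tempfile

PASSES = [b"\x00", b"\xff", None]  # constructed scheme: zeros, ones, then random (None)
CHUNK = 4096

def make_image(secret, size=64 * 1024):
    """Constructed stand-in for a drive: 1 flag byte (1 = live), the data, zero padding."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"\x01" + secret).ljust(size, b"\x00"))
    return path

def mark_deleted(path):  # a plain delete in this toy layout: clear the flag, keep the data
    with open(path, "r+b") as f:
        f.write(b"\x00")

def contains(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()

def sanitize(path, passes=PASSES):
    """Overwrite every byte once per pass, verify the last pass by read-back, return a record."""
    size = os.path.getsize(path)
    record = {"target": os.path.basename(path), "bytes": size, "passes": []}
    with open(path, "r+b") as f:
        for number, pattern in enumerate(passes, 1):
            f.seek(0)
            written = hashlib.sha256()
            for offset in range(0, size, CHUNK):
                n = min(CHUNK, size - offset)
                block = os.urandom(n) if pattern is None else pattern * n
                f.write(block)
                written.update(block)
            f.flush()
            os.fsync(f.fileno())  # push this pass to storage before starting the next
            label = "random" if pattern is None else pattern.hex()
            record["passes"].append({"pass": number, "pattern": label, "sha256": written.hexdigest()})
        f.seek(0)
        readback = hashlib.sha256(f.read()).hexdigest()
    record["verified"] = readback == record["passes"][-1]["sha256"]
    return record

def demo(secret=b"CONSTRUCTED-SAMPLE-RECORD-0001"):
    path = make_image(secret)
    mark_deleted(path)
    after_delete = contains(path, secret)  # the data survives a flag-only delete
    record = sanitize(path)
    after_wipe = contains(path, secret)    # the data is gone after the overwrite passes
    os.remove(path)
    return after_delete, after_wipe, record
```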
Reputation Considerations
The final consideration is one that’s not as easy to quantify as the others. Your solution should have a great reputation behind it. Because of the nature of the solution we’re seeking, it might not always be clear how the data is handled – in this case, it’s just as important to ensure that the data is being deleted in a safe way as it is to ensure that no additional data is being generated or collected and that your solution is appropriate for the given types of data being handled.
Additionally, you should be sure that the solution is accredited, or at the very least, matches major standards. There is a range of technical and regulatory standards for almost every type of data you are likely to encounter – your solution should absolutely adhere to these. It’s not enough simply to delete – we want erasure that matches our high standards for increased security and data viability.
CLARAWIPE
ClaraWipe is a great solution that meets all of these qualifications. Not only does ClaraWipe come from a reputable company, but it also supports a wide range of standards and patterns, conforming to all major international technical and regulatory standards, including:
• Sarbanes-Oxley Act (SOx)
• HIPAA & HITECH
• Common Criteria Evaluation
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• US Department of Defense 5220.22-M
• CSEC ITSG-06
• Payment Card Industry Data Security Standard (PCI DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• EU Data Protection Directive of 1995
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill 1386
Simply put, ClaraWipe is the most dependable, up-to-date, secure way to handle your data sanitization. Considering the wide range of requirements and stipulations for what is considered a “good” sanitization method, using something like ClaraWipe delivers on all of our requirements – and more.