Edition 107, March 2020

The Data is Wiped… Now What? Monitoring the Effectiveness of the Media Sanitization Process

By Mike Cheslock, E-Reuse Services Inc

Electronics asset recovery, reverse logistics and IT Asset Disposition professionals who perform electronic storage media sanitization (aka, “data wiping”) are trusted to effectively and completely eradicate data, thus protecting sensitive information from being compromised. Data destruction standards and guidelines outline ways to properly execute this process. From those standards and guidelines, organizations create and implement operational procedures and deploy solutions that enable them to sanitize a wide array of storage media formats, often in very high volumes. In this way, a data destruction process is not unlike a manufacturing process: Identify the objective, create a process, deploy the tools to meet the objective and measure the result. Unfortunately, the one area where media sanitization processes have come up short (especially compared to manufacturing processes) has been in measuring the result; a step most commonly known as Quality Control.

A Brief History

Until around 2013, QC practices were almost completely absent from media sanitization processes; no guidelines required it, and few even recommended it. The existing sanitization process was considered adequate, and “quality control” redundant. If data wiping software reported a “passed” result, it was accepted as ironclad. That sentiment has gradually changed over the past 7 or so years, arguably beginning with the National Association for Information Destruction’s (NAID) recognition of a need to independently verify that data erasure processes have been effective. Later, we saw changes to the 1st (and still most recent) revision of NIST Special Publication 800-88, rev. 1, which has become the lynchpin of media sanitization standards and the document upon which most American businesses base their data destruction procedures. (Section 4.7 of the new document focuses specifically on the verification process and has been significantly expanded since the original version.) More recently, we’ve seen e-Stewards require NAID certification (effectively mandating NAID’s aforementioned recognized need), and forthcoming changes to version 3 of R2 will also require independent verification of the results of data wiping processes.

With the recognition that media sanitization is a process containing several potential points of failure, and that those failures have snowballing consequences, an independent quality control measure is clearly and universally warranted in operations that perform it. In its absence, any operation can only hope that their entire process is not only performing well, but that it is perfect every time. When it comes to data security, however, “Hope is not a strategy.”

QC, for You & Me

So, what does a media sanitization quality control process look like? Well, we have the advantage of not being the first industry with a need for effective quality control. (In fact, QC is rather prevalent; bordering on universal.) Given, then, that we have no need to invent the wheel of quality control, adapting lessons from other industries to the electronics reuse space should give us a fairly clear view of what QC should be.

Change the Conditions

If we consider the way in which manufacturing operations approach quality control, we invariably see that the tools used to manufacture a given widget will not be used to validate the performance of the manufacturing process. Separate, purpose-built instruments are used to scrutinize the work performed by whatever tools or equipment performed the original manufacturing. One important (and applicable, for our purposes) reason for this is that, if the conditions that existed during the manufacturing process (such as the software used, the hardware calibration, or the technician’s performance) resulted in a failure to produce an acceptable result, duplicating those conditions to measure the performance of the manufacturing process may prevent identification of the failure.

Bringing it back to our industry, most data wiping software tools perform (or provide the option to perform) a separate “verify” pass after performing a data wipe. This process essentially reads the drive after performing the data wiping procedure in order to confirm that the data that the wiping tool intended to write is in fact what is present on the media. Simply running a separate “verify” pass after the erasure process has been completed, though, provides little added assurance that the sanitization was successful. This is because multiple conditions that can prevent the data wiping process from being effective can also prevent the verification pass from recognizing any indication of that ineffectiveness. In other words, experience tells us that in the case that a hardware / software / firmware combination failed to successfully wipe a drive (despite producing a “Passed” result), reusing the same hardware, software and firmware to determine its own effectiveness is as ineffective in practice as it is illogical in theory.

Modifying any conditions that can reasonably impact performance is critical for ensuring that we have an uninhibited view of the performance of the media sanitization process. Therefore, any verification process must use different software and different hardware. Furthermore, even the individual(s) responsible for erasure verification should be different than those responsible for executing the erasure process. (The logical exception to this being the case that human interpretation of the quality control results is not necessary, such as through the use of a purpose-built tool or otherwise standardized process in which the results are not open to interpretation.) In any case, we know that the use of separate tools is necessary in order for an erasure verification process to be consistently effective.
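A sketch of what an independent internal check can look like, as an added example that is not part of the original article or any vendor's tool: run from a separate host, it reads the head, the tail and a random sample of blocks from wiped media and returns a record for the audit trail. It assumes the wipe was a single zero-fill pass and that the media is readable as a raw image file; the names verify_wipe and make_image and the record's fields are hypothetical.

```python
import json, os, random, tempfile, time

BLOCK = 4096  # bytes read per sampled block

def verify_wipe(path, expected_byte=0x00, samples=256, edge_blocks=16, seed=None):
    """Read the head, the tail and a random sample of blocks; report every
    block that does not consist solely of expected_byte."""
    size = os.path.getsize(path)   # assumption: raw image file, not a device node
    total = size // BLOCK          # a trailing partial block is not checked
    rng = random.Random(seed)
    edge = min(edge_blocks, total)
    chosen = set(range(edge)) | set(range(total - edge, total))
    chosen |= set(rng.sample(range(total), min(samples, total)))
    expected = bytes([expected_byte]) * BLOCK
    failed = []
    with open(path, "rb") as dev:
        for blk in sorted(chosen):
            dev.seek(blk * BLOCK)
            if dev.read(BLOCK) != expected:
                failed.append(blk * BLOCK)
    return {
        "target": path, "size_bytes": size, "blocks_total": total,
        "blocks_checked": len(chosen), "failed_offsets": failed,
        "result": "FAIL" if failed else "PASS",
        "checked_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }

def make_image(blocks, residue_at=None):
    """Constructed sample input: a zero-filled image, optionally with leftover
    data in one block, standing in for a drive the wiping tool reported as passed."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(BLOCK * blocks))
        if residue_at is not None:
            f.seek(residue_at * BLOCK)
            f.write(b"customer-record-0001")
    return path

if __name__ == "__main__":
    for img in (make_image(1024), make_image(1024, residue_at=1020)):
        print(json.dumps(verify_wipe(img, seed=1)))  # one audit-trail line per drive
        os.remove(img)
```

Because the check samples blocks, a PASS bounds the risk rather than proving erasure; the sample count belongs in the documented QC policy.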

Redundancy is Critical

It’s important to recognize that internal quality control measures and external (or 3rd party) validation are not the same thing. They complement one another, and while they each address aspects of the need for quality control, neither can serve as a standalone solution to it.

In the past, annual external audits performed by certifying authorities have been used to provide some visibility into media sanitization operations’ performance. More recently, businesses send wiped media to entities that professionally validate the results, monthly, quarterly, or annually (depending on their processing volume and the guidelines or requirements to which they are subject). 3rd party verification is very important, because it offers the unbiased assessment of an organization professionally responsible for evaluating the performance of such operations. Despite this value, it presents a major shortfall when used as a standalone QC solution: the infrequent periodicity of such audits in contrast to the regularity with which the sanitization process is executed. In other words, these audits only tell you whether you got it right that time, but you’re doing data erasure every day… The sample size is statistically too small to represent a viable quality control measure by itself.

“Given, then, that it is impossible to practically (or cost-effectively) employ the use of 3rd party verification on a reasonable sample size, and that internal quality control measures offering adequate sample sizes lack the kind of accountability necessary, a two-pronged approach is paramount.”

Conversely, frequent internal erasure verification provides valuable, regular insight into the daily performance of a data wiping operation. Furthermore, it allows organizations to almost immediately determine whether typical, seemingly innocuous changes to the conditions of the data erasure operation (such as different media formats, software & firmware updates, or new personnel) have had an impact on the performance of the data wiping operation, and if so, to take corrective action in a timely manner. This process by itself does not, however, offer the independent, unbiased scrutiny that 3rd party verification provides.

Unfortunately, it is impossible to practically (or cost-effectively) employ the use of 3rd party verification on a reasonable sample size, while internal quality control measures offering adequate sample sizes lack the kind of accountability necessary. A two-pronged approach, then, is paramount. The implementation of a combination of regular internal erasure verification and external 3rd party “audits” of the process is the only practical approach for providing complete visibility into the effectiveness of data erasure operations.


Getting it Done

With evolutions of industry standards, customer requirements, and our understanding of industry best-practices for protecting information on used data-bearing devices, IT asset recovery businesses and electronics refurbishers will need to ensure they implement a comprehensive quality control program for their data erasure processes. Such organizations will need to:

  1. Establish and document a policy for quality control / erasure verification, including determining an acceptable sample size and/or frequency for both internal and 3rd party verification. This policy should be based on governing standards, customer requirements, and any other specific business needs, and seeking the help of industry consultants may be well-advised.
  2. Deploy tools and/or procedures for conducting internal quality control testing of wiped media (in accordance with the established policy), and maintain a defensible audit trail, and
  3. Engage with a 3rd party for periodic independent erasure verification (in accordance with established policy).

With this set of measures in place, organizations can be assured that they are acting as the best possible custodians of customers’ data, are in compliance with the latest certification requirements and industry best practices, and that the results reported by their media sanitization process are accurate, and consistently reliable.


Mike Cheslock

Michael is Co-Founder of E-Reuse Services, Inc, and is a consultant for businesses dealing with the reuse and repurposing of used electronic assets. He has been in the electronics reuse field since 2006, consulting with and delivering solutions to enterprise organizations in every vertical market. He has worked closely with leaders in the Information Technology Asset Disposal Industry to simplify on-site and in-house media sanitization practices, strengthen the audit trail, and decrease labor and energy-related costs. Having worked with other thought-leaders in developing new media sanitization standards, Michael is an expert in the guidelines and challenges that surround the handling of end-of-service storage media, and in the methods and technologies that allow organizations to meet those.