National Institute of Standards and Technology
Guidelines for Media Sanitization
The modern storage environment is rapidly evolving. Data may pass through multiple organizations, systems, and storage media in its lifetime. The pervasive nature of data propagation is only increasing as the Internet and data storage systems move towards a distributed cloud-based architecture. As a result, more parties than ever are responsible for effectively sanitizing media and the potential is substantial for sensitive data to be collected and retained on the media. This responsibility is not limited to those organizations that are the originators or final resting places of sensitive data, but also intermediaries who transiently store or process the information along the way. The efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data.
The application of sophisticated access controls and encryption help reduce the likelihood that an attacker can gain direct access to sensitive information. As a result, parties attempting to obtain sensitive information may seek to focus their efforts on alternative access means such as retrieving residual data on media that has left an organization without sufficient sanitization effort having been applied. Consequently, the application of effective sanitization techniques and tracking of storage media are critical aspects of ensuring that sensitive data is effectively protected by an organization against unauthorized disclosure. Protection of information is paramount. That information may be on paper, optical, electronic or magnetic media.
An organization may choose to dispose of media by charitable donation, internal or external transfer, or by recycling it in accordance with applicable laws and regulations if the media is obsolete or no longer usable. Even internal transfers require increased scrutiny, as legal and ethical obligations make it more important than ever to protect data such as Personally Identifiable Information (PII). No matter what the final intended destination of the media is, it is important that the organization ensure that no easily re-constructible residual representation of the data is stored on the media after it has left the control of the organization or is no longer going to be protected at the confidentiality categorization of the data stored on the media.
Sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. This guide will assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information. It does not, and cannot, specifically address all known types of media; however, the described sanitization decision process can be applied universally.
Information disposition and sanitization decisions occur throughout the information system life cycle. Critical factors affecting information disposition and media sanitization are decided at the start of a system’s development. The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system. Some storage devices support enhanced commands for sanitization, which may make sanitization easier, faster, and/or more effective. The decision may be even more fundamental, because effective sanitization procedures may not yet have been determined for emerging media types. Without an effective command or interface-based sanitization technique, the only option left may be to destroy the media. In that event, the media cannot be reused by other organizations that might otherwise have been able to benefit from receiving the repurposed storage device.
A determination should be made during the requirements phase about what other types of media will be used to create, capture, or transfer information used by the system. This analysis, balancing business needs and risk to confidentiality, will formalize the media that will be considered for the system to conform to FIPS 200.
Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of media containing data will be transferred outside the positive control of the organization, whether for maintenance, system upgrades, or configuration updates.
Need for Proper Media Sanitization and Information Disposition
Media sanitization is one key element in assuring confidentiality. Confidentiality is defined as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” Additionally, “a loss of confidentiality is the unauthorized disclosure of information.”
In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media. Illicit information collection often draws on dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information. Media flows in and out of organizational control through recycle bins in paper form, out to vendors for equipment repairs, and hot swapped into other systems in response to hardware or software failures. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is, and how to protect it.
Types of Media
There are two primary types of media in common use:
In the future, organizations will be using media types not specifically addressed by this guide. The processes described in this document should guide media sanitization decision making regardless of the type of media in use. To effectively use this guide for all media types, organizations and individuals should focus on the information that could possibly have been recorded on the media, rather than on the media itself.
Trends in Data Storage Media
Historical efforts to sanitize magnetic media have benefitted from the wide use of a single common type of storage medium implemented relatively similarly across vendors and models. The storage capacity of magnetic media has increased at a relatively constant rate and vendors have modified the technology as necessary to achieve higher capacities. As the technology approaches the superparamagnetic limit, or the limit at which magnetic state can be changed with existing media and recording approaches, additional new approaches and technologies will be necessary in order for storage vendors to produce higher capacity devices.
Alternative technologies such as flash memory-based storage devices, or Solid State Drives (SSDs), have also become prevalent due to falling costs, higher performance, and shock resistance. SSDs have already begun changing the norm in storage technology, and—at least from a sanitization perspective—the change is revolutionary (as opposed to evolutionary). Degaussing, a fundamental way to sanitize magnetic media, no longer applies in most cases for flash memory-based devices. Evolutionary changes in magnetic media will also have potential impacts on sanitization. New storage technologies, and even variations of magnetic storage, that are dramatically different from legacy magnetic media will clearly require sanitization research and require a reinvestigation of sanitization procedures to ensure efficacy.
Both revolutionary and evolutionary changes make sanitization decisions more difficult, as the storage device may not clearly indicate what type of media is used for data storage. The burden falls on the user to accurately determine the media type and apply the associated sanitization procedure.
Trends in Sanitization
For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data. One major drawback of relying solely upon the native Read and Write interface for performing the overwrite procedure is that areas not currently mapped to active Logical Block Addressing (LBA) addresses (e.g., defect areas and currently unallocated space) are not addressed. Dedicated sanitize commands support addressing these areas more effectively. The use of such commands results in a tradeoff because although they should more thoroughly address all areas of the media, using these commands also requires trust and assurance from the vendor that the commands have been implemented as expected.
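As an added illustration of why an overwrite through the native Read and Write interface can leave residual data, the following Go program models a drive with a remap table. It is example code written for this page, not code from this publication or from any vendor's firmware; the block counts, the remap step, and the sample data are assumptions. The host-side overwrite only reaches the physical block currently mapped to each LBA, so a grown defect the firmware has already retired keeps its old contents, while a modelled sanitize command touches every physical block. The full read-back check described later under Verification of Sanitization Results is included, and it shows why that check, run through the same interface, cannot catch the retired block.

```go
package main

import (
	"bytes"
	"fmt"
)

// Assumed geometry: a few LBAs, a slightly larger pool of physical blocks so
// the firmware has spares to remap defects onto, and 512-byte blocks.
const (
	blockSize = 512
	numLBAs   = 8
	numPhys   = 10
)

// Drive models the two things that matter here: the physical blocks and the
// LBA-to-physical map the firmware maintains.
type Drive struct {
	phys     [numPhys][blockSize]byte
	lbaToPhy [numLBAs]int
}

func NewDrive() *Drive {
	d := &Drive{}
	for i := range d.lbaToPhy {
		d.lbaToPhy[i] = i // identity map until something is remapped
	}
	return d
}

// Write and Read are the native host interface; they can only reach the
// physical block currently mapped to the LBA.
func (d *Drive) Write(lba int, data []byte) {
	copy(d.phys[d.lbaToPhy[lba]][:], data)
}

func (d *Drive) Read(lba int) []byte {
	out := make([]byte, blockSize)
	copy(out, d.phys[d.lbaToPhy[lba]][:])
	return out
}

// Remap simulates the firmware retiring a block that developed a defect: the
// LBA is pointed at a spare, the data is copied across, and the old block is
// left as it was. Nothing the host does through Read/Write reaches it again.
func (d *Drive) Remap(lba, spare int) {
	copy(d.phys[spare][:], d.phys[d.lbaToPhy[lba]][:])
	d.lbaToPhy[lba] = spare
}

// OverwriteViaLBA is a single fixed-pattern pass through the normal interface,
// which is what dd or a host-side wiping tool does.
func (d *Drive) OverwriteViaLBA(pattern byte) {
	buf := bytes.Repeat([]byte{pattern}, blockSize)
	for lba := 0; lba < numLBAs; lba++ {
		d.Write(lba, buf)
	}
}

// SanitizeCommand models a dedicated sanitize or secure-erase command run by
// the firmware itself, which overwrites every physical block, mapped or not.
func (d *Drive) SanitizeCommand(pattern byte) {
	for p := range d.phys {
		for i := range d.phys[p] {
			d.phys[p][i] = pattern
		}
	}
}

// VerifyAllLBAs is the full read-back verification: every addressable
// location must hold the expected pattern. It uses the same interface as the
// overwrite, so it is blind to the same unmapped blocks.
func (d *Drive) VerifyAllLBAs(pattern byte) bool {
	want := bytes.Repeat([]byte{pattern}, blockSize)
	for lba := 0; lba < numLBAs; lba++ {
		if !bytes.Equal(d.Read(lba), want) {
			return false
		}
	}
	return true
}

// ResidualBlocks scans the physical blocks directly, as a laboratory with
// access to the media (rather than the host interface) would, and reports
// which still contain the marker.
func (d *Drive) ResidualBlocks(marker []byte) []int {
	var hits []int
	for p := range d.phys {
		if bytes.Contains(d.phys[p][:], marker) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	secret := []byte("SSN=123-45-6789") // constructed sample data
	d := NewDrive()
	d.Write(3, secret)
	d.Remap(3, 8) // LBA 3 retired onto spare block 8; physical block 3 keeps a copy
	d.OverwriteViaLBA(0x00)
	fmt.Println("full LBA read-back passes:", d.VerifyAllLBAs(0x00))        // true
	fmt.Println("residual physical blocks:", d.ResidualBlocks(secret))       // [3]
	d.SanitizeCommand(0x00)
	fmt.Println("residual after sanitize command:", d.ResidualBlocks(secret)) // []
}
```

The read-back verification passes after the LBA overwrite even though physical block 3 still holds the secret, which is exactly the gap the dedicated sanitize command exists to close, and exactly why trusting that command means trusting the vendor's implementation of it.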
Users who have become accustomed to relying upon overwrite techniques on magnetic media and who have continued to apply these techniques as media types evolved (such as to flash memory-based devices) may be exposing their data to increased risk of unintentional disclosure. Although the host interface (e.g. Advanced Technology Attachment (ATA) or Small Computer System Interface (SCSI)) may be the same (or very similar) across devices with varying underlying media types, it is critical that the sanitization techniques are carefully matched to the media.
Destructive techniques for some media types may become more difficult or impossible to apply in the future. Traditional techniques such as degaussing (for magnetic media) become more complicated as magnetic media evolves, because some emerging variations of magnetic recording technologies incorporate media with higher coercivity (magnetic force). As a result, existing degaussers may not have sufficient force to effectively degauss such media.
Applying destructive techniques to electronic storage media (e.g., flash memory) is also becoming more challenging, as the necessary particle size for commonly applied grinding techniques goes down proportionally to any increases in flash memory storage density. Flash memory chips already present challenges with occasional damage to grinders due to the hardness of the component materials, and this problem will get worse as grinders attempt to grind the chips into even smaller pieces.
Cryptographic Erase (CE) is an emerging sanitization technique that can be used in some situations when data is encrypted as it is stored on media. With CE, media sanitization is performed by sanitizing the cryptographic keys used to encrypt the data, as opposed to sanitizing the storage locations on media containing the encrypted data itself. CE techniques are typically capable of sanitizing media very quickly and could support partial sanitization, a technique where only a subset of the storage media is sanitized. Partial sanitization, sometimes referred to as selective sanitization, has potential applications in cloud computing and mobile devices. However, operational use of CE today presents some challenges. In some cases, it may be difficult to verify that CE has effectively sanitized media. If verification cannot be performed, organizations should use alternative sanitization methods that can be verified, or use CE in combination with a sanitization technique that can be verified.
These characteristics can be used to drive the types of questions that media users should ask vendors, but ideally this information would be made readily available by vendors so that it can be easily retrieved by users to facilitate informed risk based sanitization decisions. For example, knowing the coercivity of the media can help a user decide whether or not the available degausser(s) can effectively degauss the media.
Types of Sanitization
Regarding sanitization, the principal concern is ensuring that data is not unintentionally released. Data is stored on media, which is connected to a system. This guidance focuses on the media sanitization component, which is simply data sanitization applied to a representation of the data as stored on a specific media type. Other potential concern areas exist as part of the system, such as for monitors, which may have sensitive data burned into the screen.
When media is repurposed or reaches end of life, the organization executes the system life cycle sanitization decision for the information on the media. For example, a mass-produced commercial software program contained on a DVD in an unopened package is unlikely to contain confidential data. Therefore, the decision may be made to simply dispose of the media without applying any sanitization technique. Alternatively, an organization is substantially more likely to decide that a hard drive from a system that processed PII needs sanitization prior to Disposal.
Disposal without sanitization should be considered only if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, and would not result in financial loss or harm to any individuals.
The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media. The key is to first think in terms of information confidentiality then apply considerations based on media type.
In organizations, information exists that is not associated with any categorized system. This information is often hard copy internal communications such as memoranda, white papers, and presentations. Sometimes this information may be considered sensitive. Examples may include internal disciplinary letters, financial or salary negotiations, or strategy meeting minutes. Organizations should label these media with their internal operating confidentiality levels and associate a type of sanitization described in this publication.
Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. The level of effort applied when attempting to retrieve data may range widely. For example, a party may attempt simple keyboard attacks without the use of specialized tools, skills, or knowledge of the media characteristics. On the other end of the spectrum, a party may have extensive capabilities and be able to apply state of the art laboratory techniques.
Clear, Purge, and Destroy are actions that can be taken to sanitize media. The categories of sanitization are defined as follows:
It is suggested that the user of this guide categorize the information, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media. Then, the organization can choose the appropriate type(s) of sanitization. The selected type(s) should be assessed as to cost, environmental impact, etc., and a decision should be made that best mitigates the risk to confidentiality and best satisfies other constraints imposed on the process.
Use of Cryptography and Cryptographic Erase
Many storage manufacturers have released storage devices with integrated encryption and access control capabilities, also known as Self-Encrypting Drives (SEDs). SEDs feature always-on encryption that substantially reduces the likelihood that unencrypted data is inadvertently retained on the device. The end user cannot turn off the encryption capabilities, which ensures that all data in the designated areas are encrypted. A significant additional benefit of SEDs is the opportunity to tightly couple the controller and storage media so that the device can directly address the location where any cryptographic keys are stored, whereas solutions that depend only on the abstracted user access interface through software may not be able to directly address those areas.
SEDs typically encrypt all of the user-addressable area, with the potential exception of certain clearly identified areas, such as those dedicated to the storage of pre-boot applications and associated data.
Cryptographic Erase (CE) leverages the encryption of target data by enabling sanitization of the target data’s encryption key. This leaves only the ciphertext remaining on the media, effectively sanitizing the data by preventing read-access.
Without the encryption key used to encrypt the target data, the data is unrecoverable. The level of effort needed to decrypt this information without the encryption key is then bounded by the weaker of the two: the strength of the cryptographic key, or the strength of the cryptographic algorithm and mode of operation used to encrypt the data.
If strong cryptography is used, sanitization of the target data is reduced to sanitization of the encryption key(s) used to encrypt the target data. Thus, with CE, sanitization may be performed with high assurance much faster than with other sanitization techniques. The encryption itself acts to sanitize the data, subject to constraints identified in this guidelines document. Federal agencies must use FIPS 140-validated encryption modules in order to have assurance that the conditions stated above have been verified for the SED.
Typically, CE can be executed in a fraction of a second. This is especially important as storage devices get larger, since other sanitization methods take proportionally longer. CE can also be used as a supplement or addition to other sanitization approaches.
When Not To Use CE To Purge Media:
When to Consider Using CE:
Additional CE Considerations
If the encryption key exists outside of the storage device (typically due to backup or escrow), there is a possibility that the key could be used in the future to recover data stored on the encrypted media.
CE should only be used as a sanitization method when the organization has confidence that the encryption keys used to encrypt the Target Data have been appropriately protected. Such assurances can be difficult to obtain with software cryptographic modules, such as those used with software-based full disk encryption solutions, as these products typically store cryptographic keys in the file system or other locations on media which are accessible to software. While there may be situations where use of CE with software cryptographic modules is both appropriate and advantageous, such as performing a quick remote wipe on a lost mobile device, unless the organization has confidence in both the protection of the encryption keys, and the destruction of all copies of those keys in the sanitization process, CE should be used in combination with another appropriate sanitization method.
Sanitization using CE should not be trusted on devices whose key(s) have been backed up or escrowed unless the organization has a high level of confidence about how and where the keys were stored and managed outside the device. Such backup or escrowed copies of data, credentials, or keys should be the subject of a separate device sanitization policy. That policy should address backups or escrowed copies within the scope of the devices on which they are actually stored.
Factors Influencing Sanitization and Disposal Decisions
Several factors should be considered along with the security categorization of the system confidentiality when making sanitization decisions. The cost versus benefit tradeoff of a sanitization process should be understood prior to a final decision. For instance, it may not be cost-effective to degauss inexpensive media such as diskettes. Even though Clear or Purge may be the recommended solution, it may be more cost-effective (considering training, tracking, and verification, etc.) to destroy media rather than use one of the other options. Organizations retain the ability to increase the level of sanitization applied if that is reasonable and indicated by an assessment of the existing risk.
Organizations should consider environmental factors including (but not limited to):
Sanitization Scope
For most sanitization operations, the target of the operation is all data stored on the media by the user. However, in some cases, there may be a desire or need to sanitize a subset of the media. Partial sanitization comes with some risk, as it may be difficult to verify that sensitive data stored on a portion of the media did not spill over into other areas of the media (e.g., remapped bad blocks). In addition, the dedicated interfaces provided by storage device vendors for sanitization typically operate at the device level, and are not able to be applied to a subset of the media. As a result, partial sanitization usually depends on the typical read and write commands available to the user, which may not be able to bypass any interface abstraction that may be present in order to directly address the media area of concern.
On some storage devices featuring integrated encryption capabilities, CE provides a unique mechanism for supporting some forms of partial sanitization. Some of these devices support the ability to encrypt portions of the data with different encryption keys (e.g., encrypting different partitions with different encryption keys). When the interface supports sanitizing only a subset of the encryption keys, partial sanitization via CE is possible. As with any other sanitization technique applied to media, the level of assurance depends both upon vendor implementation and on the level of assurance that data was stored only in the areas that are able to be reliably sanitized. Data may be stored outside these regions either because the user or software on the system moved data outside of the designated area on the media, or because the storage device stored data to the media in a manner not fully understood by the user.
Due to the difficulty in reliably ensuring that partial sanitization effectively addresses all sensitive data, sanitization of the whole device is preferred to partial sanitization whenever possible. Organizations should understand the potential risks of this approach and make appropriate decisions on this technique, balancing the factors described earlier in this section as well as their business missions and specific use cases. For example, a drive in a datacenter may contain customer data from multiple customers. When one customer discontinues service and another begins storing data on the same media, the organization may choose to apply partial sanitization in order to retain the data of other customers that is also stored on the same storage device in other areas of the media. The organization may choose to apply partial sanitization because the drive remains in the physical possession of the organization, access by the customer is limited to the interface commands, and the organization has trust in the partial sanitization mechanism available for that specific piece of media. In cases where the alternative to partial sanitization is not performing sanitization at all, partial sanitization provides benefits that should be considered.
Verification of Sanitization Results
The goal of sanitization verification is to ensure that the target data was effectively sanitized. When supported by the device interface (such as an ATA or SCSI storage device or solid state drive), the highest level of assurance of effective sanitization (outside of a laboratory) is typically achieved by a full reading of all accessible areas to verify that the expected sanitized value is in all addressable locations. A full verification should be performed if time and external factors permit. This manner of verification typically only applies where the device is in an operational state following sanitization so that data can be read and written through the native interface. If an organization chooses representative sampling then there are three main goals applied to electronic media sanitization verification:
Cryptographic Erase has different verification considerations than procedures such as rewriting or block erasing, because the contents of the physical media following Cryptographic Erase may not be known and therefore cannot be compared to a given value. When Cryptographic Erase is leveraged, there are multiple options for verification, and each uses a quick review of a subset of the media. Each involves a selection of pseudorandom locations to be sampled from across the media.
The first option is to read the pseudorandom locations prior to Cryptographic Erase, and then again following Cryptographic Erase, and compare the results. This is likely the most effective verification technique. Another option is to search for strings across the media, or to look for files that are in known locations, such as operating system files likely to be stored in a specific area.
The number of locations and size of each sample should take into consideration the risks in transferring the Target Data to the storage media of the machine hosting the sanitization application. As a result, the proportion of the media covered by verification for the Cryptographic Erase technique may be relatively small (or at least lower than the above guidance of 10 % for verification of non-cryptographic sanitization techniques), but should still be applied across a wide range of the addressable area.
However, these techniques may not always be available because the individual performing the sanitization may not have the authentication token needed to access and read the data stored on the drive. If an organization cannot verify that CE effectively sanitized storage media, organizations should employ an alternative sanitization meth
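The following Go program is an added worked example, not code from this publication or from any drive vendor, that ties together the Cryptographic Erase mechanics described under Use of Cryptography and Cryptographic Erase, the escrowed-key caveat in the same section, the per-key partial sanitization described under Sanitization Scope, and the before-and-after sampling verification described above. It models a two-band SED in memory. The geometry, the use of AES-CTR in place of a real drive's AES-XTS, the sample PII string, the sampling seed and the sample count are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// Assumed geometry: 64 sectors of 512 bytes split into two bands, each with its
// own media encryption key (MEK), as a multi-band SED might key one partition each.
const (
	sectorSize  = 512
	sectorCount = 64
	numBands    = 2
)

// SED holds the ciphertext as it sits on the media and the MEKs kept inside the
// controller; the host sees neither directly.
type SED struct {
	media [sectorCount][sectorSize]byte
	mek   [numBands][]byte
}

func NewSED() (*SED, error) {
	s := &SED{}
	for b := range s.mek {
		s.mek[b] = make([]byte, 32)
		if _, err := rand.Read(s.mek[b]); err != nil {
			return nil, err
		}
	}
	return s, nil
}

func bandOf(lba int) int { return lba / (sectorCount / numBands) }

// ctrXOR runs AES-CTR with the sector number as the IV, so one routine both
// encrypts and decrypts. Real SEDs use AES-XTS; CTR is a stand-in to keep the
// example short. The per-sector IV is what makes key reuse across sectors safe.
func ctrXOR(key []byte, lba int, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, uint64(lba))
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func (s *SED) Write(lba int, plain []byte) error {
	buf := make([]byte, sectorSize)
	copy(buf, plain)
	ct, err := ctrXOR(s.mek[bandOf(lba)], lba, buf)
	if err != nil {
		return err
	}
	copy(s.media[lba][:], ct)
	return nil
}

func (s *SED) Read(lba int) ([]byte, error) {
	return ctrXOR(s.mek[bandOf(lba)], lba, s.media[lba][:])
}

// CryptoErase sanitizes one band: the old MEK is zeroised in the controller and
// a fresh one generated. Not a single byte of the media is rewritten.
func (s *SED) CryptoErase(band int) error {
	for i := range s.mek[band] {
		s.mek[band][i] = 0
	}
	_, err := rand.Read(s.mek[band])
	return err
}

// SampleFingerprints is the read-before-and-after verification option: n
// pseudorandom sectors in the band are read and only a SHA-256 of each is kept,
// so the verifying host never retains a copy of the Target Data.
func (s *SED) SampleFingerprints(band int, seed int64, n int) (map[int][32]byte, error) {
	rng := mrand.New(mrand.NewSource(seed))
	span := sectorCount / numBands
	fp := make(map[int][32]byte, n)
	for len(fp) < n {
		lba := band*span + rng.Intn(span)
		data, err := s.Read(lba)
		if err != nil {
			return nil, err
		}
		fp[lba] = sha256.Sum256(data)
	}
	return fp, nil
}

// Unchanged lists sampled sectors that read back identically after CE; any
// entry means the key for that region was not actually replaced.
func Unchanged(before, after map[int][32]byte) []int {
	var same []int
	for lba, h := range before {
		if after[lba] == h {
			same = append(same, lba)
		}
	}
	return same
}

func main() {
	s, err := NewSED()
	if err != nil {
		panic(err)
	}
	pii := []byte("name=Jane Doe;ssn=123-45-6789") // constructed sample data
	s.Write(5, pii)                                 // band 0
	s.Write(40, pii)                                // band 1
	escrow := append([]byte(nil), s.mek[0]...)      // a key backup that left the device
	before, _ := s.SampleFingerprints(0, 42, 8)
	s.CryptoErase(0)
	after, _ := s.SampleFingerprints(0, 42, 8)
	fmt.Println("unchanged band-0 samples:", Unchanged(before, after)) // []
	p, _ := s.Read(5)
	fmt.Println("band 0 readable after CE:", bytes.Contains(p, pii)) // false
	p, _ = s.Read(40)
	fmt.Println("band 1 still readable:", bytes.Contains(p, pii)) // true
	p, _ = ctrXOR(escrow, 5, s.media[5][:])
	fmt.Println("recovered with escrowed key:", bytes.Contains(p, pii)) // true
}
```

Run it with go run. The sampling check passes because every sampled band-0 sector now decrypts under a different key, band 1 is untouched because its key was never sanitized, and the last line is the escrow caveat in one statement: CE left every ciphertext byte on the media, so anyone holding a backup of the band-0 key reads the data back as if nothing had happened.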