The Efficiencies of NIST-Compliant Data Sanitization

More isn’t always better, and that can apply to how your company securely disposes of end-of-life, data-bearing IT assets. This is particularly relevant to how the data is wiped, i.e., sanitized. A little bit of history explains why the best solution for most companies today has changed.

It’s very likely you’ve heard of the “DoD wipe” or the “DoD standard,” which generally refers to Department of Defense (DoD) 5220.22-M, a process for overwriting hard drives with patterns of ones and zeros. The process requires three secure overwriting passes and a verification at the end of the final pass. For many years, this was regarded as the gold standard for data sanitization.

Multiple passes were the standard.

In those days, the common mantra was that multiple passes were required for an effective data wipe. This originated, at least in part, from a 1996 study published by Peter Gutmann, who suggested that data needs to be overwritten 30 times or more to be considered irrecoverable. Indeed, as WhiteCanyon points out, hard disk drives built in the late ’90s and very early 2000s could show what are called “bit shadows” after a data wipe: residual traces at a wiped location that could potentially reveal what had been written there.

What is the NIST standard?

The DoD standard has remained very much alive throughout the years and is still used to this day. However, emerging technology demands a better data wiping solution, especially as companies seek to maximize value from their disposition efforts. This is where NIST comes in. NIST, the National Institute of Standards and Technology, published 800-88r1, “Guidelines for Media Sanitization,” for this purpose. In fact, the guidelines outlined by NIST have been adopted by the Department of Defense itself.

Why is NIST such an efficient solution?

The NIST Guidelines outline a clear approach to sanitization for every device type, segmented by three overarching levels of procedure: Clear, Purge, and Destroy. Generally, the Clear step of the guidelines advises a data wipe with a minimum of one overwrite pass, as contrasted with the DoD standard’s minimum of multiple passes. (Of course, this depends on the device; the 800-88 Guidelines cover devices ranging from non-magnetic media to mobile devices as well.)

So, why does the age-old cliché of “more is better” not hold true in this case?

Better technology means only one wipe is usually required: Technicians from Sipi Asset Recovery explain that, years ago, the magnetic heads in hard disk drives were simply not as precise or accurate, nowhere near the precision of HDDs today. Because the heads now write far more precisely, the wiping process itself is that much more precise, meaning one overwrite pass is enough to sanitize most modern drives where this procedure is applicable.

NIST saves time: Time is money, and a single overwrite pass will indeed save time as well. Our technicians estimate that, in real-world scenarios, DoD wipes can take up to 4 times as long to complete compared to a NIST-compliant single-pass wipe; e.g., 40 hours vs. 10 hours.

NIST is better for the environment: Because the time required to sanitize drives is shorter, wiping hard drives per the NIST standard uses less electricity and is thus the more ecologically conservative option.
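To make the difference concrete, here is an added example (not code from the post or from Sipi Asset Recovery) that models both procedures on a constructed in-memory drive: the 800-88 Clear step as one fixed-pattern pass followed by a full read-back verification, beside a DoD 5220.22-M style three-pass wipe. The stand-in drive has a sector that silently ignores writes, which shows why the verification read, not the pass count, is what catches an incomplete wipe. All class and function names are assumptions for this illustration.

```python
import io
import random
from typing import Callable

SECTOR = 512
Fill = Callable[[int, int], bytes]  # (lba, length) -> bytes to write at that sector

class FlakyDisk(io.BytesIO):
    """Constructed drive stand-in: sectors in `stuck` keep old contents on write (worn/remapped)."""
    def __init__(self, size: int, stuck=()):
        super().__init__(random.Random(1).randbytes(size))  # stands in for old user data
        self.stuck = set(stuck)
    def write(self, data: bytes) -> int:
        if self.tell() // SECTOR in self.stuck:
            self.seek(len(data), io.SEEK_CUR)  # reports success, changes nothing
            return len(data)
        return super().write(data)

def sectors(size: int):
    for lba in range((size + SECTOR - 1) // SECTOR):
        yield lba, min(SECTOR, size - lba * SECTOR)

def overwrite(disk, size: int, fill: Fill) -> int:
    """One overwrite pass over every sector; returns bytes written."""
    disk.seek(0)
    return sum(disk.write(fill(lba, n)) for lba, n in sectors(size))

def verify(disk, size: int, fill: Fill) -> list[int]:
    """Full read-back verification: LBAs that do not hold what the last pass wrote."""
    disk.seek(0)
    return [lba for lba, n in sectors(size) if disk.read(n) != fill(lba, n)]

zeros: Fill = lambda lba, n: bytes(n)
ones: Fill = lambda lba, n: b"\xff" * n

def seeded_random(seed: int) -> Fill:
    # Per-sector seeded PRNG, so the random pass can still be verified afterwards.
    return lambda lba, n: random.Random(seed * 1_000_003 + lba).randbytes(n)

def nist_clear(disk, size: int) -> dict:
    """800-88 Clear as the post describes it: one fixed-pattern pass, then verify."""
    written = overwrite(disk, size, zeros)
    return {"bytes_written": written, "failed_lbas": verify(disk, size, zeros)}

def dod_three_pass(disk, size: int, seed: int = 7) -> dict:
    """DoD 5220.22-M style: pattern, complement, random, then verify the final pass."""
    last = seeded_random(seed)
    written = sum(overwrite(disk, size, f) for f in (zeros, ones, last))
    return {"bytes_written": written, "failed_lbas": verify(disk, size, last)}
```

The `bytes_written` figure is the simplest proxy for the time ratio the post quotes: the three-pass wipe moves three times the data, while either method only reports a clean result when `failed_lbas` is empty.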

Conclusion

In the end, all current methodologies can satisfy most requirements. What is important is “choice”: specifically, that companies have a choice in data sanitization and may employ the method that is optimal for their cost, efficiency, data security, or supply-chain considerations. Sipi Asset Recovery offers a true “portfolio” of choices in data destruction methods. Reach out to us to learn more.
