Data Sanitization for End-Of-Use Assets
Taking The Worry Out of Retiring Assets
By Roger Gagnon, President & CEO, Extreme Protocol Solutions
Organizations across the globe are prioritizing Cybersecurity efforts as threats from cyber criminals are on the rise. As the circular economy and green initiatives grow simultaneously, increased vigilance in data security efforts for end-of-use enterprise and office systems needs to be prioritized as well.
Why Worry About Retiring Assets?
Most organizations focus on live data security, which of course is extremely important. Recently decommissioned assets, however, contain the same data that was just migrated to the new live systems. That data must be digitally destroyed on the end-of-use systems with an accompanying tamperproof certificate of destruction prior to re-use or recycling to satisfy regulatory compliance with HIPAA, FACTA, Gramm-Leach-Bliley, CMMC, GDPR, and a host of other industry or government-related data privacy laws that keep compliance and security officers awake at night with data breach concerns.
Just because an asset is being decommissioned doesn’t place any less importance on the data it contains, nor on the risk mitigation required to ensure its re-entry into the circular economy. In fact, the danger that this data can be utilized for nefarious purposes is even greater than live systems since these assets no longer hide behind corporate firewalls and other cybersecurity gateways that are constantly being monitored to protect against misuse of data. Because of this threat, it is of the utmost importance that organizations acquire certified software/hardware solutions or hire a certified IT Asset Disposition Company (ITAD) to effectively destroy all remnants of data on all data-bearing devices prior to those devices leaving their secured facilities.
Assets at Risk
The task of destroying this data can sometimes be overwhelming. In a data center, data-bearing assets range from enterprise storage arrays, hyper-converged storage, servers, blade servers, network switches, routers, firewalls, storage switches, and access points to assets commonly found in offices. In an office space, laptops, desktops, high-end Chromebooks, servers, mobile phones, tablets, high-end printers, scanners and copiers can all contain sensitive data that must be purged before removal from the facility. If that list of assets isn’t daunting enough, consider that for each asset type, there may be hundreds or thousands of combinations of manufacturer, model, and firmware for each device type. Each of these may behave slightly differently than the other and require either specialized knowledge or software to properly sanitize the data.
What Standards Exist
Fortunately, there are clear standards for data sanitization in place and new standards being finalized for both present and future use. Gone are the days of Department of Defense 3X, 5X, and 7X overwrites. Today’s storage is too varied and overwrites can be ineffective on certain types of storage media. Luckily, there are standards in place that provide secure, absolute data sanitization with forensic science to back them up.
- NIST SP800-88r1 (2014)
- This standard has been the gold standard since its inception. It is no longer being revised and therefore is not up to date with the latest storage devices and technology. Because of this, IEEE decided to update it and create a new standard, IEEE 2883.
- IEEE 2883 (2022/2023)
- This standard picks up where NIST left off and accounts for the latest storage devices. It will be the new standard moving forward. It addresses both digital sanitization and physical destruction of data-bearing assets.
Where to find help
Now that this article has rightfully put some fear into anyone in charge of managing these assets as they make their transition from in-use to end-of-use, take solace in the fact that there are solutions and services out there that can mitigate data security risks to the highest standards and provide certifications that can be used for security audits and regulatory compliance. There are vendors that manufacture certified data sanitization software and hardware solutions equipped to handle a massive variety of asset types and configurations for those inclined to leave nothing to chance and want to keep risk mitigation and data security in-house. There are also the aforementioned IT Asset Disposition Companies or 3rd party professional services companies, many of whom also provide on-site data sanitization services and white glove asset removal.
What to look for in a solution or service
First and foremost, any solution or service should have certification(s) that attest to their efficacy and professionalism. Certifying bodies such as R2, e-Stewards, and NAID AAA provide detailed audits of IT Asset Disposition (ITAD) companies and 3rd party service providers to ensure they are meeting a variety of standards for asset handling, tracking, and, of course, data security. Certifying bodies such as ADISA provide detailed forensic analysis of software solutions for compliance with NIST and IEEE erasure standards. Make sure that whomever you deal with has certifications appropriate to their function.
Conclusion
In today’s increasingly complex business environment, a massive number of data-bearing devices are constantly being placed in end-of-use states through technology refreshes, lease returns, malfunctions, and a variety of other reasons. Regardless of the inactive status of an asset, and no matter how daunting the task, data-bearing devices must be protected by proper sanitization techniques that adhere to the highest standards. Finding the right solution or service can be challenging, but proper due diligence and prioritization around data security will ensure that no data leaves a facility and keeps both businesses and customers safe.
About the Author
Roger Gagnon is the President and CEO of Extreme Protocol Solutions, a leading provider of data sanitization solutions based outside of Boston in Uxbridge, Massachusetts. He began his career as a data storage engineer for both EMC and Digital Equipment. In 1999, the Worcester Polytechnic Institute grad founded Extreme Protocol Solutions (EPS). Over the next two-plus decades, Roger built EPS into a global player in the data storage test, development, and sanitization markets. EPS remains committed to cutting-edge, customer-focused solutions that ensure risk mitigation while providing substantial ROI for Fortune 100, 500, and 1000 companies. Roger can be reached at rgagnon@extremeprotocol.com; EPS’s website is www.extremeprotocol.com.