New Standard Brings Certainty to the Process of Proper Eradication of Data

Organizations record many kinds of data on a wide range of storage technologies, and they need to dispose of the data residing on those storage devices and media in a way that demonstrates compliance through verification that the data has actually been eradicated.

When media are repurposed or retired from use, the stored data often must be eliminated (sanitized) to avoid a data breach. Depending on the storage technology, specific methods must be used so that the data is eradicated, in a verifiable manner, both on the logical/virtual storage and on the underlying media-aligned storage.

Existing published standards such as NIST SP 800-88 Revision 1 (Guidelines for Media Sanitization) and ISO/IEC 27040:2015 (Information technology – Security techniques – Storage security) provide sanitization guidance for the storage technologies of the last decade, but they have not kept pace with current technology or legislative requirements.

New standard makes conformance clearer

Published in August 2022, IEEE 2883-2022, IEEE Standard for Sanitizing Storage, addresses contemporary storage technologies and provides requirements that can be used for conformance purposes.

The new standard, like ISO/IEC 27040, defines sanitization as the process of rendering access to target data on storage media infeasible for a given level of effort. IEEE 2883 is expected to become the go-to standard for sanitizing both modern and legacy storage technologies.

The IEEE 2883 standard specifies three methods of sanitization: Clear, Purge, and Destruct. For each method it provides technology-specific requirements and guidance on eradicating the data.

It establishes:

  • A baseline for sanitizing data by media type according to the accepted industry categories of Clear, Purge, and Destruct
  • Specific requirements that let organizations trust they have achieved sanitization and make confident conformance claims
  • Clarification of the applicable methods by media type and sanitization category
  • A text that other standards, such as NIST or ISO documents, can reference so that they too reflect the most up-to-date sanitization methods

With this conformance clarity, particularly if the standard is widely adopted, organizations will be able to make more precise decisions about how they treat their end-of-life IT assets.

In addition, IEEE recently approved a new project, IEEE P2883.1 (Recommended Practice for Use of Storage Sanitization Methods), to build on IEEE 2883-2022. It is expected to cover guidance on selecting appropriate sanitization methods and on verification approaches.
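Verification is the step that turns a sanitization claim into something an auditor can check. As an added illustration, not code from IEEE 2883 or from the post's author, the following Python script performs the read-back verification that follows a Clear or Purge of a block device or a disk image: it reads either every block or a seeded pseudo-random sample of blocks and reports any that still contain bytes other than the expected fill. The fill byte (0x00 by default; 0xFF on some NAND devices), the 4096-byte block size, and the sampling fraction and seed are assumptions for illustration, not values the standard prescribes; the standard's own verification requirements are not reproduced in this post.

```python
"""Post-sanitization read-back verification.

Added example, not code from IEEE 2883 or from the post's author: after a
Clear or Purge operation, read the medium back and confirm every checked
block holds only the expected fill byte. The fill byte (0x00 by default,
0xFF on some NAND devices), the 4096-byte block size, and the sampling
fraction/seed are assumptions for illustration, not values the standard
prescribes.
"""
import os
import random
import sys
from dataclasses import dataclass
from typing import List, Optional

BLOCK_SIZE = 4096  # assumed; use the logical block size the device reports


@dataclass
class VerifyResult:
    blocks_total: int                    # blocks on the medium
    blocks_checked: int                  # blocks actually read (all, or a sample)
    blocks_failed: int                   # blocks that still contain non-fill bytes
    first_failed_offset: Optional[int]   # byte offset of the first failing block


def block_is_clean(block: bytes, fill: int) -> bool:
    """True when every byte in the block equals the expected fill byte."""
    return block == bytes([fill]) * len(block)


def choose_blocks(total: int, sample_fraction: float, seed: Optional[int]) -> List[int]:
    """Return the block indices to read: all of them for a full verification
    (fraction 1.0) or a seeded pseudo-random sample. Recording the seed lets an
    auditor reproduce exactly which blocks were sampled."""
    if not 0.0 < sample_fraction <= 1.0:
        raise ValueError("sample_fraction must be in (0, 1]")
    if total == 0:
        return []
    if sample_fraction == 1.0:
        return list(range(total))
    count = max(1, int(total * sample_fraction))
    return sorted(random.Random(seed).sample(range(total), count))


def verify_sanitized(path: str, fill: int = 0x00, sample_fraction: float = 1.0,
                     seed: Optional[int] = None) -> VerifyResult:
    """Read blocks back from a block device or image file and count those that
    still hold data other than the fill byte. A short final block is compared
    against its own length, so images whose size is not a multiple of
    BLOCK_SIZE are handled."""
    failed = 0
    first_failed: Optional[int] = None
    with open(path, "rb") as dev:
        size = dev.seek(0, os.SEEK_END)  # works for block devices, where getsize() reports 0
        total = (size + BLOCK_SIZE - 1) // BLOCK_SIZE
        indices = choose_blocks(total, sample_fraction, seed)
        for idx in indices:
            dev.seek(idx * BLOCK_SIZE)
            block = dev.read(BLOCK_SIZE)
            if not block_is_clean(block, fill):
                failed += 1
                if first_failed is None:
                    first_failed = idx * BLOCK_SIZE
    return VerifyResult(total, len(indices), failed, first_failed)


if __name__ == "__main__":
    # usage: python verify_sanitized.py /dev/sdX [fill_hex] [sample_fraction] [seed]
    target = sys.argv[1]
    fill_byte = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0x00
    fraction = float(sys.argv[3]) if len(sys.argv) > 3 else 1.0
    rng_seed = int(sys.argv[4]) if len(sys.argv) > 4 else None
    result = verify_sanitized(target, fill_byte, fraction, rng_seed)
    print(result)
    sys.exit(0 if result.blocks_failed == 0 else 1)
```

Two caveats a practitioner should keep in mind. A host-side read-back only sees what the device controller chooses to return; over-provisioned, remapped, or retired blocks on flash and modern HDDs are not addressable through the normal interface, which is why Purge relies on device-internal operations (cryptographic or block erase) rather than on host writes, and why a clean read-back demonstrates the Clear level rather than proving Purge. Sampled verification should be treated as a spot check with a recorded seed and fraction; a full read is the only way to confirm every addressable block.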

If you represent a data-driven organization, a data security audit or certification body, or a manufacturer of data storage technologies, you should begin preparing for these changes now.

More Information

For more information visit the IEEE 2883 – Standard for Sanitizing Storage project page. The current IEEE Standard for Sanitizing Storage is also available for purchase.

There is an IEEE webinar on Storage Sanitization – Eradicating Data in an Eco-friendly Way scheduled for October 26th. Register now.

The SNIA Storage Security Summit held in May this year covered media sanitization and the new standard; the recorded presentation is now available to view.

Eric A. Hibbard, CISSP-ISSAP, ISSMP, ISSEP, CIPT, CISA, CCSK 

Chair, SNIA Security Technical Work Group; Chair, INCITS TC CS1 Cyber Security; Chair, IEEE Cybersecurity & Privacy Standards Committee (CPSC); Co-Chair, Cloud Security Alliance (CSA) – International Standardization Council (ISC); Co-Chair, American Bar Association – SciTech Law – Internet of Things (IoT) Committee
