February 1, 2017
You’d be hard-pressed to find a company that doesn’t follow a set of procedures and standards.
Companies adopt standards in a broad range of areas to ensure consistent execution; to enhance efficiency and performance; and to manage risk. Whether you’re earning ISO certification, responding to regulators, optimizing your business processes, or demonstrating quality to your customers, choosing and adhering to appropriate standards is a way to guide and measure success.
Standards in any given area tend to reflect the consensus on best practices for accomplishing the task at hand. In the area of data sanitization, the most prevalent standard has long been based on a Department of Defense document: DoD 5220.22M.
This post will take a look at how DoD 5220.22M – and specifically the 3-pass process – became the default standard for data erasure, and show why a 3-pass overwrite is no longer necessary to successfully erase modern hard drives.
The evolution of the hard drive
Technology has advanced significantly since PCs first starting showing up on desktops and server farms sprouted around the world. Hard drives have become smaller and able to store more data, lowering the cost of data storage. Solid state drives (SSDs) are beginning to overtake the traditional mechanical hard disk drives (HDDs) in terms of capacity.
As memory capacity has gone up, so has the size and complexity of the programs we run on our devices. Businesses are constantly upgrading to new and more powerful equipment and retiring older assets from service as the need for speed, capacity, and portability grows. Regardless of your refresh cycle, very few businesses keep assets in service for longer than 6 years. Those that do are usually retaining only the few machines necessary to run legacy software programs.
Why do changes to the hard drive mean changes to data erasure requirements? Let’s take a look.
The evolution of data destruction
Data erasure – and the appropriate technique to achieve it – has been widely discussed over the past 20 years. Many people cite a 1996 paper by Peter Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory,” as the first serious look at the possibility of data recovery after an overwrite. While it was obvious from the beginning that simply deleting data wasn’t enough to ensure data couldn’t be recovered, the number of overwrites necessary to fully clear a drive was less certain.
With the need for data erasure becoming an ever more pressing issue as computers entered the mainstream, companies started to look for a standard that would demonstrate they’d taken the necessary steps to destroy their data. For U.S. companies, the obvious choice of guidance was the Department of Defense: if a company followed the same standards as the DoD, surely nobody would question the decision.
As corporations increasingly adopted the 3-pass standard called out in DoD 5220.22M, IT Asset Disposition (ITAD) providers began to advertise their ability to deliver that DoD “compliant” process. Even though research indicated a single pass would do the job – particularly with drives manufactured after 2006 – the 3-pass “standard” became a positive-feedback loop between beliefs and behavior: as more companies believed the 3-pass process to be the only safe option, more ITAD companies promoted it as proof of process safety…which is turn meant more companies demanded a 3-pass solution.
Is DoD 5220.22M still relevant?
Not really. Even the Department of Defense no longer references or uses DoD 5220.22M as a guideline. What’s replaced it? The DoD now references a publication from the National Institute of Standards and Technology: NIST SP 800-88. This new standard is based on National Security Agency research…research which has confirmed that one overwrite is sufficient to sanitize most drives.
In practical terms, this means the majority of drives you have in service can be securely sanitized using a 1-pass process. And since pre-2001 drives and drives with capacities less than 15GB – the drives that can’t be effectively sanitized with a single pass – have no remarketing value, ITAD providers automatically shred them…thus eliminating any concern over number of erasure passes for those devices. Reputable ITAD companies will always choose the method that provides optimum protection against data access for each drive and device type: their reputations depend on it.
The take-away: it’s time to move to NIST SP 800-88
If you’re still referencing DoD 5220.22M and specifying a 3-pass standard for data sanitization it’s time to align your corporate requirements with current thinking and standards and move to NIST SP 800-88 when specifying drive sanitization requirements. Any drive that cannot be cleared/purged using a 1-pass overwrite will be physically destroyed to ensure data cannot be recovered.
Your ITAD provider will also generate drive-specific erasure reports that verify the overwrite procedure has completed properly. This report will list the asset’s inventory profile – including the hard drive serial number, model number, and asset tag number – to document and guarantee the link between the erasure and the hardware.
OUR BLOG
Building the future of global commerce
Blog