Gartner—the world’s leading research and advisory company—has a big impact on terminology in the IT space. The IDSC has refined Gartner’s definition to specify that the three primary means of data sanitization (physical destruction, cryptographic erasure, software overwrites) must include a verification step, as well as an attestation documenting results, for audit purposes.
Gartner’s two primary analysts for the IT asset disposition industry, Rob Schafer and Christopher Dixon, along with other analysts, have tracked data sanitization’s adoption in the marketplace for several years.
Just as data sanitization’s market position has evolved, so has the analysts’ definition of it.
In 2020, Schafer and Dixon labeled data sanitization as climbing the “Slope of Enlightenment” in Gartner’s Hype Cycle for Endpoint Security, 2020, Hype Cycle for Data Security, 2020, and Hype Cycle for Privacy, 2020 reports. (Gartner subscription required).* In each report, the authors referred to IDSC’s definition of data sanitization:
Definition: Data sanitization is the disciplined process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered.
Also in these same 2020 reports, the analysts noted differences between data storage media as part of the reason to include data sanitization verification when outsourcing data sanitization:
User Advice: As different media (such as magnetic HDD storage vs. semiconductor-based NAND flash memory) require different sanitization methods, ensure your IT asset disposition (ITAD) vendor provides a certificate of data destruction with a serialized inventory of the data-bearing assets sanitized. Include a clause within your ITAD contract giving you the right to audit the ITAD vendor’s data sanitization processes/standards to ensure its compliance with your security and industry standards (e.g., NIST 800-88).
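To make concrete the verification step and per-serial attestation that the IDSC definition above and this user advice call for, here is an added Python illustration (not IDSC or Gartner material): it overwrites an in-memory stand-in for a drive, reads every sector back to confirm the overwrite, and emits an attestation record for the serialized asset. The sector size, serial numbers, media labels and record fields are assumptions chosen for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

SECTOR_BYTES = 512  # assumed sector size for the constructed in-memory "drive"


def make_sample_drive(sectors: int = 8) -> bytearray:
    """Constructed stand-in for a data-bearing device: every sector holds recognisable text."""
    return bytearray((b"CONFIDENTIAL RECORD " * 64)[:SECTOR_BYTES] * sectors)


def software_overwrite(drive: bytearray, pattern: bytes, skip: frozenset = frozenset()) -> None:
    """Overwrite each sector with `pattern`. `skip` models sectors the tool failed to reach
    (e.g. an unreported write error); catching that is exactly what verification is for."""
    fill = (pattern * SECTOR_BYTES)[:SECTOR_BYTES]
    for i in range(len(drive) // SECTOR_BYTES):
        if i not in skip:
            drive[i * SECTOR_BYTES:(i + 1) * SECTOR_BYTES] = fill


def verify_overwrite(drive: bytes, pattern: bytes) -> list:
    """Verification step: read back every sector and return the indexes that do not
    match the expected pattern. An empty list means the overwrite is complete."""
    fill = (pattern * SECTOR_BYTES)[:SECTOR_BYTES]
    return [i for i in range(len(drive) // SECTOR_BYTES)
            if drive[i * SECTOR_BYTES:(i + 1) * SECTOR_BYTES] != fill]


def attest(serial: str, media: str, drive: bytes, pattern: bytes,
           when: Optional[datetime] = None) -> dict:
    """Attestation record for one serialized asset: method, verification outcome and a
    digest over the record so later alteration of the certificate is detectable."""
    failed = verify_overwrite(drive, pattern)
    record = {
        "serial": serial,
        "media": media,
        "method": "software overwrite",
        "sectors_total": len(drive) // SECTOR_BYTES,
        "sectors_failed": failed,
        "verified": not failed,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
    }
    record["digest"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


if __name__ == "__main__":
    good = make_sample_drive()
    software_overwrite(good, b"\x00")
    print(json.dumps(attest("HDD-0001", "magnetic HDD", good, b"\x00"), indent=2))
    bad = make_sample_drive()
    software_overwrite(bad, b"\x00", skip=frozenset({5}))  # one sector silently missed
    print(attest("HDD-0002", "magnetic HDD", bad, b"\x00")["sectors_failed"])  # [5]
```

The second run shows why a tool's own "done" message is not a verification: the missed sector is only found by reading the media back.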
According to Gartner’s website, “Gartner Hype Cycle methodology gives you a view of how a technology or application will evolve over time, providing a sound source of insight to manage its deployment within the context of your specific business goals.”
This evolution goes through five Hype Cycle phases covering a technology’s market lifecycle.
The reports define the Slope of Enlightenment phase, where data sanitization is placed, as a phase where “Focused experimentation and solid hard work by an increasingly diverse range of organizations lead to a true understanding of the technology’s applicability, risks and benefits. Commercial off-the-shelf methodologies and tools ease the development process.”
So what has caused data sanitization to progress further along the Gartner Hype Cycle?
Under “Position and Adoption Speed Justification,” Schafer and Dixon mention several factors that are affecting data sanitization’s importance in today’s data-driven environment:
Growing concerns about data privacy and security, leakage, regulatory compliance, and the ever-expanding capacity of storage media and volume of edge computing and IoT devices are making robust data sanitization a core C-level requirement for all IT organizations. This requirement for comprehensive data sanitization should be applied to all devices with storage components (e.g., enterprise storage and servers, PCs, mobile devices, and increasingly, edge computing and some IoT devices). Where organizations lack this robust data sanitization competency, it is often due to handling the asset life cycle stages as isolated events, with little coordination between business boundaries (such as finance, security, procurement and IT).
For mobile devices, a remote data-wiping capability is commonly implemented via a mobile device manager (MDM). Although such a remote capability should not be considered a fail-safe mechanism, reliability should be adequate for a significant majority of lost or stolen mobile devices.
Under “Business Impact,” Gartner continues:
At a relatively low cost, the proper use of encryption, data sanitization and, when necessary, destruction will help minimize the risk that proprietary and regulated data will leak.
By limiting data sanitization to encryption and/or software-based wiping, organizations can preserve the asset’s residual market value. The destruction of data-bearing devices within an IT asset typically reduces the asset’s residual value to salvage, incurring the cost of environmentally compliant recycling.
The benefit rating is moderate, because data sanitization has become an increasingly accepted process to minimize the material business risk of data security. Although data sanitization will not necessarily result in increased revenue or cost savings, it will minimize the risk of significant monetary and brand damage that can result from serious ITAD-related data breaches.
Our summary: Increasing data security and minimizing breach liability are the primary benefits of incorporating data sanitization into device disposal. Greater value from extended use of data storage assets, as well as greater sustainability, are additional benefits of software-based data sanitization over relying solely on data destruction or even encryption.
For all data sanitization methods, however, verification remains a critical step in ensuring that data security concerns are adequately addressed.
* Gartner, Hype Cycle for Privacy, 2020, Bernard Woo, Bart Willemsen, 23 July 2020; Hype Cycle for Data Security, 2020, Brian Lowans, 24 July 2020; Hype Cycle for Endpoint Security, 2020, Dionisio Zumerle, Rob Smith, 15 July 2020 (Gartner subscriptions required).
Many organizations are beginning to incorporate data sanitization into their processes for data security, privacy and even storage cost reduction. As your organization begins to build out its capacity, it’s important to understand the industry terminology.