New opportunities for conformance are around the corner, thanks to the IEEE’s ‘P2883 – Standard for Sanitizing Storage’ and the upcoming revision of ISO/IEC 27040, ‘Information technology — Security techniques — Storage security.’

Data Sanitization Conformance & the Need for Concrete Standards

When it comes to protecting end-of-life IT assets, sanitizing data storage media—from smartphones to drives to server arrays and more—keeps data from being recovered, protecting it from unauthorized access. Concerns over data breaches, data privacy, and data protection continue to escalate globally, making properly executed data sanitization more critical than ever.

Yet, data storage technologies are outpacing the recommendations found in current sanitization reference documents and guidelines: While data storage technologies change significantly around every 18 months, globally referenced guidelines, best practices, and standards may take years to revise.

For instance, ISO/IEC JTC1 – Information Technology addresses data sanitization conceptually and has some technology specifics. This standard is at least five years old. NIST 800-88, a global reference which itself is more than seven years past its most recent update, can be imprecise when addressing sanitization requirements for different data storage media. In addition, methods or processes that are presented as “guidelines” or “recommendations” or “best practices,” also leave organizations and vendors without a secure set of objective rules when it comes to claiming conformance.

The growing need to protect data from loss and cyberthreats, as well as numerous regulatory requirements, means a hard and fast “yes/no” is necessary when deciding whether IT assets are properly sanitized at decommissioning.

Emerging Standards May Make Conformance Clearer

Thankfully, two key international standards bodies—the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO)—are putting solid conformance claims within reach. How? By creating separate, but interrelated standards that are regularly but independently updated.

Taken together, these voluntary standards would not only specify when sanitization should occur, but how to sanitize various devices. This provides two distinct, authoritative reference points for conformance. The revision schedules between these two standards are set to more closely keep pace with technological changes in data storage media.

If you represent a data-driven organization, data security audit or certification organization, or a manufacturer of data storage technologies—you can begin preparing for these changes now.

Standards Change #1: IEEE P2883 – Standard for Sanitizing Storage

P2883, as drafted, defines sanitization as the ability to render access to target data on storage media infeasible for a given level of effort. It updates, adds to, and reinforces much of the content in NIST 800-88 to address modern technologies, simultaneously moving from guidance to conformance requirements. One of the things it does is reduce the need to interpret distinctions between NIST Clear and NIST Purge.

For instance, currently, one primary distinction is that NIST Clear prevents data access via keyboard attack and NIST Purge prevents access via laboratory attacks. However, this leaves room for interpretation as those attack types can shift as technologies and attack methods evolve. To make the distinction clearer, P2883 specifies both methods and desired outcomes for various levels of sanitization and verification.

Drafted by the Security in Storage Working Group, a cohort of leading technology experts, this IEEE standard will specify methods of sanitizing logical storage and physical storage. It will also provide technology-specific requirements and guidance for eliminating recorded data from all types of digital storage media. In essence, it will provide a voluntary “how to” standard for sanitization. And, because IEEE standards can be updated more frequently than resources with longer revision schedules, processes that address newer technologies can be addressed more quickly.

P2883 provides:

  • A baseline standard, with no dependencies, on how to sanitize data by media type according to accepted industry categories of Clear, Pure, and Destruct
  • Clear language and instruction so that organizations know whether they have achieved sanitization and can confidently make appropriate conformance claims
  • Clarification around various methods by media and type of sanitization (e.g., does degaussing achieve Clear, Purge, or Destruct-level sanitization for a given device?)
  • The ability to be referenced by other standards documents, such as NIST or ISO standards, so that they also advance the most up-to-date sanitization methods for changing technologies.

With this conformance clarity, particularly if widely adopted, organizations will be able to make more precise decisions around how they treat their end-of-life IT assets.

If you represent a data-driven organization, data security audit or certification organization, or a manufacturer of data storage technologies—you can begin preparing for these changes now.

This will result in greater confidence that their data is adequately protected, and the knowledge that they can point to clearly meeting a specific method (Clear, Purge, Destruct) of sanitization during audits and certifications.

While IEEE P2883 does not address virtual storage, all consumers of data storage technologies, especially those that store sensitive or high-value data, and the vendors that manufacture, maintain, and support these technologies, will stand to benefit from this level of clarity. Additionally, regulators and other standards development organizations may be able to leverage the contents of this standard.

IEEE P2883 is scheduled for release in the summer of 2023. For more information visit the “P2883 – Standard for Sanitizing Storage” project page. A current IEEE Draft Standard for Sanitizing Storage is also available for purchase.

Standards Change #2: Update to ISO/IEC 27040

P2883 explains how to sanitize various media. By contrast, ISO/IEC CD 27040 Information technology — Security techniques — Storage security, currently under development, will describe when to sanitize.

The current version of this standard is ISO/IEC 27040:2015, which aligns its data sanitization approach with that of NIST 800-88. This standard, which also covers other aspects of storage security, is reviewed every five years.

Data storage has undergone tremendous transformation over the past decade, going from more isolated connectivity and physical/geographic protections to remote, virtual, and cloud-based architectures. Because of this transformation, the updated standard will take a more system-centric approach, supporting information security management system (ISMS) requirements according to ISO/IEC 27001, including logical and cloud storage.

Likewise, from a sanitization perspective, the ISO/IEC 27040 draft is radically different from the published standard. For one thing, most of the device-specific language has been removed. In addition, the draft defers to IEEE 2883, outlined above—rather than NIST–when recommending how specific types of media or logical storage can be sanitized, and which sanitization methods to use.

One of the more important aspects of the revision is the inclusion of multiple “shall” statements, giving clear requirements and actions when determining

  • which points in an asset’s lifecycle (e.g., maintenance, disposal) require sanitization
  • what constitutes compliance, including minimal acceptable conditions for using cryptographic erasure
  • what constitutes s proof, or record, of satisfactory sanitization

The update to ISO/IEC 27040 also broadens its instructions on confirming a particular data sanitization method has been achieved.

For instance, while maintaining the Clear, Purge, and Destruct framework, it refines the verification/validation aspect of NIST 800-88 as it relates to physical destruction: “Destruct” verification should kick off a physical evaluation of the final condition of destroyed materials. This inspection—of shred size, for example—will help organizations weigh the cost and necessity of taking further action—such as additional shredding—to protect the most sensitive data.

The updated content also aligns with the new ISO/IEC 27002, adds controls for NVMe-oF technology and Intelligent Platform Management Interface (IPMI) specifications, and includes a new scheme for identifying requirements and guidance.

The revision, under development by the ISO/IEC JTC 1/SC27 Information security, cybersecurity and privacy protection technical committee, is scheduled to be completed after P2883 is published, enabling the two standards to work together.

To keep up to date, subscribe using the RSS feed on the ISO/IEC WD 27040.3 page (See the RSS icon to the right of the “General Information” heading).

Applicability to Manufacturers, Vendors & Users

ISO/IEC 27040, in particular, emphasizes the need for enterprise organizations to consider end-to-end asset management when thinking of data protection.

IEEE P2883 provides the specificity for organizations to know they can do this well.

With the advent of these two standards, IT asset disposal can no longer be treated as an afterthought and second to active network cybersecurity efforts. This will produce a greater expectation across industries when it comes to protecting data and ensuring data privacy when it comes time to retire any type of digital media.

Furthermore, with the clarity these standards bring, more and more enterprises are going to be better prepared and confident in their ability to sanitize end-of-life assets for secure reuse, resale, or recycling. The next step is that they will be looking for products and services that make conformance to these two standards easier to achieve.

Therefore, the ease of adhering to these new sanitization standards is sure to be a contributing factor when enterprises consider device purchases to use within their information systems.