Gartner’s Views on Data Sanitization

Gartner has a big impact on terminology in the IT space. Its two primary analysts of the IT Asset Disposition industry, Rob Schafer and Christopher Dixon, have identified “data security (thorough data sanitization of all data-bearing assets)” as one of the two key findings in their annual Market Guide for Asset Disposition, the other being ecological disposal.

On top of that, Rob Schafer has contributed to three of Gartner’s famous Hype Cycles: Data Privacy, Data Storage and Data Security. In the Gartner Hype Cycle for Data Security 2017, Rob and his co-author Phillip Dawson predict that general adoption of data sanitization is still 2-5 years out. In other words, the understanding of where to apply data sanitization and its benefits for data security is still growing.

The authors provide a definition for the term:

“Data sanitization is the consistently applied, disciplined process of reliably and completely removing all data from a read/write medium so that it can no longer be read or recovered.”

They then go on to argue that “[g]rowing concerns about data privacy and security, leakage, regulatory compliance and the ever-expanding capacity of storage media are making robust data sanitization a core competency for all IT organizations.”

Finally, they suggest that organizations “…create appropriate data sanitization/destruction standards that provide specific guidance on the destruction process, based on data sensitivity.”

The IDSC was formed, in part, to refine Gartner’s definition to specify that the three primary means of data sanitization (physical destruction, cryptographic erasure, software overwrites) must include a verification step, as well as an attestation, for audit purposes.

Another goal of the IDSC is to create template versions of those recommended standards.

Under Business Impact, the Hype Cycle report states: “By limiting data sanitization to encryption and/or software wiping, organizations can preserve the asset’s residual market value; the destruction of data-bearing devices within an IT asset typically reduces the asset’s residual value (RV) to salvage, incurring the cost of environmentally compliant recycling.”

Preserving the asset’s residual value is one of the primary drivers for data sanitization, the other being the aforementioned data security concerns.

Many organizations are beginning to incorporate data sanitization into their processes for data security, privacy and even storage cost reduction. As your organization begins to build out its capacity, it’s important to understand the industry terminology. Gartner’s definition is a good starting place; however, the industry can do much to enhance how we talk about and implement appropriate data sanitization.

See how the IDSC defines data sanitization and related terminology.