What the Latest Standards for Data Destruction have to Say About SSDs

Realizing that existing standards for data destruction were outdated, the National Institute for Standards and Technology (NIST) created comprehensive guidelines for data sanitization and destruction in 2006. Since then, computer technology has changed significantly, and an update was needed. In 2012, the organization published the NIST 800-88 Revision 1 (which is still officially a draft), the first set of standards to try to address the growing use of solid state drives (SSDs) in storage arrays, tablets and mobile devices, and increasingly in laptops.

In their own report, NIST acknowledges how significantly SSDs have altered the data destruction landscape. NIST writes, “SSDs have already begun changing the norm in storage technology, and at least from a sanitization perspective, the change is revolutionary (as opposed to evolutionary).”

That final detail is telling. The technical specifications of SSDs make them largely immune to existing sanitization strategies; they require the development of entirely new techniques.

Addressing this gap in standards is one of the major goals of NIST’s recent revision. NIST and other data security experts recommend that SSD sanitization, like magnetic drive and media sanitization, be carried out as a process. A systematic approach to data destruction is the most reliable way to ensure that it has been comprehensively, effectively, and verifiably applied. Using the NIST standard as a basis, this is the process as it applies to SSD destruction:

Assessment

It is important to make certain determinations in advance of the data destruction process. First, what data could be on the devices and what are the risks associated with that data? Is the resale value worth the expense of proper sanitization?

Each one of these determinations will affect the choice of a data destruction process. If you do not have the technical resources and systems available, with the ability to control the quality of the process, then you probably want to hire a certified vendor to sanitize the devices. That can be done at your office or off site at a secure facility. Understand the nature of your SSD sanitization project before you make any final decisions.

Sanitization

According to NIST, there are three methods of sanitization for any device: clearing, purging, and destroying. The methods for SSDs are as follows:

  • Clear – Overwrite the media using tools/methods that have been approved and validated by the organization. A clear pattern with at least a single pass using a fixed data value must be used.
  • Purge – There are three methods for purging: the sanitize command, the secure erase command, or a process of cryptographic erasure.
  • Destroy – Shred, disintegrate, pulverize or incinerate the device.

Clearing is the least time- and labor-intensive but may leave the device vulnerable to data recovery. Purging is much more reliable but requires more physical and intellectual resources. Destroying is the most reliable but removes the potential for resale.

Verification

This is the challenge with SSDs. Because of the way these drives store data, it is very difficult to validate that there really is no data remaining. Industry experts recommend that, in addition to Secure Erase, a multi-pass overwrite be done to ensure the drive writes to all cells. If these two steps are done along with an OEM wipe and reload of the operating system, you can be quite certain that all data has been overwritten.

Documentation

A “Certificate of Media Disposition” should be created for each device following the SSD erasure process, NIST says. This certificate documents information like the technical specifications of the device, the type of data that it contained, the SSD sanitization method used, and the time and place that it was conducted. It is important to create and retain these documents to ensure consistency and to create an auditable paper trail. This is important for compliance audits and quality control. A NAID certified vendor will provide you with these records.
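The Verification and Documentation steps above can be tied together in a short script. This is an added example, not code from NIST or from this article's author. It samples blocks of a cleared drive or image for the fixed overwrite value and builds a disposition record from the result. The function names, record field names, block size and sample data are all assumptions made for illustration.

```python
import io
import json
import random
from datetime import datetime, timezone

BLOCK = 4096  # bytes per sampled block (assumed size for this sketch)

def verify_clear(dev, size, pattern=0x00, fraction=0.1, seed=None):
    """Sample blocks of a seekable stream; return offsets not holding `pattern`."""
    total = size // BLOCK  # a trailing partial block is not checked
    if total == 0:
        raise ValueError("media smaller than one block")
    rng = random.Random(seed)
    count = min(total, max(1, int(total * fraction)))
    # Random sample plus the first and last block of the addressable range.
    picks = set(rng.sample(range(total), count)) | {0, total - 1}
    expected = bytes([pattern]) * BLOCK
    bad = []
    for idx in sorted(picks):
        dev.seek(idx * BLOCK)
        if dev.read(BLOCK) != expected:
            bad.append(idx * BLOCK)
    return {"blocks_total": total, "blocks_sampled": len(picks),
            "mismatch_offsets": bad}

def disposition_record(device, data_type, method, location, result):
    """Build a record with the fields the Documentation step lists."""
    return {
        "device": device,
        "data_type": data_type,
        "sanitization_method": method,
        "location": location,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "verification": result,
        # Logical reads cover only user-addressable blocks, not spare or
        # remapped flash cells, so a pass here is not proof for an SSD.
        "verified": not result["mismatch_offsets"],
    }

if __name__ == "__main__":
    # Constructed sample: a 64-block "cleared" image with residue left in block 10.
    image = bytearray(64 * BLOCK)
    image[10 * BLOCK + 7] = 0x41
    result = verify_clear(io.BytesIO(image), len(image), fraction=1.0)
    record = disposition_record(
        {"model": "EXAMPLE-SSD", "serial": "CONSTRUCTED-0001"},
        "constructed test data", "clear", "example lab", result)
    print(json.dumps(record, indent=2))
```

Any non-empty `mismatch_offsets` list means the Clear pass did not reach every sampled block and the record is marked unverified.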

The guidelines laid out in NIST 800-88 are not requirements but recommendations. These are the basis for best practices developed for secure SSD data destruction. A certified ITAD vendor can help you understand and implement these guidelines so that your decommissioned devices never hurt your company. To learn more about these issues, consult our white paper “10 Myths About IT Asset Disposition (ITAD) Data Erasure.”
