Jul 29, 2020

Vivek Khanna


Data sanitization is an important function when cleaning up data across its life cycle, from data creation to data destruction. Once data has reached the end of its life and is obsolete or redundant, it is important to destroy, clean, or sanitize that data securely. According to Gartner, a global research and advisory company providing information and tools for leaders in IT, there are three methods to achieve data sanitization: physical destruction, cryptographic erasure, or data erasure. Only these three methods will ensure complete data erasure.

 

 

The IDSC (International Data Sanitization Consortium) also defines data sanitization as the “process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable.” A device, or the data, that has been sanitized has no usable residual data. Even with the assistance of advanced forensic tools, the data will never be recovered. This ensures the exact data sanitization process is followed. The IDSC describes the same three methods as Gartner to achieve data sanitization: physical destruction, cryptographic erasure, and data erasure.

 

The Life Cycle Stages of Data:

  • Create – New digital data is generated, or existing data is modified or updated. This includes images, documents, software code, databases, or any sensitive information.
  • Store – The digital data is saved to a digital storage repository (such as laptops, mobile devices, servers, disk drives including SSDs, SANs and internal drives, or even the cloud). This typically occurs in parallel with data creation.
  • Use – Data is accessed by users in some sort of activity such as viewing, processing, or even deletion.
  • Share – Information/data is made accessible to others, both internal users and external users, which may be customers or partners.
  • Archive – When data is less frequently used, it is marked non-active and is migrated to long-term storage systems for retention.
  • Destroy – Data sanitization is performed to make the data permanently unrecoverable through various methods (e.g. physical destruction, cryptographic erasure, or data erasure as suggested by Gartner).

 

Many other common methods make data temporarily unavailable or restrict access to it, but do not provide complete data sanitization. Some of these methods are:

  • Data Deletion
  • Reformatting
  • Factory Reset
  • Data Wiping
  • File Shredding
  • Data Clearing
  • Data Purging
  • Data Destruction

 

None of the above methods include the verification and certification steps necessary to achieve data sanitization. When considering a data sanitization method, consider your risk tolerance. Highly regulated industries which have to comply with data sanitization laws should opt for complete data sanitization to achieve compliance with data privacy and security regulations and mitigate the impact of a security breach.

 

With all of this in mind, it is still essential to ask: what makes a good sanitization process? There are a few things to consider, both from a technical and business standpoint.

 

From a business standpoint, the answer is simple – a good sanitization process must ensure that none of the information can be recreated. The system must result in a device that is wiped securely and safely, while preserving the drive for further use in client systems. Additionally, a system must conform to the standards set in the various compliance regulations the business faces. This includes regulations such as HIPAA, which controls the manner in which data is collected and destroyed. Ensuring compliance here is of prime importance.

 

From a technical perspective, you need a few specific things. First, you need support for custom patterns and approaches. This is required as some data will be addressed in different ways than other data. What might be an appropriate way to wipe, say, credit card details, is not appropriate for someone’s address information. By allowing specific patterns and approaches, the solution can scale to the problem, giving us a great amount of control.

 

Furthermore, the chosen solution should conform with the major compliance and regulatory considerations through technical application. The solution should create a chain of custody, some sort of record of work, and general information used for tracking each solution as it’s applied. This is vital for ensuring not only the aforementioned regulatory compliance, but compliance with business procedures and internal approaches.
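One way to combine the custom pattern, verification and record-of-work requirements described above, as an added example that is not DiskDeleter's code: it overwrites an image file standing in for a drive, reads it back, and appends a hash-chained record. The function names, record fields and the asset and operator identifiers are assumptions made for illustration.

```python
import hashlib, json, os
from datetime import datetime, timezone

CHUNK = 4096
GENESIS = "0" * 64  # "prev" value of the first record in a log

def expected(pattern, start, n):
    """Bytes a repeating (non-empty) pattern holds at offsets start..start+n."""
    return (pattern * (n // len(pattern) + 2))[start % len(pattern):][:n]

def overwrite(path, pattern):
    """Overwrite every byte of the image in place and flush it to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pos in range(0, size, CHUNK):
            f.write(expected(pattern, pos, min(CHUNK, size - pos)))
        f.flush()
        os.fsync(f.fileno())

def verify(path, pattern):
    """Verification: read the whole image back and compare with the pattern."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != expected(pattern, f.tell() - len(chunk), len(chunk)):
                return False
    return True

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sanitize(path, pattern, asset_id, operator, log):
    """Overwrite, verify, then append a hash-chained record of work to log."""
    overwrite(path, pattern)
    rec = {"asset_id": asset_id, "operator": operator,
           "bytes": os.path.getsize(path), "pattern_hex": pattern.hex(),
           "verified": verify(path, pattern),
           "time": datetime.now(timezone.utc).isoformat(),
           "prev": log[-1]["hash"] if log else GENESIS}
    rec["hash"] = digest(rec)  # computed before the "hash" key exists
    log.append(rec)
    return rec

def chain_ok(log):
    """Audit: each record must hash correctly and link to the one before it."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

An in-place write to a file on an SSD or journaling filesystem may land on different physical blocks than the original data, so the same logic belongs on a raw device or image. A production log would also be signed or stored write-once, since an unkeyed hash chain can be recomputed by whoever holds the file.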

 

It is important to understand various technologies involved in data sanitization and implement best practices to comply with regulations pertaining to your case. At DiskDeleter, while designing our products, we make sure to comply with all requirements and regulations for data sanitization. For more information, check out our product, suitable for your requirements.  
