
Data sanitization policy: How to ensure thorough data scrubbing

Could you be inadvertently leaking sensitive data via poorly sanitized devices? Learn techniques for thorough data scrubbing in this tip.

As technology integrates into every aspect of business practices, digital information protection becomes of the utmost importance. Businesses must protect against phishing, scamming and skimming, but who would think to protect against the disposal of old IT assets that are supposedly already sanitized? Given the progressively shorter lifespan of these assets, coupled with larger storage capacities, IT assets tend to hold confidential business data beyond the end of their useful life.

To define our terms, IT assets include, but are not limited to, standard computing devices such as desktop systems and notebooks, flash media, and non-traditional devices such as cell phones, smartphones and cameras. When a business' IT asset nears the end of its useful life, the device needs to be sanitized to make sure the confidential data it carries is removed before the device is retired or reused. Common methods of sanitization include imaging (or cloning), formatting and FDISKing. These methods appear to sanitize the devices at first glance; however, research has shown that residual data remains after employing such sanitization techniques.

Sanitization is important at two different points: One, when the business images devices in order to reuse them, and two, when a device is permanently retired. First, businesses frequently image and sanitize devices when they are reassigned to new users. Imaging will replace the core OS files, the MFT and the FAT; however, it does not actually delete the old data. Instead, Windows removes the instance of the file you can see and manipulate, then marks the file for deletion. When Windows is in need of space, the file can be overwritten; then, and only then, is it actually deleted from the asset. Considering the increasing capacity of storage devices, there can be gigabytes worth of residual data on supposedly sanitized devices. Imagine the possible consequences of a poorly executed data scrubbing incident, in which confidential business data is inadvertently passed from the CEO or CIO to an hourly employee.

Devices must also be sanitized when they are retired. Most devices that are no longer useful to a business could typically still be used for several years, but are simply too slow for current use. Therefore, businesses sell, donate or dispose of the devices. At this point, businesses need to make certain they have a solid data sanitization policy in place that takes into account the imaging scenario explained above, or they could be retiring more than just a device; they could be giving away confidential company data.

Both situations should employ the same data sanitization policy; however, they should introduce different consequences if employees don't follow that policy and confidential data is released. In the first consideration -- internal reuse -- the data stays within the business. However, when an IT asset is retired, the data is given away as a bonus to the new owner, external to the company. The consequences of accidental data disclosure within an organization can be embarrassing to the site, but would not typically violate any laws. However, data disclosure outside of the confines of the organization could result in violation of privacy laws. Furthermore, the release of confidential and sensitive company intelligence could result in the accidental release of trade secrets. Once the data is released, it is no longer the property of the organization that released it.

Regardless of the used device's destination, there are a few simple steps a business can take to ensure its confidential data stays confidential. First, Boot and Nuke, a free tool available for download from DBAN, effectively sanitizes used media. One of the benefits of DBAN is it will permanently delete the data from all devices it detects; therefore, you can sanitize multiple drives at one time, which should happen right before the drives are imaged. Boot and Nuke will sanitize hard drives, external drives, flash media, memory cards, cameras and other drive-based media.

Businesses need to ensure their non-traditional devices are sanitized as well. The best way to do this is to perform a secure data wipe of your iPhone, BlackBerry or Android phone. There are also proprietary tools available from the manufacturers of said devices that allow sanitization from remote locations in the event of theft of portable devices. Another important consideration with portable media: There is typically a backup of the device on a computer somewhere; therefore, ensure the computer is sanitized as well.

The key to an effective business sanitization practice is consistency and effectiveness testing. Whatever sanitization policy a business adopts, it needs to periodically test the effectiveness of its data-scrubbing technologies and processes. In most cases, this will mean manually deleting files, then restoring back to factory default. The business can image a drive that it believes is sanitized, and then deploy forensic tools and approaches to see if it finds any residual data. Finally, the sanitization policy needs to be deployed to every single IT asset that contains storage media. This includes computers, flash memory, cell phones/smartphones, PDAs, cameras, photocopiers and network printers.
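One way to run the effectiveness test described above, as an added example that is not part of the original article: the Python below scans a raw drive image for sectors that are not zero-filled and for common file headers left behind by old data. It assumes the wipe's final pass writes zeros; the function names, the signature list and the two sample images are constructed for illustration.

```python
import io

SECTOR = 512  # bytes per sector (assumed; many newer drives use 4096)
# File-header signatures whose presence shows user data survived the wipe.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP / Office document",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "legacy Office document",
}

def audit_image(stream, sector_size=SECTOR):
    """Scan a raw drive image and report non-zero sectors and file headers."""
    total = nonzero = 0
    hits = []  # (byte offset, file type) for each header found
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        if sector.count(0) != len(sector):  # anything other than zero fill
            nonzero += 1
            for magic, name in SIGNATURES.items():
                if sector.startswith(magic):  # file data normally starts on a sector boundary
                    hits.append((total * sector_size, name))
        total += 1
    return {"sectors": total, "nonzero": nonzero, "hits": hits}

def is_sanitized(report):
    """Pass only if the image is non-empty and every sector is zero-filled."""
    return report["sectors"] > 0 and report["nonzero"] == 0

def constructed_samples():
    """Two small in-memory images (constructed data, not from a real drive)."""
    wiped = bytes(16 * SECTOR)
    reformatted = bytearray(wiped)
    reformatted[0:3] = b"\xeb\x3c\x90"  # new boot sector written by the format
    leftover = b"%PDF-1.4 payroll summary (constructed sample)"
    start = 8 * SECTOR  # old file contents the format never overwrote
    reformatted[start:start + len(leftover)] = leftover
    return io.BytesIO(wiped), io.BytesIO(bytes(reformatted))

if __name__ == "__main__":
    wiped, reformatted = constructed_samples()
    for label, image in (("wiped", wiped), ("reformatted", reformatted)):
        report = audit_image(image)
        print(label, "PASS" if is_sanitized(report) else "FAIL", report)
```

To audit a real image, pass a file opened in binary mode to `audit_image`. A wipe method that ends with a random pass will fail the zero-fill check by design, so in that case rely on the header hits instead.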

Proper data sanitization includes using approaches like those described above, in addition to imaging, FDISKing or formatting assets. Failure to sanitize a drive properly could damage both a company's reputation and its bottom line.

About the author:
Ashley Podhradsky, D. Sc., is an assistant professor in the Computing and Security Program at Drexel University. Dr. Podhradsky teaches and conducts research in digital forensics and information security. Her research has been recognized in academic conferences and journals within the U.S. and internationally.

This was last published in January 2011
