PODCAST TRANSCRIPT:

Data Sanitization, Part 1

Data security is one of the most important areas covered by the R2 standard. Every R2 certified company needs to conform to Core Requirement 7 for data security to ensure that all data devices are properly identified and securely managed throughout the recycling chain. And among the process requirements, Appendix B addresses enhanced levels of data security including logical data sanitization, using specialized software for that purpose. So what is data sanitization software, how does it work, and what resources are available to R2 facilities to learn more about it? That’s the topic of this episode of Ask the R2 Guru. I’m  RG from SERI – Champions of Electronics Sustainability.

Let’s begin with some basic definitions. Data sanitization is the removal and destruction of data from a data storage device to prevent recovery of that data.  Methods of sanitization can be classified in two broad categories: physical   and logical sanitization. Physical data sanitization is the actual destruction of data bearing materials using methods such as shredding, grinding, or incineration. Logical data sanitization also removes the data but it uses various software techniques to make the original data permanently inaccessible. And finally, verification is the process by which the effectiveness of the data sanitization process is confirmed. In this podcast we will focus on the software used for logical Sanitization.

Let’s move on to  an example of how data can be stored on a drive.  When a disk drive or a solid state drive is new, the various microscopic locations within that device, usually called sectors, are empty. They do not contain any information whatsoever because they are new from the factory. There is also a little piece of software in every data device that manages the device itself —  deciding where to write information and then keeping track of where everything was written. It’s goes by various names but it’s basically a directory. Once data devices are used, they gradually fill with user data, and the directory keeps track of where everything is.

These devices require more than a simple erase to bring them back to a fully sanitized condition, ready for reuse. There is an erase or disk reformat function in most computers, but clicking on that button does not truly erase the drive. It instead disconnects the directory on that drive from the rest of the information on it. It’s a little bit like taking a book and ripping the out table of contents and the index. It makes it hard to find things, but all the words in that book are still there. Logical sanitization is more than deleting a directory, it is a process that puts new random data, such as all ones and zeroes, over all the original information in a data device. It’s like taking each page of that book and writing over every word so that the original words are unreadable. The term for this is in fact overwriting. It’s also called data wiping although that description is not technically accurate.

Logical sanitization software usually follows one or more of the following steps. First the software identifies the serial number, make, model and capacity of the drive. That information is entered into a digital record detailing the results of the sanitization process. Next, the data device is evaluated to see if it is fully functional and that all sectors on the device are useable and can be accessed. This is a necessary step before overwriting those sectors with random characters. If the software finds nonfunctional sectors or some other defect in the drive, that drive is then flagged as bad. Those bad drives are usually sent for physical sanitization using shredding or some other physical destruction method. But if everything is good on the drive, the overwrite process begins. This usually takes a while, depending on the size of the drive. The overwriting step is usually followed by a verification step to ensure the process was completed successfully. The final step is to record the results of the testing and overwrite process, clearly identifying each drive has or has not successfully been sanitized.

There are of course variations on this. Sometimes sanitization software can be used to sanitize hundreds of devices at once, and other configurations sanitize only one device at a time. There is also a wide variation in the reporting functions of logical sanitization software. Some software focuses on a single operating system while others can analyze and repair network functions or complete hardware testing in addition to data sanitization.

Following the logical sanitization process, the R2 requirements in Appendix B call for 5% of all logically sanitized storage media to be independently verified by a competent party. The purpose of an independent verification is to ensure that the entire process was successful in sanitizing the device, from the proper configuration and use of the software to the appropriate handling and processing of the device.  Of course, an important aspect of this verification is that it is performed by someone that is independent of the sanitization process, so personnel used to perform the sanitization may not be involved in this verification step.

So, what does this mean for your facility, and how do you decide which software is right for you?   There are a number of factors to consider. The first consideration is the types of devices are you looking to sanitize because the software is often designed for specific devices and sometimes even specific operating systems.  Also, consider the number of devices that your facility will be sanitizing.  Understand that the time required to perform the logical sanitization can vary considerably by device and by the size of the storage media.  Next, determine whether you want to purchase software with a one-time purchase fee or use software that charges by the number of units sanitized.  You should also carefully check the reporting functions of the software, especially if you need to connect to an existing ERP system at your facility.  There are a variety of sanitization software programs available, so these key points will help guide you to those that are best suited for your needs

We’ve developed a Sanitization Software Information Sheet that lists some of the main suppliers of data sanitization software with links and a few comments that might provide additional helpful information. SERI is not recommending or endorsing any of these products but we’re providing this to you as a reference to help you in your search.  If you know of other software that we have not included, please let us know and we’ll be happy to add that to the list.

Finally, you’ll note that this podcast episode is part one on data sanitization. It’s an important topic and following up on this introductory episode, we will bring you more detailed information in a   future podcast including some interviews with data sanitation experts.

So that’s it for this episode of Ask the R2 Guru. Thanks as always to the SERI team for their assistance in producing this podcast series. The supplementary information sheet with links to data sanitization software companies is available on our website as part of the script for this podcast. Look for that in the Podcast section of the R2 Knowledge Base on the SERI website. You’ll find that at sustainable electronics.org.