R2 Guidance & Knowledge Base

Podcast 22 – Purge? DIAL? Data Sanitization with Steve Mellings and Jonmichael Hands


Ask The R2 Guru is a podcast developed by SERI, Champions of Electronics Sustainability. This podcast is a series of short and helpful tips designed for electronics recyclers and refurbishers interested in the R2v3 Standard and the certification process. So, grab a cup of coffee and give them a listen.

ADISA general: https://adisa.global/about-us/

ADISA Product Assurance: https://adisarc.com/product-assurance-2023/

SERI Sanitization Software list: https://sustainableelectronics.org/knowledge-base/sanitization-software-examples-information-sheet/

Circular Drive Initiative: https://circulardrives.org

IEEE 2883-2022: https://standards.ieee.org/ieee/2883/10277/

PODCAST TRANSCRIPT:

Podcast 22 – Purge? DIAL? IoT? Data Sanitization with Jonmichael Hands and Steve Mellings 

October 2023

One of the most important functions of any R2 facility is proper management, processing and sanitization of data bearing devices in electronic equipment. We have two guests on this episode of Ask the R2 Guru, internationally known experts in data sanitization operations and techniques. And yes, we will discuss the difference between Purge and Clear, what a DIAL Rating is, and what to do about those new devices in the Internet of Things. I’m RG from SERI, Champions of Electronics Sustainability.

We talk a lot about data security and sanitization, that is because it is one of the chief concerns of customers of R2 facilities.  To provide resources for you to talk to those customers, we want to explore the latest in data security and sanitization.  The latest international Standard for Sanitizing Storage is IEEE 2883-2022, which describes the available methods of data sanitization by device. The ADISA ICT Asset Recovery Standard 8.0 allows a customer with data devices to be matched with an ITAD facility that can perform data sanitization based on data sensitivity and the needs of each customer. It also describes the detailed requirements for the entire data security and sanitization process. Although the R2v3 Standard is broad and describes the best practices for managing used electronics for reuse and recycling, a key part of the R2v3 standard is data security and sanitization as described in Core Requirement 7 and Appendix B. At SERI, we understand how important data security and sanitization is to almost every R2 facility in the world, and we strive to stress that importance and concern as we champion electronics sustainability.

And now, I would like to introduce my two guests —  Jonmichael Hands, Advisor to the Circular Drive Initiative and member of the IEEE Security in Storage Working Group. Jonmichael is one of the authors of the IEEE 2883 Standard. We also welcome   Steve Mellings, CEO of ADISA, the administrators of the ADISA ICT Asset Recovery Standard, Version 8.

Roger Greive (RG): Let’s begin by asking you both — what do you guys see as the biggest data concerns or challenges for customers of ITAD facilities? Jonmichael?

Jonmichael Hands (JM): Yeah I know one of the most important things for data is just data classification which we see a lot of folks just not properly doing some basic housekeeping on low versus medium versus high business value data like that. That’s an extremely important prerequisite for how you describe the risk tolerance of customer, what type of media sanitization method or technique to use, how the data is handled but yeah I think a lot of these companies are just looking to ITADs to go figure that out but it’s up to the company to classify.

(RG): and Steve?

Steve Mellings (SM): Yeah I agree and good morning, or good afternoon wherever you might be everybody. I agree JM, I think one of the challenges in the ITAD community is it seems to be the silver bullet that people are looking for and nobody likes an answer we should be well it depends and unfortunately it depends on the client and so the industry is often left to answer questions which it may not have all the information necessary to answer the question… how far do we need to go with sanitization from a logical perspective and a physical perspective and I think that’s one of the biggest challenges, Roger to answer the question directly, is I think ITAD now needs to become a little bit more of the guide if you like to the customer to help the customer save them from themselves was the phrase that I heard recently, because this is getting more and more complex — sanitization and more and more challenging and I think that the one-size-fits-all idea for sanitization I think is going to be a thing of the past. And I think what we’re looking for is to build structure and maturity within the process and the industry has come a long way globally I think in the last 10 years, 15 years and I think sanitization is a process and a technique it has different layers and different complexities and I think that we need to start as an industry, stop looking for the silver bullet — the silver bullet solution and build kit bag — a multiple solution point if you like because customers will have different risk appetites, will have different threat adversaries and they’ll have different categories of data and different budgets as well and all of these different flavours of service will need to be catered for by the industry and that’s really that’s an opportunity I think to really start adding value just through knowledge and education to the customer into this process.

(RG): Jonmichael, you have an overview of this entire thing from your position, that being a semi administrative function– what do you hear from the ITAD facilities themselves?

(JM): Yeah… I have interviewed quite a few of these ITAD providers and talked to a lot of the folks that are writing software for this like media sanitization tools and data erasure suites. Some of them, the bigger ones are well connected and plugged into what’s happening in the storage world and the broader storage trends; some of them are not, right? And so one of the things that I see that’s very very bad is, and this is a red flag, if you see a media sanitization software that says we support 50 different wiping algorithms and then the DoD standard and 15-pass overwrites –this is all just garbage and none of this is required anymore so I think first is just understanding like what are the modern media sanitization specifications and I think we were going to go into IEEE 2883-2022 in this talk I think a little bit but this is the gold standard for media sanitization right now and it’s actually a fairly easy read so yeah I don’t expect everybody to read this document but certainly if you’re managing an ITAD and you’re managing customer data like this, this is something you should read.

(RG): Let’s go back for a moment, Jonmichael back to NIST 800-88. NIST — National Institute for Standards and Technology, an American group, did a document 800-88 back now more than 10 years ago.  Tell us a little bit about the origin of that and where it stands today.

(JM): So, the thing is that and I guess I’ll just say like you can just tell like you just said the I think the document was released in 2015 so I believe the with the draft in 2014 supposed to develop the end of 2013 and 2014– storage technologies changed quite a bit from that obviously I was a product manager for the very first NVMe drive at Intel back in 2014 and that’s where we launched the very first NVMe SSD in June of 2014 so there’s a little bit of mention in there but it’s really doesn’t comprehend kind of modern NVMe devices which are actually the majority of storage prices now going forward right? … the consumer space shifts hundreds of millions of Ndot super SSDs to consumer access these enterprise space — hundreds of exabytes so this is the largest data segment by unit count by far so understanding that’s pretty important, but… Mostly, one of the most important things is that NIST is not an international spec and it doesn’t have any “shalls”, meaning that you can’t — there is no formal compliance program to NIST-800-88. There are lots of people that have been putting best effort things in there to be basically be able to describe to compliance or adherence to the spec, but there is no actual requirements in NIST 800-88. I don’t think people really quite understand that but people outside the US don’t care necessarily what NIST has to say so IEEE 2883-2022 has much broader scope, being an international spec.
The other major thing that happened between NIST 800-88 and IEEE 2883-2022 is that the deprecation of some older destruct methods such as shredding so the wording in IEEE 2883-2022 is much more precise about incineration, disintegration, and melting about particle size and so I think just blindly kind of smashing a hard drive, well the track density … you remember, these modern hard drives have 10 disk platters in there and each platter has two terabytes of data on there plus more actually more — one of some of the new drives just got released of the 2.4 terabytes of data per disk platters — 10 platters and so over 500,000 tracks per square inch. If you just try to break a hard drive and you have little tiny shreds that are three or four millimeters — that’s a problem now it didn’t used to be and so I don’t think people quite have a grasp on just how dense data is and not to make things scary, we understand how they work because humans engineered them so we know how to make the data go away as well.

(RG): Steve, you work with facilities all the time on a practical basis… how do you react to these changes in the storage technology that Jonmichael described?

(SM): I think the first thing to say and I think this should be done widely is we really need to get behind IEEE 2883 as a sanitization specification because it really is the best that there’s been. That’s without a shadow of a doubt in my opinion …there are bits and JM don’t shout at me …there are bits in their work which we will interpret differently, I think Roger and shall talk about in a second but from a logical perspective, the specification for sanitization is the one we need to be following. Now, the practical application which we’re seeing is difficult to verify compliance so again, JM mentioned some software vendors earlier on and we do see a different level of maturity for different software vendors. Some really understand this and under the hood because we have a lab so we do test products and we look what commands are being sent to drives that we know support those commands in the behaviour when it doesn’t get supported we look at exactly what intelligence the software has and we’re able to come up with an idea of what the good, bad and the ugly look like. At the moment, there are just a few really good products out there and some others are striving to meet some of these requirements but there are others and JM mentioned this, that are less good and what’s happening on the GUI is not reflecting what’s happening on the bus at all and we’re seeing software having multiple different options for sanitization but actually just do a basic overwrite regardless of what you select. 
And I think this is the bit that’s the challenge for the ITAD because where does trust — where do you earn trust first of all but where does, where can trust be given and I think that at the moment there’s an awful lot of trust being placed in the software which is the fundamental part of our sanitization strategy within the industry; and I think that there are some fantastic software products with some brilliant companies behind them but there are some who are aspiring and worse still there are probably some who are not at that page. Now the one bit and I’d love to go off on a tangent if I may, is just about the destruction piece and I think IEEE 2883-2022 is in fact the best specification. I think and I’d like to discuss this with JM as well if we may– I think there are other countermeasures that the ITAD facility has which decreases the likelihood of attack on a shredded particle size and because we’ve got two mil in the lab at the moment which we’re verifying the size with some opticals some software analysis, so we can see how the electronics are exposed; we can see how an attack could be mounted on a 2-mil shred, but the likelihood of that threat manifesting itself into a real attack is in my opinion really really slim when a piece of shredded drive is aggregated so I don’t know where it’s hidden amongst other shredded material, it’s anonymized so I don’t know where it’s coming from and it’s in a secure facility — I think if a threat adversary who had that type of technical capability and motivation was looking to attack the ITAD sector, I don’t think it would be at the shredded particle size because their likelihood of successful attack is so low.
It would probably be closer to the client on a vehicle just leaving the facility where the drives may still be intact and from our side of ADISA we’ve just — I don’t think I’ve spoken to this to you about this year actually, but we’ve just put a document together and we’re forming a committee to accept and adapt IEEE 2883-2022 into the ITAD community. We’re going to accept the logical piece because we think that’s the best that there is.  The adaption is, our recommendation is to accept additional countermeasures to decrease the likelihood of an attack on shredded material and I think that’s where the industry, Roger can really take these specifications in these standards and adapt them to environments that they weren’t necessarily written for — which means that you get the best of all worlds.

(RG): As we dive into this, Jonmichael, there’s a lot of emphasis on purge versus clear as methods… could you take us all through the, just the basic definition of the difference between these two and why purge is so important?

(JM): Yeah sure so clear was really meant to protect against non-invasive data recovery. Example: somebody walks into a data center, picks up a drive, puts it in a system and is able to just use basic software tools to read the LBA span — read the blocks of the device and so clear is meant to be a quick, fast, inexpensive, easy way to prevent against simple data recovery like that.

(RG): what does that do? What does clear actually do?

(JM):  yeah so this is the question …there actually are and the reason I really like the way that 2883 is lined out you can go to the section for clear and say OK I have a SATA drive …what’s clear for SATA? I have an NVMe drive, what is it clear for NVMe? So there’s.. so one of the major differences and I’ll get to purge here in a sec is that the way the SSD’s work today — if they have a NAND controller they have a little bit of DRAM; the controller basically accesses lots of  on packages but the way that NAND flash works is it has to be erased before it can be programmed and the reason this happens is just the fundamental physics of like floating data charges cells’ electrons and you have to remove them before you before you program your cell — but because of this SSD’s have spare area, they have overprovisioning, they have extra space and the actual mapping of like what the host thinks the block is to what the SSD does is actually logical–  it’s not physical so the data is being wear-leveled and moved around in the drive dynamically all the time and so there happens to be places in the drive that could have been user data or were user data that are now or that are over provisioned space that the host cannot access, and so one of the major differences between clear and purge is that purge will actually make sure to go in and fully remove all that data that was overprovision space that blocks any place that was user data. 
And so a clear is just removing user data and from and being able to be verified from the host interface so other things like so purge is very focused on the actual sanitize command in SAS and SATA of where the sanitized command is actually very robust for you  cannot stop the sanitize command and then say for instance you send the sanitize commands, you can’t just pull the drive out and or try to cancel the command that the drive from where we’ll execute the sanitize until it’s done and will not acknowledge any commands besides reading logs and such —  it will deny all data commands to the drive so this ensures that it goes once the command gets sent the drive is going to sanitize itself –is it cannot be stopped so there are quite a few enhancements in purge that make sanitize the actual sanitize command much more robust and reliant method.

So there’s some places that we would use clear like your first since from doing internal reuse from one organization to another or you have any kind of like non-high business, like low business value type data, clear is totally acceptable. The difference is that most older drives will always support clear in some way the way we’ve kind of written the spec, but the purge — there is some requirements especially around the types of purge — the way you talk about media sanitization and again I’m a stickler for this because I see a lot of people in ITAD talking about drive wiping or data erasure — these are not actual definitions and sanitization is a definition and we can define it, right? The idea of sanitize purge is basically being able to remove all user data in such a way that data recovery is not able to be done even with state-of-the-art equipment so it could be purge is denying a very sophisticated type attacker that has access to physical assembly, physical interface, even kind of exploits for firmware and whatnot — the purge method is designed to basically remove all the data in anywhere that was user data in a very robust way so yeah — just again to highlight the importance of the terminology there are purge methods so we have clear, purge and destruct and then within the purge we have three techniques, which would be block erase, crypto erase and overwrite and the reason why there’s three of them is that there’s different media types, right? The IEEE 2883 spec really covers major storage interfaces which are SATA, SAS and NVMe.

(RG): Can you say those again please, what are the three types?

(JM): So you have again 3 sanitize methods, so clear, purge and destruct and within purge you have three techniques which are overwrite, block erase and crypto erase and conveniently the folks that wrote the NVMe spec and SAS spec, SATA spec for sanitize command were also the authors of 2883 so don’t worry this lines up very very clearly in those specifications when you’re sending the sanitize command through the storage interface. You can select one of those three techniques — overwrite is mostly used for hard drives because again hard drives don’t have what I just described which is an SSD you have to erase the data before you write it. On a hard drive you can just overwrite the data. So when you delete data on a hard drive, the hard drive doesn’t actually delete any data, doesn’t write zeros over that data, it just deletes the... if you’re deleting data on the file system it just updates the file system — it doesn’t do anything. So there are remnants of data on the drive. If you like grab a hard drive and even if somebody removes the file system that doesn’t prevent data recovery from a sophisticated attacker that knows how to look at the logical interface and reconstruct the data.

(RG): So this is like tearing the table of contents out of a book but leaving the text of the book…

(JM): Exactly, and that’s an absolutely fantastic way to describe it and so overwrite is a way for hard drives that again and the good thing is that even really old hard drives support this. Now crypto erase is actually the most and best effective way of media sanitization but the reason why not all drives support it is that not all countries support encrypted drives and there are legal ramifications and I know there’s a lot of concern, especially in systems like shipping drives within a system from major OEMs shipping these into geos like Russia or China that may not want drives with encryption and so this is extremely unfortunate because crypto erase can instantly remove all the data by sanitizing the crypto key and leaving all the data encrypted and so this is much faster, right? Where an overwrite of a modern hard drive may take 20 or 30 hours, you can do a crypto erase in about one or two seconds and if you meet all the prerequisites for the crypto erase then it’s actually just as secure… it’s an official purge method, right, which means that you cannot access the data even with state of the art equipment.

(RG): And I’d advise the listeners to the podcast to get a copy of 2883 and take a look at appendix B because it’s a really great description of what crypto erase is and how it does work. It’s well written, it’s not that that technical either … it’s understandable by normal humans.

(JM): yeah the one caveat… I know this is kind of Steve’s wheelhouse is like OK now  about all these amazing sanitize techniques, OK and you may want to apply different ones based off different storage media or different drive types or what your drive supports, but like how do  if your drive supports a sanitize script that meets the requirements in an ESP? Unfortunately you can’t do that today and that’s where third party test houses and certification lists and they’re asking the vendor and talking… these are extremely important things to know before you go implement some of these strategies.

(RG): And Steve, that leads directly to my next question for you…ADISA, your organization, developed the ICT asset recovery 8.0 standard which incorporates this process but everything else around it… can you tell us a little bit more about generally what ADISA 8.0 is and does?

(SM):  Yeah absolutely Roger so we’ve been going 12-13 years now  ITAD certification started off in the UK is still predominantly UK based but our focus is data — data compliance and data sanitization so we look at where risk could pervade the process and we, through criteria we look at countermeasures which need to be deployed to decrease that risk either to the physical asset or to compliance or to the logical asset. So we evolved in the last what, three years ago now that we started the process we now a recognized UK GDPR certification scheme which means we’ve been evaluated by the regulator over here in the UK as being compliant with the law and that took two years of development with them and we’ve been out auditing against that in the UK and we’ve got a an EU version because of Brexit we’ve got an EE version now which is out with the Irish data commissioner as well and we hope to succeed in getting that across the line for an EU GDPR compliance scheme.  Now the interesting bit there and I’m going to little segue if I may back into IEEE 2883-2022 is that the time of writing the standard we pulled our specification for sanitization out so it’s a standalone document and the reason we did that is that we needed it to be able to evolve with the right sort of controls and sort of procedure and things like that. We needed to evolve more frequently than a three-year revision cycle of a standard because technology and forensic data recovery techniques I should say are evolving almost on a monthly basis and knowledge as well I express is evolving as well. 
And so going back to the point which you mentioned on about the industry  the ITAD community’s got an awful lot to contend with and I think having doubt about sanitization is the one piece that they can’t have doubts for, and so this is the one bit that we collectively from either certifications or standards we need to get this right and I think when you look at IEEE why we’ve just, 2883 I should say, why we’ve just recommended its adoption is this is the best specification by a long way it can make an awful lot of headaches go away all the doubts go away… how you can verify compliance without that is complex and it does require a lab to do quite extensive testing which is what we do at the moment it’s not necessarily for the ITAD community to do this and worry about this in their facility, it’s about their software partners to pick up the  load there in my opinion and to actually start to present products that when you lift the hood they do what they say they do and that means we can verify that against specifications like 2883.

(RG): There’s a certain amount of trust involved on the part of the IT facility when they purchase a product for data sanitization, they want to be able to know that it is effective and can evolve with the changing conditions that Jonmichael describes in terms of evolving technology. What about everything else around the data security process that your ADISA standard 8.0 does address in terms of matching a supplier of these devices with an IT facility to provide these services — you call it DIAL.

(SM): Yeah, Roger it’s a slightly unpopular view …so when we started the work with the regulator over here and I know this is an international podcast but a lot of the guys in the US will probably think it’s not relevant but within GDPR EU and UK and an awful lot of global privacy laws they use terms like appropriate and that’s because the law has to be applicable to a butcher and a banker and so they can’t specify what would be applicable but the risk owner, the data controller is meant to put in place an appropriate assessment so that they can determine what would be appropriate for them based on their threat adversaries, types of data, category of data, volume of data — all of those types of metrics. So when we presented our industry standard to the regulator, the controls, the criteria that we put in place which with the controls – ADISA had specified them which they straight away they said that’s not appropriate, it needs the risk owner and this goes back to one of JM’s points earlier on about the customers need to start specifying more of this because that’s the only way of really evidencing control. And so what we did with standard 8 is that we went back to a very old process which came out of CESG which is an offshoot of GCHQ, it’s now the National Cyber Security Centre, called Information Assurance Standard 1 which looked at — it was business impact tables and there would be a range of metrics which enable you to come out and say I’m an impact level 1,2,3 or 4 or whatever it may be and people in your supply chain would treat you accordingly.
And so we adapted that process to be the Data Impact Assurance Levels and so this is a process – five questions that customers to ITAD have to go through and they have to talk about who their threat adversaries are, what their risk appetite is,  (I actually disagree with that it’s budget) I did try and get budget through but they rejected that but you don’t get anybody say hey I’ve got a high appetite for risk but you may get somebody say I’ve got no budget and therefore I have to accept that risk pervades the process and so it’s threat adversary, it’s risk appetite, volume of data, it’s categories of data and then we also look at the impact of a data breach — what would happen, and that enables customers of the ITAD to come up with their own DIAL level so that be a 1-2 or 3 with three being the highest and that means that the service that the ITADs are meant to deliver would be commensurate to the dial rating so if it’s a dial 3 we’d be expecting far more layers of physical security — we’d be expecting far greater detail over the chain of custody during transportation so it was a serial number tracking during transportation you get the idea — is that it enables ITADs to customize their service based on a metric which their own customers tell them. The idea is that this does away with the concept of everybody loading a specification into an engagement without really understanding why they just keep piling touch points on top — , piling standards on the specifications, certifications and making this really difficult ITAD service to deliver because the customer says I want it all. 
DIAL was designed to actually force is quite an abrasive phrase, but to get the customer to engage — to think about their role in this; to think about their operational environment so that the ITAD delivers a service which is enough but not too much and then enables us to maintain a little degree of control over cost but it also allows us to evidence compliance and the evidence that we’re providing a service as determined by the controller,  which is exactly what the law states should be the case.

(RG): So this process of matching suppliers of data devices with the facilities that manage the sanitization of those devices wraps up into the larger operational aspects of ADISA 8.0 with things like using IEEE 2883 as the underpinning for that standardization process. This is how it begins to tie together R2v3, a similar method of an overall operational set of requirements for facilities that do data sanitization and what security measures they need to employ. It’s an interesting process and it’s one that has to change with the times, especially with the evolution of things such as Internet of Things devices or devices such as wearables or watches that might not have a more of a standard or expected method of  sanitization. So a question for the both of you as we move forward into this evolution of devices and the more pervasive and sometimes hidden data devices within other devices — what’s the method of anticipating these changes and how are they being addressed? Jonmichael?

(JM): I know that SERI is doing some work in this area and had some specs but I’ll just speak on kind of behalf of how the IEEE Security in Storage Working Group is thinking about this so yeah there will be a 2883 dot next which would be whatever the most likely 2024 edition that includes things like eMMC NAND devices that would be on a phone or like an SD card. There’s going to be another specification that kind of just defines — OK if you’re going to have a device that can purge itself what would a good purge look like and basically defining how that purge is architected agnostic of specific interfaces. I mentioned IEEE 2883-2022 is very focused on the storage interfaces SATA, SAS and NVMe. Not surprisingly that a lot of the authors are heavily invested in the storage world and to be fair that’s where most of the world’s data is stored today but there is a big chunk about, I believe a third of the NAND market is these mobile devices and it’s really like if you were Apple and you’re doing a factory reset OK well we trust that they’re going to be removing all their user data by sanitizing the encryption keys, doing the right things on that but you buy a $30 Android phone — is this actually, is factory reset actually removing the data? It’s not clear right so I think it’s extremely challenging to try to cover every single device type and I applaud SERI for trying, but just to be clear I think the way to think about this is for priority of reuse and carbon emissions, it generally scales with the cost of the device so if you think about a device that costs more, then the priority for reuse and use extension of that device should be higher because the carbon emissions from manufacturing that are intrinsically going to be higher because it’s more expensive, right? Meaning that it costs more to produce.
So that’s how I would think about this problem and it’s a challenge because they said there’s going to be hundreds of millions of devices and how do we how do we make sure that all these things are  eventually  you’re not going to the effort to sanitize something shouldn’t be greater than the value recovery for sanitizing.

(RG): And admittedly most of the amount of data being stored in a storage center, a room full of servers, is a lot more than what’s in a smart doorbell or a thermostat or a rental car but it’s still data out there moving around all the time and it works its way into our society in every country on earth through these devices that are more and more pervasive in our lives. And we have a data experts working group with SERI that is looking at this stuff and Steve, your chief technologist Phil Turner is a member of that group as are you Jonmichael and we thank you both for your participation in that because it’s a little bit of a moving target in terms of the global view of where the technology that surrounds us is headed but simultaneously got to get down to the actual process that our facilities use and the methods of standardization used as well.

I do want to get back to something you touched on Jonmichael in terms of the sustainable aspects and the carbon impacts of what we do and Steve this is something else that you might be able to talk about with how the DIAL method addresses your possible contribution to the circular economy … how are these companies matching each other up help the process of overall sustainability and circularity?

(SM): I go first on this one, Roger because they’re not lead on because I’m not the technical uh brains here at ADISA so I lead on to JM it maybe to pick this up … if you look at circularity within ITAD’s you could talk about earlier refresh cycles and things like that and you can talk about the right to repair and that that’s not necessarily what I’m going to cover right now but I’ll deal with the more straightforward one which is people destroying perfectly serviceable devices. Now that could be anecdotally because I don’t have any real metrics for this, it’s gut feel, that that’s typically either because of fear and concern of risk whether a theoretical risk or whether actual risk persists to their data or it could just be that it’s a simple solution, in other words we just want to process where we can destroy everything on site, we can see it being destroyed. If we’re talking as an industry about sustainable IT we need to extend the product life cycle as much as we can so we need to address, before we talk about repair and preparation for reuse, all of the good stuff that’s in R2v3 that we don’t cover, we need to address sanitization and we need to make sure that people who are engaging in the process in an intellectual way can look to standards to certifications and build assurance and that’s what it’s all about, building assurance and building confidence that they can accept a degree of risk because nothing’s perfect and accept a degree of risk to do either the greater good from a sustainability perspective or from a financial perspective and really challenge their “We have to destroy” because if you need to destroy that’s absolutely each organization’s own requirement but I often think that it’s that classic adage of you never gonna get fired if you buy IBM — other manufacturers exist of course but I think if you’re destroying your devices you’re not gonna get in trouble in your eye in anybody’s eye rather for having a risk to data because the media has been effectively destroyed — there are recovery techniques but has been effectively destroyed. I think we need to challenge that. What DIAL does is it enables organizations to identify who they are themselves so if I’m a DIAL 1 organization and I’m destroying drives there’s a huge disconnect there. Really, the only type of organization who should be destroying media, not just drives of course, are those whose data is such high value to them it’s almost loss of life type stuff or impact on global economies — it’s that level of approach for me and they’re few and far between and having worked with some of the services here in the UK, I think the industry likes to be attracted to that high risk club because it gives more of a curb appeal if you like. The reality is that most business is reasonably benign and fear which pervades decision making means that people will default to the buying IBM — shredding my devices — and we have to challenge that. DIAL enables organizations to identify who they are and then enables them to challenge internal existing internal process and procedure. The risk? Well, with any process there is always a risk and that’s why seeing 2883 coming out is brilliant for the industry because it is written by experts in the field who understand the technology and whose motivations are pure. We just want data to be sanitized, there’s no, it’s not come from the industry, it’s not come from a certifications body — it’s actually come from a really smart bunch of engineers and that’s why we need to get behind it.

(RG): Jonmichael?  Circularity? Sustainability?

(JH):  Yes well, obviously this is near and dear to my heart.  I’m the secretary and treasurer of a 501C6 non-profit called Circular Drive Initiative of which Steve at ADISA is a member.

We started this journey like understanding, when I found out some of these hyperscalers that were my customers when I worked at Intel that then I found out they were shredding millions of drives a year each and I had confirmation directly from these guys that that is the case. I just started asking questions OK well why don’t you have encryption on the drives? Don’t you use proper media sanitization? and all this the data erasure coded like what are you guys doing like why? You guys already know that there’s no data on these drives we mentioned earlier right? Steve just said like the tolerance for risk — for hyperscale or where if one data ends up on eBay and had customers Facebook data out there, that’s not a good scenario for them right? it’s catastrophic, especially or if it’s some kind of bank data from Azure storage or AWS like that that’s very bad and so their tolerance for risk is effectively 0. So if you choose an IEEE 2883-2022 approved purge sanitization technique and you do a verification which is basically read back all the user LBA space you’re trying to prove that the data is gone — that’s the idea behind verification is how do you prove that the data went away. You can get the risk down to near 0, and as you said it’s almost impossible to say there’s zero risk, right? but people would apply multiple methods like people would degauss the drive and then overwrite it or and then throw it in the shredder and that’s their effective way to get to zero risk right? But there are ways to get the risk to effectively zero and have the drive still be in a reusable state.
Obviously there are prerequisites right like understanding you have to be a little bit more mindful about the drive vendor firmware and the software because at the end of the day the way IEEE 2883-2022 was written is a way that’s highly leveraging the sanitized commands on the drive. Basically the vision for this is the drive gets the command sanitize everything and it’s basically foolproof and gives you that assurance and verification that all the data went away but effectively you still have to kind of if the device is doing this you can’t read all the data back, for instance in a crypto erase if you change the media encryption key you try to read back all the data it’s just going to be random data. OK so how do you prove to an auditor that’s not just that’s not the old random data but new random data and so some of these things are actually fairly complex but if you understand and work with the vendors, work with certifications, and work with software tools that are reputable that actually go into these things like I just mentioned it is like actually looking that next level down that there is an easy way with purge to get to basically effectively zero risk. The impact is like what would be the impact if this data was recovered, low medium high, and then the assurance is how certain are you that the data went away.
And you can with the host interface and the methods available today you can get very very certain and is it 99.99999% well we I don’t think anybody’s broken the AES 256 so if the drive actually did perform the crypto erase on there then you are for certain the data went away, but getting customers to trust that, versus – it’s much easier for somebody to just look at a pile of shredded drives and saying, yeah, sure, I’m pretty sure the data is gone there, versus having to do the hard work which is understanding device firmware and cryptography and all the other stuff that goes into media sanitization but a lot of people are taking the easy way out and we’re trying to make it much easier for people to take the reuse path.

(RG):  So in summary, as we do our best with every podcast to provide practical information for R2 facilities we could go through this fairly quickly what would the two of you suggest for people to do, what should they look at, what should they read as they stay R2 certified — what do they do to become better at this? Jonmichael?

(JH): Yeah I think I said earlier but I just want to highlight it is that being very confident and diligent in using the right terminology and to stop saying we’re going to wipe the drives, we are going to perform a purge media sanitization on these drives and get the risk to zero. That’s a much better way to talk about this stuff and I again I hate being a stickler here but like that kind of loosey gooseyness with data erasure and this whole field has caused a lot of uncertainty for end customers which led to the shredding and so obviously yeah keep looking towards the new IEEE stuff — we are working on a bunch of specs in progress but now I don’t expect every single technician to have read the entire spec but if you’re running an ITAD facility, certainly look for software and drives that support this and the software I believe ADISA said it has a list of some products that come through the certification so looking for software compliance suites that comply with 2883 it is a good place to start even if you can’t read through the entire thing but it’s a fairly easy read. I wish it was free, I think the spec is like 80 bucks or something like that, we tried to make it free but for what it’s worth it’s not that hard to get hold of.

(RG): Good... and Steve, what’s your advice to the average R2 facility on how to look at this?

(SM): I think it kind of goes back to a point I made earlier on which is that I don’t think data sanitization is a one-time fix. I think a lot of organisations will probably put something in place which is fit for purpose and then they’ll kind of rest on their laurels a little bit. I think this is about maintenance and about continued striving for improvement. I will without a shadow of doubt people should buy a copy of IEEE 2883 even if you’re looking for just how to structure some marketing material about sanitization there’s a whole bunch of really good straightforward (it sounds like I’m going on commission here) but it’s a really good straightforward knowledge in there… I’m not a technologist and I understood an awful lot of it which goes to say it’s very readable. I think that organizations need to mature in their thought process for sanitization there’s – picking up on JM’s comment, we still talk about shredding hard drives or overwriting hard drives, erasing hard drives — we need to talk about storage media which is much bigger, broader and we need to understand how some of that storage works, some of its nuances that will affect both our material handling of those but also perhaps the sanitization specifications that we put into play.
I will also say that your best friend is going to be your software vendor and if you’ve got a software vendor who really understands this stuff who is ahead of the curve in terms of the development cycle so not looking about what storage media types are coming out from the enterprise today but actually looking what’s going on the market today because in 18 months, two years, three years they’ll be the storage media that they’re gonna need to be addressing — they’re the type of vendors to put your business with because they’re going to save you from having to understand this in the minutiae, and I think that would be my advice is don’t think of this as a one-time fix; think of it as a key part of your value proposition and make sure that you’re not just playing the following game that you are actually using a vendor that’s been tested or yourself being tested so that you can verify to your customers that you are providing the type of assurance this is concerned which in turn will drive your ability to convince them to extend the product life cycle and lead towards sustainable ITAD.

(RG): And Steve, the ADISA website does have a listing of these companies that your lab has tested, correct? These software companies?

(SM): Yeah absolutely so adisarc.com is our lab website not the main adisa.global you can go from the main adisa.global and you’ll see if you go on there it’s called product assurance 2023. Note it’s not called NIST 888 compliance or IEEE 2883 compliance because they’re much bigger than that – we’re just looking at the outcomes, we’re looking at how the software is actually presenting itself to drives that we know support the commands and then we will introduce drives that don’t support the commands and we will look to see exactly what the software is doing in those type of scenarios as well. So yes go to the arc website data Research Center website and you’ll be able to see under the product assurance 2023 five products that have already been verified as being compliant.

(RG): And the R2 website also has another listing of these software companies and we offer that too as a resource to R2 facilities to begin navigating through this process of finding a reliable piece of software to do these very important functions in data security and data sanitization. Well thank you both very much for your time and your collective expertise in addressing this — this process is ongoing and we look forward to having you both back at some time in the future as this technology evolves and our way of managing it evolves we hope in parallel so thanks guys.

(JH/SM): Thanks, Roger.

That’s it for this episode of Ask the R2 Guru. Thanks for listening, and thanks as always to the SERI team for their assistance in producing this podcast. You can find a complete transcript of the Podcast in the R2 Knowledge Base on the SERI website.  Along with that transcript, you’ll find links to the resources and websites mentioned by our guests Jonmichael Hands and Steve Mellings.  It’s all at sustainable electronics dot org.

Episode Description:

Jonmichael Hands and Steve Mellings are both experts in data security and data sanitization. Jonmichael was one of the authors of the IEEE 2883-2022 Data Sanitization Standard and Steve is CEO of ADISA, the administrator of ADISA ICT Asset Recovery Standard, Version 8. In this episode of Ask the R2 Guru, Roger Greive engages these two experts in a lively discussion of the current state of data storage, security practices, new technologies in data storage/sanitization and how R2 facilities can stay up to date with the latest best practices in this area.

https://open.spotify.com/episode/1UFYQ9SRJFXi3Qik40x0bo

https://podcasts.apple.com/us/podcast/purge-dial-data-sanitization-with-steve-mellings/id1586381168?i=1000633502317
