Data Sanitization - Definition, Importance, Methods And Advantages

By | Nurkhairunnisya Binti Mohamad Khairi & Muhammad Anis Farhan Bin Yahaya

 

For many years, oil has been one of the main and arguably the most valuable commodities around the world. However, it is no longer considered the main resource. Today, data is considered one of the most important assets for an individual or organization. Data represents one of the main components used to derive better decision making that creates revenue opportunities, cost savings, and more efficient operations (Fauerbach, 2017).

 

Data needs to be handled and maintained properly once it has reached the end of its life or if it is deemed trivial, obsolete, or redundant. One has to dispose of the data in the right way to prevent any misuse by irresponsible entities which will bring about negative consequences to the individual or organization.

 

 

What Is Data Sanitization?

 

Data sanitization is a crucial and important phase in the data lifecycle management. It is the process of erasing, removing, or destroying data trails from any data storage devices such as hard disk drive (HDD), solid-state drive (SSD), flash drive, mobile phone, and memory card. Once it has been sanitized, no data can be found and cannot be recovered again by any means, even with the

 

Importance Of Data Sanitization

 

The current trend of accelerated technological developments in the digital devices sector is resulting in frequent hardware upgrades and software updates for better and more efficient business administration and operations. At the same time, the enormous amount of data being digitized and stored in digital devices has made data security critical to everyone. The sanitization of the hard disk becomes a necessity when selling, donating, returning, reusing, or disposing of your hard disk, which is one of your most significant IT assets.

 

There are several reasons for it. Some are as follows:

 

  1. You and/or your organization potentially could be at risk of losing your personal, private, and confidential information to individuals or organizations with ill means. They may extract data from your hard disk and use it for their benefit or to malign your and/or your organization's reputation.
     
  2. You and/or your establishment could be at risk of losing a large amount of significant information to unauthorized users as they are able to recover the data by using any recovery software or services.
     
  3. The organization, particularly the government departments, has legal obligations set up by The Malaysian government that they should always abide by to maintain work culture and task-flow. Organizations should comply with several international laws such as Gramm- Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act (SOX) and also the Malaysian Personal Data Protection Act (PDPA) 2010 to prevent the breach of your data.
     
  4. Simply deleting data using Delete or Shift + Delete key simultaneously or even formatting your hard disk is still unsafe. It does not remove the data from the hard disk completely, only the link (reference) to the stored data is lost while the data remains on the disk.
     
What Is MyCyberSecurity Clinic?

 

Logo
Description automatically generated

 

MyCyberSecurity Clinic (MyCSC), an initiative by CyberSecurity Malaysia, an agency under the Ministry of Communications and Multimedia Malaysia (MCMM) is a trusted entity that specializes in data recovery and data sanitization. With the tagline "Where trust comes first", MyCSC manages the information security according to the requirements in the ISO/IEC 27001 Standards to achieve an overall information security assurance through the preservation of confidentiality, integrity, and availability.

 

To protect a business's relevant information during the entire data security lifecycle, ISO/IEC 27001 Standards, which is an international standard on how to manage information security, provides two specific controls, Annex A.8 and Annex A.11 related specifically to information disposal as below:

 

  1. Control A.8.3.2 – Disposal of Media
    Whenever a media shall be discarded, the use of procedures should be considered to ensure proper information disposal.
     
  2. Control A.11.2.7 – Secure Disposal or Reuse of Equipment Equipment containing storage media shall be verified to ensure it is free of sensitive information before disposal or reuse.

 


Popular Methods Of Data Sanitization

 

In general, data sanitization services provided by MyCSC are based on the type and characteristics of the digital storage device, state of data, and the required level of data sanitization. There are three well-known methods of data sanitization which are physical destruction, cryptographic erasure, and data erasure.

 

First, Physical Destruction is a process of destroying the storage devices physically which means, it can be achieved by using a crushing machine, shredder machine, and degaussing machine. Degaussing is a form of physical destruction whereby data is exposed to the powerful magnetic field of a degausser and neutralized, rendering the data unrecoverable, but the drives or tapes cannot be re-used upon completion. However, the Degaussing method is ineffective when applied to SSD. Physical destruction is an effective method of destroying data.


Graphical user interface
Description automatically generated

Example of Degaussing Machine (Source: Google)


Second, Cryptographic Erasure is the process of using encryption software (either built-in or deployed) on the entire data storage device and erasing the key used to decrypt the data. While the data remains on the storage device itself, by erasing the original key, the data is effectively impossible to decrypt. As a result, the data inside the storage media is unrecoverable. Cryptographic erasure is a quick and effective method to achieve data sanitization. However, sometimes it does not meet the regulatory compliance requirements.


Finally, Data Erasure is a software-based method of obliterating data by securely overwriting data from any storage device using zeros and ones onto all sectors of the device. By overwriting the data on the storage device, the execution of this process makes the original data impossible to be recovered. In order to achieve data erasure, the software must:


  1. Allow for selection of a specific standard, based on the individual’s or organization’s specific needs and requirements.

  2. Verify the overwriting process has been successful and remove data across the entire storage devices.

  3. Produce a tamper-proof report containing information of erasure process has been successful and written to all sectors of the device, along with the information about the storage device including the type, manufacturer, model number, serial number & capacity of the particular storage devices, and also the method of data sanitization that has been used.

    Although data erasure is the most effective method of data sanitization, it is a time- consuming process compared to physical destruction and cryptographic erasure.



Advantages Of Data Sanitization By MyCyberSecurity Clinic (MyCSC)


Data sanitization ensures the security of data during the hardware upgrading and/or disposal stage by sanitizing the storage devices that are being replaced, thus mitigating the risk of data leaks when the replaced drives are reused by other entities. Furthermore, the replaced or discarded digital storage devices can also be safely reused or recycled. Hence, it will contribute to the eco-friendly movement promoted by the government and reduce the cost to the individual or organization.


Through data sanitization service offered by MyCSC of CyberSecurity Malaysia, we will address your needs for safe and secure deletion of data from storage devices that are to be retired, upgraded, or reallocated. With information security at the core of our service and our identity as the national custodian of cybersecurity specialist agency, engaging standard and secure processes, we provide an effective and trustworthy data sanitization service. Over the years, MyCSC has received and handled numerous data sanitization cases from both the public and private sectors.


MyCSC’s technical staff are well-trained, highly skilled and knowledgeable. We keep abreast with emerging industry trends and cutting-edge technologies, particularly on data sanitization. Furthermore, MyCSC’s data sanitization lab is equipped with the latest software tools and equipment to ensure that the process of data sanitization can be performed well and within a given standard level agreement or SLA. Our team will ensure that our customers always receive the best service.