24 January 2012

Data Destruction in the Age of Outsourcing

With more IT work being outsourced and more sensitive data being hosted by outside parties, maintaining positive control over sensitive data is a hot topic. Positive control of sensitive data is required during all phases of the system lifecycle, including lifecycle events that require decommissioning of environments and destruction of data. When choosing a hosting provider, it is important to understand all of the protections afforded to the sensitive data entrusted to the provider. While this article is not intended to be a comprehensive guide or checklist with which to evaluate a hosting provider, I wanted to touch on one important data security topic that contains a lot of nuance in terminology and is confusing to many people, including security professionals: data destruction.

For providers aligning to the Payment Card Industry Data Security Standard (PCI DSS), audit requirements are specific about the need to conduct media destruction. Requirement 9.10 states that media containing cardholder data must be destroyed when it is no longer needed for business or legal reasons. Other types of audits have similar requirements for data destruction. But how is data destruction accomplished? And what is acceptable to consider the data "destroyed"? Many hosting providers, when faced with audit requirements such as PCI DSS, will state that they align to US Department of Defense (DoD) guidance for data destruction.

Oh, really? DoD guidance? So what does that mean? This is actually a complicated question and one that has more nuance than one might expect. In many cases, customers and security professionals believe "compliance with DoD data destruction guidance" to imply overwriting the data with either a 3-pass or 7-pass algorithm. This is often attributed to DoD 5220.22-M and represents a generally correct understanding of DoD procedures as they existed in the past. As the threat has changed, so too have DoD procedures for data clearing and sanitization.

The National Industrial Security Program Operating Manual (DoD 5220.22-M, also called the "NISPOM") defines two different scenarios in paragraph 8-301 relating to clearing, sanitization and release of media. Clearing is the process of eradicating data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. Sanitization is the process of removing the data from the media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was on the media before sanitizing. In other words, hard drives or other media staying at the same data classification level need to be cleared, but hard drives being moved to a lower classification level need to be sanitized. To put this into a perspective that more closely resembles a typical business environment, media containing sensitive information that is leaving a secured, production data center floor would likely need to be sanitized, not cleared, since only a secured, production data center environment is likely to provide controls adequate to protect sensitive customer data. (The NISPOM can be found at http://www.dss.mil/isp/fac_clear/download_nispom.html .)

In the DoD, the National Security Agency/Central Security Service (NSA/CSS) is the agency responsible for determining the procedures for conducting clearing and sanitization. Current NSA/CSS guidance on drive sanitization can be found in the NSA/CSS Storage Device Declassification Manual (Policy Manual 9-12), located at http://www.nsa.gov/ia/_files/government/MDG/NSA_CSS_Storage_Device_Declassification_Manual.pdf . Current guidance calls for sanitization to be accomplished with an approved automatic degausser, an approved wand-type degausser or via incineration. Hence, by virtue of the process required, a sanitized hard disk is no longer usable at all, let alone in an environment that provides lower levels of protection than the data originally stored on the device required. Again, to put this into the context of a typical business, if the business were to comply with current guidance, once a drive contains sensitive data it could likely not be used outside of the secured data center environment, since only the secured data center environment likely provides the necessary controls. For most businesses, complying with current DoD data clearing and sanitization guidelines as outlined in NSA/CSS Policy Manual 9-12 would be a fairly simple, if somewhat costly, proposition, since media reuse would be fairly limited once sensitive customer data is written to the media.

For most businesses, strict compliance with DoD guidelines may not be warranted. When evaluating a hosting provider, it is better to look beyond claims of DoD compliance and focus instead on the processes used to control data within the hosting provider environment, and to develop an understanding of the controls in place to enforce those processes. Don't allow claims of compliance with DoD guidelines to derail your understanding of the processes and controls. NIST Special Publication 800-88, Guidelines for Media Sanitization, available at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf, provides both a decision-making process for when sanitization and clearing are appropriate and guidance on recommended technical methods. When evaluating a hosting provider, looking at data destruction in light of the NIST guidance is highly recommended, along with understanding and defining contractually your requirements around data handling and destruction. Bottom line: focus not on claims of compliance, but on making sure the controls are adequate given the value of the data you need to protect.