New IEEE Data Erasure Standard Fills Technology Gap
By Bernard Le Gargean, Blancco
The Institute of Electrical and Electronics Engineers (IEEE) released a new standard in August 2022 for sanitizing logical and physical storage, along with technology-specific requirements for the elimination of recorded data. There are several advantages to this new standard that will be appealing to enterprises that send their laptops, desktops, drives, mobile devices, and other IT assets along the reverse logistics journey. This article will give you a bit of an introduction to what it’s all about.
Known officially as the IEEE Standard for Sanitizing Storage (IEEE 2883-2022), this specification provides guidelines for securely erasing data on storage technology developed after the National Institute of Standards and Technology (NIST) issued NIST Special Publication 800-88, Rev. 1, “Guidelines for Media Sanitization,” in 2014.
While NIST 800-88 remains the most widely used data erasure standard in the United States and in many parts of the world, technology continues to advance since its publication almost a decade ago. IEEE and NIST are different organizations, but the new standard can be seen as a natural continuation of NIST principles.
That said, IEEE 2883-2022 aims to fill a growing information gap since NIST 800-88 was last revised. For instance, it provides guidance for securely sanitizing SATA, SCSI, and NVMe drives that have grown in popularity as data storage needs have evolved. Since the NIST standard provides limited guidance for these technologies, IEEE 2883-2022 offers a critical resource for organizations that need to securely remove data from these types of drives.
Why Your Organization Needs to Know IEEE 2883-2022
The new standard is available for purchase through IEEE’s website as a downloadable PDF or as a printable guide. While there are currently no mandates to use the IEEE standard, doing so provides your customers with the security that their newer devices can be sanitized following guidelines from a globally respected association.
Implementation requires following the standards and processes described. The addition should be straightforward for organizations that already use the NIST guidelines, as IEEE 2883-2022 contains many key similarities.
For instance, IEEE standards are as quick (and sometimes quicker) to execute than NIST standards. Yet they also leverage and recommend new technological capabilities introduced since 2015 (such as restoring depopulated storage elements, resetting write pointers, and clearing NVMe buffers) for an additional level of data security.
The new standard provides:
- Clear language and instruction so that organizations know whether they have achieved data sanitization and can confidently make appropriate conformance claims
- Clarification around various data destruction methods by media and type of sanitization (e.g., does degaussing achieve Clear, Purge, or Destruct-level sanitization for a given device?)
- The ability to be referenced by other standards documents, such as future NIST publications or ISO standards, so that they also advance the most up-to-date sanitization methods for changing technologies
It also classifies data sanitization into three categories, which are similar to NIST’s, on how to sanitize data by media type:
- Clear. Prevents simple, non-invasive data recovery using software. This method of sanitization uses logical techniques to erase all data available on all user-addressable storage locations, but not hidden or non-addressable areas. Most devices support some level of Clear sanitization, which provides a moderate level of data protection while keeping the devices usable.
- Purge. Uses logical or physical techniques to remove all data, ensuring that even a specialist using state-of-the-art laboratory techniques in data recovery could not access data. While data recovery is infeasible, the storage media and the storage device may be reused.
- Destruct. Techniques such as disintegrating or incinerating devices in a way that leaves them unusable.
The Role of IEEE 2883-2022 in Reverse Logistics
With this new standard, reverse logistics companies now have more methods of sanitizing logical storage and physical storage in a wider range of newer data-holding assets. Also, by leveraging IEEE 2883-2022, organizations can process a larger range of device types. Finally, when enterprises send devices to an ITAD, recycler, or reverse logistics provider for processing, they will often specify a standard; you may therefore see an increase in customers asking that the IEEE standard be used as enterprise security policies evolve.
But what is data sanitization?
Data sanitization ensures that all data – no matter how sensitive – can never be recovered from a data storage drive. This is imperative for drives and devices that have accessed or stored potentially sensitive data, such as personally identifiable customer information or proprietary business information.
While some data sanitization methods physically destroy devices and render them unusable, software-based data sanitization, or data erasure, allows organizations to confidently reuse, resell, and recycle functional laptops, mobile phones, and desktop computers, including returned, end-of-first-life, end-of-lease, or end-of-contract devices, without fear that data will be compromised.
Reverse logistics companies will want end users who send back devices to confidently know their functional devices no longer hold sensitive data. By wiping to the IEEE 2883-2022 standard, reverse logistics companies can ensure that the devices they receive can be reused without exposing data from the previous user.
The Growing Need for Data Erasure—and the New IEEE Standard
The amount of data continues to increase rapidly. Modern storage solutions can hold ever-increasing amounts of data, creating a cybersecurity risk. As reverse logistics companies process a growing number of more advanced devices and drives, it is imperative that all data gets successfully cleared.
Other data sanitization recommendations and guidelines provide a starting point for managing end-of-life data on SATA, SCSI, and NVMe drives. IEEE 2883-2002 clarifies much of the confusion that often exists in data erasure guidance, allowing organizations that adhere to it to prepare devices more quickly and confidently for the next stage in their lifecycle.
IEEE 2883-2002 adoption will gradually increase over time as the standard becomes more ingrained in data and asset lifecycle management processes. Blancco has already integrated IEEE 2883 conformance into its data erasure software in response to customer demand. Plan today for when and how your organization will utilize this new standard to improve asset sanitization during your reverse logistics processes.
Bernard Le GargeanBernard Le Gargean is the ITAD product manager and data erasure expert at Blancco. In this role, he crafts the product roadmap for IT asset disposition customers, helping them improve their processes, increase their yield, and maintain their satisfaction.