Data Centers and NIST Compliance: Why 800-53 is Just the Start

August 22, 2023 at 4:42 pm by Amanda Canale

The world of data storage has been exponentially growing for the past several years and shows no signs of slowing down. From paper to floppy disks, HDDs to SSDs, and large servers to cloud-based infrastructures, the way we store data has become increasingly intricate using the latest and greatest major technological advancements. 

As the way we store our data continues to evolve, it’s becoming increasingly vital for data centers, federal agencies, and organizations alike to implement proper cybersecurity and information security practices, along with appropriate procedures for secure data sanitization and destruction. Data center compliance is essential for various reasons, primarily centered around ensuring the security, integrity, and reliability of data and systems. By complying with industry standards and regulations, data centers can safeguard sensitive data and ensure that proper security measures are in place to prevent unauthorized access, data breaches, and cyberattacks – both while data storage devices are in use and when they reach end-of-life. 

In summary, data center compliance falls under both cybersecurity and physical security best practices, and secure data sanitization and destruction. For a data center to operate at optimal performance and security, one cannot be without the other.

When discussing data center compliance, it’s important to not leave out an important player: the National Institute of Standards and Technology (NIST). NIST is a non-regulatory federal agency whose cybersecurity frameworks are among the most widely recognized and adopted in the industry and form its most comprehensive and in-depth set of framework controls. NIST’s mission is to educate citizens on information system security for all applications outside of national security, including industry, government, academia, and healthcare on both a national and global scale. 

Their strict and robust standards and guidelines are widely recognized and adopted by both data centers and government entities alike seeking to improve their processes, quality, and security. 

In today’s blog, I want to dive into the two most important NIST publications data centers should consistently reference and implement into their security practices: NIST 800-88 and NIST 800-53. Both standards help create consistency across the industry, allowing data centers to communicate and collaborate with partners, clients, and regulatory bodies, and to protect them more effectively. Again: cybersecurity and destruction best practices go hand-in-hand, and should be implemented as a pair in order for a data center to operate compliantly. 

Step 1: Data Center Security and Privacy Framework

NIST 800-53

NIST 800-53 provides guidelines and recommendations for selecting and specifying security and privacy controls for federal information systems and organizations. While NIST 800-53 is primarily utilized by federal agencies, its principles and controls are widely recognized and adopted as a critical resource for information security and privacy management, not only by federal agencies but also by private sector organizations, international entities, and more importantly, data centers. 

NIST 800-53 serves as a comprehensive catalog of security and privacy controls that data centers can use to design, implement, and assess the security posture of their IT systems and infrastructure, all of which are crucial in sustaining a data center. The controls are related to data protection, encryption, data retention, and data disposal, and serve as a valuable resource for data centers looking to establish intricate and well-rounded cybersecurity and information security programs. 

NIST 800-53 addresses various aspects of information security, such as access control, incident response, system and communications protection, security assessment, and more. Each control is paired with specific guidelines and implementation details. These security controls, of which there are over a thousand, are further categorized into twenty “control families” based on their common objectives. (For example, access control controls are grouped together, as are incident response controls, and so forth.) These control families cover various aspects of security, including access control, network security, system monitoring, incident response, and more, offering data centers much higher rates of uptime and ability to minimize downtime.

Since data centers often handle sensitive and valuable information, they require robust physical security measures to prevent breaches and unauthorized access. NIST 800-53 addresses physical security controls, including access controls, video surveillance, intrusion detection systems, and environmental monitoring, which are vital in protecting the data center’s infrastructure.

It’s important to mention that while NIST 800-53 provides an increasingly valuable foundation for securing data center operations, organizations may need to tailor the controls to their specific environments, risk profiles, and compliance requirements. NIST 800-53 offers a flexible framework that allows for customization to suit the unique needs of different data center operators, making it a vital and critical resource.

Step 2: Data Destruction Compliance 

NIST 800-88

First published in 2006, NIST 800-88, Guidelines for Media Sanitization, provides guidance and regulations on how citizens can conduct the secure and proper sanitization and/or destruction of media containing sensitive, classified, and top secret information. NIST 800-88 covers various types of media, including hard drives (HDDs), solid-state drives (SSDs), magnetic tapes, optical media, and other media storage devices. NIST 800-88 has quickly become the utmost standard for the U.S. Government and has been continuously referenced in federal data privacy laws. More so, NIST 800-88 regulations have been increasingly adopted by private companies and organizations, especially data centers. The main objective is to help data centers and organizations establish proper procedures for sanitizing media before its disposal at end-of-life.

When a data center facility or section is being decommissioned, equipment such as servers, storage devices, and networking gear must be properly sanitized and disposed of. NIST 800-88’s guidelines help data center operators develop procedures to securely handle the removal and disposal of equipment without risking future data breaches.

When it comes to sanitizing media, NIST 800-88 offers three key methods:

  1. Clearing: The act of overwriting media with non-sensitive data to prevent data recovery.
  2. Purging: A more thorough and comprehensive method that will render the stored data unrecoverable using advanced technology, such as cryptographic erasure and block erasing.
  3. Destruction: The physical destruction of a storage device either by way of shredding, crushing, disintegrating, or incineration. This often includes electromagnetic degaussing, a method that produces a buildup of electrical energy to create a magnetic field that scrambles and breaks the drive’s binary code, rendering it completely inoperable. The strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the golden standard. 

However, even these methods can come with their own drawbacks. For instance: 

  1. Clearing: For sensitive, classified, or top secret information, clearing or overwriting should never serve as the sole destruction method. Overwriting is only applicable to HDDs, not SSDs or Flash, and does not fully remove the information from the drive. 
  2. Purging: Unfortunately, purging methods are highly prone to human error and are a very time-consuming process.
  3. Destruction: Once the drive has been destroyed, it cannot be reused or repurposed. However, this method provides the assurance and security that the data is fully unrecoverable, the process can take mere seconds, and there is no room for human error.

The chosen destruction and/or sanitization method depends on the sensitivity of the information on the media and the level of protection required, so it is crucial that data centers and organizations take into account the classification of information and media type, as well as the risk to confidentiality. NIST 800-88 provides valuable guidance on media sanitization practices, which are crucial for data centers to ensure the secure disposal of data-filled devices while minimizing the risk of data breaches. Proper implementation of NIST guidelines allows data center officials to protect sensitive information and maintain data security throughout the lifecycle of data center equipment.

The Importance of Verification 

NIST guidelines, specifically NIST 800-88, have become the industry standard when it comes to secure data sanitization; however, they are not as definitive as other regulatory compliance regimes. With NIST, the responsibility for data sanitization falls onto a data center’s or an agency’s chief information officers, system security managers, and other related staff.

As discussed above, the destruction and/or sanitization method depends on the sensitivity of the information on the media and the level of protection required, so it is critical to the security of the end-of-life data that organizations discuss the matters of security categorization, media chain of custody including internal and external considerations, and the risk to confidentiality.

Regardless of the method chosen, verification is the next critical step in the destruction and sanitization process. NIST verification typically refers to the process of validating or verifying compliance with standards, guidelines, or protocols established by the data center and/or organization. By NIST 800-88 standards, verification is the process of testing the end-of-life media to see if the stored information is accessible. 

For sanitization equipment to be verified, it must be subjected to testing and certification, such as NSA evaluation and listing, and must abide by a strict maintenance schedule. For proper sanitization, the result must be verified through third-party testing if the media is to be reused. However, when media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. 

Since third-party testing can be impractical, time consuming, and a gateway to data breaches, we at SEM always push for the in-house sanitization and destruction of media as the only choice to ensure full sanitization of data and the only way to mitigate future risks. When destroying data in-house, companies can be positive that the data is successfully destroyed. 

Conclusion

When it comes to data center compliance and security, there is no one-stop-shop. Adhering to both NIST 800-88 and 800-53 guidelines enhances the reputation of data centers by demonstrating a commitment to data security and privacy. This can help build trust with clients, customers, and stakeholders, leading to stronger business relationships. More importantly, these guidelines are necessary when collecting, storing, using, or destroying certain data. NIST provides educational resources, training materials, and documentation that help data center staff understand security concepts and best practices, empowering data center personnel to implement effective security measures.

At SEM, we have a wide range of NSA listed and noted solutions and CUI/NIST 800-88 compliant devices designed for you to securely destroy sensitive information. After all, the consequences of improper data destruction are endless and there is no statute of limitations on data breaches. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment. Need us to craft a custom solution for your data center? You can find out more here. 

The Importance of the NIST 800-88 Standard for Media Sanitization in Secure Data Destruction

November 21, 2018 at 4:00 pm by Heidi White

Trends in data storage are changing at an exponential rate. The past few years alone have seen the progression of data storage from large servers with magnetic media to cloud-based infrastructure with increasingly dense solid state media. Along with every technological advancement in data storage has come the inexorable advancement of data theft. As a result, the scope and level of responsibility for protecting sensitive and Personally Identifiable Information (PII) has expanded to include not only the originators of data, but also all of the intermediaries involved in the processing, storage, and disposal of data. To address these critical issues and to protect organizations and citizens of the United States, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed NIST 800-88 “Guidelines for Media Sanitization” to promote information system security for all other applications outside of national security, including industry, government, academia, and healthcare. NIST 800-88 has become the predominant standard for the US Government, being referenced in all federal data privacy laws, and has now been overwhelmingly adopted by the private sector as well.

NIST 800-88 assumes that organizations have already identified the appropriate information categories, confidentiality impact levels, and location of the information at the earliest phase of the system life cycle as per NIST SP 800-64 “Security Considerations in the Systems Development Life Cycle.” Failing to initially identify security considerations as part of the data lifecycle opens up the strong potential that the organization will fail to appropriately maintain control of and protect some media that contains sensitive information.

Confidentiality and Media Types

Confidentiality is defined by the Title 44 US Code as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” FIPS 199 — NIST’s Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems — adds that “a loss of confidentiality is the unauthorized disclosure of information.” Bearing these definitions in mind, organizations must establish policies and procedures to safeguard data on used media. Common methodologies of illicit data recovery include basic acquisition of clumsily sanitized media either through third party sale or old-fashioned dumpster diving, or the more sophisticated laboratory reconstruction of inadequately sanitized media.

Currently, two types of basic media exist: hard copy and electronic. Commonly associated with paper printouts, hard copy actually encompasses a lot more. In fact, all of the materials used in the printing of all types of media, including printer and fax ribbons for paper and foils and ribbons for credit cards, are considered hard copy. Electronic media consists of any devices containing bits and bytes, including but not limited to rotational and solid state hard drives, RAM, boards, thumb drives, cell phones, tablets, office equipment including printer and fax drives, server devices, flash memory, and disks. It is expected that, considering the rate at which technology is progressing, additional media types will be developed. NIST 800-88 was developed in such a way that sanitization and disposal best practices pertain to the information housed on media rather than the media itself, allowing the guideline to more successfully stay current with future innovations.

Media Sanitization – Methodologies, Responsibilities, and Challenges

Three methodologies of media sanitization are defined by NIST 800-88 as follows:

  • Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
  • Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
  • Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

Clear

One of the most commonly used clearing methodologies for data sanitization on magnetic media has traditionally been overwriting using dedicated sanitize commands. Note that basic read/write overwriting is never recommended as it does not address all blocks on the media. Drawbacks to overwriting using sanitize commands are two-fold: 1) it is only effective for magnetic media, not solid state or flash, and 2) this methodology is wide open to operator error and theft, as well as undetected failure.

Purge

SEM’s high security degausser can be used to purge data

A common form of purging used for magnetic media sanitization is electromagnetic degaussing, whereby a dedicated degaussing device produces a build-up of electrical energy to create a magnetic field that removes the data from the device when discharged. Degaussing has long been an acceptable form of media sanitization for top secret government information when used in tandem with a hard drive destruction device such as a crusher or shredder. Degaussing alone poses the same concerns as overwriting in that operator error or deceit remains a possibility. In addition, the strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the golden standard.

Destroy

While clearing and purging provide adequate media sanitization involving less sensitive data, destroying is the most effective and permanent solution for secure data applications. Organizations should take into account the classification of information and the medium on which it was recorded, as well as the risk to confidentiality. As the internet continues to expand and the switch from physical to digital document-keeping becomes the industry standard, more and more data holds PII information such as financials, health records, and other personal information such as that collected for databases or human resources. As a result, security-focused organizations are becoming more cognizant of the fact that comprehensive data sanitization — including destruction — must become a top priority.

SEM disintegrators shred particles to a nominal 2mm size

Industry-tested and accepted methodologies of secure data destruction include crushing, shredding, and disintegration, but even these secure end-of-life solutions require thoughtful security considerations. For example, shredding rotational hard drives to a 19mm x random shred size provides exceptional security for sensitive information. However, a 19mm shred size would not even be an option for solid state media, which store vast amounts of data on very small chips. Instead, sensitive solid state media should be shredded to a maximum size of only 9.5mm x random, while best practices for the destruction of highly sensitive or secret information is to disintegrate the media to a nominal shred size of 2mm². In addition, some destruction devices such as disintegrators are capable of destroying not only electronic media, but also hard copy media such as printer ribbons and employee ID cards, providing a cost-effective sanitization method for all of an organization’s media.

Responsibilities and Verification

While NIST 800-88 has become the industry standard for secure data sanitization, the guidelines do not provide definitive policies for organizations. Rather, NIST 800-88 leaves the onus of appropriate data sanitization to organizations’ responsible parties including chief information officers, information security officers, system security managers, as well as engineers and system architects who are involved in the acquisition, installation, and disposal of storage media. NIST 800-88 provides a decision flow that asks key stakeholders questions regarding security categorization, media chain of custody including internal and external considerations, and potential for reuse.

Regardless of the sanitization method chosen, verification is considered an essential step in the process of maintaining confidentiality. It should be noted that verification applies not only to equipment and sanitization results, but also to personnel competencies. Sanitization equipment verification includes testing and certification of the equipment, such as NSA evaluation and listing, as well as strict adherence to scheduled maintenance. Organizations should fully train personnel responsible for sanitization processes and continue to train with personnel turnover. Lastly, the sanitization result itself must be verified through third party testing if the media is going to be reused. When media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. Because third party testing can be impractical, time consuming, and costly, many organizations choose to destroy media to ensure full sanitization of data and in doing so, to greatly mitigate risk.
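The decision questions named above (security categorization, whether the media leaves organizational control, whether it will be reused) and the verification rule in this section can be written down as an executable policy. This is an added example, not SEM's or NIST's own code; the category/reuse/custody mapping is my reading of the SP 800-88 Rev. 1 decision flow and must be checked against the current revision before an organization adopts it.

```python
"""End-of-life media sanitization policy: decision flow plus verification rule.

Added example, not code from SEM or NIST.  DECISION_FLOW is an assumption
(one reading of the SP 800-88 Rev. 1 decision flow); verify it against the
current revision of the guideline before relying on it.
"""
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    CLEAR = "Clear"
    PURGE = "Purge"
    DESTROY = "Destroy"


# Key: (FIPS 199 confidentiality impact, leaving organizational control?)
# Value: sanitization method when the media WILL be reused.  Media that will
# not be reused is destroyed regardless of category (handled in code below).
DECISION_FLOW = {            # assumption, see module docstring
    ("low", False): Method.CLEAR,
    ("low", True): Method.PURGE,
    ("moderate", False): Method.CLEAR,
    ("moderate", True): Method.PURGE,
    ("high", False): Method.PURGE,
    ("high", True): Method.DESTROY,
}

# The post's own caveat: overwrite-based Clear is not suitable for flash media.
FLASH_MEDIA = {"ssd", "flash", "thumb drive"}


@dataclass(frozen=True)
class Disposition:
    method: Method
    verification: str   # "none", "in-house" or "third-party"
    rationale: str


def choose_method(categorization: str, reuse: bool, leaving_org: bool,
                  media_type: str) -> Method:
    """Walk the decision flow for one piece of media."""
    cat = categorization.strip().lower()
    if cat not in ("low", "moderate", "high"):
        raise ValueError(f"unknown security categorization: {categorization!r}")
    if not reuse:
        return Method.DESTROY          # no reuse -> destroy, every category
    method = DECISION_FLOW[(cat, leaving_org)]
    if method is Method.CLEAR and media_type.lower() in FLASH_MEDIA:
        method = Method.PURGE          # escalate: overwrite does not fit flash
    return method


def plan_disposition(categorization: str, reuse: bool, leaving_org: bool,
                     media_type: str) -> Disposition:
    """Pair the chosen method with the verification the post describes:
    third-party testing when media is reused, none when it is destroyed."""
    method = choose_method(categorization, reuse, leaving_org, media_type)
    if method is Method.DESTROY:
        verification = "none"          # pulverized material is its own proof
        why = "media will not be reused or is high-impact leaving the org"
    else:
        verification = "third-party"   # result must be tested before reuse
        why = f"{categorization} impact, reuse={reuse}, leaving_org={leaving_org}"
    return Disposition(method, verification, why)


if __name__ == "__main__":
    # Constructed sample inventory, not real assets.
    for row in [("high", True, True, "hdd"), ("low", True, False, "ssd"),
                ("moderate", False, False, "hdd")]:
        print(row, "->", plan_disposition(*row))
```
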

Conclusion

NIST 800-88 was developed in an effort to protect the privacy and interests of organizations and individuals in the United States. Adopted by nearly all federal and private organizations, NIST 800-88 provides an outline of appropriate procedures for secure data sanitization that both protects PII and confidential information while reducing organizational liability. Determining proper policies is realized by fully understanding the guidelines, following the sanitization and disposition decision flow, implementing data sanitization best practices, and engaging in ongoing training and scheduled maintenance. Because NIST 800-88 guidelines do not provide a definitive one-size-fits-all solution and are admittedly extensive, working with a knowledgeable data sanitization partner is key to a successful sanitization policy.