Frequently Asked Questions
The circular economy is an economic model that emphasizes the efficient use of resources by keeping them in use for as long as possible and minimizing waste. This is achieved through strategies like reuse, repair, remanufacturing, and recycling, which are designed to extend the life of products and recover materials at the end of their life cycle.
Here are some key principles of the circular economy:
- Use (life) extension: This involves keeping products in use for as long as possible, often through means such as firmware upgrades that improve reliability and decrease failures.
- Reuse: This involves a second or third user using a product after the first deployment. Secure transfer of ownership and data sanitization are required to ensure no private data is recoverable.
- Sharing: Resource sharing between organizations and divisions can facilitate reuse at a local scale.
- Repair: This involves replacing parts on a damaged product to allow it to continue to function. Hardware testing and verification should confirm that all key functions are working.
- Refurbishment: This involves testing and verifying products with no major defects, and loading them with a known working version of firmware or software.
- Remanufacture: This involves taking a product that has some damage or use and turning it into a new product of a different class.
- Disassembly, Recycle and Reuse Components: This involves disassembling the product to remove valuable components for reuse in another product or segment.
- Recycle Raw Material: Although often not as impactful as other areas of circularity, recycling raw materials prevents them from becoming e-waste and ensures they are properly disposed of or directed to recycling facilities.
By applying these principles, the circular economy aims to create a closed-loop system that reduces waste and environmental impact, while creating value from resources that would otherwise be discarded.
A process or method to render access to target data on storage media infeasible for a given level of effort. Purge media sanitization enables secure removal of data while leaving the device in a reusable state.
Storage sanitization refers to the process of denying access to data from storage media, ensuring that the data cannot be retrieved or reconstructed. This is crucial when storage devices are transferred, become obsolete, or are no longer usable, to prevent unauthorized disclosure of data.
Why is storage sanitization important? Storage sanitization is critical to maintain data confidentiality, especially for sensitive or regulated data. If not properly sanitized, residual data may be recoverable, posing a risk of unauthorized data access or disclosure.
What does the sanitization process involve? The sanitization process often involves identifying the type of storage involved (logical or media), selecting the appropriate sanitization method (clear, purge, or destruct), executing the chosen sanitization techniques, verifying the results to determine the level of residual risk, and producing evidence of the sanitization for compliance purposes.
What types of data need to be sanitized? If sanitization is intended to remove all instances of specific data, then all media on which that data has been stored also requires sanitization. This includes data stored as a result of caching, replication, mirroring or other redundancy, backup or point in time copies, swapping, and paging.
What are some of the challenges in data sanitization? The concept of data sanitization is straightforward, but its practical implementation can be challenging due to the inconsistent use of terminology and the technical complexities of ensuring all data copies are identified and eliminated.
Our vision for the Circular Drive Initiative (CDI) is to foster a sustainable future by enabling the circular economy in data storage. We strive to ensure that data storage devices can be securely reused, significantly reducing e-waste and reducing carbon emissions linked to manufacturing new storage devices.
We are committed to revolutionizing the data storage industry by enabling circularity and to transforming the storage market by developing, promoting, and implementing standards, transparent reporting, and best practices centered around a circular economy.
We aim to:
- Develop circularity and reuse standards for storage: We strive to redefine the ecosystem by instituting guidelines prioritizing environmental responsibility.
- Foster circular business models: We’re dedicated to promoting business models that emphasize the reuse and recycling of storage devices.
- Educate the industry: We are committed to educating stakeholders about the benefits and necessities of adopting sustainable practices in the storage industry and eliminating myths about storage security that have prevented reuse.
- Prevent first-use destruction: We aim to eliminate wasteful practices by advocating for the secure reuse of storage devices, minimizing the need for destructive sanitization methods.
- Drive impact and accountability: We’re committed to creating a positive environmental impact and holding ourselves and the industry accountable for the sustainable use and disposal of storage devices.
Storage security involves implementing safeguards and countermeasures to mitigate risks associated with storage systems and infrastructure. These may include system security hardening, storage sanitization, encryption, key management, and data protection measures among others. It aims to ensure the confidentiality, integrity, and availability of data, while taking into account the various technologies and methods used in storage.
Cryptographic erase is a data sanitization method that leverages encryption to delete data from storage media securely. Rather than physically erasing data, which can take considerable time and wear on the device, cryptographic erase makes the data inaccessible by changing or deleting the encryption keys. This process leaves only the encrypted data (ciphertext) on the storage media, rendering the data effectively sanitized as it becomes unrecoverable without the encryption key.
Key features and requirements of cryptographic erase include:
- Encryption: All data intended for cryptographic erase must be encrypted prior to recording on the storage media.
- Key Strength: The strength of the cryptographic algorithm used to encrypt the target data must be at least 128 bits, and the level of entropy of the encryption key used must also be at least 128 bits.
- Key Sanitization: All copies of the encryption keys used to encrypt the target data must be sanitized. If the target data’s encryption keys are encrypted with one or more wrapping keys, it’s acceptable to perform cryptographic erase by sanitizing a corresponding wrapping key.
- Speed and Efficiency: Cryptographic erase can provide significant benefits in both timeliness and assurance. It can facilitate rapid eradication of sensitive data (in seconds versus hours or days), reduce wear on the storage device, and make it easier to safely repurpose storage devices, instead of destroying them.
- Implementation: Cryptographic erase should only use a well-vetted cryptographic implementation to avoid potential errors or use of weak cryptographic algorithms.
- Inappropriate Use Cases: Cryptographic erase is not appropriate if the encryption was enabled after sensitive data were stored on the storage device without being sanitized first, or if it is unknown whether sensitive data were stored on the device without being sanitized prior to encryption.
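The requirements above can be checked mechanically before a drive is released for reuse. The following is an added example, not code from CDI or from any standard: it models a key hierarchy and reports why cryptographic erase cannot be relied on, including the case where the data key is wrapped under more than one wrapping key. All names (`Key`, `recoverable`, `crypto_erase_findings`, the sample key names) are hypothetical.

```python
from dataclasses import dataclass, field

MIN_BITS = 128  # minimum algorithm strength and key entropy from the list above

@dataclass
class Key:
    entropy_bits: int
    wrapped_by: list = field(default_factory=list)  # keys holding a wrapped copy
    plaintext_copy: bool = False  # an unwrapped copy exists (token, escrow, ...)

def recoverable(name, keys, sanitized, seen=frozenset()):
    """True if some copy of `name` can still be obtained after sanitization."""
    if name in sanitized or name in seen:  # every copy destroyed, or a cycle
        return False
    key = keys[name]
    if key.plaintext_copy:
        return True
    # A wrapped copy is usable only if its wrapping key is itself recoverable.
    return any(recoverable(w, keys, sanitized, seen | {name}) for w in key.wrapped_by)

def crypto_erase_findings(data_key, keys, sanitized, algo_bits, encrypted_before_data):
    """Return the reasons cryptographic erase cannot be relied on (empty = OK)."""
    findings = []
    if algo_bits < MIN_BITS:
        findings.append("algorithm strength below 128 bits")
    if keys[data_key].entropy_bits < MIN_BITS:
        findings.append("key entropy below 128 bits")
    if encrypted_before_data is not True:  # False or None (unknown) both fail
        findings.append("sensitive data may predate encryption")
    if recoverable(data_key, keys, sanitized):
        findings.append("a copy of the data key is still recoverable")
    return findings

# Constructed sample: one media key wrapped under a user key and an escrow key.
SAMPLE_KEYS = {
    "media-key": Key(256, wrapped_by=["user-kek", "escrow-kek"]),
    "user-kek": Key(256, plaintext_copy=True),
    "escrow-kek": Key(256, plaintext_copy=True),
}

if __name__ == "__main__":
    for done in ({"user-kek"}, {"user-kek", "escrow-kek"}, {"media-key"}):
        print(sorted(done), crypto_erase_findings("media-key", SAMPLE_KEYS, done, 256, True))
```

Sanitizing only one of two wrapping keys leaves the data key reachable through the other, which is why the inventory of key copies has to be complete before the erase is accepted.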
While methodologies for carbon accounting in circular business models like storage reuse are still under development, they can offer valuable insights. Through comparative GHG impact analysis, these methods can highlight the environmental benefits of reusing storage devices versus manufacturing new ones. The concept of avoided emissions can be used to quantify the GHG reductions achieved through reuse. The use of a “functional unit” for comparison ensures a fair evaluation between new and reused storage devices. Two different approaches, attributional and consequential, can provide different perspectives on the impacts of storage reuse. However, these assessments may not fully account for indirect effects or future market and technology changes.
The environmental benefits of embracing circular practices in storage reuse are primarily centered around significant reductions in carbon emissions and e-waste. The Information and Communications Technology (ICT) industry, particularly the storage sector, contributes substantially to these global challenges. For instance, hard disk drives (HDDs) and solid-state drives (SSDs) account for a large portion of these emissions, with a significant majority occurring during the usage phase.
In any given year, the industry ships hundreds of millions of HDDs and SSDs, a large percentage of which are destroyed after their first use. This practice results in a substantial amount of shredded metal, which if recycled, still leads to a significant volume of carbon emissions. While this amount might seem inconsequential compared to the emissions of a single company, the cumulative impact over time is significant.
Moreover, the carbon emissions avoided by reusing HDDs and SSDs far outweigh those mitigated by recycling the raw materials. The avoided emissions from storage reuse could account for a significant portion of the ICT industry’s total carbon emissions per year.
As for SSDs, as their market grows and the capacity of these drives increases, the associated carbon footprint scales linearly, making reuse an even more crucial strategy for mitigating carbon emissions.
In conclusion, storage reuse, as part of circular practices, presents an effective strategy for reducing carbon emissions and e-waste in the ICT industry. This underscores the need for a transition towards a circular economy, emphasizing the importance of reuse and recycling over disposal.
Media sanitization, a process that irreversibly removes or destroys the data stored on a memory device, is a critical practice that aligns with various data privacy regulations. According to ISO 27040, an international standard providing detailed technical guidance on storage security and data sanitization, this practice plays a vital role in ensuring data privacy and security.
Firstly, incorporating storage into policies (OC-PLCY-G01) is important for data privacy. This includes addressing data destruction and storage media sanitization. This practice ensures sensitive and critical data, such as Personally Identifiable Information (PII), is properly sanitized, reducing the risk of unauthorized access.
Secondly, ensuring storage conforms with policies (OC-PLCY-G02) is crucial. This includes ensuring all elements of the storage ecosystem comply with policy (e.g., ISO/IEC 27001:2022, 5.2 and ISO/IEC 27002:2022, 5.1).
Thirdly, the guidance OC-CPLC-G03 stresses that storage should meet data retention and sanitization obligations. Proper data sanitization should be implemented prior to the repurposing or decommissioning of hardware, and correct sanitization of virtual server images, and their copies, should be implemented at their end of life.
Lastly, it’s also important to ensure storage meets privacy obligations (OC-CPLC-G04). The use of data and storage media sanitization mechanisms should not violate preservation requirements, and proper chain of custody procedures should be followed when evidentiary data (e.g., audit logs, metadata, mirror images, and point-in-time copies) is handled (OC-CPLC-G05).
In summary, media sanitization is key to ensuring data privacy and aligns with the guidance provided by ISO 27040. Proper implementation of media sanitization techniques ensures that data privacy regulations are adhered to and that sensitive data is adequately protected (ISO/IEC 27040:2015, Clause 7).
Reference: ISO/IEC 27040:2015 Information technology — Security techniques — Storage security.
Now! See the resources page for a copy of the bylaws, and email [email protected] for more details about the bi-weekly call
NIST SP800-88R1: This document from the National Institute of Standards and Technology (NIST) contains guidelines for media sanitization and storage security, but does not define requirements. It is a product of the US government and commonly referenced by the NSA, other standards and US companies, but many countries will not refer to US security standards.
There are no CDI approved drives yet. In the future, CDI will list providers in the ecosystem that sell second-use and third-use storage devices. However, there are multiple resellers of recertified and used drives that are partners of our members that may be listed.
IEEE P2883: The IEEE Approved Draft Standard for Sanitizing Storage, IEEE P2883/D18, was published in June 2022. This is the latest and most comprehensive industry standard for storage sanitization, encompassing and superseding NIST SP800-88, ISO/IEC 27040 and other standards. IEEE P2883 has a strong focus on circularity. The scope of IEEE P2883 covers all physical and logical locations that currently contain user data, used to contain user data (e.g., deallocated data, data reallocated because of media errors), could contain user data (e.g., overprovisioning, unused capacity, spare pools), or are able to contain data that discloses information about user data (e.g., data that is usable to direct forensic analysis).
Shredding was actually deprecated in the latest sanitization specification due to media density on the latest storage media, like hard disk drives. Small fragments of drives can actually still contain a lot of user data!