Standards compliance is a very complex topic and though many MSPs want to offer compliance services to their clients, they often don’t know where to begin. The first step is to understand what area(s) of compliance your clients need, after all there is no point in offering a service that none of your clients want. Once you have identified an area, the next step is to figure out which standard(s) are relevant to that area.
This blog will cover one instance of compliance–media sanitization. Read on to learn how it affects you, and your clients. You can also read about the NIST Cybersecurity Framework 2.0 to get a feel for different aspects of compliance.
A compliance service you can begin offering your clients right away
Rather than speak abstractly, I am going to provide a concrete example of a compliance service you can begin offering your clients right away—even if you are already offering it, keep reading, there may be a better way. It can also serve as a blueprint for other areas of compliance that you might venture into. The specific area is called “media sanitization” but can be simply thought of as “endpoint erasure.” In other words, providing your clients with a service whereby endpoints that have reached their end of life or are being recycled, or disposed of, are handled in a manner such that no sensitive data is compromised.
For this service you need look no further than NIST SP-800-88 or “Guidelines for Media Sanitization.” It is the definitive data sanitization standard within the U.S. Federal government and is used by countless private businesses and organizations around the world. If you follow the best practices as outlined in this document, your clients will be confident that you are offering them a valuable and compliant solution.
One of the key definitions in NIST SP 800-88 is the three categories for types of media sanitization: Clear, Purge and Destroy.
Purge and Delete definition on page 9 of the NIST 800-88 document:
- Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
- Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
- Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
Help Your Client Choose the Right Endpoint Sanitization Solution
There are a few key decisions you must help your clients make for each endpoint they want to erase and that will help identify which category (i.e. clear, purge or delete) of solution is most appropriate. Here are a few parameters to consider:
- How sensitive is the data on the endpoint? For example, is it ok if some data is recoverable?
- Is proof of the erasure (i.e. a receipt) required? If so, you will have to provide a certification of erasure/destruction.
- Is it important that the endpoint be reusable?
- Is it ok for the endpoint to leave the client’s possession in order to be sanitized?
Based on the answers to these and other questions you can help guide your client to the best solution which can range from the most basic clear solution, Windows Reset, to the opposite extreme, physical destruction, which is obviously in the destroy category. The middle ground or purge category is occupied by software products that run well known sanitization methods such as single pass of zeros, DoD 5220.22-M and PSID Revert.
One purge solution that MSPs should consider is FirmGuard SecureWipe. We believe SecureWipe is the best choice for endpoint erasure.
Preparing to Offer Data Sanitization Services
To prepare yourself to formally offer data sanitization services to your clients, a good place to start is within your own MSP. Find some endpoints in your organization that need to be erased and test a clear, purge and destroy solution on them. Ideally you want to standardize on one solution for clear, one for purge and one for delete. The clear solution could be a Windows Rest issued from your RMM tool or Microsoft Intune. The purge solution could be SecureWipe and the destroy solution could be picking a reliable local vendor that can physically destroy endpoints on your behalf.
Best of luck as you venture out to offer compliance services to your clients. If you are new to these services, start out slow by offering one service at a time. You could start with data sanitization or some other services. But do get going and soon you may find that compliance is your path to higher value clients.
