Challenges and Solutions for Effective SSD Data Erasure

Transcription

1 Challenges and Solutions for Effective SSD Data Erasure Blancco White Paper Published 8 October 2013 First Edition

2 Table of contents Introduction...3 The Simplicity And Complexity Of Ssds...4 Traditional Erasure Approaches Carry Risks For Ssds...5 External Factors Complicating Ssd Erasure...6 Key Requirements For Secure Ssd Erasure...7 Summary: Professional Tools Bypass Ssd Erasure Barriers...9 References

3 AMOUNT OF SSDs SOLD 239 million =40% of the HDD market Size of the HDD market 83 million 39 million Introduction A versatile and reliable mass storage device, the Solid State Drive (SSD) has transitioned from a boutique product to one of mainstream consumer and enterprise use, functioning as a direct replacement for the traditional Hard Disk Drive (HDD). Driven by the SSD s improved performance, reliability and small size with high density, SSD shipments are predicted to reach around 83 million units in 2013 a more than 100% increase in drives sold during As SSDs grow in popularity, information technology (IT) asset managers and IT asset disposal specialists (ITADs) will face several challenges with securely erasing data from SSDs set for retirement, reassignment or disposal. Unlike its mechanical disk counterpart, the HDD, an SSD employs flash memory that complicates the full removal of data using methods established for HDDs. Also, because the SSD market has grown so rapidly, it has been saturated by a large number of vendors, each with its own array of SSD models that often vary in terms of their operational processes. This lack of standardization further complicates erasure, especially given the speed at which SSDs continue to evolve. For enterprise IT asset managers, as well as thirdparty recyclers and the ITADs that support them, it is important to understand SSD technology, why SSD erasure is challenging, and the importance of choosing an effective erasure product with detailed reporting capabilities. Effective and efficient data erasure software is developed by a vendor who can apply techniques exclusively designed to erase SSDs, as well as achieve third-party verification of erasure software effectiveness and provide access to significant R&D resources to keep pace with emerging technology. This expertise prevents false positives from occurring due to use of an ineffective erasure technology or process, which could result in a costly data breach. 3

4 HARD DISK DRIVE (HDD) SOLID STATE DRIVE (SSD) DATA #2 DATA #2 DATA #4 DATA #2 DATA #2 DATA #4 DATA #4 DATA #4 Data Block Old Hidden Data OS Visible Area The simplicity and complexity of SSDs From a physical standpoint, SSDs are simple in that they do not have moving mechanical parts, unlike electromechanical HDDs, which have spinning disks and movable read/write heads. In comparison SSDs are smaller, quieter, faster and less susceptible to physical shock. SSDs are about half the size of a hard drive, weigh half as much, and use half the power, making them an especially good fit for data centers and other mass storage environments. From another perspective, SSDs start to become more complex. Flash memory, similar to what SSDs use, has been employed for years in USB drives, portable music players, mobile phones, memory cards and more. However, the way data is managed in these simple devices differs in many ways when compared to the processes performed by an SSD and its flash memory controller. The internal memory chips in SSDs called NAND flash are very similar to those found in other devices; the difference is that an SSD applies complex data management schemes to distribute data across the memory. SSDs also contain a much larger pool of overprovisioned (spare) memory capacity that is only accessible by the SSD. These and other processes are necessary to prolong the performance and lifespan of the drive key benefits of SSDs. However, they are hidden from the view of the host computer and, therefore, the user. Such differences separate SSDs from the rest of flash based storage and provide the motivation for a distinct approach to erasing them. 4

5 TRADITIONAL ERASURE METHOD RECOMMENDED SSD ERASURE METHOD CONTROLLER CONTROLLER DATA #4 Erased Area Erased Area Traditional erasure approaches carry risks for SSDs Because of the difference in how flash memory operates in SSDs, their erasure carries additional requirements compared to smartphones, USB drives, and other more simple devices. SSD erasure requirements also differ significantly from those for HDD erasure, which has been effectively performed by software for many years. There are a variety of approaches for erasing data on SSDs, but each carries its own risk factors: Delete/Format commands are not effective as a means of sanitization on an SSD as it is possible that data will remain on the device, which can be recoverable by data recovery/forensic experts. Physical destruction renders a drive inoperable and denies the opportunity for a return on investment or to exhibit sustainable, environmentallyfriendly practices. More importantly, the improper destruction of SSDs may present opportunities for highly skilled adversaries to recover data from flash chip fragments.2 Degaussing is successful for HDDs, but SSDs use integrated circuits to store data, and these circuits are electrically programmed and erased. Therefore, the data stored on the NAND flash of an SSD is unaffected by the application of a magnetic field. Overwriting data on an SSD using standards designed for HDDS such as DoD M or HMG presents potential issues with reliably removing all user data. This is due to the specific properties of an SSD and how it manages data on a device a claim supported by empirical results.3 Firmware-based erasure techniques like ATA s Secure Erase are not universally reliable for SSDs. This is because SSD manufacturers have not adopted a standardized approach to data erasure.4 Cryptographic erasure sanitizes a drive through modification of the key used to encrypt/decrypt data, but the data effectively remains on the device, as it is susceptible to improper implementation of the cryptographic system. Issues may also arise when attempting to verify the erasure. Selective erasure may be required at different stages in an SSD s lifecycle to securely sanitize individual files on a drive. However, SSD controllers tend to write data to new locations, instead of in-place, making it difficult to ensure that all stale copies of the file are also removed. 5

6 External factors complicating SSD erasure In addition to internal technical complexities, there are external factors prompting those who need SSD erasure to choose a provider capable of applying effective data erasure techniques. These factors include manufacturer variations in technology, along with legal and regulatory requirements. Lack of OEM standardization The swift adoption of SSDs has resulted in a large number of SSD original equipment manufacturers (OEMs) looking to engage this emerging market. With so many OEMs pursuing the market at once, there has been a lack of standardization in the elements surrounding SSD technology. Industry-wide acceptance of criteria, including approaches to data erasure, has been something of an afterthought.5 The assortment of SSD models, with their variations in hardware and processes, has added to the complexity of choosing the best approach for handling end-oflifecycle management. It is not possible to assume the behavior of one SSD will match that of the next, which is why an erasure software provider s knowledge and expertise are so critical. Increase in data privacy legislation and standards Data privacy and protection is an ongoing issue and a number of stringent industry-specific standards and regulations exist to protect data. At the same time, new legislation is also being implemented. In 2012, the US introduced the Consumer Privacy Bill of Rights,6 which provides strong privacy protection for consumers, including a requirement for deletion of data. In Europe, changes in data protection have been proposed, including requirements for the deletion of online data, use of auditable procedures, and recommendations for the use of certified data erasure tools.7 Violators can incur fines of up to 2% of global annual turnover. Choosing a data erasure provider with technology that provides detailed reports and a certificate of erasure is critical to complying with regulations and standards throughout the world. While regulations and standards may vary from country to country and industry to industry, one common requirement exists verifiable proof of data erasure. Choosing a data erasure provider with technology that provides detailed reports and a certificate of erasure is critical to complying with regulations and standards throughout the world. 6

7 Key requirements for secure SSD erasure Businesses and organizations depend on the processes presented by professional data erasure companies to provide security for their data. Failure to understand the challenges presented by SSDs will result in the increased potential of a breach. There are some key requirements that professional data erasure software must address to ensure successful erasure of SSDs. Third-party testing and validation When developing an SSD erasure process, it is essential for a software vendor to have an independent third party with data recovery and forensic expertise verify and analyze its data erasure processes. This is the most effective and unbiased way to determine the robustness of the erasure process. Only those data erasure providers with technology that has undergone such stringent and recognized forensic testing can definitively claim to offer a solution effective for erasing SSDs and other emerging technologies. SSD erasure providers should seek any validation schemes available to validate their solution independently. The Asset Disposal and Information Security Alliance (ADISA) has developed a methodology designed to test SSD sanitization software.8 The testing, led by a data security expert, verifies SSD erasure against the requirements of a defined set of forensic standards. When developing an SSD erasure process, it is essential for a software vendor to have an independent third party with data recovery and forensic expertise verify and analyze its data erasure processes. 7

8 To benchmark the erasure process adhering to the most advanced tactics known in the industry, erasure processes should also be tested utilizing the expertise of world class data recovery experts. Data recovery companies with years of experience and tailored recovery tools that have been developed in-house can provide the most accurate processes for judging erasure success. Advanced data erasure software should apply automated methods to remove these freeze locks and ensure that the essential firmware erasure methods are accessed. Pursuit of SSD erasure standardization Erasure software must apply erasure techniques specifically designed to provide the best security possible. Ideally, the software should incorporate an SSD erasure standard requiring erasure processes that have the capacity to counteract SSD specific behaviors, as well as the ability to expose all available security measures on a drive. Published research has already shown that reliance on one specific erasure method is not advisable or universally suitable for SSDs.9 This SSD erasure standard must provide a multilayered erasure approach, be able to detect any drive faults and perform the most stringent possible verification. The processes performed on an SSD must include elements that are designed to mitigate any false positives these drives may communicate when reporting erasure success. Removal of freeze locks A key aspect of successful SSD erasure is gaining access to the device s internal erasure commands. The BIOS of most modern computers blocks access to these commands through the application of a lock on the drive s security feature set (known as a freeze lock). The existence of freeze locks can present a significant challenge to efficient and secure erasure of SSDs, as manual intervention and physical access to the hard drive is often the only way to remove a freeze lock. Because SSDs apply the use of storage areas that are not accessible by software, firmwarebased erasure techniques are critical to a secure sanitization process. However, without access to automated freeze lock removal, this process becomes significantly more difficult. Gaining physical access to the SSD is impractical and inefficient in environments where large volumes of assets are being processed, necessitating more time and effort to undertake operations, particularly in laptops where SSD access is difficult and time consuming. It also presents the opportunity for errors and even damage to the technology through mishandling. Advanced data erasure software should apply automated methods to remove these freeze locks and ensure that the essential firmware erasure methods are accessed. Vendor-OEM cooperation The current lack of standardization surrounding SSDs indicates the need for erasure providers and SSD OEMs to cooperate in building an effective knowledge base regarding SSD functionality. These kinds of partnerships ensure that best erasure practices are adopted so that OEM security functions are accessed and undertaken appropriately. Continued cooperation also means that data erasure providers can act as a third party to validate an OEM s internal erasure processes and ensure they meet the highest security requirements. 8

9 Summary: Professional tools bypass SSD erasure barriers In the future, SSDs will become an even more prevalent storage alternative for both consumers and enterprises, further impacting the dynamics of the data erasure industry. To adhere to robust data security policies and practices, IT asset managers and ITADs need to understand the differences between HDD and SSD data erasure requirements so they can choose an effective erasure tool, especially as SSD technology continues to evolve. When selecting a data erasure tool that can effectively process SSDs, it is essential to look for one developed by a vendor who understands the many caveats involved with SSD technology. Otherwise, a less advanced erasure tool or method may result, presenting the potential for data breach and removing the possibility of lucrative resale opportunities. Professional data erasure software removes the barriers to erasure by bypassing freeze locks, detecting errors in the drive and reporting the inability of the SSD to effectively fulfill erasure operations so that alternative procedures can be used to mitigate risks. The software s comprehensive erasure report also supports compliance with various regulations and standards and supplies hardware details necessary for device remarketing. Ultimately, advanced data erasure software provides the peace of mind that sensitive data will not fall into the wrong hands. 9

10 References 1 Zhang, Fang, IHS isuppli, Hard Disk Drive Market Revenue Set for Double-Digit Decline This Year, February 4, 2013, Decline-This-Year.aspx 2 Swanson, Steven, Destroying Flash Memory-Based Storage Devices, University of California, San Diego, CA, 2011, 3 Grupp L., Spada F., Swanson S., Wei M., Reliably Erasing Data From Flash-based Solid State Drives, Grupp et. al, Belkasort, Why SSD Drives Destroy Court Evidence, and What Can Be Done About It, 6 Obama Administration, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February 2012, 7 European Commission, January 2012, 8 ADISA Product Claims Testing, 9 Grupp et. al, The information contained in this document represents the current view of Blancco Oy Ltd on the issues discussed as of the date of publication. Because of changing market conditions, Blancco cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. Blancco makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Blancco. 10

11 For further information, please visit Blancco - UK Stansted Business Centre Parsonage Road, Takeley Essex CM22 6PU, United Kingdom uksales@blancco.com Tel Fax