WHITE PAPER. Data Erasure for Enterprise SSD: Believe It and Achieve It

Transcription

1 WHITE PAPER Data Erasure for Enterprise SSD: Believe It and Achieve It

2 Solid state drives possess traits that make end of life data erasure absolutely necessary. But SSD data erasure also presents unique challenges. Here s how to overcome them. If you re like the majority of organizations, you have solid state drives (SSDs) in your desktops, laptops, servers and data center. Half of data centers had deployed SSDs by 2014, and the remaining half planned to consider them by 2015, according to IDC. In fact, global spending on enterprise SSD will more than double from about $5 billion in 2015 to nearly $11 billion in $11 billion Global spending on SSDs will more than double to nearly $11 billion in 2018 Data Erasure Drivers The need for data erasure, especially at equipment end of life, has been well-established. There are several key drivers of this imperative. First, organizations are managing more data, with global volume predicted to mushroom from 4.4 zettabytes (ZB) in 2013 to 44 ZB in Meanwhile, data thieves are becoming more sophisticated, with more cyber attacks backed by organized crime groups and sovereign governments. In fact, organizations suffered 79,790 documented data security incidents and 2,122 confirmed data breaches in And the financial burden of stolen data is rising, with the average cost of a data breach reaching $3.8 million in 2014, or about $150 per record, up 23 percent from $3.8 million Average cost of a data breach Source: IDC Like all data storage devices, SSDs need to be fully erased at key transition points in their life cycle, especially at end of life. To neglect erasing enterprise SSDs is to risk exposing sensitive corporate data, such as employee records, customer information, and intellectual property, when the devices are repurposed, resold or discarded. But SSD data erasure presents unique challenges and risks. To protect your data and your business, you need to understand the requirements of SSD data erasure and invest in an enterprise-class data erasure solution specifically designed for SSD. Source: IDC 44,000 EB Projected global data volume in 2020 Source: Ponemon In the face of data breaches, governments are ratcheting up regulations. At least 75 countries have data protection laws, as do most U.S. states from California to Massachusetts and from Alaska to Florida. Companies must now comply with both general and industry-specific regulations and guidelines, from the Sarbanes-Oxley information security standards, to the Health Insurance Portability and Accountability Act (HIPAA), to the Payment Card Industry Data Security Standard (PCI DSS). More regulations are on the way. The Obama Administration s Consumer Privacy Bill of Rights, proposed in 2015, would require industries to create privacy boards overseen by the U.S. Federal Trade Commission (FTC). Also in 2015, the European Union (EU) expects to complete an overhaul of its 1995 Data Protection Directive. The new regulation would strengthen citizen rights such as the so-called right to be forgotten, or erased from data records. 1 Building Data Centers for Today s Data-Driven Economy: The Role of Flash, IDC, July The Digital Universe of Opportunities, IDC, April Data Breach Investigations Report, Verizon, May Cost of Data Breach Study, Ponemon, May

3 Flash Requirements Whether you maintain enterprise data on SSDs or on traditional hard disk drives (HDDs), you need to employ data erasure at key transition points in the data and equipment life cycle, such as when the device which contains the SSD or HDD is repurposed or when it reaches end-of-life and leaves the organization. But data erasure for SSDs presents unique challenges. SSDs are simpler than HDDs in that they don t have moving mechanical parts. They re also smaller, lighter and less power intensive. But from a data erasure perspective, SSDs are more complicated. SSDs apply complex data management schemes to distribute data across their internal memory chips. They also contain a much larger pool of spare, or overprovisioned, memory capacity accessible only by the SSD. (See Figure 1.) These techniques prolong the performance and life of the drive. But they mean that certain data on the drive remains hidden from the host. HARD DISK DRIVE (HDD) SOLID STATE DRIVE (SSD) Now You See It, Now You Don t When do you need data erasure? There are six key situations where data erasure is necessary for enterprise SSD: At Equipment End-of-Life: When a server, storage device or other piece of IT infrastructure is retired, it s either resold or discarded. In either case, any data it contains must be erased so that it doesn t fall into the wrong hands. During Data Migration: Whenever data is moved from one location to another whether from a retired server to a new server or from one virtual machine to another the original data location must be erased. At Data End-of-Life: Many organizations manage virtual machines that are used by a line of business for a particular project that covers a specific period of time. When the project is complete, the data should be not just deleted, but completely erased. DATA #1 DATA #1 Employee Departure: Whenever an employee s DATA #3 DATA #4 contract is terminated or for whatever reason, all devices and drives - whether company-owned or DATA #4 BYOD - must be properly and completely erased. Data Block Old Hidden Data OS Visible Area Figure 1: SSDs apply complex data-management schemes and contain a large pool of spare memory capacity accessible only by the device. What s more, the rapid growth of the SSD market has meant that much of the technology has come to market before the standards have been defined to properly secure the data on them. While HDDs have been standardized by a handful of manufacturers over time, the SSD ecosystem has been proliferated by many different companies, flooding the market with a lot of models that vary in terms of quality and the technology used. While SSD standards are now emerging from the National Institute of Standards (NIST) and other governing bodies, erasure of data on SSDs that are just a few years old may involve various interfaces and command protocols. 3 When a Customer Demands It: In jurisdictions such as the EU, right to be forgotten rules dictate that if consumers ask you to remove their data from your servers, you must comply. It s not enough to simply delete the record; instead, it must be completely expunged. After Disaster Recovery: During a disaster, data is typically recovered at an offsite location. The same is true during disaster recovery exercises. In either case, once production systems are restored, any data left on recovery disks should be erased.

4 Tentative Techniques There are a variety of potential approaches to erasing data on SSDs, but each carries its own risks: Delete and Format Commands: These commands aren t an effective means of sanitizing SSDs. Delete and Format commands can leave data on the device, and that data can potentially be recovered. Degaussing: Degaussing applies magnetic fields to erase HDDs. But SSDs use integrated circuits to store data and these circuits are electrically programmed. Data stored on the NAND flash of an SSD is unaffected by degaussing. Physical Destruction: Destroying an SSD renders it inoperable. But a sophisticated data thief might still be able to recover data from it. 5 And destroying the device obviously lowers return on investment in a device that might otherwise be recycled or resold. Firmware: Firmware-based erasure techniques, such as ATA s Secure Erase, aren t universally reliable for SSDs, because SSD makers haven t adopted a standardized approach to data erasure. 6 Cryptographic Erasure: This approach modifies the key used to encrypt and decrypt data to sanitize the drive. But the data remains on the device. Improper implementation of the cryptographic system can leave the data vulnerable and it may be difficult to verify the sanitization. Live Environment Erasure: Erasure in a live environment may be required at various points in an SSD s life cycle; for example, to remove individual files. Live environment erasure is effective while the device remains in the desktop, laptop, server or data center. But once the device is removed, a sophisticated data thief might still be able to recover the data. So, live environment erasure is secure only till the end of life of the SSD. Traditional Overwriting: As mentioned before, SSDs apply complex data management schemes to distribute data across their internal memory chips. 6 Overwriting techniques designed for HDDs, such as the NIST SP800-88r1 or British HMG Information Assurance (IA) Standard 5, do not reliably remove data from solid state drives. Wear leveling is one reason for this in which data is spread out evenly over different sectors of the SSD to avoid heavy use of specific sectors. For example, if a PDF file should be overwritten, the SSD might decide to overwrite a different sector which does not contain the PDF simply to spare it from overuse. SSDs require specialized data erasure methods that verifiably remove all user data. (See Figure 2.) What You Need for SSD SSD data erasure calls for an enterprise-class data erasure solution specifically designed for solid state storage devices, backed by a solution provider committed to optimizing data erasure for SSDs. Look for these features and characteristics: Reporting: Your SSD data erasure solution should issue an auditable erasure report proving that data was thoroughly removed. The report should provide specific and customizable details such as the serial number of the device, when the device was erased, who performed the erasure and what data was removed. The report should also be digitally signed and stored, and include a change log to ensure its validity. TRADITIONAL ERASURE METHOD CONTROLLER CONTROLLER RECOMMENDED SSD ERASURE METHOD Figure 2: SSDs require specialized data erasure methods that verifiably remove all user data. Erased Area Erased Area 5 Destroying Flash Memory-Based Storage Devices, Steven Swanson, University of California, San Diego, Reliably Erasing Data From Flash-Based Solid State Drives, Michael Wei, et al., University of California, San Diego,

5 Third Party Validation: The solution provider should have its SSD erasure process tested and validated by an independent third party. For example, the Asset Disposal & Information Security Alliance (ADISA) has developed a methodology for testing SSD sanitization software. Only a vendor whose product has undergone recognized forensic testing can definitively claim to offer a solution effective at erasing SSDs. Removal of Freeze Locks: A key aspect of successful SSD erasure is gaining access to the device s internal erasure commands. The BIOS of most modern computers blocks access to these commands with a freeze lock on the drive s security feature set. Unless the freeze lock is removed, it s extremely difficult to conduct the necessary firmware-based erasure that scrubs SSD storage areas not accessible by software. An effective SSD data erasure solution applies automated techniques to remove freeze locks and ensure all data is erased. OEM Cooperation: Because there has been a lack of standards for solid state devices, providers of SSD erasure solutions should collaborate with SSD makers to share knowledge on solid state functionality. This cooperation ensures best practices in SSD security and data erasure. It also means solution providers can validate an OEM s internal erasure processes to ensure they meet the strictest security requirements. Pursuit of Standards: The SSD market requires an erasure standard that specifies erasure techniques designed to meet SSD-specific requirements. Research shows that a single erasure method isn t advisable for SSDs. The standard should specify a multilayered erasure approach that reflects the realities of SSD technology. It should also require the ability to detect any drive faults and perform the most stringent erasure verification. And it should cover processes designed to mitigate erasure false positives to ensure that data is effectively erased from SSDs. As SSDs play an even more prominent role in data centers, traditional servers, laptops and desktops, to name a few, you need to understand the unique data erasure requirements involved. You also need to invest in a data erasure solution specifically designed for SSDs. Doing so can tangibly improve your security profile, ensure compliance with escalating regulations, optimize your return on investment in SSDs, and mitigate the risk of data exposure. Ultimately, effective SSD data erasure will help protect your brand and ensure that IT is supporting your business goals. 5