Govern SSD data wipes in IT policies

As hard-disk sanitization typically won't work on solid-state drives, organizations should include SSD-specific policies and be able to verify data erasure is clean, researchers urge.
Written by Vivian Yeo, Contributor

Enterprises that use flash memory storage devices such as solid-state drives (SSDs) need IT policies and checks to ensure data erasure is done in an appropriate manner, say researchers.

Michael Wei, graduate researcher at the University of California, San Diego (UCSD), noted that most organizations outsource data destruction to service providers that claim to comply with standards for sanitizing hard disk drives (HDDs). Such standards, however, are not applicable to SSDs, he said in an e-mail interview with ZDNet Asia.

Wei is part of a team of researchers who earlier this year released a study concluding that none of the current techniques for sanitizing individual files on HDDs is effective on SSDs. In addition, while SSDs come with built-in ATA or SCSI sanitization commands, manufacturers do not always implement them correctly, he added.

Pointing out that most commercial sanitization tools do not take into account SSDs, Wei said one tool the researchers tested, which claimed to be able to erase data on SSDs, "used an overwriting technique that left data" on the device.

According to a paper authored by the researchers, the way data is stored on SSDs, as well as how it is managed and accessed, differs from HDDs. The differences can "potentially lead to a dangerous disconnect" between user expectations and the flash disk's actual behavior, they warned.

"An SSD's owner might apply a hard drive-centric sanitization technique under the misguided belief that it would render the data essentially irrecoverable," they explained. "In truth, data may remain on the drive and require only moderate sophistication to extract."

Enterprises, Wei said, should consult with vendors to make sure the SSDs they are considering support the ATA secure-erase commands before commissioning the drives. The success of these commands should be independently verified, he added.
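One way to run the independent check recommended above is to stamp known fingerprints on the drive before the erase, then read the whole logical address space back and look for survivors. This is an added example, not code from the article or the UCSD study; the marker value, the 512-byte sector size and the function names are assumptions, and the "drive" is a constructed in-memory image.

```python
import io

SECTOR = 512  # logical sector size in bytes (assumption)
MARKER = b"WIPE-CHECK-7f3a"  # constructed fingerprint; use a random one per drive

def plant_markers(dev, size, stride):
    """Before the erase: stamp MARKER at the start of every `stride`-th sector."""
    lbas = list(range(0, size // SECTOR, stride))
    for lba in lbas:
        dev.seek(lba * SECTOR)
        dev.write(MARKER)
    return lbas

def scan_after_erase(dev, chunk_sectors=2048):
    """After the erase: read every logical sector, return surviving marker
    offsets and the count of sectors that are not uniformly 0x00 or 0xFF."""
    dev.seek(0)
    survivors, dirty, offset, tail = [], 0, 0, b""
    while chunk := dev.read(chunk_sectors * SECTOR):
        window = tail + chunk  # tail catches a marker split across two reads
        pos = window.find(MARKER)
        while pos != -1:
            survivors.append(offset - len(tail) + pos)
            pos = window.find(MARKER, pos + 1)
        for i in range(0, len(chunk), SECTOR):
            sector = chunk[i:i + SECTOR]
            if sector.strip(b"\x00") and sector.strip(b"\xff"):
                dirty += 1
        tail = window[-(len(MARKER) - 1):]
        offset += len(chunk)
    return {"bytes_read": offset, "survivors": survivors, "dirty_sectors": dirty}

def demo():
    """Constructed 64-sector image whose 'erase' skips LBAs 16 and 40."""
    size = 64 * SECTOR
    dev = io.BytesIO(b"\xaa" * size)
    plant_markers(dev, size, stride=8)
    for lba in range(64):  # stand-in for a faulty erase implementation
        if lba not in (16, 40):
            dev.seek(lba * SECTOR)
            dev.write(b"\x00" * SECTOR)
    return scan_after_erase(dev, chunk_sectors=4)

if __name__ == "__main__":
    print(demo())
```

A clean result covers only what the drive exposes through its host interface; flash outside the logical address space is not read by this check.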

Ronnie Ng, systems engineering manager at Symantec Singapore, noted that organizations need to be mindful of protecting their data throughout its lifecycle of use, which includes deletion.

"Information today is the crown jewel of all enterprises--the loss of critical business information can affect an organization's competitive advantage [and] reputation, as well as [lead to] legal or regulatory implications," Ng pointed out in an e-mail.

Where data sanitization is concerned, enterprises should have security policies in place to handle replacement of disks--whether HDD or SSD--as part of their datacenter operations and maintenance, he said. Data wiping techniques should be included in these policies to ensure data residing on retired disks cannot be recovered.

To that end, the IT department needs to mandate a sanitization procedure for the handling of storage media, and conduct regular audits to ensure the policies are followed, he noted.

In addition, IT personnel should carefully evaluate vendor-recommended sanitization tools and techniques and put in place a data encryption strategy to further enhance the security of data.

Ng, however, acknowledged: "[Such policies are] often difficult to enforce on-ground and organizations will need to depend on the due diligence of their IT administrators to carry out procedures in accordance to the corporate policies."

He suggested that one way to ensure data security, regardless of data sanitization or hardware replacement, is to encrypt data on the drives while it is in "at rest" state. "This way, it would be virtually impossible to extract the information on the disk if a strong encryption algorithm, such as 256-bit AES encryption, is used," he added.

Improve on standards
UCSD's Wei also noted that standards bodies need to encourage the adoption of secure erasure standards for SSDs, as well as formulate more specific standards.

For instance, the newest version of the ATA standard, or ATA ACS-2, specifies a command for sanitizing flash-based drives but none of the SSDs tested had implemented it, he pointed out. On the other hand, most had employed TRIM, a command that reduces data overhead to make flash-memory write operations more efficient.

Wei explained: "We suspect this is because performance is a first-class concern for consumers, while data security remains a second-class concern. Consumer awareness of data sanitization issues on SSDs will hopefully change this--there is no technical reason for whole-disk data sanitization commands not to be implemented yet."

Single-file commands are not present in the ATA specification, he said, although he noted the existence of a new feature known as "secure purge" under the EMMC (embedded multimedia card) standard. "Implementation of single-file sanitization will require action from consumers, SSD and SSD controller vendors as well as flash memory manufacturers," he said.

For the study, the UCSD researchers tested eight SATA (serial ATA)-based SSDs and 3 USB-key SSDs spanning five brands and several controller manufacturers.

According to Wei, the research team had been in contact with some SSD vendors before the paper was published. "They have been very interested in our results and have had varying opinions on how to fix current issues with drive sanitization," he said.

Western Digital, one of the manufacturers cited by Wei, did not address ZDNet Asia's queries. A Singapore-based spokesperson indicated in an e-mail that the company is planning to issue an official statement at a later date, adding that Western Digital is committed to innovation in the SSD market and toward ensuring its products are secure.

A spokesperson from Intel said the company provides a free utility for customers to securely erase Intel SSDs. For sanitization, both the ATA "Security Erase Unit" and the optional "Enhanced Erase Mode" commands can be executed to erase both the "user data area" and the "SSD reserve data area", she explained.

"Intel's 34nm (X25-V, X25-M) SSDs also randomize information stored in both the User Data Area and the SSD Reserve Area, providing an increased level of data protection which prevents reconstruction of data if the NAND is removed from the SSD," she said.
