Security Challenges of Solid State Device (SSD) Hard Drives in the Enterprise

In 2011, University of California San Diego (UCSD) researchers released a series of white papers revealing the security flaws found in solid state drives. These whitepapers discuss how, in the race for hard drive OEM’s to get new solid state devices to market, OEM’s haven’t all abided by security protocols set forth by industry standards groups. Because of these oversights in the development process, many drives do not have built in safeguards to perform modern data sanitization and still more concerning is the lack of success of traditional data sanitization methodologies on the drives.

The lack of security is disturbing:

Fig. 1 Data Sanitization method and amount of data recovered
Filesystem delete 4.3 – 91.3%
Gutmann 0.8 – 4.3%
Gutmann “Lite” 0.02 – 8.7%
US DoD 5220.22-M (1996) 0.01 – 4.1%
RCMP TSSIT OPS-II 0.01 – 9.0%
Schneier 7 Pass 1.7 – 8.0%
German VSITR 5.3 – 5.7%
MSR-TR-2005-176 5.6 – 6.5%
British HMG IS5 (Enh.) 4.3 – 7.6%
US Air Force 5020 5.8 – 7.3%
US Army AR380-19 6.91 – 7.07%
Russian GOST P50739-95 7.07 – 13.86%
British HMG IS5 (Base.) 6.3 – 58.3%
Pseudorandom Data 6.16 – 75.7%
Mac OS X Sec. Erase Trash 67.0%
Figure From “Reliably Erasing Data From Flash-Based Solid State Drives”

As far back as 2008, LifeSpan has been collaborating with UCSD’s Center of Magnetic Recording and Research (CMRR) and Temple University to test the efficacy and practicality of data sanitization methods. Over the years, we have found that many standards and practices are unique in their process and implementation. The case of SSD hard drives is even more complex. With SSD hard drives, a different procedure is required for effective sanitization and disposal.

These idiosyncrasies are caused because solid-state drives (SSDs) are comprised of flash-based memory chips. The complexity occurs when an intermediate level of technology called a “flash translation layer,” is introduced between the drive controller and the flash memory. Data can be accessed in blocks; however it is translated in flash “pages”. Each of these “flash translation layer” designs is unique to its manufacturer and date.
In contrast, modern day magnetic hard drives have an onboard controller that manages access to information stored on the hard drive. Data is stored in blocks and is typically sanitized with block over-write or SECURE ERASE technology. There are many readily available and reliable software tools available for sanitizing or “wiping” magnetic hard drives.

While internally using a fundamentally different technology, SSDs interface to traditional host interfaces including: SAS, SATA, SCSI and Fiber Channel. All of these are now common to mobile, desktop, and server-based computing and SSD’s can be installed in your current devices without being readily noticeable. With this challenge, a process which has a specific component for identifying SSD’s is important.

In the research paper titled “Reliably Erasing Data From Flash-Based Solid State Drives”, scientists from the UCSD Nonvolatile Systems Laboratory (NVSL) identified weaknesses in existing data destruction techniques. In their research, scientists identified SSDs where SECURE ERASE techniques were employed and data sanitization failed completely. They also found many drives where typical overwrite operations, such as DoD5220-22-M, were employed and the drives still afforded data recovery. As an additional level of complexity, since SSD’s are not magnetic based, degaussing techniques were always ineffective at data destruction.

Over the last several months, LifeSpan has met with researchers at UCSD’s Non-Volatile Systems Labs (NVSL) to discuss these security issues in order to develop commercially viable solutions for drive sanitization and data destruction. In the future, we would like to see a consistent method for sanitization and disposal but because of current market conditions each case needs to be diagnosed individually.
Enterprises and government organizations must assess data breach risks and select the most appropriate process for data sanitization, destruction and disposal for each type of drive. Based on your current distribution of drive manufactures and types, a plan of action needs to be implemented.

Whether you do it yourselves, have a vendor do it for you on site, or have it done at a vendor’s facility, IT Security and Asset Management need a secure and reliable process specifically for SSD’s.

LifeSpan has created an executive briefing that reviews in more detail the technical issues on how data can be recovered as well as destroyed for magnetic and solid state drives, and offers a variety of compliant, data security options to address this new challenge. Click HERE to request more information or call 888-720-0900.

Hold a Sucessful Employee Recycling Event

Corporate electronics recycling events can help build a sense of community, sustainability, and cultural focus with your employees if done the appropriate way.  On the other hand, they can be a drain on resources and dollars if poorly executed.  Having participated in a few from both sides of the equation, successful events boil down to the following:

•  Preparation
•  Recycler Partnership
•  Internal Awareness & Communication
•  Understanding the $$

Employees Drop off Electronics in the Parking Lot

To start off with, give yourself enough time to plan the event and get the necessary “buy-in” from the corporate stakeholders who will approve the program.  Determine possible dates (including rain dates if collection is to be outside), location, traffic flow, departments to be advised, resources needed, etc and put together a checklist.  If the dates can correlate with national awareness days like Earth Day or America Recycles Day, all the better.

Next, engage an electronics recycling partner that has the best practices, third-party audited certifications (R2, RIOS, ISO 14001, NAID, etc), insurance coverage, and skill sets that meet your corporate standards.  Thorough collaboration with your recycling partner in advance will help insure that company and employee expectations are met.  You should be able to communicate to your employees 100% confidence that your selected vendor will handle the material collected in an environmentally responsible way and guarantee the security of data bearing assets while onsite and the destruction of these assets back at their facility.

The next step is to internally market the event to your employee base several times prior to the established date.  If feasible, ask your vendor to come in for a “lunch and learn” presentation to department heads about the event, how it will be run, and the benefits to the community, environment and the individuals.  Finally, try to get a gauge on the amount of electronic equipment you might expect and share this with your vendor.  Nothing is worse than expecting 2 trailer loads of material and actually getting 4 pallets or conversely underestimating the turnout and being ill prepared to handle the volume.

Make sure you also understand the dollars and cents of the material to be recycled.  The reality is that there is a cost for responsible recycling and compliance with environmental laws.  Work with your vendor to determine the cost centers involved (recycling, labor, materials, transportation) and determine who bears this expense.  Corporations that subsidize the expense of recycling for their employees obtain the greatest internal and external PR benefit and establish a tone of commitment to sustainable best practices and a focus toward the community at large. Have your vendor prepare an environmental impact report that indicates the positive effects of your event and share it with your personnel and local media outlets.  It is worth the effort.

LifeSpan has helped many companies put on successful electronic recycling events.  Let us know if we can help you plan one at your location.

LifeSpan supports Colorado E-Waste Law Signed April 20

LifeSpan's Matt Hansen, far right, looks on as Governor Hickenlooper signs the bill.

LifeSpan’s Environmental, Health & Safety Manager Matt Hansen joined other industry leaders in Colorado as Governor John Hickenlooper signed into law a ban on disposing of electronic waste in landfills.  Colorado joins 17 other states with such a ban.  Despite the proliferation of organizations and municipalities that offer free or very low-cost collection of e-waste, hundreds of thousands of pounds still get sent to landfills.   Companies like LifeSpan can ensure that almost 100% of e-waste material is recycled.  So now Coloradan’s have to do it.  Too bad it takes a law to make that happen.

The myth of the 3-pass DoD data destruction policy.

Over the last 17 years we have all heard of DoD 5220.22-M 3-pass.  It has been touted as the standard for data sanitization.  The problem that I see with this is that it is a standard that the technology has outgrown.  The exact verbiage used in the matrix in the original document that has everyone stuck is “Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.” This was designed to verify that non top secret information on “Non-Removable Rigid Disk and Removable Rigid Disk” had been sanitized. By 2012 we have already had multiple revisions of this document and many others yet the 3-pass “rule” still seems to endure. I propose that security sanitization practices are not rules but guidelines to follow based on an organizations risk / threat analysis.

During the creation of the original 5220.22-M it is speculated that the primary basis for data sanitization practices were floppy disks and their data storage characteristics. Policies were written to take into consideration both the longevity of information on this medium as well as the physical process by which it could be verified as sanitized. The electronic data sanitization industry had not yet been created, with some of the largest software data sanitization brands of today not even formed until a few years later. Therefore the process at the time was manual and by that virtue allowed for 3 instance of human verification during the sanitization process.  This allowed for both software and human error to be checked, and in my opinion this was the original basis of standard. That being said even the government took into consideration that with all else being equal there are still certain instances where physical destruction was a better solution based on the risk assessment.

As time progressed and the data destruction industry developed the standards started to respond to industry trends.  An entire industry had been created to automate and control the process that was laid out in a few lines of a government document.  Software had been created to bypass the human interaction with each step of the process and arguably increase the success rate of 3-pass systems (as it was now more time/cost effective to complete) while at the same time removing the human aspect of verification.  By the mid 2000’s manufacturing, testing and analysis of media had come a long way.

In 2006 NIST SP-800-88 stated that “Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.” That same year DoD 5220.22-M removed all verbiage on single vs multiple pass.  The standards were now leaning towards each entity making its own decisions based on its own risk and threat assessment. Essentially the message was “one pass is as good as multiple as long as it is verified complete.  If you are in doubt or have something that is of a sensitive nature physically destroy it.”

Six years after the revisions and more research and data on sanitization, we still hear people ask if we do DoD 3-pass sanitization.  The truth of it is at this point it doesn’t exist.  The DoD has decided that secure information that must remain secure must be destroyed.  NIST has restated in clear terms that a two person rule (read human verification) shall be implemented, but no guidelines as to what method of sanitization (it could be a single wipe with dual human verification, or a single destruction with the same.).

In todays data rich environment companies and individuals should take into consideration there unique risk vs value propositions.  The tools are available to address any level of security issue.  As a company we provide many levels of service from destruction only to sanitize and resell.  Even as the service provider we are taking into consideration what risk we take when we place a program for our clients.  Not only do we help interpret the guidelines but we too have to make the same decisions that our clients do everyday.  Does this process provide enough value to balance the risk?  It seems like an easy question but an entire industry has been created over the last 17 years over what is a low enough risk.  What the industry is focusing on now is an educated opinion when putting together your program, with best practices and policies that can be implemented into your own data risk mitigation practices.

Technology Recycling – Social or Legal Responsibility

Rocky Mountain Chapter HDI members get a tour of LifeSpan's warehouse facility.

The Rocky Mountain Chapter of HDI met at LifeSpan for their February meeting.  It included a tour and a presentation from company President Dag Adamson.  They featured the meeting in their quarterly newsletter, which you can view here.  LifeSpan was delighted to host the group!

US Government IT – Message from the former CIO

Vivek Kundra, former CIO of the United States, was the opening keynote at AFCOM’s Data Center World Conference in Las Vegas on Tuesday (March 20).

He spoke about a lot of things, like when he started the job how many projects were millions of dollars over budget and years behind schedule (sadly, not a surprise from the federal government).  Two other things I found interesting as he spoke about encouraging federal agencies to use The Cloud:

First, that he thinks security is better in most Cloud services, and this is largely because the private sector has been able to attract and retain the best and brightest security technical expertise.  Private sector offers better pay and more interesting work.  He implied that if the government could have these people, there would not be this gap.  I am not convinced that it’s just the quality of the people that has made the government years behind the private sector in information technology security.

Second, and more of a unique perspective, is that the Government has for years outsourced networks and data centers to large third parties.  What’s the difference, he asked, between that and The Cloud?  In both cases the government doesn’t own or directly control the networks and systems.  So why not use third party services that are now called The Cloud, and save money, increase time to “market” and improve innovation?

The one really practical thing I learned was about Data.gov.  Mr. Kundra takes credit for it (no idea if that’s warranted).  All kinds of data, from many departments, is available for anyone to search or analyze.  I didn’t know about it before.  So I looked at the number of Federal Information Technology Management employees.  The last data point is from December 2011:  81,242 people.  (wow!  That doesn’t count contractors!)  Check it out!  www.data.gov

Thailand Floods Impact Now – Hard Drive Shortages

The hard drive manufacturing shortage has created opportunity for some manufacturers that have weathered the floods in Thailand better than others, namely Seagate.

This shortage has affected PC industry shipments, which were down 1.4 percent for the fourth quarter 2011 compared to the previous year. Some analysts don’t attribute this to the Thailand floods and the subsequent hard drive shortage, accrediting the decline to competition from tablets, phones and e-readers.

Other notable impacts:

• The hard drive shortage will have a market impact into the third and fourth quarters of 2012.
• Hard drive prices have increased between 30 and 40 percent but have somewhat stabilized.
• Possible increase in demand for solid state drives.
• Impacting revenue at dependent companies like Intel and Nvidia.
• Speculators have bought up large lots of inventory, leading to early shortages.
• An additional effect is PC prices remaining stable when they would typically have become cheaper and the future possibility of higher pricing for PC and Laptops.

The reuse market for hard drives has also seen an impact from the Thailand floods. This shortage has increased pricing and resale opportunities in the secondary market for recyclers who process loose drives.

• Hard drive prices have increased between 30 and 60 percent depending on the size and manufacturer.  Larger, newer, drives especially have increased in value and demand.
• Speculators have taken positions on some inventory. As the pricing stabilizes this inventory is being sold.
• Enterprises with hard drives slated for disposition (re-marketing – reuse), have pulled back some inventory for internal use.

Organizations that pull hard drives or destroy them but still want to resell the assets likely are seeing even lower offers than usual for these drive-less systems.  The refurbisher needs to replace the drives with what is now a more expensive, or less available, drive.

Now is a good time to retire storage systems, servers, PCs and Laptops to maximize value.  Just be sure to utilize a NAID Certified partner to wipe the hard drives.

LifeSpan Super Bolt Champion

LifeSpan’s Denver plant recently held a competition – the Super Bolt.

Theevent involved the timed de-manufacture of a single PC, including sorting each of the components into the proper bins, one lap around the bins, and then set up of the next PC.  All Denver team members were invited to compete.

Super Bolt Champion!

Winner Chris Oliver, shown with the Golden Drill Trophy, was able to beat his colleagues with his time of 2 minutes-11seconds.

Plant manager Matt Hansen says the next event will be in June, when he expects a new record time to be posted.

World Leasing News Post: Compliant Data Destruction and Proper Disposal of IT Equipment

“Is the risk of improper disposal becoming the key driver in asset disposition in today’s regulated environment?”

Read this recent post on the WLN Blog by LifeSpan’s Jim Noyes.

Raytheon and LifeSpan – Celebrating America Recycles Day

Raytheon and Lifespan celebrated Americas Recycles Day in Denver.  Raytheon sponsored an employee recycling event for their employees and contractors at their Denver campus.

Chris from LifeSpan unloading Raytheon Employee Car

“We were extremely lucky with the weather!  It was a beautiful 60 degree day for the event – last week we had close to six inches of snow on the ground here in the Rockies,” said Kristi Tirone, Sales Associate.

While Raytheon sponsored just the first 50 employees with free recycling, many employees were relieved that could have the convenience of bringing electronics to work to have proper data destruction and electronics recycling.

Started in 1997, America Recycles Day is the only nationally recognized day dedicated to the promotion of recycling in the United States.

“LifeSpan is committed to working with its customers to offer creative data destruction and e-recycling programs to meet the needs of their business and their employees.   Earth Day is in the spring and we hope to continue to support additional events then as well,” said Dag Adamson, President of LifeSpan.

If you are interested in conducting an Earth Day event in the spring please contact LifeSpan at 888 720 0900.  Its never to soon to start planning!