Archive for May, 2012

Security Challenges of Solid State Device (SSD) Hard Drives in the Enterprise


In 2011, University of California San Diego (UCSD) researchers released a series of white papers revealing the security flaws found in solid state drives. These white papers discuss how, in the race to get new solid state devices to market, hard drive OEMs haven’t all abided by the security protocols set forth by industry standards groups. Because of these oversights in the development process, many drives do not have built-in safeguards to perform modern data sanitization. More concerning still is the lack of success of traditional data sanitization methodologies on these drives.

The lack of security is disturbing:

Fig. 1: Data sanitization method and amount of data recovered

Sanitization method            Data recovered
-----------------------------  ---------------
Filesystem delete              4.3 – 91.3%
Gutmann                        0.8 – 4.3%
Gutmann “Lite”                 0.02 – 8.7%
US DoD 5220.22-M (1996)        0.01 – 4.1%
RCMP TSSIT OPS-II              0.01 – 9.0%
Schneier 7 Pass                1.7 – 8.0%
German VSITR                   5.3 – 5.7%
MSR-TR-2005-176                5.6 – 6.5%
British HMG IS5 (Enh.)         4.3 – 7.6%
US Air Force 5020              5.8 – 7.3%
US Army AR380-19               6.91 – 7.07%
Russian GOST P50739-95         7.07 – 13.86%
British HMG IS5 (Base.)        6.3 – 58.3%
Pseudorandom Data              6.16 – 75.7%
Mac OS X Sec. Erase Trash      67.0%

Figure from “Reliably Erasing Data From Flash-Based Solid State Drives”

As far back as 2008, LifeSpan has been collaborating with UCSD’s Center of Magnetic Recording and Research (CMRR) and Temple University to test the efficacy and practicality of data sanitization methods. Over the years, we have found that many standards and practices are unique in their process and implementation. The case of SSD hard drives is even more complex. With SSD hard drives, a different procedure is required for effective sanitization and disposal.

These idiosyncrasies arise because solid-state drives (SSDs) are built from flash-based memory chips. The complexity comes from an intermediate level of technology called a “flash translation layer,” which is introduced between the drive controller and the flash memory. Data can be accessed in blocks; however, it is translated into flash “pages”. Each of these “flash translation layer” designs is unique to its manufacturer and date.

In contrast, modern-day magnetic hard drives have an onboard controller that manages access to information stored on the hard drive. Data is stored in blocks and is typically sanitized with block overwrite or SECURE ERASE technology. There are many readily available and reliable software tools for sanitizing or “wiping” magnetic hard drives.

While internally using a fundamentally different technology, SSDs connect through traditional host interfaces including SAS, SATA, SCSI and Fibre Channel. All of these are now common to mobile, desktop, and server-based computing, and SSDs can be installed in your current devices without being readily noticeable. Because of this, it is important that your sanitization process includes a specific step for identifying SSDs.

In the research paper titled “Reliably Erasing Data From Flash-Based Solid State Drives”, scientists from the UCSD Nonvolatile Systems Laboratory (NVSL) identified weaknesses in existing data destruction techniques. In their research, the scientists identified SSDs where SECURE ERASE techniques were employed and data sanitization failed completely. They also found many drives where typical overwrite operations, such as DoD 5220.22-M, were employed and the drives still allowed data to be recovered. As an additional level of complexity, since SSDs are not magnetic, degaussing techniques were always ineffective at data destruction.
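Why a host-issued overwrite can leave data behind once a flash translation layer sits in the path, shown as an added example that is not from the original post or the UCSD paper. It is a deliberately simplified Python model: the `ToyFTL` class, page size and overwrite patterns are assumptions, and real FTL designs differ per manufacturer.

```python
# Toy model for illustration only; real FTL designs differ per manufacturer.
PAGE = 16  # bytes per flash page in this model


class ToyFTL:
    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages  # raw flash pages, None = erased
        self.l2p = {}                         # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        """Host write: program a fresh page and remap; the old page is not erased."""
        if self.next_free == len(self.flash):
            raise RuntimeError("no free pages (garbage collection not modelled)")
        self.flash[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        """Host read: only the currently mapped page is visible."""
        return self.flash[self.l2p[lba]]

    def erase_all(self):
        """Goal of a whole-device erase: every physical page erased, mapped or not."""
        self.flash = [None] * len(self.flash)
        self.l2p.clear()
        self.next_free = 0


def host_overwrite(ftl, lba, patterns=(0x00, 0xFF, 0xAA)):
    """Multi-pass overwrite issued through the host interface."""
    for p in patterns:
        ftl.write(lba, bytes([p]) * PAGE)


def stale_copies(ftl, secret):
    """Chip-level view beneath the FTL: physical pages still holding secret."""
    return [i for i, page in enumerate(ftl.flash) if page == secret]


def demo():
    secret = b"CONSTRUCTED-DATA"  # constructed sample, exactly PAGE bytes
    ftl = ToyFTL(physical_pages=8)
    ftl.write(0, secret)
    host_overwrite(ftl, 0)
    after_overwrite = (ftl.read(0), stale_copies(ftl, secret))
    ftl.erase_all()
    return after_overwrite, stale_copies(ftl, secret)
```

In this model the host reads back only the last overwrite pattern, yet the original page is still present in flash until every physical page is erased.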

Over the last several months, LifeSpan has met with researchers at UCSD’s Non-Volatile Systems Labs (NVSL) to discuss these security issues in order to develop commercially viable solutions for drive sanitization and data destruction. In the future, we would like to see a consistent method for sanitization and disposal, but because of current market conditions, each case needs to be diagnosed individually.

Enterprises and government organizations must assess data breach risks and select the most appropriate process for data sanitization, destruction and disposal for each type of drive. Based on your current distribution of drive manufacturers and types, a plan of action needs to be implemented.

Whether you do it yourselves, have a vendor do it for you on site, or have it done at a vendor’s facility, IT Security and Asset Management need a secure and reliable process specifically for SSDs.

LifeSpan has created an executive briefing that reviews in more detail the technical issues on how data can be recovered as well as destroyed for magnetic and solid state drives, and offers a variety of compliant, data security options to address this new challenge. Click HERE to request more information or call 888-720-0900.

Hold a Successful Employee Recycling Event


Corporate electronics recycling events can help build a sense of community, sustainability, and cultural focus with your employees if done the appropriate way. On the other hand, they can be a drain on resources and dollars if poorly executed. Having participated in a few from both sides of the equation, we have found that successful events boil down to the following:

  •  Preparation
  •  Recycler Partnership
  •  Internal Awareness & Communication
  •  Understanding the $$


Employees Drop off Electronics in the Parking Lot

To start off with, give yourself enough time to plan the event and get the necessary “buy-in” from the corporate stakeholders who will approve the program. Determine possible dates (including rain dates if collection is to be outside), location, traffic flow, departments to be advised, resources needed, etc., and put together a checklist. If the dates can correlate with national awareness days like Earth Day or America Recycles Day, all the better.

Next, engage an electronics recycling partner that has the best practices, third-party audited certifications (R2, RIOS, ISO 14001, NAID, etc.), insurance coverage, and skill sets that meet your corporate standards. Thorough collaboration with your recycling partner in advance will help ensure that company and employee expectations are met. You should be able to communicate to your employees 100% confidence that your selected vendor will handle the material collected in an environmentally responsible way and guarantee the security of data-bearing assets while onsite and the destruction of these assets back at their facility.

The next step is to internally market the event to your employee base several times prior to the established date. If feasible, ask your vendor to come in for a “lunch and learn” presentation to department heads about the event, how it will be run, and the benefits to the community, environment and the individuals. Finally, try to get a gauge on the amount of electronic equipment you might expect and share this with your vendor. Nothing is worse than expecting 2 trailer loads of material and actually getting 4 pallets or, conversely, underestimating the turnout and being ill-prepared to handle the volume.

Make sure you also understand the dollars and cents of the material to be recycled.  The reality is that there is a cost for responsible recycling and compliance with environmental laws.  Work with your vendor to determine the cost centers involved (recycling, labor, materials, transportation) and determine who bears this expense.  Corporations that subsidize the expense of recycling for their employees obtain the greatest internal and external PR benefit and establish a tone of commitment to sustainable best practices and a focus toward the community at large. Have your vendor prepare an environmental impact report that indicates the positive effects of your event and share it with your personnel and local media outlets.  It is worth the effort.

LifeSpan has helped many companies put on successful electronic recycling events.  Let us know if we can help you plan one at your location.