Archive for the ‘Best Practices’ Category

Security Challenges of Solid State Device (SSD) Hard Drives in the Enterprise


In 2011, University of California San Diego (UCSD) researchers released a series of white papers revealing security flaws in solid state drives. These white papers discuss how, in the race to get new solid state devices to market, hard drive OEMs haven’t all abided by the security protocols set forth by industry standards groups. Because of these oversights in the development process, many drives do not have built-in safeguards to perform modern data sanitization; more concerning still is the lack of success of traditional data sanitization methodologies on these drives.

The lack of security is disturbing:

Fig. 1: Data sanitization method and amount of data recovered

Sanitization method             Data recovered
Filesystem delete               4.3 – 91.3%
Gutmann                         0.8 – 4.3%
Gutmann “Lite”                  0.02 – 8.7%
US DoD 5220.22-M (1996)         0.01 – 4.1%
RCMP TSSIT OPS-II               0.01 – 9.0%
Schneier 7 Pass                 1.7 – 8.0%
German VSITR                    5.3 – 5.7%
MSR-TR-2005-176                 5.6 – 6.5%
British HMG IS5 (Enh.)          4.3 – 7.6%
US Air Force 5020               5.8 – 7.3%
US Army AR380-19                6.91 – 7.07%
Russian GOST P50739-95          7.07 – 13.86%
British HMG IS5 (Base.)         6.3 – 58.3%
Pseudorandom Data               6.16 – 75.7%
Mac OS X Sec. Erase Trash       67.0%

Figure from “Reliably Erasing Data From Flash-Based Solid State Drives”

As far back as 2008, LifeSpan has been collaborating with UCSD’s Center of Magnetic Recording and Research (CMRR) and Temple University to test the efficacy and practicality of data sanitization methods. Over the years, we have found that many standards and practices are unique in their process and implementation. The case of SSD hard drives is even more complex. With SSD hard drives, a different procedure is required for effective sanitization and disposal.

These idiosyncrasies arise because solid-state drives (SSDs) are composed of flash-based memory chips. The complexity comes from an intermediate layer of technology called a “flash translation layer,” which sits between the drive controller and the flash memory. Data can be accessed in blocks; however, it is translated to flash “pages”. Each of these “flash translation layer” designs is unique to its manufacturer and date.

In contrast, modern magnetic hard drives have an onboard controller that manages access to information stored on the hard drive. Data is stored in blocks and is typically sanitized with block overwrite or SECURE ERASE technology. There are many readily available and reliable software tools for sanitizing or “wiping” magnetic hard drives.

While internally using a fundamentally different technology, SSDs connect through traditional host interfaces including SAS, SATA, SCSI and Fibre Channel. All of these are now common to mobile, desktop, and server-based computing, and SSDs can be installed in your current devices without being readily noticeable. Because of this, it is important that your process includes a specific step for identifying SSDs.
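One way to build that identification step on Linux hosts, as an added example that is not part of the original post: the kernel exposes a `queue/rotational` flag per block device under `/sys/block` (0 means non-rotational media). The function names and the constructed sample tree below are assumptions made for illustration.

```python
import os
import tempfile

# Virtual devices that never correspond to a physical drive.
VIRTUAL_PREFIXES = ("loop", "ram", "zram", "dm-", "md", "sr")

def read_attr(path):
    """Return a sysfs attribute as stripped text, or None if it is absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None

def classify_block_devices(sysfs_root="/sys/block"):
    """Map each block device to its media kind using queue/rotational."""
    kinds = {"0": "ssd", "1": "rotational"}
    inventory = {}
    for dev in sorted(os.listdir(sysfs_root)):
        if dev.startswith(VIRTUAL_PREFIXES):
            continue
        base = os.path.join(sysfs_root, dev)
        flag = read_attr(os.path.join(base, "queue", "rotational"))
        inventory[dev] = {
            "kind": kinds.get(flag, "unknown"),
            "model": read_attr(os.path.join(base, "device", "model")) or "unknown",
        }
    return inventory

def devices_needing_ssd_process(inventory):
    """Anything not positively identified as rotational gets the SSD process."""
    return [d for d, info in inventory.items() if info["kind"] != "rotational"]

def build_sample_sysfs():
    """Constructed sysfs-like tree so the example runs without real hardware."""
    root = tempfile.mkdtemp()
    sample = {"sda": ("1", "CONSTRUCTED HDD"), "nvme0n1": ("0", "CONSTRUCTED NVME"),
              "sdb": (None, "CONSTRUCTED USB BRIDGE"), "loop0": ("0", None)}
    for dev, (flag, model) in sample.items():
        os.makedirs(os.path.join(root, dev, "queue"))
        os.makedirs(os.path.join(root, dev, "device"))
        if flag is not None:
            with open(os.path.join(root, dev, "queue", "rotational"), "w") as f:
                f.write(flag + "\n")
        if model is not None:
            with open(os.path.join(root, dev, "device", "model"), "w") as f:
                f.write(model + "\n")
    return root

if __name__ == "__main__":
    inv = classify_block_devices(build_sample_sysfs())
    for dev, info in inv.items():
        print(dev, info["kind"], info["model"])
    print("SSD process:", devices_needing_ssd_process(inv))
```

The flag reflects what the kernel was told, so drives behind some RAID controllers or USB bridges can be misreported; treating "unknown" as SSD keeps those on the stricter path until the model is checked by hand.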

In the research paper titled “Reliably Erasing Data From Flash-Based Solid State Drives”, scientists from the UCSD Nonvolatile Systems Laboratory (NVSL) identified weaknesses in existing data destruction techniques. In their research, scientists identified SSDs where SECURE ERASE techniques were employed and data sanitization failed completely. They also found many drives where typical overwrite operations, such as DoD 5220.22-M, were employed and the drives still afforded data recovery. As an additional level of complexity, since SSDs are not magnetic based, degaussing techniques were always ineffective at data destruction.

Over the last several months, LifeSpan has met with researchers at UCSD’s Non-Volatile Systems Labs (NVSL) to discuss these security issues in order to develop commercially viable solutions for drive sanitization and data destruction. In the future, we would like to see a consistent method for sanitization and disposal, but because of current market conditions each case needs to be diagnosed individually.

Enterprises and government organizations must assess data breach risks and select the most appropriate process for data sanitization, destruction and disposal for each type of drive. Based on your current distribution of drive manufacturers and types, a plan of action needs to be implemented.

Whether you do it yourselves, have a vendor do it for you on site, or have it done at a vendor’s facility, IT Security and Asset Management need a secure and reliable process specifically for SSDs.

LifeSpan has created an executive briefing that reviews in more detail the technical issues on how data can be recovered as well as destroyed for magnetic and solid state drives, and offers a variety of compliant, data security options to address this new challenge. Click HERE to request more information or call 888-720-0900.

Hold a Successful Employee Recycling Event


Corporate electronics recycling events can help build a sense of community, sustainability, and cultural focus with your employees if done the appropriate way.  On the other hand, they can be a drain on resources and dollars if poorly executed.  Having participated in a few from both sides of the equation, successful events boil down to the following:

  •  Preparation
  •  Recycler Partnership
  •  Internal Awareness & Communication
  •  Understanding the $$


Employees Drop off Electronics in the Parking Lot

To start off with, give yourself enough time to plan the event and get the necessary “buy-in” from the corporate stakeholders who will approve the program.  Determine possible dates (including rain dates if collection is to be outside), location, traffic flow, departments to be advised, resources needed, etc., and put together a checklist.  If the dates can correlate with national awareness days like Earth Day or America Recycles Day, all the better.

Next, engage an electronics recycling partner that has the best practices, third-party audited certifications (R2, RIOS, ISO 14001, NAID, etc.), insurance coverage, and skill sets that meet your corporate standards.  Thorough collaboration with your recycling partner in advance will help ensure that company and employee expectations are met.  You should be able to communicate to your employees 100% confidence that your selected vendor will handle the material collected in an environmentally responsible way and guarantee the security of data-bearing assets while onsite and the destruction of these assets back at their facility.

The next step is to internally market the event to your employee base several times prior to the established date.  If feasible, ask your vendor to come in for a “lunch and learn” presentation to department heads about the event, how it will be run, and the benefits to the community, environment and the individuals.  Finally, try to get a gauge on the amount of electronic equipment you might expect and share this with your vendor.  Nothing is worse than expecting 2 trailer loads of material and actually getting 4 pallets or conversely underestimating the turnout and being ill prepared to handle the volume.

Make sure you also understand the dollars and cents of the material to be recycled.  The reality is that there is a cost for responsible recycling and compliance with environmental laws.  Work with your vendor to determine the cost centers involved (recycling, labor, materials, transportation) and determine who bears this expense.  Corporations that subsidize the expense of recycling for their employees obtain the greatest internal and external PR benefit and establish a tone of commitment to sustainable best practices and a focus toward the community at large. Have your vendor prepare an environmental impact report that indicates the positive effects of your event and share it with your personnel and local media outlets.  It is worth the effort.

LifeSpan has helped many companies put on successful electronic recycling events.  Let us know if we can help you plan one at your location.

The myth of the 3-pass DoD data destruction policy.


Over the last 17 years we have all heard of DoD 5220.22-M 3-pass.  It has been touted as the standard for data sanitization.  The problem that I see with this is that it is a standard that the technology has outgrown.  The exact verbiage used in the matrix in the original document that has everyone stuck is “Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.” This was designed to verify that non-top-secret information on “Non-Removable Rigid Disk and Removable Rigid Disk” had been sanitized. By 2012 we have already had multiple revisions of this document and many others, yet the 3-pass “rule” still seems to endure. I propose that security sanitization practices are not rules but guidelines to follow based on an organization’s risk / threat analysis.

During the creation of the original 5220.22-M, it is speculated that the primary basis for data sanitization practices was floppy disks and their data storage characteristics. Policies were written to take into consideration both the longevity of information on this medium and the physical process by which it could be verified as sanitized. The electronic data sanitization industry had not yet been created, with some of the largest software data sanitization brands of today not even formed until a few years later. Therefore the process at the time was manual and by that virtue allowed for 3 instances of human verification during the sanitization process.  This allowed for both software and human error to be checked, and in my opinion this was the original basis of the standard. That being said, even the government took into consideration that, with all else being equal, there are still certain instances where physical destruction was a better solution based on the risk assessment.

As time progressed and the data destruction industry developed, the standards started to respond to industry trends.  An entire industry had been created to automate and control the process that was laid out in a few lines of a government document.  Software had been created to bypass the human interaction with each step of the process and arguably increase the success rate of 3-pass systems (as it was now more time/cost effective to complete) while at the same time removing the human aspect of verification.  By the mid-2000s, manufacturing, testing and analysis of media had come a long way.

In 2006 NIST SP-800-88 stated that “Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.” That same year DoD 5220.22-M removed all verbiage on single vs multiple pass.  The standards were now leaning towards each entity making its own decisions based on its own risk and threat assessment. Essentially the message was “one pass is as good as multiple as long as it is verified complete.  If you are in doubt or have something that is of a sensitive nature physically destroy it.”
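The “one pass, verified complete” idea above, as an added example that is not part of the original post: a single overwrite pass followed by a full read-back that reports the first location the pass missed. The function names and the constructed image file standing in for a drive are assumptions.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # process 1 MiB at a time

def build_sample_image(size=3 * CHUNK + 512):
    """Constructed stand-in for a drive: a temp file filled with sample text."""
    record = b"CONSTRUCTED-SAMPLE-RECORD "
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    return path

def overwrite_once(path, fill=b"\x00"):
    """Single pass: write `fill` over every addressable byte, then flush."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # works for files and block devices
        f.seek(0)
        for start in range(0, size, CHUNK):
            f.write(fill * min(CHUNK, size - start))
        f.flush()
        os.fsync(f.fileno())
    return size

def verify_overwrite(path, fill=b"\x00"):
    """Read back every byte; report the first offset that is not `fill`."""
    if len(fill) != 1:
        raise ValueError("fill must be a single byte")
    checked = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            clean = len(chunk) - len(chunk.lstrip(fill))  # leading fill bytes
            if clean != len(chunk):
                return {"verified": False, "first_mismatch": checked + clean}
            checked += len(chunk)
    return {"verified": True, "bytes_checked": checked, "first_mismatch": None}

if __name__ == "__main__":
    image = build_sample_image()
    print("before :", verify_overwrite(image))
    print("wiped  :", overwrite_once(image), "bytes")
    print("after  :", verify_overwrite(image))
    with open(image, "r+b") as f:   # simulate one location the pass missed
        f.seek(CHUNK + 10)
        f.write(b"X")
    print("missed :", verify_overwrite(image))
    os.remove(image)
```

The read-back only sees addressable locations through the drive's host interface, which matches the magnetic ATA drives the NIST passage describes; on an SSD a passing result says nothing about flash pages the translation layer has remapped.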

Six years after the revisions, and with more research and data on sanitization, we still hear people ask if we do DoD 3-pass sanitization.  The truth of it is that, at this point, it doesn’t exist.  The DoD has decided that secure information that must remain secure must be destroyed.  NIST has restated in clear terms that a two-person rule (read: human verification) shall be implemented, but gives no guidelines as to what method of sanitization (it could be a single wipe with dual human verification, or a single destruction with the same).

In today’s data-rich environment, companies and individuals should take into consideration their unique risk vs. value propositions.  The tools are available to address any level of security issue.  As a company we provide many levels of service, from destruction only to sanitize and resell.  Even as the service provider, we are taking into consideration what risk we take when we place a program for our clients.  Not only do we help interpret the guidelines, but we too have to make the same decisions that our clients do every day.  Does this process provide enough value to balance the risk?  It seems like an easy question, but an entire industry has been created over the last 17 years over what is a low enough risk.  What the industry is focusing on now is an educated opinion when putting together your program, with best practices and policies that can be implemented into your own data risk mitigation practices.

World Leasing News Post: Compliant Data Destruction and Proper Disposal of IT Equipment


“Is the risk of improper disposal becoming the key driver in asset disposition in today’s regulated environment?”

Read this recent post on the WLN Blog by LifeSpan’s Jim Noyes.

Raytheon and LifeSpan – Celebrating America Recycles Day


Raytheon and LifeSpan celebrated America Recycles Day in Denver.  Raytheon sponsored an employee recycling event for their employees and contractors at their Denver campus.

Chris from LifeSpan unloading Raytheon Employee Car

“We were extremely lucky with the weather!  It was a beautiful 60 degree day for the event – last week we had close to six inches of snow on the ground here in the Rockies,” said Kristi Tirone, Sales Associate.

While Raytheon sponsored just the first 50 employees with free recycling, many employees were relieved that they could have the convenience of bringing electronics to work to have proper data destruction and electronics recycling.

Started in 1997, America Recycles Day is the only nationally recognized day dedicated to the promotion of recycling in the United States.

“LifeSpan is committed to working with its customers to offer creative data destruction and e-recycling programs to meet the needs of their business and their employees.   Earth Day is in the spring and we hope to continue to support additional events then as well,” said Dag Adamson, President of LifeSpan.

If you are interested in conducting an Earth Day event in the spring please contact LifeSpan at 888 720 0900.  It’s never too soon to start planning!

Third Party Certifications: Best Practices in Electronics Recycling


Many companies have become increasingly concerned with sustainability and environmental stewardship as the “green” movement has swept over corporate America. At the same time, both Federal and State governments have passed comprehensive legislation to both protect the environment and ensure data privacy. The increasing volume of end-of-life electronics, coupled with the proliferation of product “take-back” programs, has boosted market demand for IT asset disposal services. In response, the number of electronics recyclers has increased dramatically.

However stringent the restrictions, the evening news is still full of horror stories of broken equipment winding up in overseas landfills and sensitive data inadvertently released to the public by careless or unscrupulous recyclers. How then can a consumer achieve peace of mind knowing that a company’s end-of-life electronics are being disposed of in a secure and environmentally responsible manner?

One answer to this problem is insisting on having the electronics recycling vendor be certified by an accredited third party. While these certification programs have variations, they all share the following characteristics:

  1. The ability to provide an all-encompassing “seal of approval”
  2. An emphasis on Total Quality Management (“TQM”) and/or ISO9001
  3. The presence of an Environmental Management System and/or ISO 14001
  4. Compliance with Health, Safety, and Security standards
  5. Periodic audits by an independent third-party

Firms seeking RIOS certification must undergo a formal, objective examination by an accredited third-party auditor. Participating companies are evaluated on a variety of criteria related to environmental management systems, quality programs, business performance and financial stability, employee health and safety programs, security systems, and overall operations management. The audits are performed by SGS, a company involved in registration to international quality and environmental standards. SGS employs more than 59,000 employees and operates over 1,000 offices and laboratories worldwide.

Another certification specifically focused on electronics recycling best practices and facilitated by the EPA, is R2 – “Responsible Recycling”. Initially started in 2006, R2 has an unmatched open and multi-stakeholder development process. Representatives from the manufacturing sector (Dell/HP), electronics recyclers, asset recovery/ITAD firms, state and federal government agencies, and trade associations (including the Consumer Electronics Association, and International Association of Electronics Recyclers) were all involved in developing the next generation electronics recycling standard.

The R2 standard emphasizes reuse before recycle, prohibition of illegal exports, domestic, implementation of an environmental management system, and the identification and proper management of “focus materials” that pose a potential threat to the environment. R2 is a fully vetted and accredited standard that is audited by registrars that perform ISO auditing services, such as SGS and Perry Johnson Registrars.

A final standard worth noting is the AAA Certification that is managed by the National Association for Information Destruction (“NAID”). This standard was developed by NAID specifically for companies that provide computer hard drive destruction and sanitization services. The program’s auditors verify the physical security of sanitization facilities, chain of custody, and audit trail. In addition, a separate independent forensic testing lab verifies the effectiveness of the quality control and overwriting process. To date NAID has certified more than 360 member locations that provide physical destruction of media, but has only recently developed a separate certification program for companies who sanitize computer hard drives.

Dag Adamson, President