Effectively erasing data from storage devices is a critical function of data security management. While the approach for erasing hard drives is widely understood, solid state disks (SSD) require different techniques to achieve sufficient data security. Because Solid State Disk (SSD) storage technology is inherently unique in the way data is stored, assuming that the erasure techniques that work for traditional hard drives will also work for SSDs is problematic.
There are some advances in SSD erasure solutions and their corresponding effectiveness based on recent testing. Utilizing a risk based approach to data security; the appropriate erasure method can be applied to SSD to defeat its corresponding threat.
What are Solid State Disks (SSD)?
A solid-state drive (SSD), sometimes called a solid-state disk or electronic disk, is a data storage device that uses NAND-based flash memory chips to store data.
Unlike traditional hard disk drives (HDDs), which are electromechanical devices containing spinning disks and movable read/write heads, SSDs do not employ any moving mechanical components.
Most advantages of solid-state disks over traditional hard drives come from the characteristic of data being accessed completely electronically instead of electro-mechanically. This makes SSD a very durable and reliable solution.
However, the reality is that SSD do not last forever. Flash memory can only be programmed and erased a finite number of times. The SSD manufacturers can effectively predict how long SSD can last with a lot of accuracy and they have specific functions to extend the longevity of SSDs.
What is the Data Erasure Challenge?
Traditional hard drives store their data in a linear, ordered manner.
Due to the nature of flash memory’s operation, SSD data cannot be directly overwritten as it can in a hard disk drive.
SSDs spend a great amount of effort on rearranging pieces of data and cataloging their new locations. The main reason for this is uniform wear-leveling of the SSD. This puts a big responsibility on the flash memory controller and its firmware to maintain data integrity.
The controller on the SSD manages the flash memory and interfaces with the host system. The controller uses a logical to physical mapping system known as logical block addressing (LBA) and that is part of the controller’s flash translation layer (FTL).
The ﬂash translation layer (FTL) acts as a traffic cop managing the mapping between logical block addresses (LBAs) that are visible to the user via the ATA or SCSI interface and the inaccessible, physical pages of ﬂash memory.
When new data comes in replacing older data already written, the SSD controller will write the new data in a new location and update the logical mapping to point to the new physical location. The old location is no longer holding valid data, but it will eventually need to be erased before it can be written again. As a result, the old version of the data remains in digital form in the ﬂash memory. This leftover data is referred to as digital remnants.
Since in-place overwriting is not possible in SSDs, the overwrite-based erasure techniques that work for hard drives may not work properly for SSDs. Those techniques assume that over writing a portion of the LBA space results in overwriting the same physical media that stored the original data. Overwriting data on an SSD results in logical sanitization where the data is irretrievable via the host interface. But overwriting does not necessary result in complete digital sanitization in all areas of the SSD.
Data Erasure Options
There are three methods to be considered for data protection for SSD:
- Cryptographic Erase
- Secure Erase
- Traditional Overwriting
Although not a method of data removal, cryptographic erase is where the encryption key on the SSD is deleted or destroyed so that the information on the SSD is no longer decipherable. The benefit of this method is that it is a quick action taking only minutes to complete and the data on the SSD, while present on the drive, is undecipherable without the original encryption key. This is an effective means of protecting data. For instance, the Apple iPad erases user settings and information by removing the encryption key that protects the data. This process takes just a few minutes. The disadvantages of cryptographic erase as a method is that not all SSD drives employ hardware encryption, so it cannot be uniformly utilized in all cases. Furthermore, technically, the data is still present on the storage drive. So, although there is wide spread belief the data cannot be deciphered and retrieved after this process, there is conjecture of what future developments in technology would be able to do to encrypted devices.
Secure erase is a built-in command that exists in a SSD drive and a traditional hard drive as firmware that erases all areas of the storage device. This is considered the best method of dealing with SSD data removal because the SSD manufacturer wrote this firmware and is in the best position to address all storage areas of the drive and the drive’s inner workings. The SSD manufacturer has the ability to utilize vendor unique commands unknown to outside parties. If secure erase worked flawlessly in all cases for all drives, then this method would be the solution of choice. Unfortunately, there have been some well-documented studies regarding the implementation of secure erase in drives and the results are that secure erase does not execute consistently in all cases.
Finally, traditional overwriting is a method where multiple passes of blank data are written to the drive over and over. An example of a traditional overwriting method is the US Department of Defense – 3 pass overwrite. This method of data removal will clear the logical data locations that are user viewable through your computer. However, this method will not effectively clear all digital locations in the SSD that reside beneath the firmware or flash transition layer. But, due to the characteristics of the SSD firmware, a multiple overwrite solution will populate this blank data to the digital spaces below the firmware level at the discretion of the SSD firmware code.
Risk Based Approach
There are options for data removal for SSD, but none of the options appear to be perfect. So, what’s the best way to approach the problem?
The correct choice of sanitization level or method for a particular application really depends on the sensitivity of the data that is being erased and the means and expertise of the expected threat. This approach is called a risk based approach.
Each method or combination of data removal methods can be tested for its effectiveness based on a defined threat. In kind, forensic testing can be set up to represent the defined threat capability and to qualify the data removal solution. In the Threat Capability Matrix in Table 1, provided by Asset Disposal and Information Security Alliance (ADISA), there are five (5) levels of risk from low to high where 1 is the lowest level of threat and 5 is the highest.
Once the risk level is defined, then the data removal method needs to hold up against a corresponding test level that mimics the risk or threat.
This risk-based approach allows risk management and security professionals to select data removal solutions that have been qualified (lab tested) against a categorized threat.
Currently, many selections for data removal or sanitization are made very subjectively in a one-size fits all policy. This one-size fits all may drive unnecessary cost or risk into a data sanitization event or companywide policy.
Take the earlier example of Apple’s iPad use of cryptographic erasure. This method of data removal may not be suitable for top secret government risk levels, but cryptographic erase may be very appropriate to apply to Apple consumers and their data.
Mitigating Risk for SSD
When looking at a risk-based approach for solid state storage, consider the following when formulating your data sanitization policy:
- Profile your threat
- Identify the product type that you are displacing
- Understand your tolerance to risk
- Place SSD into a managed and controlled asset disposal stream
- Have prescriptive means of sanitization
Solid State Drives (SSD) and flash storage are unique and complex devices that provide high value to users. As such, SSD will see a rapid and increased adoption in the marketplace. Moving forward, the mind set of data removal from the traditional hard drive is changing in how information is accessed and dealt with on a digital level.
While current government data erase standards do not uniformly agree on how to sanitize SSD, experts can agree on the effectiveness of certain solutions or combination of solutions based on testing methodology.
Ultimately, moving to a risk-based approach will marry the appropriate data removal solution to the corresponding threat level. Solutions that have been tested appropriately and qualified against defined threat levels should be utilized over one-size fits all solutions.
Government and industry standards on how to uniformly deal with SSD are still evolving; however, the ability to securely erase a SSD device is becoming a solvable problem.