The next frontier in data security
Solid-state hard drives, once considered a luxury, are now standard issue on mobile devices and many laptop computers. Unfortunately, conventional data destruction methods don’t work with this new technology. The National Association for Information Destruction outlines its strategy for dealing with this disruptive technology and offers insight into the major issues processors need to consider.
When the National Association for Information Destruction (NAID), the non-profit trade association for the secure data destruction industry, recently announced it was forming a task force to develop standards for the sanitization of information on solid-state memory devices (SSDs), the news was greeted by a number of predictable responses.
Those aware of the scant academic research on the subject of data purging from SSDs suggested the initiative was misguided and unwarranted. The research they cited had indicated data on SSDs could not be effectively sanitized.
Security purists, advocating that the physical destruction of media is the only data disposal method offering certainty, were similarly dubious about the study. From their perspective, if there were even a hint that any data would remain, it was not worth investigating.
On the other hand, there were plenty of responses in support of the research project; many information technology asset-management (ITAM) services and mobile phone refurbishers were in this category. In some cases these service providers had been sanitizing SSDs for a number of years. As far as they were concerned, their internal forensic quality control processes had long validated the efficacy of SSD sanitization. Many felt victimized by the doubt resulting from the aforementioned academic studies and welcomed the potential for vindication.
Those defending SSD sanitization shared two misgivings about the limited research available. First, they argued that the recovery methods used by the researchers were so advanced and heroic that it was unreasonable to expect that anyone would or could go to those lengths on a random device returned to the second-hand market. Further, many expressed a concern that what the researchers were calling recovered data was, in fact, meaningless data. They would argue that an isolated “the” or “you” from among randomly generated characters is not data.
So it is amid this controversy and confusion that NAID will attempt to establish some clarity.
What are SSDs?
An SSD is defined as any transistorized, semiconductor or thin film memory that contains no mechanical parts, which distinguishes it from traditional magnetic disks such as hard disk drives (HDDs) with spinning platters and movable read/write heads. SSDs can retrieve information more quickly than an HDD and are also more compact relative to the amount of data they can store. They can also survive significantly rougher treatment and operate silently.
Today we find SSDs in the form of microchips and circuits. These can be as small as a fingernail or the size of a pack of cigarettes. The larger units are worth tens of thousands of dollars. SSDs are used in everything from automobiles to cameras to washing machines, but generally enter the ITAM space in computers and mobile phones. Mobile phones deploy them as the common SIM card but also as removable memory cards. SSDs used in laptops are usually a bit bigger though still quite small, appearing much like a conventional multi-pin circuit chip.
The architecture of an SSD includes a “controller” that, among other functions, assigns data to memory locations and retrieves it from them. Though technically beyond the scope of this article, the intricacies of this deposition and retrieval architecture are usually credited as the reason SSDs cannot be sanitized.
Of course, the motivation for turning to sanitization as a destruction option for SSDs is economics; they can have significant resale value.
NAID’s current SSD certification
NAID’s interest in SSD sanitization is more than academic. In fact, it is decidedly practical. The association is already certifying companies for it based on internal research it has already conducted.
Four or five years ago, when NAID rolled out its certification for HDD sanitization operations, the program was built on two pillars: one validates the organization’s security and procedural integrity, the other forensically establishes the integrity of the sanitization operations.
For purposes of the latter, NAID considers conventional recovery of data from HDDs as the forensic opposite of sanitization. In other words, if one of the most highly respected data recovery services in the world cannot recover the data, it is taken as evidence of effective HDD sanitization.
When NAID was urged to expand its certification to operations sanitizing SSDs, the first pillar – the integrity of the security and procedures – remained the same. The validation of the sanitization process, however, was not as directly translatable.
The recovery of data from HDDs was a well-established procedure. Competitive forensic labs and software developers may disagree, but within certain bounds, when dealing with the upper echelon of service providers, it is extremely reliable.
On the other hand, detecting remaining meaningful data on allegedly sanitized SSDs was not as clear. In short, NAID had to find its own way. As a result, the association invested in technically advanced equipment and talent to develop its own process for detecting the presence of meaningful data on SSDs.
Now eighteen months into the program, NAID maintains it has established a reliable procedure for detecting remaining data on sanitized SSDs, and based upon this process is awarding (and denying) NAID Certification of SSD Sanitization Operations.
To date, NAID Certification for SSD sanitization has only been awarded to firms where it can verify that all data is completely removed.
Of the projects where the NAID SSD Task Force will commission research, one is to continue to improve the processes developed by NAID. Ultimately, hopefully in the not-too-distant future, those processes will be published publicly so SSD sanitization operations can use them in their internal quality control procedures.
The work of the NAID SSD Task Force
First, as discussed, research claiming that SSDs cannot be reliably sanitized must be reconciled against NAID’s current public stance on the issue. Early speculation on this incongruity boils down to several factors which will be investigated.
One possibility is that the “data” being recovered by the researchers is not meaningful data, but rather indiscriminate and unusable remnants that could not cause harm. The other possibility is that the sanitization utilized by the researchers was limited to the secure erase function built into the SSD itself. The SSD operations currently certified by NAID do not rely on these reportedly unreliable SSD secure erase functions.
Whatever the outcome, confusion on these issues will be minimized by the fact that the NAID SSD Task Force will turn to the scientists who generated the original conclusions when commissioning the research. The task force simply felt it was the best way to have everyone on the same page.
There is another area where both research and conventional practices are seemingly at odds – an area that will be receiving considerable attention by the NAID SSD Task Force – the partial sanitization of SSDs.
Some sanitization operations purposely leave some data on the device. In these cases, the goal is to surgically remove the “user data” while leaving the unit’s operating system intact. Though theoretically possible, the task force seeks to determine just how practical and reliable this is or could be. The question becomes even more complex since some research has indicated that partial SSD sanitization is problematic because the data effectively becomes a moving target within the device.
Again, the NAID Task Force will commission research to determine the accuracy and risks of such surgical data removal.
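To make concrete why the controller architecture (mentioned above in the description of SSDs) turns data into a “moving target” during partial sanitization, here is an added illustration that is not part of the original article and not NAID’s detection procedure. It models a toy flash translation layer in which every host write lands on a fresh physical page, so overwriting a logical block never touches the page that held the earlier version. The page count, the class and function names, and the “SECRET-PAYROLL” sample content are all constructed for the example.

```python
# Added illustration (not NAID's procedure): a toy flash translation layer (FTL)
# showing why overwriting a logical block on an SSD does not overwrite the
# physical page that held the old data. Real controllers are far more complex;
# the page count, names and the "SECRET-PAYROLL" sample are constructed here.


class ToyFlash:
    """Minimal SSD model: the host sees logical blocks, the controller maps
    them onto physical pages and always writes out-of-place."""

    ERASED = None  # an erased page holds no data

    def __init__(self, page_count=16):
        self.pages = [self.ERASED] * page_count  # raw NAND pages
        self.l2p = {}                             # logical block -> physical page
        self.next_free = 0                        # next never-programmed page

    def host_write(self, lba, data):
        """Out-of-place write: program a fresh page and retarget the mapping.
        The page holding the previous version is NOT erased; it is merely
        unreferenced until garbage collection eventually reclaims it."""
        if self.next_free >= len(self.pages):
            raise RuntimeError("no free pages; garbage collection needed")
        page = self.next_free
        self.next_free += 1
        self.pages[page] = data
        self.l2p[lba] = page

    def host_read(self, lba):
        """What the host, and an ordinary disk image, sees through the mapping."""
        return self.pages[self.l2p[lba]] if lba in self.l2p else self.ERASED

    def raw_pages_containing(self, needle):
        """Verification scan of every physical page, ignoring the mapping.
        This is the view a sanitization quality check has to take."""
        return [i for i, d in enumerate(self.pages)
                if d is not None and needle in d]

    def erase_all_blocks(self):
        """Device-wide block erase: every page returns to the erased state."""
        self.pages = [self.ERASED] * len(self.pages)
        self.l2p = {}
        self.next_free = 0


def surgical_overwrite_demo():
    """Zero-fill one 'user data' block while keeping the OS block, then report
    what the host sees versus what is still physically present."""
    ssd = ToyFlash()
    ssd.host_write(0, "OS-KERNEL-IMAGE")     # the part a partial wipe wants to keep
    ssd.host_write(3, "SECRET-PAYROLL")      # the user data to be removed
    ssd.host_write(3, "SECRET-PAYROLL-v2")   # an edit: yet another physical copy

    ssd.host_write(3, "\x00" * 16)           # the "surgical" zero-fill of block 3

    return {
        "host_view": ssd.host_read(3),
        "raw_pages_with_secret": ssd.raw_pages_containing("SECRET"),
        "os_still_present": ssd.host_read(0) == "OS-KERNEL-IMAGE",
    }


def full_erase_demo():
    """The same data after a device-wide block erase: no remnant pages."""
    ssd = ToyFlash()
    ssd.host_write(3, "SECRET-PAYROLL")
    ssd.host_write(3, "\x00" * 16)
    ssd.erase_all_blocks()
    return ssd.raw_pages_containing("SECRET")


if __name__ == "__main__":
    print(surgical_overwrite_demo())
    print(full_erase_demo())
```

Running the first demo shows the host reading back zeros for block 3 while two physical pages still hold the earlier versions of the payroll data, and the OS block is untouched; only the device-wide erase in the second demo leaves no remnant. The model omits garbage collection, over-provisioned spare pages and wear leveling, all of which add further places where stale copies can sit, so it understates rather than overstates the problem. The practical lesson for a quality control procedure is the one the article draws: verification must examine the raw pages, not the host’s logical view.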
This brings us to one of the more difficult, and most important goals of the NAID SSD Task Force: the question of reasonableness.
Wrestling with reasonableness
Compliance with every data protection regulation in the developed world is based on the principle of “reasonableness.” Regulations require organizations to take reasonable steps to fulfill the data protection requirements. To determine what is reasonable, an organization would have to evaluate the practicality and probability that data would be compromised and then balance those factors against the risk or severity of consequences should there be a breach. According to the reasonableness principle, once these factors have been evaluated, the data custodian would make a choice that best fits their needs.
For instance, it may well be determined that some highly advanced data recovery technique could possibly recover data from sanitized SSDs but that it would require incredibly specialized training and equipment. In this case, an organization (or individual) could reasonably maintain that the risk of someone going to such heroic lengths in the hope of recovering some meaningful data is so impractical and improbable that it is not really a reasonable risk.
The point is that the regulations expect and accept that these types of decisions are being made when data is destroyed.
Some suggest that allowing every organization to determine what is reasonably secure for its needs is a weakness. But, in fact, the reasonableness approach actually challenges an organization to put a lot of thought into their particular compliance strategy. In one respect, a reasonableness approach also acknowledges that it would be impossible to design any data destruction scenario where the risk is zero. Even with physical destruction, there is the chance the process can be circumvented, intentionally or negligently, by employees and contractors.
The key ingredient to good “reasonable” decisions is proper information.
Over the years, NAID has built a high degree of credibility among regulators and compliance officials around the world. Ongoing research, such as that of the NAID SSD Task Force and the Secondhand Hard Drive Study currently underway, continues to enhance that reputation.
As a result, the work of the task force will actually help shape what is considered “reasonable.”
To that end, NAID’s work must meet the highest standards of integrity and transparency. As the project assembles sufficient research to begin debate and consensus, the process will be opened to more stakeholders. For instance, as hybrid drives, incorporating both HDD and SSD technology, become more ubiquitous and less distinguishable from conventional drives, OEMs will likely be called on to help. Eventually there will be a period for public comment.
Since 1994, NAID has maintained that the best way to create a healthy marketplace for information destruction services was to create educated customers capable of recognizing the good operator from the charlatan. Certainly, this project will produce some conclusive results and consensus. But more importantly, it will give all processors and their customers the information they require to determine what is best for them.