Can data stored on an SSD be secured?
Study finds the task to be very difficult; overwriting or crypto-erasure seem the best methods for sanitizing SSDs
Computerworld - Until a university study emerged last week, few experts suspected that it's more difficult to erase data stored on solid-state drives (SSD) than that on hard disk drives (HDDs).
Industry experts were taken aback by the study, but noted that there are SSDs with native encryption capabilities that can prevent data from being seen even after a drive's end of life, and that some SSD sanitization methods are more successful than others.
"I don't think anyone ever knew about this," said security technologist Bruce Schneier.
The study, conducted by researchers at the University of California at San Diego (UCSD), showed that sanitizing SSDs of data is at best a difficult task and at worst nearly impossible. While overwriting data several times can ensure data erasure on many SSDs, the researchers found they were still able to recover data on some products.
One surefire method for protecting your SSD data is cryptographic erasure, said Kent Smith, senior director of product marketing at SSD controller manufacturer SandForce.
Crypto-erasure involves first encrypting an SSD so that only users holding passwords can access its data. When the SSD is at end of life, the user can delete the encryption keys on the drive, eliminating the possibility of decrypting or accessing the data.
"Unless you can break the 128-bit AES encryption algorithm, there's just no way to get to the data. The drive is now still a fully functioning drive and effectively able to begin writing again," Smith said. "That takes a split second."
The other security method SandForce-based SSDs afford is erasing all the NAND flash memory.
"We go through every single LBA, every single location ... that could have held user data, as well as performing the crypto-erase," Smith said. "That would take longer because you have to erase the flash. That could take a few minutes."
SandForce's controllers, used by most major SSD vendors, include native 128-bit AES encryption that allows users to set up passwords. But some SSDs don't come with native hardware-based encryption.
Data erasure can also be performed on the drive either through the Security Erase Unit (SEU) command, or through the soon-to-be-released addition to the serial ATA specification under Sanitize Device Set.
Secure Erase is embedded in SATA storage devices, and allows users to delete data from all areas in which it might be stored on a hard drive or a NAND flash product.
When a user chooses the SEU command, all LBAs are erased in the Device Configuration Identity, which is everywhere an SSD can store user data. Additionally, the encryption key is zeroed or destroyed, leaving any existing data scrambled, and all mapping data is erased so the drive cannot even locate the prior scrambled data. The controller automatically creates a new encryption key for any new incoming data.
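The crypto-erase sequence described above (destroy the key, erase the mapping, generate a new key) can be modelled in a few lines. This is an added Python example, not code from the article, the UCSD study or SandForce. The `ToySED` class, its out-of-place write behaviour and the SHA-256 keystream (a stand-in for AES so that only the standard library is needed) are assumptions of the model.

```python
import hashlib
import secrets

PAGE = 32  # bytes per flash page in this toy model (assumption)

def keystream_xor(key: bytes, page_no: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR with SHA-256(key || page_no). Not AES."""
    ks = hashlib.sha256(key + page_no.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

class ToySED:
    """Hypothetical model of a self-encrypting SSD controller."""
    def __init__(self):
        self.key = secrets.token_bytes(16)  # 128-bit media key held by the drive
        self.flash = []                     # raw pages, as chip-level access sees them
        self.lba_map = {}                   # LBA -> index into self.flash

    def write(self, lba: int, data: bytes) -> None:
        page_no = len(self.flash)           # out-of-place write: old page stays behind
        padded = data.ljust(PAGE, b"\0")
        self.flash.append(keystream_xor(self.key, page_no, padded))
        self.lba_map[lba] = page_no

    def read(self, lba: int) -> bytes:
        page_no = self.lba_map[lba]
        return keystream_xor(self.key, page_no, self.flash[page_no]).rstrip(b"\0")

    def crypto_erase(self) -> None:
        """Destroy the old key, drop the mapping, start with a fresh key."""
        self.key = secrets.token_bytes(16)
        self.lba_map.clear()

def recoverable(drive: ToySED, key: bytes, needle: bytes) -> bool:
    """Can someone holding `key` and the raw flash pages find `needle`?"""
    return any(needle in keystream_xor(key, i, p) for i, p in enumerate(drive.flash))

def demo() -> dict:
    d = ToySED()
    d.write(0, b"payroll-2011.xls")         # constructed sample data
    d.write(0, b"\0" * 16)                  # host overwrites LBA 0
    result = {"stale_copy_after_overwrite": recoverable(d, d.key, b"payroll")}
    d.crypto_erase()
    result["readable_with_new_key"] = recoverable(d, d.key, b"payroll")
    result["old_map_gone"] = 0 not in d.lba_map
    d.write(0, b"fresh data")               # drive is immediately reusable
    result["reusable"] = d.read(0) == b"fresh data"
    return result

if __name__ == "__main__":
    print(demo())
```

In this model the host-level overwrite leaves the earlier page in flash, still decryptable while the original key exists. After `crypto_erase()` the same raw pages remain but no longer decrypt to the old data.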
"The effectiveness of cryptographic sanitization relies on the security of the encryption system used (e.g. AES), as well as the designer's ability to eliminate 'side channel' attacks that might allow an adversary to extract the key or otherwise bypass the encryption," the UCSD researchers wrote in their paper.
AES, or Advanced Encryption Standard, is the successor to the older DES (Data Encryption Standard). The U.S. government uses the standard at 128-bit and 256-bit strengths to encrypt secret and top-secret-level documents, respectively.
But it's not enough to offer only AES encryption; much depends on how the encryption is deployed.