Data is more than just information these days; it’s an asset. And enterprise businesses are managing a lot more data, particularly on solid state drives (SSDs).
According to IDC, half of data centers had deployed SSDs by 2014 and the remaining half planned to consider them by 2015. In fact, data from MarketsandMarkets found that global spending on enterprise SSDs was valued at $13.29 billion in 2015 and is expected to grow at a compound annual growth rate of 9.5 percent between 2016 and 2022. So if you’re like the majority of organizations, you use SSDs in many of your newer desktops, laptops, servers and data centers.
Given all these statistics, securely erasing data from SSDs is even more necessary. But it’s also complicated, as security threats and cyber criminals get more sophisticated. If you look at Verizon’s 2016 Data Breach Investigation Report, disposal error was listed as one of the top five threat action varieties within the “miscellaneous errors” category of attacks.
As we’ve seen in the past, improper disposal of drives has led to serious data breaches. This was evidenced when a 2015 state audit of 12 US state agencies responsible for handling taxes, programs for people with mental illness and driver’s licenses found inadequate methods being used to attempt to wipe information from drives.
Like all data storage devices, SSDs need to be fully erased at key transition points in their lifecycle, including when they hit end-of-life. So erasing data from SSDs is just as simple as erasing data from hard disk drives (HDDs). Right? Wrong. Companies are headed for disaster if they continue to wipe SSDs in the same way as HDDs.
SSD vs. HDD erasure
Whether a company maintains data on SSDs or HDDs, it’s critical to employ data erasure at key transition points in the data and equipment lifecycle.
The good news is that SSDs are simpler than HDDs in that they don’t have moving mechanical parts. They’re also smaller, lighter and less power-intensive. But from a data removal perspective, SSDs are more complicated.
Reformatting and degaussing don’t work because SSDs apply complex data management schemes to distribute data across their internal memory chips. They also contain a much larger pool of spare, or “overprovisioned,” memory capacity accessible only by the SSD. These techniques prolong the performance and life of the drive, but they also mean that certain data on the drive remains hidden from the host and could be recovered.
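To make the point about hidden data concrete, here is an added example (not from the article or any vendor's product): a toy model of an SSD's address mapping, showing that an HDD-style overwrite of every host-visible address leaves the old contents in physical pages the host cannot reach. The class, function names and sample data are constructed for illustration.

```python
# Toy flash translation layer, constructed for illustration; real controllers differ.
SECRETS = [b"payroll", b"contracts", b"earnings", b"roadmap"]  # constructed sample data

class ToySSD:
    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        # Physical flash exceeds the host-addressable range (overprovisioning).
        self.flash = [None] * (logical_pages + spare_pages)
        self.map = {}                          # LBA -> physical page holding current data
        self.free = list(range(len(self.flash)))

    def write(self, lba, data):
        if not 0 <= lba < self.logical_pages:
            raise ValueError("LBA outside host-visible range")
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)                # flash is never rewritten in place
        self.flash[page] = data
        self.map[lba] = page                   # the old page goes stale but keeps its contents

    def _garbage_collect(self):
        live = set(self.map.values())
        for page in range(len(self.flash)):
            if page not in live:
                self.flash[page] = None        # erase happens on the drive's schedule
                self.free.append(page)
        if not self.free:
            raise RuntimeError("no reclaimable pages")

    def host_view(self):
        return [self.flash[self.map[lba]] if lba in self.map else None
                for lba in range(self.logical_pages)]

    def stale_pages(self):
        """Data in physical pages that no logical address points to."""
        live = set(self.map.values())
        return [d for p, d in enumerate(self.flash) if d is not None and p not in live]

def hdd_style_wipe(ssd, pattern=b"\x00"):
    """Overwrite every host-addressable page once, as an HDD wipe would."""
    for lba in range(ssd.logical_pages):
        ssd.write(lba, pattern)

def wipe_demo():
    ssd = ToySSD(logical_pages=4, spare_pages=4)
    for lba, secret in enumerate(SECRETS):
        ssd.write(lba, secret)
    hdd_style_wipe(ssd)
    return ssd.host_view(), ssd.stale_pages()
```

After the wipe the host reads back only the overwrite pattern, while all four original records are still present in stale physical pages until the drive itself chooses to erase them.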
While SSD standards are now emerging from the National Institute of Standards and Technology (NIST) and other governing bodies, secure and permanent removal of data from SSDs that are just a few years old may involve various interfaces and command protocols. There are a variety of potential approaches to erasing data on SSDs, each carrying its own risks and benefits:
Physically destroying – think taking a hammer to a drive – and sending the fragments off to a landfill might seem like the best way to prevent sensitive information from ever coming back to haunt you – and your company. In the physical sense, this works and is a good guarantee.
But according to the Environmental Protection Agency, the average U.S. household owned 28 consumer electronics in 2013 and in that same year, the country generated 3.14 million tons of electronic waste. That is no small figure – and every one of us, individuals and businesses, should be thinking about how we can reduce environmental waste.
Cryptographic erasure modifies the key used to encrypt and decrypt data to “sanitize” the drive. But the data remains on the device. Improper implementation of the cryptographic system can leave the data vulnerable and make it difficult to verify the method of “sanitization.”
So what’s the right way to completely and permanently remove data from SSDs? There isn’t one single answer. A better question is – which scenarios make data removal from SSDs absolutely necessary?
One scenario is what I call the ‘live environment’ – essentially, when users are creating new files on their desktops and laptops. We create files every day. And we ‘delete’ files every day too for a number of reasons – when documents are no longer needed, to free up storage space on a drive or to get rid of sensitive information that falls into the category of intellectual property.
But how the files are deleted is what matters. When you delete a file, drag it to the ‘Recycle Bin’ or even reformat the drive, the information isn’t really gone. The right way to get rid of files in this live environment is to overwrite the data using approved regulatory standards.
This brings me to a second scenario – when the SSD has outlived its purpose and is ready to be discarded, recycled or resold. This could happen because the drive itself has hit its end of life, a user buys an additional drive for storage or a user simply has decided to buy the latest and greatest laptop model from Apple, Samsung, Dell or a number of other manufacturers. Whatever the case, the data on that SSD absolutely must be removed completely and permanently before it goes off to its next place – be it the trash, a recycling plant or into the hands of a second-hand reseller/buyer.
Neglecting to erase SSDs is a huge risk, especially for enterprise businesses that use high volumes of SSDs to store sensitive and confidential corporate information, such as employee payroll records, financial earnings, Salesforce data, customer contracts and product development details.
No matter what type of SSD erasure method a company adopts, it’s vital to receive an auditable report proving that data was completely and permanently removed and can never resurface. The report should provide specific and customizable details, such as the serial number of the device, when the device was erased, who performed the data removal and what specific types of data were removed.
Because proof is something that can oftentimes be tampered with, it’s equally important for the report to include a change log to prevent any such tampering from occurring. Doing so can tangibly improve a company’s security profile, ensure compliance with escalating regulations, optimize the return on investment in SSDs and mitigate the risk of data exposure.
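One way to make such a change log tamper-evident, shown as an added example that is not from the article or any erasure product: each record carries an HMAC over its own content and the previous record's MAC, so editing or removing an earlier record breaks verification. The field names, serial number, operator and key are constructed, and the sketch assumes the key is held by an auditor rather than by whoever can edit the report.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
KEY = b"constructed-demo-key"   # assumption: held by the auditor, not by report editors

def _mac(key, prev, entry):
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()

def append_entry(log, key, entry):
    """Chain each change-log record to the MAC of the one before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "mac": _mac(key, prev, entry)})
    return log

def verify_log(log, key, expected_head=None):
    """Return -1 if intact, else the index of the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(log):
        ok = hmac.compare_digest(rec["mac"], _mac(key, prev, rec["entry"]))
        if rec["prev"] != prev or not ok:
            return i
        prev = rec["mac"]
    # Dropping records from the tail keeps the chain valid, so compare against
    # a head MAC stored outside the report when one is available.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

def build_sample_log(key=KEY):
    """Constructed report using the fields the article lists."""
    log = []
    append_entry(log, key, {"serial": "SSD-EXAMPLE-0001", "erased_at": "2016-06-01T10:15:00Z",
                            "operator": "j.doe", "data_removed": ["payroll", "contracts"]})
    append_entry(log, key, {"serial": "SSD-EXAMPLE-0001", "change": "report exported",
                            "at": "2016-06-01T10:20:00Z", "operator": "j.doe"})
    return log
```

Changing the operator name in the first record makes `verify_log` return 0, and a truncated log is caught only when the last MAC has been recorded somewhere the report's editor cannot reach.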
Ultimately, effective SSD data erasure will help protect the brand and employees and will ensure that IT practices support the company’s business goals.
(About the author: Pat Clawson is CEO of Blancco Technology Group, a leading provider of data erasure and mobile diagnostics solutions.)