AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Media Sanitization (Data Erasing, Wiping) For SSDs Need Extra Care

Current best practices for digital media sanitization call for a hard disk drive to either be physically destroyed (hammers, blowtorches, pulverizers, etc.) or rewritten multiple times with random data.  Some claim that the use of disk encryption software, like AlertBoot, is as good as the above two methods, especially since it's tantamount to writing random data.

In principle, they cannot be the same since the objective behind encryption is to "recover" the data under a set circumstance, whereas rewriting data is about purging it completely.  For all practical purposes, however, they provide the same level of security.  That's why an organization that loses a portable computer with sensitive data can declare that their data is safe if it was protected with laptop encryption.

The relationship between encryption and data rewrites may not hold if you're dealing with flash-based solid-state drives (SSDs), though.  SSDs are found in USB flash drives; memory sticks; Secure Digital cards used in digital cameras; and, increasingly, in internal drives on computers.  New research shows that SSDs will not get properly sanitized under certain circumstances, meaning that encrypting data may actually prove more secure!

Hard Drive-Oriented, Individual File-Sanitization Not Effective

According to a new paper published by Wei, Grupp, Spada, and Swanson at UC San Diego, file sanitization software designed for traditional hard disk drives is not effective on SSDs.  This is due to differences in flash-based storage media's data access and management algorithms.  Among the findings:

  • Built-in ATA and SCSI sanitization commands work splendidly, when they work.  The ones that don't can leave the data completely intact.
  • Software-based full-disk sanitization techniques generally work.  Writing random data twice over was found "sufficient to sanitize the drive" but not always.
  • Individual file sanitization techniques were ineffective.

It should be noted that data extraction by the researchers was done via a custom-built testing device that cost them $1,000.  They note, however, that a simpler version could be constructed for $200 and "a moderate amount of technical skill."  Whether they meant a moderate amount of technical skill for PhDs and PhD candidates, I don't know.

(Side note: In a way, their description of why file sanitization techniques in SSDs don't work reminds me of why "erasing files" in Windows doesn't work: because the file itself is not destroyed.  Instead, what's erased are the directions for finding the file.  Data recovery software can find it just fine, though, and this, too, seems to be the reason why file sanitization doesn't work on SSDs.)

Of the three techniques, full-disk sanitization required much testing due to the varied methods available: overwriting, degaussing, and encryption.  Overwriting was found to be a poor method overall.  Degaussing didn't work at all, which is not unexpected (there was, however, a theory that magnetic eddy currents could perhaps damage the chips found in SSDs).  Encryption works, it seems to be agreed, but with a huge caveat:

Encryption can be used as a data-wiping technique by losing the encryption key.  Without this key, the randomized data cannot be reconstituted to its original state, which is why it doesn't differ from random data rewrites.  However, deleting the key in an SSD falls into the problem of "individual file sanitization."  Since the key resides on the SSD, there is the potential danger of someone recovering the key, and using that to decrypt the contents.

The researchers propose an approach called SAFE (Scramble and Finally Erase) that sanitizes the stored key:

The technique, called Scramble and Finally Erase (SAFE), stores encrypted data in the drive and uses a two step process for sanitization. First, it destroys the key. Then, SAFE erases every physical page in the SSD. After this step, verification is a simple matter of dismantling the drive and verifying that the flash chips are actually erased.

Encryption is at the heart of this technique, you'll notice, with attention given to the key's destruction.
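
An added simulation, not code from the paper or from AlertBoot, of why overwriting a key stored on an SSD can leave it recoverable and what SAFE's second step changes. The `ToyFTL` class, its 16-byte pages, the key value and the logical block number are constructed assumptions; a real drive's remapping is more complex.

```python
ERASED = b"\xff" * 16           # constructed 16-byte page in the erased state
KEY = b"constructed-key!"       # constructed 16-byte disk-encryption key
KEY_LBA = 0                     # assumption: the key lives in logical block 0

class ToyFTL:
    """Toy flash translation layer: every logical write goes to a fresh physical page."""
    def __init__(self, physical_pages=8):
        self.pages = [ERASED] * physical_pages   # raw contents of the flash chips
        self.mapping = {}                        # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        if self.next_free == len(self.pages):
            raise RuntimeError("toy model has no garbage collection")
        self.pages[self.next_free] = data        # the previously mapped page keeps its data
        self.mapping[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.pages[self.mapping[lba]]     # what the host sees through the interface

    def raw_dump(self):
        return list(self.pages)                  # what a chip-level reader sees

    def erase_all(self):
        self.pages = [ERASED] * len(self.pages)  # SAFE step 2: erase every physical page
        self.mapping.clear()
        self.next_free = 0

    def verify_erased(self):
        return all(page == ERASED for page in self.pages)

def overwrite_key_only():
    """Host-side wipe of the key block, as an HDD-oriented tool would do it."""
    ssd = ToyFTL()
    ssd.write(KEY_LBA, KEY)
    for pattern in (b"\x00" * 16, b"\x55" * 16):  # two overwrite passes (fixed patterns)
        ssd.write(KEY_LBA, pattern)
    return ssd.read(KEY_LBA) != KEY, KEY in ssd.raw_dump()

def safe_sanitize():
    """SAFE as the page describes it: destroy the key, then erase every page."""
    ssd = ToyFTL()
    ssd.write(KEY_LBA, KEY)
    ssd.write(KEY_LBA, b"\x00" * 16)   # step 1: destroy the key
    ssd.erase_all()                    # step 2: erase all physical pages
    return ssd.verify_erased(), KEY in ssd.raw_dump()

if __name__ == "__main__":
    print("overwrite only (host view clean, key still on flash):", overwrite_key_only())
    print("SAFE (all pages erased, key still on flash):", safe_sanitize())
```

In the overwrite-only case the host reads back the wipe pattern while the original key is still present in the raw page dump, which is the gap between the logical view and the physical media that the verification step in SAFE is meant to close.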

Nevertheless, there are (arguably, slightly) better methods for ensuring your data is, and remains, deleted.  The researchers seem to give two thumbs up to built-in sanitization commands, which require some modifications to ensure that they work as advertised.

Don't Miss the Forest for the Trees - Data Security

Before I finish, I should point out that encryption has an advantage over the other methods above: it secures data while you're still actively using a device, whereas the other methods can only be used after you've decided to chuck it.

Regardless of how you're going to proceed with your data destruction / purging / erasure, chances are that if you're considering it, you ought to have encrypted it all along.


Related Articles and Sites:
http://cseweb.ucsd.edu/users/m3wei/
http://nvsl.ucsd.edu/sanitize/
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
http://www.truecrypt.org/docs/?s=wear-leveling
http://hardware.slashdot.org/story/11/02/17/1911217/Confidential-Data-Not-Safe-On-Solid-State-Disks#comments

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.