According to the National Association of Information Destruction (NAID), solid state drives (SSD) used in ultrabooks, tablets, smartphones, and other devices are proving to be a headache when it comes to end-of-life operations. Namely, the usual methods of deleting digital data – so that hardware may be discarded safely – are proving to be ineffective when it comes to flash-based storage media. This shouldn’t be news, however, at least not to NAID.
The solution to the above difficulty is at least 2 years old: place laptop disk encryption at the heart of your data destruction strategy.
SSDs an Unknown Quantity
According to a NAID conference that was held in Sydney, Australia, NAID chief Bob Johnson noted that:
SSDs are an unknown quantity when it comes to being sterilised for disposal at the end of their working lives.
“There is currently work being done at the University of California, San Diego, about the best ways to make sure these solid state drives are clean before they’re disposed of,” he said. “Unfortunately the information out there at the moment is very squirrelly.”
I’m not sure what information Johnson’s referring to, but I’ve known for at least two years that the best way to ensure that information is properly wiped is to encrypt it and lose the encryption key:
The researchers propose an approach called SAFE (Scramble and Finally Erase) that sanitizes the stored key:
The technique, called Scramble and Finally Erase (SAFE), stores encrypted data in the drive and uses a two step process for sanitization. First, it destroys the key. Then, SAFE erases every physical page in the SSD. After this step, veri?cation is a simple matter of dismantling the drive and verifying that the flash chips are actually erased.
Encryption is at the heart of this technique, you’ll notice, with attention given to the key’s destruction.
The above is from a post I wrote in 2011 on why media sanitation requires encryption, and is based on research done by a team at the University of California, San Diego.
If that looks like déjà vu to you, it’s because it’s the same San Diego team that Johnson is referring to.
Encryption Sometimes CANNOT be the Solution for SSD
And now that I’ve revealed how encryption software is the only way to secure devices during their EOL, here’s a kick to the head: under certain circumstances, encryption is not an option from a policy perspective. For example, under HIPAA.
HIPAA is a set of rules, overseen by the Department of Health and Human Services (HHS), that governs healthcare companies and their business associates. While the use of encryption is strongly encouraged to protect patient data (indeed, the director for the Office for Civil Rights at the HHS was quoted as saying “we love encryption, and those who use encryption love it, too”), there is one area where encryption is not to be used as a tool when it comes to medical data: when a device is being disposed of.
When a computer, external drive, flashdrive, or other data storage device that used to store health data is to be discarded – be it in a landfill or via a donation – the information on it has to be scrubbed. The usual methods include overwriting every sector of the storage device; degaussing it by placing the medium in a magnetic field; or physical destroying it, all of them procedures approved by NIST. Encryption, on the other hand, is not considered to be a reliable method of destroying data because it is designed to “recover” data when the correct key is applied.
This is problematic as organizations start to embrace BYOD, bring your own device. One wonders how the HHS will react as more and more devices that use SSDs – like smartphones and tablets – make their way into hospitals and other businesses that handle protected health information. Degaussing will not work, since SSDs don’t store data in a magnetic medium. Overwriting does not work due to SSDs’ internal workings. Destroying devices would work but is wasteful when they might still be useful to some.
Plus, I’ve got to assume that the owners of these devices would be quite against destroying their phones and tablets.
It seems that an exception will have to be made for flash-based devices, or that the use of encryption to “destroy” data will be accepted as a norm.
Related Articles and Sites: