Data Sanitization Tutorial

Tutorial on Disk Drive Data Sanitization

 

Gordon Hughes, UCSD CMRR (gfhughes@ucsd.edu)

Tom Coughlin, Coughlin Associates (tom@tomcoughlin.com)


Summary

User data is routinely left on disk drives removed from computers and storage systems, creating a data security vulnerability that many users are unaware of. Recent Federal and state laws requiring secure erasure of user data expose companies to fines of $250,000 and responsible parties to imprisonment for 10 years.

 

Complete eradication of user data from a drive can be accomplished by running a Secure Erase utility such as the freeware HDDerase. It executes the Secure Erase command defined in the ANSI ATA standard and approved in NIST Special Publication 800-88, which is implemented in all recent ATA drives larger than about 15-20 GB. A similar command in the ANSI SCSI standard is optional and was not implemented in any of the drives tested. A normal Secure Erase typically takes 30-60 minutes to complete, and longer on larger drives, since the drive overwrites every user-accessible sector (Table 1 gives 1-2 hours for 100 GB). Some ATA drives also implement the standard Enhanced Secure Erase command; on drives that encrypt data internally it completes in seconds or less, because the drive only has to change its encryption key (see Table 1).
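The following script is an added example and is not code from the tutorial or from HDDerase. On Linux the same ATA Secure Erase command that HDDerase issues is available through hdparm. The script parses the Security section of `hdparm -I` output (in the format the hdparm tool prints; both sample sections are constructed, and /dev/sdX and the password Sanitize1 are placeholders), checks the preconditions practitioners usually trip over (feature set absent, drive frozen by the BIOS, drive locked), picks enhanced erase when the drive offers it, and prints the command sequence instead of running it.

```shell
#!/bin/sh
# Added example, not code from the CMRR tutorial or from HDDerase: decide from
# the "Security:" section of `hdparm -I /dev/sdX` whether an ATA drive can be
# sanitized with the ATA SECURITY ERASE UNIT command (the command HDDerase
# issues), and print the hdparm commands an operator would run.  The script
# never touches a drive: it parses captured identify output only.

# Constructed sample of the Security section hdparm prints for a drive that
# supports normal and enhanced erase and is neither frozen nor locked.
SAMPLE_OK=$(printf 'Security: \n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t44min for SECURITY ERASE UNIT. 44min for ENHANCED SECURITY ERASE UNIT. \nChecksum: correct\n')

# Constructed sample of a drive the BIOS has frozen, without enhanced erase.
SAMPLE_FROZEN=$(printf 'Security: \n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\tnot\tsupported: enhanced erase\n\tmore than 508min for SECURITY ERASE UNIT. \nChecksum: correct\n')

# security_flags IDENT: the indented lines that follow "Security:" in IDENT.
security_flags() {
    printf '%s\n' "$1" | awk '/^Security:/ { insec = 1; next }
                              insec && /^[^ \t]/ { exit }
                              insec'
}

# Each predicate takes identify output and succeeds (exit 0) when the flag is
# set.  hdparm prints a set flag as "<tab><tab>name" and a clear one as
# "<tab>not<tab>name", so a line holding only the name means "set".
se_supported() { security_flags "$1" | grep -Eq '^[[:space:]]*supported[[:space:]]*$'; }
se_enabled()   { security_flags "$1" | grep -Eq '^[[:space:]]*enabled[[:space:]]*$'; }
se_locked()    { security_flags "$1" | grep -Eq '^[[:space:]]*locked[[:space:]]*$'; }
se_frozen()    { security_flags "$1" | grep -Eq '^[[:space:]]*frozen[[:space:]]*$'; }
se_enhanced()  { security_flags "$1" | grep -Eq '^[[:space:]]*supported: enhanced erase'; }

# Minutes the drive itself reports for each erase mode (empty if not reported).
erase_minutes()    { security_flags "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'; }
enhanced_minutes() { security_flags "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\)min for ENHANCED SECURITY ERASE UNIT.*/\1/p'; }

# plan_erase IDENT DEV PASSWORD: print the hdparm command sequence, or explain
# why the drive cannot be erased this way.  Return codes: 0 plan printed,
# 2 feature set absent, 3 drive frozen, 4 drive locked.
plan_erase() {
    ident=$1; dev=$2; pw=$3
    if ! se_supported "$ident"; then
        echo "$dev: ATA Security feature set not supported; use another method" >&2
        return 2
    fi
    if se_frozen "$ident"; then
        # Most BIOSes issue SECURITY FREEZE LOCK at boot; a suspend/resume
        # cycle or hot-plugging the drive usually clears it.
        echo "$dev: security is frozen; suspend/resume or hot-plug, then re-check" >&2
        return 3
    fi
    if se_locked "$ident"; then
        echo "$dev: drive is locked; unlock with its existing password first" >&2
        return 4
    fi
    if se_enhanced "$ident"; then
        mode=--security-erase-enhanced; mins=$(enhanced_minutes "$ident")
    else
        mode=--security-erase; mins=$(erase_minutes "$ident")
    fi
    echo "# drive-reported duration: ${mins:-unknown} min; hdparm blocks until the drive finishes"
    if se_enabled "$ident"; then
        echo "# security already enabled: the password below must be the existing user password"
    else
        echo "hdparm --user-master u --security-set-pass $pw $dev"
    fi
    echo "hdparm --user-master u $mode $pw $dev"
}

# Demo on the constructed sample (prints a plan for a placeholder device).
plan_erase "$SAMPLE_OK" /dev/sdX Sanitize1
```

Run the printed commands as root with the drive unmounted and idle; hdparm blocks until the drive reports completion, and a successful SECURITY ERASE UNIT disables the security feature set again, so the temporary password does not persist. Reading back a sample of sectors afterwards confirms that the user-addressable area is clean.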

 

Table of Contents

 

Introduction

Data Loss is Rampant

Data Sanitization Legal Requirements

Data Eradication on Hard Disk Drives

Physical Drive Destruction

Disk Drive Degaussing

Nondestructive Data Erasure

Fast Secure Erase

Data Encryption Secure Erase

Computer Forensics Data Recovery

Secure Erasure Implementation and Certification

Data Sanitization in the Real World

About the Authors

Glossary

Introduction

Data security has risen to be one of the highest concerns of computer professionals. Tighter legal requirements now exist for protecting user data from unauthorized use, and for both preserving and erasing (sanitizing) records in order to meet compliance obligations. This tutorial addresses concerns and developments in the sanitization and protection of user data.

 

Overall data storage security entails protection at different levels and locations:

·         Data at rest - drive data erasure

          o   Secure erase of all data blocks on disk drives

          o   Single file erasure

          o   Drive physical or magnetic destruction

·         Data in motion - data encrypted during transport

          o   Protection of data and crypto keys during transport

          o   Transparency to users (automatic encryption)

·         Drive internal encryption (data encrypted by the storage device)

          o   Access level dependent upon the key or password used to decrypt data

·         Drive data sanitization

          o   Secure erasure of user data for drive disposal or reuse

 

The following table (Table 1) outlines comparative times to execute various approaches for data sanitization (erasure) as well as level of data sanitization security.

 

Table 1. Comparison of Various Data Sanitization Approaches

Type of Erasure                      Average Time (100 GB)   Security    Comments
Normal File Deletion                 Minutes                 Very Poor   Deletes only file pointers, not the actual data
DoD 5220 Block Erase                 Up to several days      Medium      Needs 3 writes + verify; cannot erase reassigned blocks
Secure Erase                         1-2 hours               High        In-drive overwrite of all user-accessible records
NIST 800-88 Enhanced Secure Erase    Seconds                 Very High   Change of in-drive encryption key
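Added example, not part of the tutorial: whichever row of Table 1 is used, NIST 800-88 expects the result to be verified, and the simplest host-side verification after a Secure Erase or a zero-fill overwrite is to read sectors back and confirm that they are all zero. The POSIX shell function below samples evenly spaced 4 KiB blocks from a disk image or block device (the two 1 MiB images it checks are constructed in a temporary directory; for a real drive the size argument is assumed to come from `blockdev --getsize64`). Like the host-based DoD overwrite in the table, it sees only user-addressable sectors, so reassigned blocks are outside its reach; and after a cryptographic erase (the last row) sectors read back as random-looking ciphertext rather than zeros, so there the check to run is that known plaintext written before the erase no longer reads back.

```shell
#!/bin/sh
# Added example, not code from the CMRR tutorial: read-back spot check after a
# Secure Erase or zero-fill overwrite.  Only user-addressable sectors are
# visible to the host, so reallocated (remapped) blocks cannot be inspected:
# a pass is necessary, not sufficient, evidence of sanitization.

# samples_zero FILE SIZE [COUNT]
#   Reads COUNT (default 16) 4 KiB blocks spread evenly over the first SIZE
#   bytes of FILE and returns 0 only if every sampled byte is 0x00, 1 at the
#   first non-zero block, 2 if SIZE is smaller than one block.  For a block
#   device, pass SIZE from `blockdev --getsize64 /dev/sdX` (assumed available).
samples_zero() {
    file=$1; size=$2; count=${3:-16}
    blocks=$((size / 4096))
    [ "$blocks" -gt 0 ] || return 2
    step=$((blocks / count))
    [ "$step" -gt 0 ] || step=1
    k=0
    while [ "$k" -lt "$blocks" ]; do
        # tr deletes NUL bytes, so any byte that survives is non-zero data
        nonzero=$(dd if="$file" bs=4096 skip="$k" count=1 2>/dev/null \
                  | tr -d '\000' | wc -c | tr -d ' ')
        if [ "$nonzero" -ne 0 ]; then
            echo "non-zero data at 4 KiB block $k (byte offset $((k * 4096)))"
            return 1
        fi
        k=$((k + step))
    done
    return 0
}

# file_size FILE: byte length of a regular file (used for the demo images).
file_size() { wc -c < "$1" | tr -d ' '; }

# make_demo_images DIR: constructed test data, a zeroed 1 MiB image and a copy
# with an 8-byte marker left in block 200 to stand in for a missed region.
make_demo_images() {
    dd if=/dev/zero of="$1/clean.img" bs=4096 count=256 2>/dev/null
    cp "$1/clean.img" "$1/dirty.img"
    printf 'LEFTOVER' | dd of="$1/dirty.img" bs=4096 seek=200 conv=notrunc 2>/dev/null
}

# Demo: check every block of both images, then show that a coarse 4-sample
# pass (blocks 0, 64, 128, 192) misses the marker in block 200.
demo_dir=$(mktemp -d)
make_demo_images "$demo_dir"
sz=$(file_size "$demo_dir/clean.img")
samples_zero "$demo_dir/clean.img" "$sz" 256 && echo "clean.img: all 256 blocks zero"
samples_zero "$demo_dir/dirty.img" "$sz" 256 || echo "dirty.img: sanitization check FAILED"
samples_zero "$demo_dir/dirty.img" "$sz" 4   && echo "dirty.img: 4-sample check passed (marker missed)"
rm -rf "$demo_dir"
```

Sampling trades coverage for time: the coarse pass above passes a drive that still holds data, so for a high-assurance check set COUNT to the total number of blocks and read everything, and keep the output with the drive's serial number as the sanitization record.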

 

Data Loss is Rampant

The cardinal rule of computer storage design has been to protect user data at all costs. Disk drives supply the primary mass storage for computer systems and are designed to prevent accidental erasure of data. Techniques such as “recycle” folders and Unerase commands are common ways that operating systems try to prevent accidental sanitization of user data. Deleting only the file pointers (the file system's references to the data blocks) is standard practice because it is fast, whereas actually overwriting the file data is far slower. Drives use elaborate error detection and correction techniques to make sure that they do not return incorrect user data.

 

All this means that true computer data erasure is an abnormal event, and the measures taken to protect and speed access to user data can leave that data vulnerable to recovery by unauthorized persons.

 

Following are some statistics on computer loss and theft[1]:

·         One of every 14 laptops is stolen, and over 2,000 computers are stolen every day in the United States. (Information Week)

·         A computer is stolen every 43 seconds.

·         Over 98% of stolen laptops are never recovered. (FBI)

·         A survey of 769 corporate IT managers revealed that 64% had experienced laptop theft. (Tech Republic)

 

When a computer is lost or disposed of, active and discarded data typically remain stored on its hard disk drive. Even if users “delete” all their files, the files can be recovered from “recycling” folders or by special utility programs such as Norton Unerase.

 

If data is not erased beyond recovery, data on disk drives that leave the physical control of their owners can and often does fall into the hands of others. Data can be recovered with little effort from discarded, warranty-repaired, or resold disk drives. Many reports have been written on data recovered from discarded disk drives.[2],[3] Each year hundreds of thousands of hard disk drives are retired; some find their way back into the market, and their data can be recovered unless it has been erased securely.

 

There is an urgent need for a capability to reliably erase data on retired computer hard disk drives and prevent access to it, for both security and privacy reasons. Data sanitization needs differ by application; even consumer drives could use data sanitization to protect user privacy or for DRM purposes.

 

Data Sanitization Legal Requirements

While most people are aware of legal compliance regulations requiring long-term retention of data, the same regulations also specify that data must be protected for privacy and other reasons, and many also specify conditions and requirements for its sanitization. Strict local, state and Federal legislation protecting investors, consumers and the environment requires organizations to be extremely careful when disposing of IT equipment that has outlived its usefulness.

 

There are several laws and regulations that relate to data retention and data sanitiz...
