Secure-disposal-of-data

advertisement
Disposal of Disk and Tape Data by
Secure Sanitization
EECS711 : Security Management and Audit
Spring 2010
Presenter : Sara Mohseni
Instructor : Dr. Hossein Saiedian
Organization
•
•
•
•
•
•
•
•
Introduction
Federal Guidelines for Data Sanitization
Data Sanitization Laws
Data Sanitization through Media Physical Destruction
Data Sanitization through Drive or Tape Degaussing
Data Sanitization through Block Overwrite or SE
Enhanced SE through In-Drive Data Encryption
Conclusions
2
Introduction
• US laws require secure data sanitization to eradicate
data in disk and tape drives, but not all methods
offer the highest level of security.
• File deletion erases only file block pointers, links that
left a file system reassemble a file.
• File deletion is fastest and facilitates subsequent
restoration of files because data remains on disk, but
it isn’t secure.
• Erasure of both pointers and file data is example of
secure sanitization.
3
Introduction
• Federally approved methods to reliably sanitize data
from retired computer hard disk drives and tapes are
critical for both security and privacy reasons.
• In 2006, the US National Institute of Standards and
Technology issued guidelines for media
sanitization(NIST 800-88) to address this need.
• Data sanitization encompasses all data eradication
methods, including block-by-block over-write; drive
internal secure erase (SE); and physical chemical,
thermal, or magnetic destruction.
4
Federal Guidelines for Data Sanitization
• NIST 800-88 defines four distinct protocols for user
data sanitization:
–
–
–
–
Disposal
Clearing
Purging
Destroying
5
Federal Guidelines for Data Sanitization
• Disposal means discarding storage media without
employing any other sanitization or by deleting user
file directories in public operating systems such as
Windows or Linux. E.g., OS file deletion.
• Clearing includes computer software utilities that
overwrite user data blocks. Block overwrite is the
most common data sanitization technique.
• Clearing is considerably superior to disposal but can
result in incomplete sanitization.
6
Federal Guidelines for Data Sanitization
• Clearing might not erase user data blocks reassigned
to different disk locations.
• DBAN is an example of popular external block
overwrite open source program
(http://sourceforge.net/projects/srm).
• The US Defense Security Service today requires that
federal agencies using overwrite utilities have an
authorized DoD (Department of Defense) laboratory
evaluate them for proper functionality.
7
Federal Guidelines for Data Sanitization
• Purging is the next higher sanitization level in NIST
800-88. Approved methods include the in-drive SE
(Secure Erase) command and magnetic degaussing of
disk drives or tape reels.
• SE is faster than external-block-overwrite programs
such as DBAN because SE is overwrite with no hostto-drive data transfer of the write pattern.
• SE write pattern is predefined and originates from
inside the drive.
8
Federal Guidelines for Data Sanitization
• Destroying is the highest level of sanitization per NIST
800-88, meaning media physical destruction by
disintegration, incineration, pulverizing, shredding,
chemical attack, or melting.
• Users tend to select the method that provides an
acceptable security level in a reasonable time window.
• Many users avoid a high-security protocol that
requires special software and days to accomplish,
making such a protocol less used and thus less
practical.
9
Federal Guidelines for Data Sanitization
10
Federal Guidelines for Data Sanitization
11
Data Sanitization Laws
• Many users are aware of legal-compliance
regulations in data privacy laws regarding long-term
data retention. But they might not know that those
laws also specify requirements for data sanitization.
• Strict local, state, and federal legislation protecting
consumers, medical patients, investors, and the
environment specify that organizations must be
careful when disposing or repurposing digital
equipment.
12
Data Sanitization Laws
• US laws that address data sanitization for storage
devices include:
–
–
–
–
–
–
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (1999)
California Senate Bill 1386 (2002)
The Sarbanes-Oxley Act (2002)
The Care and Accurate Credit Transactions Act (2003)
SEC Rule 17a (1997)
• Users should meet these legal requirements at the
highest standards consistent with their operations.
13
Data Sanitization through Media Physical
Destruction
• For the highest security, tapes and disks removed
from drives should be destroyed.
• Disks and tape destruction involves breaking up or
shredding media, chemically or thermally destroying
media surfaces, or grinding media in to microscopic
pieces.
• Simple disk-bending provides more effective
destruction than many realize, because drive readand-write heads will either crash or fly high to read
data, and different heads can’t easily read the media.
14
Data Sanitization through Media Physical
Destruction
• Physical destruction doesn’t provide absolute
certainty against hypothetical exotic forensics data
recovery method if any remaining unerased disk
pieces are larger than a record block. (This would be
about 1/25 inch or 0.2 mm for 512-byte blocks in
most current disk drives.
• As drive linear and track densities increase, the
maximum allowable disk fragment size will become
even smaller.
15
Data Sanitization through Drive or Tape
Degaussing
• Degaussers are commercial instruments that bulkdemagnetize disk drives and tape reels.
• Degaussers use high-intensity magnetic fields to
erase magnetic media in a drive or tape, including
record headers and servo bursts – information
required for head positioning and data recovery.
• Older Degaussers might not be able to erase data on
higher-data-capacity disk drives which require higher
demagnetization fields (because of their higher disk
media coercivity).
16
Data Sanitization through Drive or Tape
Degaussing
• Older Degaussers also were designed for older
longitudinal recording drives and might not be able
to erase today’s perpendicular recording drives.
• Degaussing will remain entirely practical for tape
media because tape coercivity is far lower than disk
media and is expected to remain so for some time.
17
Data Sanitization through Drive or Tape
Degaussing
18
Data Sanitization through Block Overwrite or SE
• SCSI (Small Computer System Interface) and ATA
(Advanced Technology Attachment) interface drives
specifications support SE (Secure Erase) command.
• ATA SE writes binary 0s or 1s, conveniently allowing
an SE to be verified.
• SCSI specifications let users specify the SE pattern
and state that the command intent is “to render any
previous user data unrecoverable by any analog or
digital technique.”
19
Data Sanitization through Block Overwrite or SE
• Both the ATA and SCSI SE specifications require that a
drive overwrite all user areas that have ever been
accessible, up to the maximum native drive capacity.
• SCSI specifications additionally require erasing all
reassigned blocks.
• An ATA SE also sanitizes hybrid-drive flash memories.
20
Enhanced SE through In-Drive Encryption
• Computer OS data encryption is a common feature
but isn’t often used.
• Encryption in large enterprise computer systems
defeats the operation of many important data
management functions, such as incremental backup,
continuous data protection, data compression,
deduplication, archiving.
• Efforts to defeat these operations cause significant
data access speed and cost penalties to enterprise
storage.
21
Enhanced SE through In-Drive Encryption
• Recently , Seagate and Hitachi introduced 2.5-inch
secure disk drives for laptop computers. These
drives, called full disk encryption (FDE) or selfencrypting drives, internally encrypt user data before
magnetic recording.
• FDE drives provide data protection in case a laptop
or drive is lost or stolen.
22
Enhanced SE through In-Drive Encryption
• They also offer a new and virtually instantaneous
way to sanitize data by securely changing their
internal encryption key.
• FDE drives allow ESE (Enhanced SE) which
additionally requires a drive to overwrite all
previously written user data, including sectors no
longer in use due to reallocation.
23
Conclusion
• To provide the highest confidence in meeting
government laws protecting user privacy, use the SE
command in computer storage devices, where
possible. Otherwise, use block-overwrite utilities on
entire drives.
• Use secure physical destruction of devices that
contain data with the highest security classification
level (for example, top secret and above).
24
Download