Disposal of Disk and Tape Data by Secure Sanitization EECS711 : Security Management and Audit Spring 2010 Presenter : Sara Mohseni Instructor : Dr. Hossein Saiedian Organization • • • • • • • • Introduction Federal Guidelines for Data Sanitization Data Sanitization Laws Data Sanitization through Media Physical Destruction Data Sanitization through Drive or Tape Degaussing Data Sanitization through Block Overwrite or SE Enhanced SE through In-Drive Data Encryption Conclusions 2 Introduction • US laws require secure data sanitization to eradicate data in disk and tape drives, but not all methods offer the highest level of security. • File deletion erases only file block pointers, links that left a file system reassemble a file. • File deletion is fastest and facilitates subsequent restoration of files because data remains on disk, but it isn’t secure. • Erasure of both pointers and file data is example of secure sanitization. 3 Introduction • Federally approved methods to reliably sanitize data from retired computer hard disk drives and tapes are critical for both security and privacy reasons. • In 2006, the US National Institute of Standards and Technology issued guidelines for media sanitization(NIST 800-88) to address this need. • Data sanitization encompasses all data eradication methods, including block-by-block over-write; drive internal secure erase (SE); and physical chemical, thermal, or magnetic destruction. 4 Federal Guidelines for Data Sanitization • NIST 800-88 defines four distinct protocols for user data sanitization: – – – – Disposal Clearing Purging Destroying 5 Federal Guidelines for Data Sanitization • Disposal means discarding storage media without employing any other sanitization or by deleting user file directories in public operating systems such as Windows or Linux. E.g., OS file deletion. • Clearing includes computer software utilities that overwrite user data blocks. Block overwrite is the most common data sanitization technique. • Clearing is considerably superior to disposal but can result in incomplete sanitization. 6 Federal Guidelines for Data Sanitization • Clearing might not erase user data blocks reassigned to different disk locations. • DBAN is an example of popular external block overwrite open source program (http://sourceforge.net/projects/srm). • The US Defense Security Service today requires that federal agencies using overwrite utilities have an authorized DoD (Department of Defense) laboratory evaluate them for proper functionality. 7 Federal Guidelines for Data Sanitization • Purging is the next higher sanitization level in NIST 800-88. Approved methods include the in-drive SE (Secure Erase) command and magnetic degaussing of disk drives or tape reels. • SE is faster than external-block-overwrite programs such as DBAN because SE is overwrite with no hostto-drive data transfer of the write pattern. • SE write pattern is predefined and originates from inside the drive. 8 Federal Guidelines for Data Sanitization • Destroying is the highest level of sanitization per NIST 800-88, meaning media physical destruction by disintegration, incineration, pulverizing, shredding, chemical attack, or melting. • Users tend to select the method that provides an acceptable security level in a reasonable time window. • Many users avoid a high-security protocol that requires special software and days to accomplish, making such a protocol less used and thus less practical. 9 Federal Guidelines for Data Sanitization 10 Federal Guidelines for Data Sanitization 11 Data Sanitization Laws • Many users are aware of legal-compliance regulations in data privacy laws regarding long-term data retention. But they might not know that those laws also specify requirements for data sanitization. • Strict local, state, and federal legislation protecting consumers, medical patients, investors, and the environment specify that organizations must be careful when disposing or repurposing digital equipment. 12 Data Sanitization Laws • US laws that address data sanitization for storage devices include: – – – – – – Health Insurance Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley Act (1999) California Senate Bill 1386 (2002) The Sarbanes-Oxley Act (2002) The Care and Accurate Credit Transactions Act (2003) SEC Rule 17a (1997) • Users should meet these legal requirements at the highest standards consistent with their operations. 13 Data Sanitization through Media Physical Destruction • For the highest security, tapes and disks removed from drives should be destroyed. • Disks and tape destruction involves breaking up or shredding media, chemically or thermally destroying media surfaces, or grinding media in to microscopic pieces. • Simple disk-bending provides more effective destruction than many realize, because drive readand-write heads will either crash or fly high to read data, and different heads can’t easily read the media. 14 Data Sanitization through Media Physical Destruction • Physical destruction doesn’t provide absolute certainty against hypothetical exotic forensics data recovery method if any remaining unerased disk pieces are larger than a record block. (This would be about 1/25 inch or 0.2 mm for 512-byte blocks in most current disk drives. • As drive linear and track densities increase, the maximum allowable disk fragment size will become even smaller. 15 Data Sanitization through Drive or Tape Degaussing • Degaussers are commercial instruments that bulkdemagnetize disk drives and tape reels. • Degaussers use high-intensity magnetic fields to erase magnetic media in a drive or tape, including record headers and servo bursts – information required for head positioning and data recovery. • Older Degaussers might not be able to erase data on higher-data-capacity disk drives which require higher demagnetization fields (because of their higher disk media coercivity). 16 Data Sanitization through Drive or Tape Degaussing • Older Degaussers also were designed for older longitudinal recording drives and might not be able to erase today’s perpendicular recording drives. • Degaussing will remain entirely practical for tape media because tape coercivity is far lower than disk media and is expected to remain so for some time. 17 Data Sanitization through Drive or Tape Degaussing 18 Data Sanitization through Block Overwrite or SE • SCSI (Small Computer System Interface) and ATA (Advanced Technology Attachment) interface drives specifications support SE (Secure Erase) command. • ATA SE writes binary 0s or 1s, conveniently allowing an SE to be verified. • SCSI specifications let users specify the SE pattern and state that the command intent is “to render any previous user data unrecoverable by any analog or digital technique.” 19 Data Sanitization through Block Overwrite or SE • Both the ATA and SCSI SE specifications require that a drive overwrite all user areas that have ever been accessible, up to the maximum native drive capacity. • SCSI specifications additionally require erasing all reassigned blocks. • An ATA SE also sanitizes hybrid-drive flash memories. 20 Enhanced SE through In-Drive Encryption • Computer OS data encryption is a common feature but isn’t often used. • Encryption in large enterprise computer systems defeats the operation of many important data management functions, such as incremental backup, continuous data protection, data compression, deduplication, archiving. • Efforts to defeat these operations cause significant data access speed and cost penalties to enterprise storage. 21 Enhanced SE through In-Drive Encryption • Recently , Seagate and Hitachi introduced 2.5-inch secure disk drives for laptop computers. These drives, called full disk encryption (FDE) or selfencrypting drives, internally encrypt user data before magnetic recording. • FDE drives provide data protection in case a laptop or drive is lost or stolen. 22 Enhanced SE through In-Drive Encryption • They also offer a new and virtually instantaneous way to sanitize data by securely changing their internal encryption key. • FDE drives allow ESE (Enhanced SE) which additionally requires a drive to overwrite all previously written user data, including sectors no longer in use due to reallocation. 23 Conclusion • To provide the highest confidence in meeting government laws protecting user privacy, use the SE command in computer storage devices, where possible. Otherwise, use block-overwrite utilities on entire drives. • Use secure physical destruction of devices that contain data with the highest security classification level (for example, top secret and above). 24