SSDs: Flash Technology with Risks and Side-Effects
Businesses everywhere are now using SSDs (Solid State Drives) as storage media. According to a new survey by Kroll Ontrack, IT departments are still find error rates, data recovery and secure data destruction to be challenging.
The results showed that 91% of the companies surveyed deploy SSDs, mostly on the client side (i.e. in desktop PCs and laptops). The survey further found that 51% of companies had to replace deployed SSDs due to a defect.
The high performance of SSDs is the most important reason to use them for businesses. Ninety-five percent of respondents said performance is the primary criteria for the acquisition of SSDs. Only 31% of respondents indicated that reliability was a factor. We expect the number of SSDs failing or needing destruction to increase significantly over the next couple years, as the adoption rate soars for enterprise use. Survey responses indicated that a total of 70% of companies have used SSDs since 2011 or 2012.
When a company replaces a number of solid state drives, there is a real need to ensure business continuity and prevent losing confidential data. Data recovery and secure data destruction are critical needs that need addressing. However, most companies do not have an appropriate method for recovering data from failed drives or securely disposing of the media. Data recovery can be very difficult because of the use of proprietary encryption technologies.
Not immune to failures
There is a perception that SSDs are very safe because of the storage of data on flash memory chips rather than magnetic tapes or rotating disks. Thus, data loss typically due to mechanical problems or hardware damage (i.e. damaged platters, defective heads or bad motors) is avoiadable. Nevertheless, SSDs are not immune from defects. The survey has revealed that more than half of the participants (51%) already had to replace defective SSD media one or more times.
Erasure - not always safe
"Our survey shows that the first big wave of destruction of SSDs is still to come," said Jim Reinert, senior director at Kroll Ontrack. "Assuming that the average drive lifecycle in business is about three years, many companies will be faced with the question of how they can dispose of their old SSDs safely without endangering their sensitive corporate data. Many companies are taking a residual risk – sensitive data remains on the plates, and can fall into the wrong hands. "
The Important of Secure Data Deletion
In the case of a defect or in a regular exchange at the end of the lifecycle, SSDs usually leave the company without secure data destruction. To make sure there are no security gaps and that there is compliance, secure data deletion is essential. Conventional methods, however, cannot always get rid of all traces of data on SSD and flash. Because of the special technical architecture of SSD media data, each write operation stores data to a different physical location. Therefore, it is possible that even after several rewrites, traces of the original data remain in specific memory cells. Such methods are therefore not suitable for companies with high demands on data security.
The Kroll Ontrack survey shows that there is still no standard for SSD erasure. Forty percent of companies surveyed rely on the physical destruction of SSDs (typically by a shredder). Thirty-one percent use software for data deletion. Encryption methods that delete hardware or software keys before replacing the SSD to make the data unreadable occur about 22% of the time. Additionally, almost 20% of respondents have not decided nor have a method of data destruction.
Recommendation: To protect data on SSDs without residual risk
So far, the physical destruction of SSDs is the only really safe method for data erasure of SSDs. However, shredding a drive deems it unusable. This makes the resale or lease impossible and drives up the cost.
Alternatively, Kroll Ontrack recommends a multi-tiered business approach:
1) Do not use Self-Encrypting Drives (SEDs). This type of encryption is very secure, but ensures total data loss in the event of a failure. With SEDs, encryption keys are of knowledge to the hardware manufacturers. What this means is in the event of a failure, the data is no longer accessible to professional data recovery companies. Thus, the use of this technology is strongly discouraged. 2) Since the use of SEDs is discouraged, Kroll Ontrack recommends the use of software encryption. This solution offers a combination of software and cryptographic erasure. This allows the data on the SSD to be in inaccessible without residual risk. Companies should require that all data on SSDs be in a software format that utilizes encryption.
3) Overwrite the SSD by professional erase software once the SSD is no longer functioning. Multiple overwrites with specialized software, such as Ontrack Eraser 4.0, is the first step. Professional software for data erasure that overwrites the data multiple times is the best way to ensure no data is recoverable.
4) Make residual data cryptographically inaccessible. Unlike traditional hard drives, erasure of SSDs cannot guarantee that no data traces are left in individual blocks. The best way to combat this is to delete the encryption keys or change the passwords when a SSD is non-functioning or at least on a regular basis. Removing the decryption key will make any residual data permanently inaccessible. "At the moment, this is our recommended procedure, as there is no surefire alternative," said Jim Reinert. "Our survey shows that many companies are still unsure how they can reduce the risk of residual data after deletion. Only 15% use encryption software so far and then delete the key; 40% rely on physical destruction. Moreover, we note that many SSD manufacturers still rely on controllers with proprietary encryption, which means that when a drive has damage, the data can be lost forever."
Background to the survey
Kroll Ontrack conducted this survey among 88 company representatives from Germany, Austria and Switzerland in April through June 2013. Fifty-two percent of respondents work in small companies with fewer than 50 employees and 31% in large companies with more than 500 employees.