SSD’s and the Importance of Encryption

Thursday, May 12, 2011

Emmett Jorgensen


Co-authored by Emmett Jorgensen and Matthew Losanno

Recently there has been a lot of coverage regarding the security (or lack thereof) of Solid State Drives (SSD); in particular the difficulties in wiping data from them.

Due to the difference in technology between flash based SSD's and platter based HDD's, currently accepted methods for sanitizing HDD's such as multiple pass disk wipe and degaussing are not effective for securely removing data from SSD's.

The difficulty in safely wiping SSD's stems from the fact that SSD's, and their cousin the flash drive both utilize solid state memory and a data writing technique known as wear-leveling. Wear-leveling is a method of controlling which flash cell has data written to it.

This method of writing data has both benefits and drawbacks. On the plus side, wear-leveling extends the life of the entire drive, ensuring that all the cells on the flash wear down equally. On the negative side, this same technique makes it much more difficult to fully erase data from the drive.

Rather than writing continuously to a block of cells, wear-leveling picks cells spread out over the entire capacity of the flash memory and writes bits of data here and there.

Although it sounds arbitrary, it is a necessary method when utilizing flash memory due to its ability to provide even wear over, and extend the life of, the flash. (Standard write-cycle life is 10,000 writes for MLC flash, while SLC has around 100,000 write-cycles.)

Think of an SSD like the puzzle game Jenga. You pull a block of data out of the bottom, and then place it on the top. Copy and repeat. The data is still there, just spread out in different locations.

Standard erasure methods only write over a file location, while the SSD wear-leveling technology may specify that a write operation (of all zero's) is written somewhere else entirely. The data, unbeknownst to the end user, is still there and able to be recovered by those with the right resources.

With data privacy issues becoming increasingly important, state, federal and business regulations have tightened on information security. Regulators often impose fines and sanctions for data breaches as outlined in more and more state laws (Ex. - Massachusetts Data Privacy Law 201 CMR 17).

These new regulations bring added importance to the need to securely erase data from an SSD (or any other storage medium) to both increase customer confidence and prevent data breaches and fines.

A simple yet effective way to make sure that data is unrecoverable from an SSD is to utilize encryption. Using full disk encryption has a twofold effect. The first obvious effect is it will secure the contents of the data on the SSD.

Adding encryption, preferably at the hardware level, adds a layer of security to all your data and is a step towards meeting many of the security requirements currently needed in the financial, healthcare and public sectors.

Second, and equally important, when it comes time to retire the drive, the encryption key can be deleted, leaving the data inaccessible.

By using a well-regarded industry standard such as 256-bit AES encryption on all of your files, or the entire memory media, the only thing that needs to be erased is the AES key for the data to be useless.

Once the AES key is destroyed, it would take longer than the useful lifespan of the information, (and likely longer than the lifespan of the person attempting to break it) to crack the AES key directly from the encrypted data.

What does this mean? By using encryption on the drives, there is no need to attempt traditional erasure/wipe methods (even those specified in the DOD 5220-22.M Standard) since they are unreliable as far as SSD's are concerned anyway.

Essentially by zeroizing the encryption key there is no need to worry about the data ever being recovered.

Simple enough, right? Encryption should be an essential part of any security policy and this provides another reason to use it. The use of encryption really can't be emphasized enough!

Matthew Losanno is a senior product manager at Kanguru Solutions specializing in security, integration, and development.

Possibly Related Articles:
Information Security
Encryption data destruction Hardware SSD Secure Erase HDD
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.