Historically, the most common storage device was the spinning disk, but as solid-state storage devices entered the stage, decommissioning hardware in a secure manner became far more complicated.
Current Guidance
A good starting point for investigating best practices in any area of cybersecurity is to look at what the policies written by government agencies say.
NSA/CSS Policy Manual 9-12
NSA/CSS Policy Manual 9-12 (NSA/CSS, 2014) defines its requirements for storage device sanitization as:
| Storage Device | Sanitization Requirements |
|---|---|
| Hard Disk Drives | Degaussing, disintegration, or incineration |
| Solid-state Drives | Disintegration or incineration |
| Volatile Media | Power removal |
This is interesting: according to the NSA, there is no way to safely erase any kind of common non-volatile media without physically destroying it.
NIST SP 800-88r1
NIST SP 800-88r1 (Kissel, Regenscheid, Scholl & Stine, 2014) provides guidelines for commercial organizations. It breaks its guidance into three methods:
| Method | Description |
|---|---|
| Clear | Logical erasure of user-addressable storage. |
| Purge | Erasure of all storage, often with effort made to further obscure previous data states and avoid missed regions. |
| Destroy | Physical or chemical changes to the storage such that it is no longer usable. |
With these categories, the guidance is as follows:
| Storage Device | Clear | Purge | Destroy |
|---|---|---|---|
| Hard Disk Drives | Overwrite | Overwrite using a secure erase feature on the disk | Shred, disintegrate, pulverize, or incinerate |
| Solid-state Drives | Overwrite | Overwrite using a secure erase feature on the disk | Shred, disintegrate, pulverize, or incinerate |
| Volatile Media | Power removal | Power removal | Shred, disintegrate, or pulverize |
Interestingly, the hard disk and solid-state guidance are essentially the same here.
Considerations for selecting a technique
Pre-existing guidance does not mean there are no other considerations to be made in the context of real-world use.
Risk
The risk level of the data on the storage device in question probably has the greatest bearing on which erasure technique is selected. This likely accounts for part of the difference between the NSA and NIST guidance, as the risk level the NSA faces is much higher than that of most commercial entities.
Access
A storage device you can easily put your hands on is far easier to erase with physical destruction techniques than one you have to travel to or have shipped. This is a strong argument for centralizing resources; however, remotely deployed systems are sometimes absolutely necessary.
Time
When events make it immediately necessary to erase data, the balance of available techniques can change. Consider a remote system with an adversary moving to seize the device. At that point the priority is to impose cost on recovering the data, which may make a non-physical destruction technique more worthwhile. Likewise, a locally deployed system facing the same threat may be faster to simply reduce to slag.
Storage Technology
Solid-state storage devices (SSDs) pose unique challenges for non-physical destruction techniques because there is no direct block-level access to the storage medium. This is due to a combination of over-provisioning and wear leveling. Over-provisioning is the inclusion of storage beyond the advertised capacity of the device, which the device can use internally. Wear leveling is the practice of directing writes to different physical locations instead of repeatedly overwriting the same location. Without special instructions, it is difficult to reliably overwrite data on such a device at all; in particular, overwriting an individual object, as opposed to erasing the full disk, is nearly impossible.
Future storage technologies using media such as DNA or glass, or whatever wild and wacky thing people come up with next, will pose their own challenges for data erasure as well.
Common Techniques
The current techniques available typically fall into one of two buckets: physical destruction or logical erasure. Physical destruction is typically preferred, but in some cases you may need to reuse the equipment or may not have direct physical access; in those cases erasure techniques may be sufficient.
Physical Destruction Techniques
Physical destruction typically leaves the device completely unusable and often not even physically resembling the previously operational device. These techniques leave the data irrecoverable because the storage medium itself is damaged. All of them require physical access to the device, and often require that the storage media be extracted from the device prior to destruction. Across the board, physical destruction is the best way to go if you can do it, as it guarantees the elimination of the data within the context of current forensic techniques.
Shredding or Crushing
Shredding typically refers to the destruction of printed materials, but it can also be used to destroy digital media. The equipment for digital media is often fairly expensive and looks far more like a wood chipper. The waste produced is typically inert and can be disposed of through the same pipelines as other e-waste.
Crushing is basically the same in that it breaks the media into pieces, but it does not necessarily reduce them to pieces as small as shredding does.
Chemical Destruction
Chemical destruction is uncommon as it may produce hazardous byproducts, is slow, and typically must be combined with shredding to be reliable. A typical chemical solution would be nitric or hydrochloric acid at a high enough concentration to etch the platters/chips of the media.
Incineration
Incineration applies heat to a piece of media until it undergoes a physical change that makes the data it contains unrecoverable. Despite the name, it does not require an open flame, and some of the equipment used for this will simply resemble a kiln. It can also be performed with something like thermite, which burns hot enough to melt through most metals quickly and can potentially be pre-positioned for use.
Degaussing
Degaussing induces a very strong magnetic field through a magnetic storage medium to overwrite all storage locations simultaneously. This can be done in a single direction or in reversing directions. While this destroys the data stored on the medium, it does not destroy the medium itself, so pure storage media such as tapes survive intact. Unfortunately, most modern magnetic storage devices have onboard circuitry that will probably not survive.
Erasure Techniques
Erasure techniques remove data from a medium at the logical level. They are not as effective as physical mechanisms, but they do have utility because they do not require direct physical access and leave the storage device in a usable state. They may even be used as a stop-gap to protect data until physical destruction is possible.
Overwrite
Overwrites are performed by writing data, typically repeatedly, onto the storage device. The overwrite data may be a constant value, a pattern, random data, or a combination. This is most effective on magnetic storage media if performed enough times. On SSDs there is a risk of missing data held in over-provisioned physical blocks. Instructions may be available to improve the security of SSD erasure, but they are not guarantees.
The best strategy for erasing an SSD with an overwrite operation is to overwrite the full device, multiple times, with random data. This does not guarantee that 100% of the data is erased every time, but it has some benefits. The randomness prevents internal disk compression from reducing the area covered. Multiple passes keep wear leveling from interfering, since over repeated overwrites the controller will most likely direct writes to all of the internal storage media at some point. It does not, however, reduce the risk of data being left behind in dead storage areas.
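To make the over-provisioning and wear-leveling argument concrete, here is an added toy flash-translation-layer model (written for this page, not the post's own code and not real SSD firmware): a single full logical overwrite leaves stale copies in the spare pool, a second random pass reaches them, and a retired block is never reached. The block counts, the spare pool size and the `SECRET-` contents are constructed for the demonstration.

```python
import random


class ToySSD:
    """Toy flash-translation layer (an added model, not real SSD firmware).
    Every write lands on a free physical block (wear leveling); the old
    block returns to the spare pool with its contents intact
    (over-provisioning); a retired block is never reused, so it keeps data."""

    def __init__(self, contents, spare_blocks, dead_blocks=()):
        n = len(contents)
        self.physical = list(contents) + [b""] * spare_blocks
        self.map = list(range(n))                      # LBA -> physical index
        self.free = list(range(n, n + spare_blocks))   # FIFO spare pool
        self.dead = set(dead_blocks)                   # retired physical blocks

    def write(self, lba, data):
        new = self.free.pop(0)                         # never written in place
        self.physical[new] = data
        old, self.map[lba] = self.map[lba], new
        if old not in self.dead:
            self.free.append(old)                      # stale copy lingers until reused

    def overwrite_pass(self, make_data):
        """One full overwrite of the logical address space, as dd would see it."""
        for lba in range(len(self.map)):
            self.write(lba, make_data(lba))

    def remnants(self, marker):
        """Physical blocks (mapped, spare or dead) still starting with marker."""
        return [p for p, d in enumerate(self.physical) if d.startswith(marker)]


def remnants_after_passes(passes, seed=0):
    """8 logical blocks of constructed secret data, 2 spare blocks, and
    physical block 3 retired while still holding a secret. Returns which
    physical blocks still hold secret data after `passes` random overwrites."""
    rng = random.Random(seed)
    ssd = ToySSD([b"SECRET-%d" % i for i in range(8)], spare_blocks=2, dead_blocks={3})
    for _ in range(passes):
        ssd.overwrite_pass(lambda lba: bytes(rng.getrandbits(8) for _ in range(8)))
    return ssd.remnants(b"SECRET")


if __name__ == "__main__":
    for n in range(4):
        print(n, "pass(es): secret data still in physical blocks", remnants_after_passes(n))
```

After one pass the two last-freed spare blocks plus the dead block still hold secrets; after two passes only the dead block does, which no number of further passes will touch.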
Key-erasure
The ideal erasure solution is to keep storage devices always encrypted and simply destroy the key, perhaps using a different form of media for key storage so that destroying the key is faster or more reliable. Many SSDs today provide this as a built-in feature, often using a battery and some form of volatile memory to store the key so that just removing power from the volatile memory erases it. This lets the device operate without the host even knowing the disk is encrypted, while providing an almost instantaneous disk erasure mechanism.
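The key-erasure idea as an added, runnable model (written for this page, not the post's own code and not a real self-encrypting drive): sectors only ever hold ciphertext under a media key kept in a separate "volatile" key slot, and `crypto_erase` zeroises that slot, so the medium is untouched yet unreadable afterwards. HMAC-SHA256 driven in counter mode is assumed here as a stand-in for the AES-XTS a real drive would use, and the sector content is constructed.

```python
import hashlib
import hmac
import secrets

class CryptoErasableVolume:
    """Toy always-encrypted volume (an added model, not a real self-encrypting
    drive). Sectors only ever hold ciphertext under one media key; HMAC-SHA256
    in counter mode stands in for AES-XTS. Erasure zeroises the key slot only."""

    def __init__(self, sectors):
        self.key = bytearray(secrets.token_bytes(32))  # the "volatile" key slot
        self.media = [b""] * sectors                   # the non-volatile medium

    def _keystream(self, sector, length):
        if self.key is None:
            raise RuntimeError("media key destroyed; sector is unrecoverable")
        blocks, counter = [], 0
        while len(b"".join(blocks)) < length:
            nonce = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
            blocks.append(hmac.new(self.key, nonce, hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def write(self, sector, plaintext):
        ks = self._keystream(sector, len(plaintext))
        self.media[sector] = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self, sector):
        ct = self.media[sector]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(sector, len(ct))))

    def crypto_erase(self):
        """Instant erasure: wipe 32 bytes of key instead of the whole medium."""
        self.key[:] = bytes(len(self.key))             # zeroise in place first
        self.key = None

def demo():
    """Returns (readable before erase, unreadable after, medium untouched)."""
    vol = CryptoErasableVolume(sectors=4)
    vol.write(0, b"payroll-2024.xlsx")                  # constructed sample content
    readable = vol.read(0) == b"payroll-2024.xlsx"
    stored = vol.media[0]
    vol.crypto_erase()
    try:
        vol.read(0)
        unreadable = False
    except RuntimeError:
        unreadable = True
    return readable, unreadable, vol.media[0] == stored and b"payroll" not in stored
```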
References
- Kissel, R., Regenscheid, A., Scholl, M. & Stine, K. (2014). Guidelines for Media Sanitization (NIST SP 800-88r1). National Institute of Standards and Technology. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
- NSA/CSS (2014). NSA/CSS Policy Manual 9-12. NSA/CSS. Retrieved from https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf