Flash based storage systems are now the “go to” option for improving the response time of performance sensitive applications. Some applications that require high performance are also storing extremely sensitive data that needs to be completely sanitized if the flash device is replaced. Is erasing the data on a flash device enough to satisfy the standard methods for data destruction?
For many data centers simply erasing the data may be enough. It is well known that data erased on flash media can still be accessed, but there are limits to the extent a hacker will go to gain access to that information. Essentially, the value of the data has to exceed the level of effort expended to pilfer it.
The exception to this rule is data that is stored by the military, intelligence agencies and their contractors, as well as data gathered by financial institutions. Health organizations may also be added to the list, as HIPAA regulations and privacy concerns may require increasing levels of data security. In short, all of these data sources may in fact be worth going to extreme lengths to extract from “securely erased media”.
Hard Drive Security
When data was stored on hard disks, the process of securely erasing data was straightforward. Typically, the hard disk was formatted and the files were permanently cleared by overwriting each block on the hard disk several times with different patterns of data.
The typical erase of a flash cell writes 1‘s to the cell, which makes the cell ready for new data. For secure erase functionality, a vendor utility executed from an operating system command line could set every NAND cell to 1 and then, in a subsequent operation, set every cell to 0. In this article, Storage Switzerland will point out areas of concern when using these methods and provide suggestions on the proper way to securely erase flash based storage systems.
Over-provisioning Problems
The first area of concern relates to a method that almost all flash devices use to increase the long term durability of the flash media — over-provisioning. This technique is used to increase flash life by providing extra flash cells that can be used to spread out flash NAND wear. It can account for as much as 10-25% of the overall flash capacity on a device or in any array, however, this extra capacity is hidden from the operating system. The problem is those “hidden” cells are used by the device to store data.
This means that an erase utility like the one described above may not even know the cells existed and the data on those hidden cells would remain intact after an erase operation was performed. Conceivably, a hacker in a lab could access these cells and potentially piece together data that might unlock information that would compromise a nation’s security or jeopardize a financial institution’s well-being.
The erase utility would have to be specifically designed to erase not only the cells that the operating system sees but also the cells that are hidden from it by over-provisioning. Most SSD vendors, even if they know the flash controller firmware has this capability, simply choose not to implement the functions needed to properly erase all the cells in the device. Even if they do offer special erase utilities, those utilities often do not account for cells hidden by over-provisioning. Again, this should be something that SSD vendors are able to do, but they don’t spend the development effort required.
If the environment needs to securely erase data, it is important that the capabilities of the secure erase functions provided by the SSD vendors, if they are offered at all, are clearly understood.
Bad Block Problems
Another issue with secure erase utilities is the way that flash devices handle bad blocks. Flash NAND cells are read, written and erased by applying a charge. Writes and erases are the most common source of failure since they require the highest charge. When a cell can no longer accept a charge it is marked as bad and will be ignored in future write operations. As described above, the way to erase a flash cell is to write ones to it. If the cell can’t receive a charge it can’t be erased, but because reads use a lower voltage the data could still be read.
Under normal operation, the inability to re-program a cell is not a problem. The data from that cell is simply copied to a new cell and the un-programmable cell is marked bad. The key issue here is the cell CAN BE READ; it just can’t be re-programmed. Once again, as was the case in over-provisioned flash cells, it would take a data hacker and a lab to get to these cells. If government secrets or financial security is at stake, however, the data gained could be well worth the effort.
It is impossible for even well written secure erase utilities to handle the bad block problem. Even if the utility could get to these cells, data can’t be erased if the cells can’t hold a charge.
SSD/Flash Replacement
The unique challenges that flash presents, described above, assume that some attempt is being made to erase the data on the device. Unfortunately, the most common form of data exposure is when a flash module or drive is replaced. There are countless stories of storage systems being purchased on eBay with their data still intact. The situation is caused by IT being stretched so thin that they simply forget to attempt any level of data security when a device is being replaced or upgraded.
The Encryption Solution
The solution to this dilemma is to use encryption. There are host-side software encryption utilities, but these require installation on every server, and encrypted data from one host may not be readable on another server. Furthermore, they consume server resources, which will likely impact application response times. Keep in mind that the whole reason for selecting a flash based storage system in the first place was to improve application response time.
The ideal way to encrypt data is to have the encryption circuitry be an integral part of the flash based system. This allows all data to be encrypted universally and inline before it is ever stored on the flash storage system. For example, Skyera, in their skyHawk product, has 256-bit AES encryption built directly into their system.
An integrated encryption design allows data to be made inaccessible by simply removing the encryption keys or physically removing the encryption chip itself. Once the keys or the chip are gone, the data cannot be read regardless of the laboratory techniques employed.
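The three points above (stale copies in over-provisioned cells, bad blocks that can be read but not re-programmed, and key destruction on an inline-encrypting device) can be seen together in a small simulation. This is an added example, not Storage Switzerland's or Skyera's code; the page sizes, the flash translation layer and the SHA-256 keystream standing in for the AES engine are all constructed for the illustration.

```python
import hashlib
import os

PAGE, LOGICAL, SPARE = 16, 4, 4  # constructed sizes: 4 host-visible + 4 hidden pages

def xor_ks(key, nonce, data):
    # Stand-in for the inline AES engine the article describes (NOT real AES):
    # XOR with a SHA-256 keystream that is fresh for every write (random nonce).
    ks = hashlib.sha256(key + nonce).digest()[:PAGE]
    return bytes(a ^ b for a, b in zip(data, ks))

class ToySSD:  # flash translation layer: logical pages map onto a larger pool
    def __init__(self, key=None):
        self.key = key                                  # None = unencrypted device
        self.phys = [(b"", bytes(PAGE))] * (LOGICAL + SPARE)  # (nonce, stored bytes)
        self.map = {i: i for i in range(LOGICAL)}       # logical -> physical page
        self.spare = list(range(LOGICAL, LOGICAL + SPARE))    # hidden from the host
        self.bad = set()                                # pages that no longer program

    def program(self, ppn, plain):                      # write one physical page
        if ppn in self.bad:
            raise IOError("page %d cannot accept a charge" % ppn)
        nonce = os.urandom(8)
        data = plain if self.key is None else xor_ks(self.key, nonce, plain)
        self.phys[ppn] = (nonce, data)

    def relocate(self, lpn, retire=False):              # wear levelling / failed page
        old, new = self.map[lpn], self.spare.pop(0)
        self.phys[new] = self.phys[old]                 # copy out; old copy stays put
        self.map[lpn] = new
        if retire:
            self.bad.add(old)                           # still readable, never erased

    def host_erase(self):  # vendor-style erase: all 1s, then all 0s, visible pages only
        for pattern in (0xFF, 0x00):
            for lpn in range(LOGICAL):
                self.program(self.map[lpn], bytes([pattern]) * PAGE)

    def lab_dump(self):                                 # raw readout of every cell
        return [data for _, data in self.phys]

def scenario(key=None):
    dev = ToySSD(key)
    dev.program(dev.map[0], b"SECRET-A-0123456")
    dev.program(dev.map[1], b"SECRET-B-0123456")
    dev.relocate(0)                # stale copy left behind in the over-provisioned pool
    dev.relocate(1, retire=True)   # page 1 is now a bad block still holding the secret
    dev.host_erase()
    dev.key = None                 # crypto-erase: destroy the key (or the crypto chip)
    return dev
```

Running `scenario()` without a key leaves both secrets readable in the raw dump even though every host-visible page now reads 0x00; running it with a key leaves only ciphertext behind, and once the key is dropped nothing on the media decrypts.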
Why Doesn’t Everyone Encrypt?
Since encryption seems like an obvious solution to the problem, it begs the question – why doesn’t every vendor invest in the technology? There are two primary reasons for this. First, the vendor may simply not be focused on the markets where this level of data security is needed. Frankly, this may be a short-term view of reality. High data security is needed by an increasing number of industries, and the ability to hack secured data becomes easier with each leap in technology. Tomorrow’s home office may have more forensic horsepower than today’s lab. The ability to pull data from flash storage devices that have been “securely” erased will only become easier.
Second, the flash controller technology selected may not have the compute resources to drive an additional process, one that is involved in every write and read, without impacting performance. For example, some SSD vendors leverage host based CPUs to perform their flash management functions. Loading a potentially heavy workload like inline encryption may not only hurt flash performance, it may impact host performance.
Conclusion
Destroying sensitive data is an important need for government agencies and financial institutions, but the industries that need this level of protection are increasing rapidly. At the same time, these agencies and organizations need the performance that flash based storage systems can provide.
Flash storage and hard disk storage cannot be treated the same when it comes to data destruction. In-line, always-on encryption of data as it is being written to a flash storage system seems to be the only reliable way to ensure the future destruction of sensitive data in these environments.
Skyera is a client of Storage Switzerland
