As an organization, you might have several data storage devices with sensitive information such as customers’ personal data and business intelligence. Effective erasure of this data is crucial to attain compliance with data protection laws and safeguard your business from data breach risks.
Considering this need, knowing the appropriate data erasure method(s) for specific storage media types is crucial in the overall data destruction strategy. Ideally, your organization would seek the best data erasure method for any storage media type such as rack-mount servers, RAID-configured Network-Attached Storage (NAS), laptops and workstation machines, standalone hard disk drives and solid-state drives, USB flash storage, etc.
Types of data erasure methods for the different media types
Before diving into the data erasure methods, based on using specific techniques and standards, be aware that “data erasure” technically means overwriting the memory locations on a storage media with binary patterns like ones and zeroes. In some instances, data erasure could also mean performing a device-specific Block Erase procedure or sanitizing the cryptographic key in Self-Encrypting Drives (SEDs). However, data erasure does not mean permanent deletion of files by pressing SHIFT + DEL keys on Windows or Option + Command + Delete keys on macOS. You can read our blog on difference between data erasure and data deletion.
The following are the different types of data erasure methods:
Method 1 – Overwriting
This method overwrites all the user-addressable memory locations, including logical storage locations like the file allocation table, on a storage media with non-sensitive data such as random binary patterns. Overwriting aims to replace the target data such that it is destroyed forever with no scope for recovery or retrieval. NIST SP 800-88 Guidelines [Table 5-1: Sanitization Methods] consider ‘Overwriting’ as a technique used within the Clear and Purge method. The Guidelines further mention the use of software or hardware products to perform the overwriting process using the standard Read/Write commands applicable for the device.
Application Scope of Overwriting
The Overwriting method or technique can erase the following data storage media:
- Floppies
- Magnetic disks and tapes
- Hard disk drives, including ATA, SCSI, and USB hard drives
- Solid-state drives, including NVM Express SSDs
- Memory cards
- Electronically Erasable Programmable Read-Only Memory (EEPROM)
Ways of Overwriting To Ensure Data Erasure
Data erasure through storage media overwriting is possible using device-specific commands and data erasure software based on the following methods:
- ATA Secure Erase command: The ATA standard defines a secure erase command for overwriting and erasing all storage drives having an ATA interface, including SATA, PATA, etc. The command can erase magnetic and flash storage media. It involves issuing a firmware-level command to rewrite and replace the target data on all sectors, including the reallocated units, when used as Enhanced Erase option. As per NIST SP 800-88 Guidelines, “the actual action performed by an enhanced erase varies by vendor and model, and could include a variety of actions that have varying levels of effectiveness. The secure erase command is not defined in the SCSI standard, so it does not apply to media with a SCSI interface”.
- Data erasure software: Data erasure software provide a viable “DIY solution” to overwrite a wide variety of storage media. For example, professional data erasure software such as BitRaser can erase SATA, PATA, NVM Express M.2, PCI, SCSI, serial-Attached SCSI, IDE, USB, Fiber Channel, and FireWire drives. The software-based overwriting (erasure) method typically involves plugging a bootable USB media (with data erasure software ISO burned to it) into the host computer that needs wiping of internal hard drive and/or additional storage devices attached to it. Unlike native commands like Secure Erase, data erasure software provide a wider choice to erase the media based on standards like NIST 800-88 Purge, DoD 5220.22, etc. And, it generates reports and certificates of erasure to act as audit trails for meeting regulatory compliance.
Method 2 – Block Erase
The Block Erase method performs data erasure by applying a substantially high voltage level to all NAND cells, including retired, reallocated, spare, and over-provision cells, in a solid-state drive. Block Erase uses device-specific commands to wipe flash memory-based storage media, and its results are typically 0s and 1s. NIST SP 800-88 Guidelines identifies the Block Erase technique as a Purge method, based on using dedicated and standardized commands to erase SSDs.
Application Scope:
The Block Erase method can erase the following types of data storage media:
- ATA Solid-State Drives (SSDs)
- Parallel Advanced Technology Attachment (PATA)
- Serial Advanced Technology Attachment (SATA)
- e-SATA SSD
- SCSI SSDs
- Small Computer System Interface (SCSI)
- Serial Attached SCSI
- Fiber Channel
- USB Attached Storage (UAS)
- SCSI Express
Method 3 – Cryptographic Erase
Cryptographic Erase (CE) or crypto scramble sanitizes the Media Encryption Key (MEK) used for encrypting the data stored on a Self-Encrypting Drive (SED), thereby leaving the drive with ciphertext or encrypted data. The method uses the CRYPTO SCRAMBLE EXT command to erase the MEK. Unlike overwriting and Block Erase methods, Cryptographic Erase does not work on the storage locations (i.e., sectors or blocks) and is therefore faster. The total erasure time difference for performing CE and other data erasure methods increases with the device’s data storage capacity. The NIST guidelines place Cryptographic Erase in the Purge category of media sanitization methods.
Important Do’s and Don’ts of Cryptographic Erase
Although Cryptographic Erase is an efficient data erasure method, any organization should use it with careful consideration of the following aspects:
Do’s
- Use CE only after ensuring that all the target data is encrypted prior to storage on the media.
- Consider using the method only if you know the encryption key’s location on the media to sanitize it later.
- Use CE after ensuring that all copies of the encryption key are sanitized.
- Ensure that the user responsible for performing CE is well aware of the command for the specific device.
Don’ts
- Do not use CE if encryption was enabled after storing sensitive data without prior media sanitization
- Do not use CE if you are unaware of sensitive, encrypted data on the storage media.
- Do not use CE on backed-up devices up because the encryption key might be retrieved from the backup copy.
Application Scope
The Cryptographic Erase technique can erase the storage media and devices that support native encryption (i.e., have media encryption key) and allow running the CE command. However, please check the manufacturer’s guide to ascertain the possibilities. The following are a few devices and media types with scope for Cryptographic Erase.
- Apple iPhone® and iPad®
- Supported Android® devices
- ATA hard disk drives
- ATA and SCSI solid-state drives
- NVM Express SSDs
- Externally attached hard drives such as USB, Firewire®
Comparison of Data Erasure Methods
The following table compares the Overwriting, Block Erase, and Cryptographic Erase methods for different storage media. The purpose is to provide objective points to help you understand the differences to choose the best data erasure method for a given media type.
| Comparison Parameter |
|
Block Erase | Cryptographic Erase | |||||
| Application Scope | Hard drives (HDDs and SSDs) with ATA interface | SATA, PATA, NVM Express M.2, PCI, SCSI, serial-Attached SCSI, IDE, USB, Fiber Channel, and FireWire drives. | ATA and SCSI solid-state drives | Drives and devices with MEK and support for running the CRYPTO SCRAMBLE EXT command. | ||||
| Effectiveness | May leave sensitive data on spare cells of an SSD. Considered effective for HDDs. | Overall, a highly effective method because data erasure software wipes all user addressable memory locations, including the hidden locations, and implements overwriting based on established standards like NIST and DoD. | Considered an effective and secure method for wiping SSDs. | Effectiveness depends upon the robustness of the media encryption key because this method only scrambles the encryption key without any action on the data storage locations. | ||||
| Efficiency | It is a SANITIZE command for substantially faster data erasure than using the native read/write interface. | Efficiency depends on storage media capacity and type. BitRaser can start wiping a storage device(s) in under 15 minutes. | It is a SANITIZE command for substantially fast data erasure. | Very fast, as CE can erase the MEK within a fraction of a second. | ||||
| Scalability | Not scalable. Can erase one storage device at a time. |
Highly scalable. BitRaser Drive Eraser can erase up to 65000 drives simultaneously. | Not scalable. Issues the command for one device at a time. | Not scalable. Scrambles the encryption key on one device at a time. | ||||
| Verifiability | No native provision to check the outcomes of Secure Erase. | BitRaser software supports verification method like total, random verification etc. Also, it generates tamper-proof audit trails (reports and certificate) for meeting regulatory compliance. | No native provision to verify or certify the results of Block Erase command. As per NIST SP 800-88, the results are likely 0s or 1s. | Manual verification is possible by reading the pseudorandom locations before Cryptographic Erase and comparing the results after running the procedure. However, this process could be hectic and needs an authentication token to allow media access. | ||||
| Ease of Usage & convenience | Requires issuing ATA Secure Erase command using Linux hdparm utility. High technical expertise is required. | Largely a DIY method based on using plug-and-play bootable USB media. Moderate expertise is required. | Uses the specific Block Erase command based on the SSD make and model. Requires high technical expertise. | Executed as per the specific device. Requires advanced technical expertise. | ||||
Closing Notes
This blog outlined the different data erasure methods based on the type of storage media and usage scenarios. The purpose is to offer a sweeping glance into the various options and help you make an informed decision on the best data erasure method. Although these methods co-exist and have relevance based on the situation, expertise, and needs, the comparison table juxtaposes the facts to facilitate the choice. Besides factors like effectiveness and efficiency, verifiability is a key consideration because having a certified solution can help your organization prove data protection and compliance according to the applicable legislation.
The post What is the Best Data Erasure Method For Any Storage Media type? appeared first on BitRaser.