Data retention policies vary from organization to organization and are generally determined by legal requirements, the value of the information, and the cost to maintain the data. Data needs to be retained and accessible for a specified period of time. After that time has expired, the data needs to be deleted and be completely irretrievable.
The US DoD, including all branches of the military, requires vast amounts of sensitive data to ensure operational efficiency and combat readiness. Data must be protected regardless of how and where it is created, used, stored or transferred. But when it is time to delete the data, the deletion process must be extremely thorough. When sensitive data is stored on a hard drive or SSD (solid state drive), the device must be completely destroyed to ensure the data is destroyed.
Military grade storage SSDs are often ruggedized and not easy to destroy. They can also be specialized and costly to replace. Some are located in larger data acquisition systems which are deployed in remote locations and nearly impossible to service. As an alternative to destroying the entire SSD, the media (NAND flash) within the SSD can be completely erased clean of data and returned to its pristine state. This can be done by placing the SSD in a system designed to sanitize SSDs or within the host system if it is properly configured. Properly sanitized SSDs can be reused and repurposed to reduce costs, procurement expenses, complex replacement procedures, and is better for the environment.
But wiping or “sanitizing” media within an SSD isn’t easy and without its own challenges. Simply deleting data is not enough, some or all of the data may remain readable. The data is usually still intact and only the location of the data has been deleted. Or the data may indeed be erased (partially or completely overwritten) but residual data signatures may remain that can be read with special tools and used to reconstruct the original data.
Another challenge specific to SSDs is over-provisioning. An SSD generally has more raw capacity then what the operating system reports. This is because the SSD can’t directly overwrite old data with new data. The old data must first be deleted and then the new data can be written. The requirement to delete old data prior to writing new data causes a great deal of latency during write operations. To mitigate this challenge, the SSD has additional capacity hidden from the operating system. The new writes are re-directed and written to the additional capacity which is empty and ready to receive new data without requiring old data deletion. The old data remains intact until a process called “garbage collection” removes the old data, and returns the space to the pool of capacity ready to receive new data. Because of this issue old data awaiting garbage collection is invisible to the operating system, is difficult to delete, and can be read with special tools. In some cases up to 25% of an SSD’s capacity is invisible to the operating system and can be storing old data. On a 4TB SSD that could be nearly 1TB of old sensitive data that is retrievable and can present a security threat if maliciously used.
Military grade sanitization standards were created to irretrievably erase sensitive and top secret data from SSDs. The sanitization process overwrites all of the media where data is or would be stored. After the process is complete, all the media is void of all data including all residual data signatures, data stored in over-provisioned capacity, and old data awaiting garbage collection. With the exception of wear, the SSD is returned to its original “fresh out of the box” state.
It is also important to note that not all storage devices can perform military sanitization. The actual sanitization functions are performed internally by the SSD controller. Many commercial and enterprise SSDs do not support some or any military grade sanitization commands and cannot be used for DoD applications.
Proper execution of military sanitization processes ensure that data on the SSD has been erased, is irretrievable, and the device has been sanitized to comply with agency standards. If needed, there are a few tools available that can be used to confirm there is no recoverable data on the SSDs. As an example, WinHex, made by X-Ways Software Technology AG of Germany, is a powerful application that you can use as an advanced hex editor, a tool for data analysis, editing, and recovery, and a forensics tool used for evidence gathering. Many large US companies and institutions use WinHex to help verify that data cannot be recovered.
If a certificate of destruction is required, there are third-parties that provide data sanitization and verification services. These services often include clearly documented, monitored and audited processes and can provide a certificate of destruction.
Process and Custody
In some instances the loss of control of SSDs containing protected and sensitive information can be considered equivalent to disclosing that information. It can, and often is, considered a security breach and dealt with accordingly. It is critical that SSDs containing sensitive data be tracked though the entire sanitization process. Personnel handling the SSDs should be classified to handle the security level of the data being sanitized. Technicians performing the sanitization process need to be well trained to follow established procedures and have a means to verify the sanitization process was properly completed. Devices need to documented and logged before and after the sanitization process.
There is no single standard or process for military sanitization. Sanitization standards and methods vary depending on the branch of the military, type of device, and classification of the data being erased. The following matrix describes many of the popular DoD standards and the sanitization methods used on SSDs:
Sensitive military data must be protected regardless of how and where it is created, used, stored or transferred. When it is time to delete the data, the deletion process must be extremely thorough. Military grade sanitization standards were created to irretrievably erase sensitive and top secret data from SSDs. Standards and procedures have been created to ensure sensitive data remains secure and is never exposed to unauthorized personnel where it can be used to compromise our military efficiency and combat readiness. Sanitization standards and processes for the various departments of the DoD must be adhered to and followed to ensure our national security.
Writer: Zophar Sante, Business Development