Occasionally, customers have asked my advice on which data erasure standard we recommend, or on the optimal number of erasure rounds required to securely erase a hard disk. That’s a complex question that depends on several factors, particularly technology changes, research findings and recommended procedures, which I will try to touch on in this post. First, let’s take a look at the target of all these concerns: the hard disk. Specifically, let’s look at what it means to overwrite a hard disk.

The magnetic Hard Disk Drive (HDD), introduced in 1956, didn’t gain prominence until the late 1980s. These days HDDs are by far the dominant medium for non-volatile data storage, and are expected to remain so for some time despite the rise of faster flash-based storage, including SSDs.

The HDD retains data on magnetic platters, where it can be preserved even without electrical power for many years. Though HDD technology is a huge asset in our data-centric world because of its large capacity and decreasing cost and physical size, it is a potential liability because it has to be disposed of properly. The safest and most cost-effective way to make data disappear without having to destroy an HDD is to simply overwrite a hard disk.

The evolution of data removal procedures
The process of removing data from storage media has been examined by different government agencies and organizations during the past 20 years. Operating manuals usually specify two kinds of procedures: clearing (to prevent recovering data using software) and purging/sanitizing (to prevent recovering data using laboratory techniques). While clearing procedures generally involve overwriting the HDD, purge procedures with higher security requirements vary, ranging from overwriting techniques combined with the execution of internal HDD commands (firmware based erasure) to degaussing or physical destruction of the media. The nature of the data (confidential or not) as well as other considerations (drive leaving the organization or not) define which procedures your organization needs to follow.

Both clearing and purging techniques are satisfied by the erasure process, which involves a complete removal of data, including verification and certification that the erasure has been performed successfully. This software-based method writes zeros and ones onto all sectors of any data storage device. Overwriting the data on the storage device renders it unrecoverable and achieves data sanitization.

Early 1990s
As early as the mid-1990s, operating manuals were released for classified information handling and data sanitization, the main one being the US Department of Defense’s National Industrial Security Program Operating Manual. This document specified that rigid magnetic disks should be sanitized by writing some “character, its complement, and then a random character” and is known as the “DoD 5220.22-M” standard.

Mid to late 1990s
In 1996, Peter Gutmann published a paper that upset the status quo by affirming that some laboratories were theoretically capable of retrieving data from overwritten hard disks by using sophisticated tools such as magnetic force microscopes. As a result, he proposed an overwriting method consisting of 35 passes! No need to panic, however: this algorithm was meant to be used on older HDD technology from the 1980s and 1990s that used MFM/RLL line coding techniques. It was also a combination of three different algorithms to overwrite different line encoding schemes, which partly explains the large number of passes. The arrival of newer HDDs using PRML techniques in the late 1990s made the drives using MFM/RLL techniques obsolete, along with Gutmann’s method. The same year, security expert Bruce Schneier published a book containing a method for data overwriting using 7 passes.

Curiously enough, early in 2000, several national agencies released operating manuals that recommended the use of more than 3 passes. A good example is the VSITR method by the German information security agency, BSI, which applied 7 overwriting passes. It became popular in Europe to use overwriting methods that consisted of 4 to 7 passes.

2006 and onward
Later in 2006, the DoD 5220.22-M operating manual removed all text mentioning any recommended overwriting method, and now leaned towards each entity making its own decisions based on its own risk and threat assessment. The US NIST in its Guidelines for Media Sanitization of 2006 (now revised) stated that “for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media.” The HMG Infosec Standard 5 published by the British CESG currently defines two methods with 1 and 3 overwriting passes, the latter being almost identical to the 1996 “DoD 5220.22-M” standard. In 2012, the newer BSI GS/E standards were made public, combining 1-2 overwriting passes of random data with firmware based erasure.

Today: the SSD

The storage technology of the moment is the solid-state drive. Though the technology has been around for decades, it wasn’t until 2005 that Samsung declared SSD a strategic market. Faster, more reliable and allowing for more storage capacity than their HDD counterparts, SSDs are highly efficient. However, they also come with data destruction concerns. SSDs are difficult to physically destroy to an acceptable level, and methods like degaussing don’t work on them. Fortunately, Blancco offers a patented erasure method to fully and securely overwrite different types of SSDs.

The technology changes of the last 15 years, such as the ever-increasing data density on disk platters, have made it unlikely that any attempt to recover data after overwriting will succeed. Multiple overwriting is not an absolute necessity anymore.

Regarding which algorithm to use, Peter Gutmann has stated that “for any modern PRML drive, a few passes of random scrubbing is the best you can do,” while the most recently revised version of NIST’s Guidelines for Media Sanitization states that “[t]he Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used.”

To ensure the overwriting process has been effective, NIST states that “verification must be performed for each technique within Clear and Purge…” Other research supports this idea.
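
The “character, its complement, and then a random character” sequence from DoD 5220.22-M, with the per-pass verification NIST calls for, as an added Python example (not code from the original post or from any erasure product). It runs against a constructed image file standing in for a drive; the function names and the 0x55 fill character are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # write and read in 1 MiB pieces

def overwrite_pass(path, fill):
    """Overwrite every byte once (fill=None: random); return SHA-256 of the data written."""
    remaining, written = os.path.getsize(path), hashlib.sha256()
    with open(path, "r+b") as dev:
        while remaining:
            n = min(CHUNK, remaining)
            chunk = os.urandom(n) if fill is None else bytes([fill]) * n
            dev.write(chunk)
            written.update(chunk)
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())  # push the pass out of the OS write cache
    return written.hexdigest()

def read_back_digest(path):
    """SHA-256 of what is stored now (real media: read the device, not a cache)."""
    digest = hashlib.sha256()
    with open(path, "rb") as dev:
        for chunk in iter(lambda: dev.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def erase(path, character=0x55):
    """Character, complement, random; each pass verified by read-back."""
    report = []
    for name, fill in (("character", character),
                       ("complement", character ^ 0xFF), ("random", None)):
        expected = overwrite_pass(path, fill)
        actual = read_back_digest(path)
        report.append({"pass": name, "sha256": actual, "verified": expected == actual})
        if expected != actual:
            break  # an unverified pass means the erasure cannot be certified
    return report

def demo():
    """Erase a constructed 64 KiB image file standing in for a drive."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"CUSTOMER-RECORD " * 4096)
    try:
        report = erase(img.name)
        with open(img.name, "rb") as f:
            return report, b"CUSTOMER-RECORD" in f.read()
    finally:
        os.unlink(img.name)
```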

To summarize, current trends in safe erasure recommend:

  • Using an erasure standard with no more than 3 overwriting passes with at least one pass of random data
  • When available, utilizing the drive’s firmware based erasure commands is a valuable addition and indispensable for erasing sensitive data
  • Additionally, several guidelines recommend removing and erasing any hidden area on the HDD as part of the erasure process
  • Finally, the best erasure is the one you can prove; therefore, a report proving verification and certification of the erasure of the storage medium is necessary.

Also note that the “optimal number of rounds” should be a balance between the security you want in your overwriting process and the time you actually decide to spend on each processed asset.

