Secure SSD Erasure: Data Security, False Positives & Keys to Outsourcing SSD Disposal

Sep 23, 2019 Technical Article

Highly regulated organizations are used to the regulatory microscope. A growing spate of international, national, regional and state regulations now prescribes the secure handling and disposition of sensitive information. What they don’t always cover, however, is a seldom-discussed subset of secure data disposal: the secure SSD (solid state disk) erasure process used at an SSD’s end of life.

To address this subset of secure data disposal, this article poses two questions: “Is your ITAD vendor’s SSD erasure process really secure?” and “Why should you care?”

Why Should I Care About a Secure SSD Erasure Process?

While the price decreases for SSDs have stabilized, recent market trends continue to show these types of drives are widely used in global enterprise companies. SSDs can be found in PCs and laptops, in servers (in various forms, such as PCIe cards), and in hybrid or all-flash arrays. Database systems that require fast processing also rely more on underlying SSDs to replace or augment slower, “spinning” hard disk systems.

At the same time, many highly regulated organizations are in the midst of a technological paradigm shift. Most are now transforming their approach to data storage and operations, moving sensitive information systems to the cloud. This leaves their IT teams faced with decommissioning on-premises storage devices, including those using SSDs.

Many IT or IS teams trust their IT asset disposition (ITAD) vendors to take care of such secure, end-of-life disk sanitization and disposal for them. Unfortunately, many ITAD service providers are not always clear about how well various methods work to securely erase the contents of an SSD.

Is Your ITAD Vendor’s SSD Erasure Process Really Secure?


It pays to take a closer look at whether the data erasure process your ITAD vendor uses for SSDs is truly secure. Unfortunately, in too many cases, the answer is “No.”

Many ITAD vendors rely on common industry practices for sanitizing or wiping data. These practices are based on traditional hard disk drive (HDD) systems. However, because SSD technology differs so much from HDD technology, most traditional HDD erasure and disk wiping methods are ineffective with SSDs. These and other ineffective methods for sanitizing SSDs are listed below:

Even NIST’s SP 800-88 Rev. 1 “Guidelines for Media Sanitization” draws attention to the “variability of implementations” when it comes to SSD sanitization issues, as well as the concurrent need for additional verification of secure deletion for any specific methods used (see our NIST Quick-Start Guide).

Conversely, secure SSD erasure methods remove data completely.

Building a Better Mousetrap: How to Avoid False Positives in SSD Erasure

As the SSD market matures, new standards will ultimately help refine or correct many issues, including those surrounding secure erasure of SSDs. But, in the crowded SSD market with multiple iterations of current and legacy SSD products, discrepancies between manufacturer implementations (and vendor algorithms) will remain.

So what can enterprises or their ITAD providers do to ensure secure erasure of their SSDs? It helps to start looking to external, third-party software vendors to do much of the heavy lifting for you.

Software vendors should be able to demonstrate proof of their successful erasure process via independent testing by data forensics or recovery organizations and groups like the Asset Disposal & Information Security Alliance (ADISA). Or, go the extra step and choose a vendor with a patented and secure SSD erasure process that covers all common SSD interfaces, such as Blancco Drive Eraser.
