Confidently erase data in active environments and from used IT assets.
Boost services throughout the device lifecycle—from first sale to end-of-life.
Expedite processes, recover more marketable product, and increase services.
Home » Resources » How to Securely Erase Enterprise SSDs
Securely erasing SSDs means using a software overwriting process, verifying that process and receiving a certificate of erasure to achieve compliance with data sanitization standards. Whether you outsource this to an ITAD or do it in-house, here’s how to make sure your data is safe and that you comply with government and industry regulations.
New practices and policies are required to ensure effective sanitization when these devices move from one use to another—whether reused within the organization, sold or recycled, or destroyed entirely. These practices must align with increasing data protection regulations and the expectations of internal or external compliance auditors.
These expectations aren’t only for highly regulated industries, either (financial, healthcare, government, etc.). As businesses grow in their capacity to harvest and use consumer data, an increasing number of data privacy and protection regulations touch virtually every data-dependent organization. With these new regulations has come an increased focus on corporate governance practices, user access controls, and third-party access to sensitive data.
Anytime SSDs move from a more protected area to a less protected one, the data on them should be securely erased to prevent unauthorized access to confidential business and consumer information later on. Even shredded drives put companies at risk of unintended data disclosure: Because the data is stored so densely on solid-state drives, traditional shred sizes are large enough to leave some data recoverable.
Many companies choose to entrust their final IT asset erasure, recycling or destruction to an external IT asset disposal vendor, or ITAD. Such vendors often have a successful track record with drive sanitization and destruction. However, many ITAD vendors base this record on legacy data destruction methods for traditional “spinning” hard drives. These methods include overwriting, degaussing, physical shredding of the media, etc.
Unfortunately, when it comes to newer media types like SSDs, many of these traditional destruction methods tend to fail, precisely because the underlying physical infrastructure of SSDs are so different from that of HDDs. As previously noted with shred size, these failures can leave sensitive data behind.
Also, outsourcing to an ITAD generally applies only to devices that are to leave your protection. If you are intending to reuse devices internally, you likely won’t use an ITAD. For that, it’s important for you to know that your data erasure processes are breach proof—and you’ll still need to have the paper trail to prove it to internal or external auditors.
So how do you ensure your SSD-stored data is safe and your methods stringent enough to meet regulatory requirements?
Make sure your ITAD provider is following data sanitization best practices, and ask about whether they:
There are several reasons you may want to take on SSD data erasure yourself.
For instance, you may want to:
In each of these cases (besides outright device destruction), there’s also the added benefit of extending the life of your devices in support of corporate social responsibility (CSR) programs, including those that involve conserving natural resources and reducing e-waste.
Organizations that wish to take on this type of device erasure should look to an independent erasure software provider that has been certified and proven to perform secure erasure of solid-state drives. The software used to erase enterprise SSDs should provide verification of reaching hidden areas or areas set aside for overprovisioning, and it should also be able to overcome the BIOS freeze locks that prevent firmware-based erasure commands from executing.
There are several questions you can ask to help find the right type of software vendor for secure SSD erasure:
When first introduced for mass use, SSDs were shoehorned in as direct replacements for HDDs. First-on-the-scene SSDs fit into traditional HDD SATA connections, easing the transition away from legacy systems. This allowed organizations to think of these drives interchangeably while enjoying the benefits of solid-state functionality.
These benefits include faster applications and more productive employees, partners and clients. Yet the new technology landscape—one that includes daily breach reports and data leaks—also amplifies organizational responsibility over that data.
For their own wellbeing and that of their stakeholders, organizations must take greater care to protect both the data and the systems on which data is housed. This brings up end-of-life questions like how to securely erase data on all data storage drives before their ultimate disposal or potential reuse. This must include being aware of the unique data destruction needs of SSDs.
As for regulation compliance, both internal and external audits of organizations’ data security and protection practices are more common than they once were. Whether for individual records or whole batches of drives, auditors look closely at how user access controls have been applied in key areas. They also favor comprehensive reports demonstrating untampered audit trails. In terms of secure erasure processes, organizations must have documentation that clearly shows who, where, when and how secure data erasure was performed on any company-owned system or device.
Sanitizing your SSD devices properly provides peace of mind. You’ll be confident that no sensitive data is available to anyone after your devices are securely erased, and you’ll have the documentation to prove that you’ve met or exceeded what regulations require.
Download our whitepaper, “How to Securely Erase Different SSDs: NVMe, PCIe and More.”