Updated: September 30, 2019
Overview: Securely erasing SSDs means using a software overwriting process, verifying that process and receiving a certificate of erasure to achieve compliance with data sanitization standards. Whether you outsource this to an ITAD or do it in-house, here’s how to make sure your data is safe and that you comply with government and industry regulations.
When to Securely Erase Data on SSDs
New practices and policies are required to ensure effective sanitization when these devices move from one use to another—whether reused within the organization, sold or recycled, or destroyed entirely. These practices must align with increasing data protection regulations and the expectations of internal or external compliance auditors.
These expectations aren’t only for highly regulated industries, either (financial, healthcare, government, etc.). As businesses grow in their capacity to harvest and use consumer data, an increasing number of data privacy and protection regulations touch virtually every data-dependent organization. With these new regulations has come an increased focus on corporate governance practices, user access controls, and third-party access to sensitive data.
Anytime SSDs move from a more protected area to a less protected one, the data on them should be securely erased to prevent unauthorized access to confidential business and consumer information later on. Even shredded drives put companies at risk of unintended data disclosure: Because the data is stored so densely on solid-state drives, traditional shred sizes are large enough to leave some data recoverable.
But, Wait! Can’t Our ITAD Vendor Take Care of All This for Us?
Many companies choose to entrust their final IT asset erasure, recycling or destruction to an external IT asset disposal vendor, or ITAD. Such vendors often have a successful track record with drive sanitization and destruction. However, many ITAD vendors base this record on legacy data destruction methods for traditional “spinning” hard drives. These methods include overwriting, degaussing, physical shredding of the media, etc.
Unfortunately, when it comes to newer media types like SSDs, many of these traditional destruction methods tend to fail, precisely because the underlying physical infrastructure of SSDs is so different from that of HDDs. As previously noted with shred size, these failures can leave sensitive data behind.
Also, outsourcing to an ITAD generally applies only to devices that are to leave your protection. If you are intending to reuse devices internally, you likely won’t use an ITAD. For that, it’s important for you to know that your data erasure processes are breach proof—and you’ll still need to have the paper trail to prove it to internal or external auditors.
So how do you ensure your SSD-stored data is safe and your methods stringent enough to meet regulatory requirements?
How to Securely Erase Data on SSDs Using an ITAD
Make sure your ITAD provider is following data sanitization best practices, and ask about whether they:
- Sanitize SSDs onsite. Give preference to vendors who can destroy data onsite rather than moving them to their facilities. While some vendors have processes in place to transport intact SSDs, you are fully entrusting your intact data to a third party with little to no recourse if your devices are accessed inappropriately. With onsite data erasure (as well as onsite physical destruction) fully available in most cases, there’s no reason to take such risk. Keep in mind that you may have to dedicate internal resources to supervise the process, however.
- Erase SSDs completely. SSD data destruction methods should comply with a respected data sanitization standard. This means using an overwriting method that reaches all sectors of the SSD, including overprovisioning areas. Your ITAD vendor should be able to confirm this with recommended verification methods and a certificate of erasure.
- Reinforce cryptographic erasure through data erasure. While physical destruction and erasure are permanent, cryptographic erasure is not. If your ITAD providers use this method, adding on secure data erasure processes mitigates against the potential for data to be recovered after cryptographic erasure.
- Destroy SSDs adequately. If you are asking your ITAD to physically destroy your drives, make sure the shredder uses a shred size of less than .5″, and if highly sensitive, even as little as 2mm (the size recommended by the U.S. National Security Administration). As data storage continues to become more compact, more data is available in smaller areas. Also, chips are hardening to the point of causing damage to shredders, and shredders will continue to need to innovate to compensate. For particularly sensitive data, erasing data before shredding guarantees that data is completely beyond recovery, even as data storage and recovery technologies advance.
- Provide audit-worthy documentation. For each of the scenarios above, insist upon a certificate of erasure or destruction for every asset, along with a tamper-proof audit trail for all data destruction projects. Documentation should list every device involved, the sanitization method used, and other relevant details. The National Institute of Standards and Technology (NIST) lists pertinent details to include in their NIST Special Publication 800-88, Rev. 1, “Guidelines for Media Sanitization.” Our free NIST SP 800-88 “Media Sanitization Guidelines” Quick-Start Guide also lists these requirements.
How to Securely Erase Data on SSDs Yourself: Use the Right Software
Why “DIY” is Valuable
There are several reasons you may want to take on SSD data erasure yourself.
For instance, you may want to:
- Erase SSDs for internal use. Data storage can be expensive. Getting the most out of your investment can include reusing once top-of-the-line data storage devices in other departments with less demanding processing needs—but only if the previous data has been erased.
- Erase SSDs for external use. Whether you are donating, reselling, or returning devices to the manufacturer, erasure ensures that data never transfers to another user, even though your devices do.
- Erase SSDs before outsourcing. Erasing your data before sending directly to an ITAD for destruction or resale means you have control over where, when, and how your devices are sanitized before a third party takes over.
In each of these cases (besides outright device destruction), there’s also the added benefit of extending the life of your devices in support of corporate social responsibility (CSR) programs, including those that involve conserving natural resources and reducing e-waste.
Finding the Right Tools for Secure Data Erasure
Organizations that wish to take on this type of device erasure should look to an independent erasure software provider that has been certified and proven to perform secure erasure of solid-state drives. The software used should provide verification of reaching hidden areas or areas set aside for overprovisioning, and it should also be able to overcome the BIOS freeze locks that prevent firmware-based erasure commands from executing.
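As an added illustration (not part of the original article or of any vendor's software), the Python example below detects the freeze lock described above on a SATA drive by parsing the Security section that `hdparm -I` prints. The sample output is constructed, and the function names `parse_security` and `erase_readiness` are hypothetical.

```python
# Added example: detect an ATA security freeze lock from `hdparm -I` text.
FLAGS = {"supported", "enabled", "locked", "frozen",
         "expired: security count", "supported: enhanced erase"}

# Constructed sample of the relevant part of `hdparm -I /dev/sdX` output.
SAMPLE_FROZEN = """\
ATA device, with non-removable media
\tModel Number:       EXAMPLE SSD 256GB
\tSerial Number:      CONSTRUCTED0001
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

def parse_security(identify_text):
    """Return {flag: bool} for the flags listed under 'Security:'."""
    state, in_section = {}, False
    for line in identify_text.splitlines():
        if line.strip() and not line[0].isspace():
            # Unindented line starts a new section of the report.
            in_section = line.strip().startswith("Security:")
            continue
        words = line.split()
        if not in_section or not words:
            continue
        negated = words[0] == "not"
        name = " ".join(words[1:] if negated else words)
        if name in FLAGS:
            state[name] = not negated
    return state

def erase_readiness(identify_text):
    """Classify whether a firmware erase command can be issued right now."""
    sec = parse_security(identify_text)
    if not sec.get("supported"):
        return "unsupported"   # no ATA Security feature set reported
    if sec.get("locked"):
        return "locked"        # drive must be unlocked first
    if sec.get("frozen"):
        return "frozen"        # rejected until power cycle or hardware reset
    return "ready"
```

A result of `frozen` means a firmware-based erase would be refused, so the erasure record should not claim that method until the drive reports `ready`.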
There are several questions you can ask to help find the right type of software vendor for secure SSD erasure:
- Which methods or algorithms does the vendor’s software use to perform secure erasure of SSDs?
- How does the vendor’s software verify it has securely erased a device’s data?
- Is there a way to automate the secure erasure of multiple devices simultaneously? Can this process be done remotely via a computer network or via a cloud interface?
- What types of centralized reporting, auditing, and user access controls are available in the software?
- How well do reports and audit features aid in compliance with key data protection regulations or guidelines?
- How customizable are the reports?
- How easy is it to share, save, export or send erasure reports to others?
- Does the vendor’s erasure software allow for integration with existing management systems?
- Does the software overcome BIOS freeze locks that may result in incomplete data destruction?
- How well can the software help fulfill industry standards (ADISA) or comply with guidelines (NIST) that specifically recommend SSD sanitization?
Addressing Data Regulations and Security with SSD Erasure
When first introduced for mass use, SSDs were shoehorned in as direct replacements for HDDs. First-on-the-scene SSDs fit into traditional HDD SATA connections, easing the transition away from legacy systems. This allowed organizations to think of these drives interchangeably while enjoying the benefits of solid-state functionality.
Solid-State Drive Benefits Require Caution at End-of-Life
These benefits include faster applications and more productive employees, partners and clients. Yet the new technology landscape—one that includes daily breach reports and data leaks—also amplifies organizational responsibility over that data.
For their own wellbeing and that of their stakeholders, organizations must take greater care to protect both the data and the systems on which data is housed. This brings up end-of-life questions like how to securely erase data on all data storage drives before their ultimate disposal or potential reuse. This must include being aware of the unique data destruction needs of SSDs.
As for regulation compliance, both internal and external audits of organizations’ data security and protection practices are more common than they once were. Whether for individual records or whole batches of drives, auditors look closely at how user access controls have been applied in key areas. They also favor comprehensive reports demonstrating untampered audit trails. In terms of secure erasure processes, organizations must have documentation that clearly shows who, where, when and how secure data erasure was performed on any company-owned system or device.
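The documentation requirements above (every device, the method used, and who, where, when and how) can be kept in a tamper-evident form. The Python example below is an added illustration, not the article's or any vendor's code: it chains each erasure record to the previous one with SHA-256 so that an edited or removed entry is detectable. The field names and sample records are constructed assumptions.

```python
import hashlib
import json

# Assumed minimum fields per erased device (who, where, when, how, result).
REQUIRED = ("serial", "method", "operator", "location", "timestamp", "verified")
GENESIS = "0" * 64  # "previous hash" used for the first entry

def _digest(record, prev_hash):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_record(log, record):
    """Append one erasure record, linked to the previous entry's hash."""
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        raise ValueError(f"erasure record missing fields: {missing}")
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": _digest(record, prev)}
    log.append(entry)
    return entry["hash"]

def verify_log(log):
    """Return the index of the first entry that breaks the chain, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry["record"], prev):
            return i
        prev = entry["hash"]
    return -1

def build_sample_log():
    """Constructed records: one verified erasure, one failed verification."""
    log = []
    append_record(log, {"serial": "CONSTRUCTED0001", "method": "overwrite",
                        "operator": "tech-01", "location": "onsite-lab",
                        "timestamp": "2019-09-30T10:15:00Z", "verified": True})
    append_record(log, {"serial": "CONSTRUCTED0002", "method": "overwrite",
                        "operator": "tech-01", "location": "onsite-lab",
                        "timestamp": "2019-09-30T10:42:00Z", "verified": False})
    return log
```

The chain only exposes tampering if the latest hash is also kept where the log's editor cannot change it, such as a signed report or a separate system.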
Be Confident that You’ve Covered Your Bases
Sanitizing your SSD devices properly provides peace of mind. You’ll be confident that no sensitive data is available to anyone after your devices are securely erased, and you’ll have the documentation to prove that you’ve met or exceeded what regulations require.
To learn more about permanently removing data, specifically on newer storage technologies such as SSDs, download our white paper, “How to Securely Erase Different SSDs: NVMe, PCIe and More.”