SSD Erasure: What Enterprises Need to Know

Solid-state drives (SSDs) can be used alone in a single device, such as in a laptop. Often, however, they are used in tandem with hard disk drives (HDDs) in single machines, or alongside them (in data centers, for instance) to meet the data storage needs of an entire enterprise. This mixed environment can introduce confusion over how to address data destruction for these two very different types of drives.

Russ Ernst As Blancco CTO, Russ drives product strategy and execution across our Blancco solutions suite. At IT and data security industry conferences, he addresses data lifecycle management, end-of-life IT management, and data sanitization best practices. He also covers how organizations can reach their sustainability goals and fuel the circular economy through secure disposal processes. In addition to the Blancco website, you'll find his insights in Recycling Today, Security Boulevard, Data Center Knowledge, Business Insider, and The Fast Mode, as well as in the upcoming book, Net Zeros and Ones: How Data Erasure Promotes Sustainability, Privacy, and Security.

Since the beginning of personal computing, tech enthusiasts have been interested in expanding and innovating how data is stored. Traditional hard disk drives (HDDs) have essentially remained the same since they appeared on the market in the 1950s. But while HDDs are still popular, newer, faster and more efficient technologies are being used in everything from personal notebooks to large data center servers.

The most prevalent of these new technologies are solid-state drives, or SSDs. According to Transparency Market Research’s SSD market research, the global solid-state drive (SSD) market is expected to reach $229.5 billion by 2022—more than the entire 2018 gross domestic product of Iraq, Peru, or Greece.

SSDs can be used alone in a single device, such as in a laptop. Often, however, they are used in tandem with their HDD counterparts in single machines or alongside them (in data centers, for instance) to meet the data storage needs of an entire enterprise. This mixed environment can introduce confusion over how to address data erasure for these two very different types of drives.

Pros & cons of SSDs (and how HDDs compare)

SSDs are available in a variety of interface formats, but the three most popular are SATA, PCIe and NVMe.

• SATA drives are available in terabyte instances. And because most traditional HDDs use the SATA interface, an SSD with a SATA connection allows an easier transition from legacy HDD technology.
• PCIe drives connect to the PCIe lane of a motherboard, enabling high-performance speeds and efficiency. They are suitable for buffering and caching applications and loading databases quickly and are popular due to the increasing demand for video.
• NVMe drives are strictly flash-based and provide vastly greater speeds than SATA or PCIe drives. They have seen increasing use as resource-intensive needs for real-time analytics, rapid Internet of Things data processing, and robust gaming applications have grown. They are known for being highly scalable and being well suited to handle the exponential rise of data collection and data handling.

SSDs are more expensive than HDDs, but they are getting more affordable each year. For enterprises, New Egg Business reports that a terabyte of storage on an SSD can easily be five or six times as much as as the same capacity on an HDD. SSDs can lower overall total cost of ownership, however: They have lower latency, faster read/writes, and support more IOPS (input/output operations per second). They also use less power (leading to lower operating costs), weigh less and, because they have no moving parts, are more durable.

When it comes to SSD erasure, though, there are some risks.

Data destruction risks with SSDs

Unlike hard disk drives, SSDs do not use a spinning disk to store data. Instead, they store on flash memory chips. While this leads to both greater durability and data density, it means they’re more difficult to sanitize through traditional methods. In fact, their unique data sanitization requirements can cause data security issues when it comes time for data erasure or destruction.

Types of data destruction and how they affect SSD erasure

• Degaussing, a tried and true data destruction technique that rearranges the magnetic fields on electronic media, is not effective on most flash-based memory devices, including SSDs. This is because SSDs use integrated circuit (IC) assemblies (interconnected flash memory chips) to store data instead of storing it magnetically. So, if care is not taken to separate SSDs from HDDs during degaussing, the data stored on SSDs will be left behind.
• Crypto Erase, or cryptographic erasure, is a newer form of data sanitization. Technically speaking, however, it does not destroy the data itself. Instead, it is a highly efficient way of sanitizing disks that have encrypted data. It deletes all of a drive’s encryption security keys and replaces them with new ones, effectively obscuring the data that remains. However, users can impact the quality of encryption and the resulting success of cryptographic erasure during key generation. Also, if sensitive data is saved to the disk before encryption occurs, the unencrypted data will still be recoverable. The use of Crypto Erase is inconsistent from SSD manufacturer to manufacturer, too, which further complicates the process. This further introduces risk when using cryptographic erasure as a primary data sanitization method. See our white paper, “The Crypto Erase Conundrum: What’s Your Organization’s Risk Tolerance?” for more on this topic.
• Physical destruction such as shredding or crushing is the ideal form of data destruction for many storage mediums; however, SSDs are not fully destroyed by standard hard disk drive shredders. The common shred sizes of these machines fail to fully destroy the data chips on high-density SSDs, which can require shred sizes as small as 2 millimeters (per the U.S.’s National Security Agency (NSA)). And, with data storage density continually increasing, the result of shredding at larger sizes is that SSD IC chips can remain fully intact, and information can still be recoverable by hackers.
• File shredding or wiping destroys data on individual files and folders by data overwriting, but typically doesn’t reach the hidden or overprovisioning areas of an SSD. For SSDs, overprovisioning is the practice of including extra storage capacity on a disk to spread out read/write wear across a larger data storage area. Even with this tactic, repeated binary overwriting shortens the lifespans of SSDs by increasing wear overall. Also, unless you can independently confirm that data has been deleted, most “pre-installed” data wiping utilities aren’t secure or reliable. This is important because of technical hindrances to overwriting, such as the presence of BIOS freeze locks. Freeze locks can prevent some low-level, firmware-based erasure commands from being executed successfully, causing the erasure to fail.

Each of these methods vary greatly in the kind of verification they can provide, with many providing little to no verification at all. This is a critical piece for enterprises across industries, as many regulations require verification of erasure to comply with data privacy, protection and security policies.

A note on disk defragmentation and SSDs

Disk defragmentation software typically comes pre-installed on personal computers and is promoted as a way to increase a machine’s performance. Running disk defragmentation on HDDs will allow you to see a distinct difference in performance because data is rearranged to move related file fragments closer together. This technique is only for HDDs and does not delete data in the sense of making it unavailable. Regardless, disk defragmentation isn’t effective for SSDs and can seriously damage them over time.

Why secure data erasure is the answer for SSDs

Disk management tools, along with the other data destruction and erasure methods above, must evolve to meet the needs of SSDs even as they continue to evolve.

As your organization integrates SSD technologies into your data storage and processing infrastructure, it’s critical to consider how you will protect that data once your SSDs are ready for reuse, recycling, or another end-of-life destination. Secure SSD erasure overwrites the data as many times as required, erases the data all the way down into the over-provisioned cells, and provides verification that complete sanitization has occurred.

Questions to ask when choosing a vendor for SSD erasure

SSDs are the leading storage technology when it comes to speed and processing, and are expected to surpass HDD global shipments by 2021. You need to ask the right questions to ensure your SSD-stored data is protected from unauthorized access all along its lifecycle, including at the end.

Use the questions below to gauge the effectiveness of your selected end-of-life data protection method, no matter which you choose.

Want more information on SSDs and their unseen destruction risks? Download the whitepaper now.

Originally published January 26, 2017, updated and expanded September 27, 2019.

You may be interested in:

What is Common Criteria Certification, and Why Is It Important?

Understanding the financial risks of cybersecurity complacency

The New Jersey Privacy Act: What You Need to Know

The newly signed New Jersey Privacy Act impose new obligations on businesses when it comes to handling consumer data. Here is what you need to know to stay in compliance.

IBM® Launches Infrastructure Data Erasure—And These 5 Storage Network Benefits Come With It