Blancco slams enterprises for treatment of SSDs

Data erasure and mobile device diagnostics specialist Blancco has slammed IT departments over data protection on SSD drives. Its latest report has found that companies have an over-reliance on encryption to protect data. In addition, many still believe that simply reformatting an SSD is sufficient to remove all the data. With the growth of SSDs inside devices, Blancco believes that many companies are heading for data breaches.

Richard Stiennon, Chief Strategy Officer of Blancco Technology Group

Richard Stiennon, Chief Strategy Officer of Blancco Technology Group, said: “Our study’s findings underscore the difficulty many organizations face with managing, storing and protecting data on SSDs and are symptomatic of a larger data security problem. Many organizations and individuals place a great deal of their trust and reliance in encryption and reformatting to prevent data loss/theft from SSDs and minimize their exposure to a potential data breach.

“But there are certain data security challenges with encryption that are often overlooked when it comes to protecting data stored on SSDs. And we know from our own analysis of 200 used drives purchased from eBay and Craigslist that reformatting of SSDs could result in various types and amounts of personal and corporate information being left exposed and recovered. Organizations cannot afford to be lax in how they manage and erase SSDs – or they could find themselves hit by a data breach.”

Poor drive disposal techniques are nothing new

Recovering data from drives being sold on eBay, Craigslist and other places is nothing new. Security researchers and hackers have been doing this for years. Reformatting a drive has never been a foolproof way of destroying data. Some utilities simply overwrite the table at the beginning of a drive. This table helps the operating system find where a piece of data is located.

Others will attempt to overwrite the entire drive with 1’s and 0’s. For this to be effective against some of the recovery tools on the market, it needs to be done several times. This creates a problem for most organisations. It takes time and a proper disk disposal process to ensure that drives are overwritten enough times to make data recovery impossible. Despite this, 35% of organisations still persist with this approach.
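The difference between the two approaches above, and the verification pass that tells them apart, can be shown on a toy drive image. This is an added example, not code from Blancco or the report; the one-sector table layout, the sample files and all function names are assumptions made for illustration, and the image is a flat byte array that does not model a real drive's controller.

```python
import os

SECTOR = 512          # bytes per sector in this toy model
TABLE_SECTORS = 1     # assumption: the location table lives in sector 0

def build_image(files, sectors=64):
    """Constructed volume: sector 0 maps names to sectors, file data follows."""
    img = bytearray(SECTOR * sectors)
    entries = []
    for n, (name, data) in enumerate(files.items(), start=TABLE_SECTORS):
        if len(data) > SECTOR:
            raise ValueError("toy model stores one sector per file")
        img[n * SECTOR:n * SECTOR + len(data)] = data
        entries.append(f"{name}:{n}")
    table = ";".join(entries).encode()
    img[:len(table)] = table
    return img

def quick_format(img):
    """Reformat that only clears the table at the start of the drive."""
    img[:TABLE_SECTORS * SECTOR] = bytes(TABLE_SECTORS * SECTOR)

def full_overwrite(img, passes=3):
    """Random passes over every sector, then zeros so the result is checkable."""
    for _ in range(passes):
        img[:] = os.urandom(len(img))
    img[:] = bytes(len(img))

def residual_sectors(img):
    """Verification pass: sectors that still hold any non-zero byte."""
    count = len(img) // SECTOR
    return [n for n in range(count) if any(img[n * SECTOR:(n + 1) * SECTOR])]

def demo():
    files = {"payroll.csv": b"name,salary\nA. Example,50000\n",   # constructed
             "notes.txt": b"constructed sample note"}
    img = build_image(files)
    quick_format(img)
    after_format = residual_sectors(img)      # data sectors survive
    leaked = b"salary" in img                 # found without any table
    full_overwrite(img)
    return after_format, leaked, residual_sectors(img)

if __name__ == "__main__":
    print(demo())
```

After the table-only reformat the verification pass still reports both data sectors; only the full overwrite leaves it with nothing to report.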

Over half of companies (56%) sell and send their SSDs to IT Asset Disposition (ITAD) vendors and recyclers. Companies believe that this means the drives will be professionally wiped and cleaned prior to resale. This is not always the case. According to Stiennon: “49 percent of organizations consider efficiency and cost to be the most important factors when selecting an IT asset disposition vendor. Yet, only 16 percent factor in the vendor’s ability to permanently remove all data and 13 percent prioritize certifications and recommendations from governing bodies and institutions into their decision-making process.”

This lack of process is dangerous. Stiennon says it: “could put their organization and their sensitive data at serious risk of being exposed to a data breach.”

What should you be asking your ITAD partner?

A company cannot outsource responsibility for its data security. When using an ITAD partner, it should ensure the partner has the capability to safely erase or destroy drives and data. Stiennon provides a checklist for organisations to validate their ITAD partner. This list is designed for choosing an ITAD partner but it could provide a basis for a disposal contract. In the event of a data breach, that contract would, at least, give the company some recourse against the ITAD vendor.

The questions Stiennon believes should be asked are:

  1. Can your vendor support your organization wherever you operate?
  2. Does your vendor have the necessary certifications and approvals from governing bodies and industry organizations to ensure adequate and appropriate data security safeguards are in place?
  3. Does your vendor support the widest array of SSDs?
  4. Does your vendor use multiple write passes every time they overwrite data?
  5. Does your vendor use truly random data during overwrites or a predictable series?
  6. Does your vendor offer reliable, fail-safe verification of data erasure?
  7. Does your vendor check for and remove BIOS Freeze locks?
  8. Does your vendor’s product work across the cloud, onsite servers, virtual machines and mobile devices?
  9. Can your vendor provide independent benchmarks and testing results?
  10. Does your vendor offer you cloud, software and hardware solutions?
  11. Does your vendor track IT assets in real-time and maintain records to ensure all SSDs are accounted for and managed properly?
  12. Does your vendor store IT equipment in physically secure storage locations prior to disposition? Does your vendor have adequate controls in place for who can access such storage areas?
  13. If your vendor relies on multiple partners, can your vendor vet those partners against data security standards and best practices?
  14. Does your vendor minimize the environmental impact when discarding or recycling SSDs?

What does Blancco mean by encryption is not enough?

It’s a good question. The last few years have seen an increasing amount of encryption used to protect data on devices. Most of that encryption is strong and difficult to break. The problem is that strong encryption requires compute cycles to do its calculations. Software-based Full Disk Encryption (FDE) is limited and often leaves some part of the disk unencrypted. This is used for system and boot tasks. It also requires compute cycles to carry out the encryption.

The alternative is hardware FDE, in the form of Self-Encrypting Disks (SEDs). These have circuits built into the drive that do the encryption when data is moved to and from the drive. It removes the impact of software FDE on the CPU. This means that the user does not see any performance penalty from using SED. One of the big advantages of SED, according to Stiennon, is that: “…SEDs can be erased quickly just by changing or deleting the encryption key; this is called crypto erase.”

But there are other issues that need to be considered. The crypto key needs to be kept secure. More importantly, there are now demonstrable hacks that show SEDs can be broken into. The same hacks that work against software FDE also work against SED. This was demonstrated at Black Hat Europe in 2015. Two members of staff from KPMG Canada recovered data from laptops using SED.

It is this type of risk that Stiennon is referring to when he says: “There’s quite a bit of over-reliance on encryption as an end-all and be-all to data protection among both individuals and businesses. There’s this belief that by simply encrypting drives, businesses can protect and prevent themselves from being hit by a data breach.”

Data has to be decrypted to be used

If data was encrypted as soon as it was created and stayed encrypted it would be different. This is what Fully Homomorphic Encryption looks at. Data is encrypted at the point of creation and any action, such as searching, querying and other manipulation, would be done while the data stayed encrypted. The only time data is unencrypted is when it is displayed to the user. Such an approach requires massive computing power and scientists at IBM say we could still be a decade away from this.

For now, all data gets encrypted and decrypted whenever it is used. As Stiennon says: “when that happens, the data is left exposed and accessible to a cyber attacker, which could lead to a data breach of business information as well as fraud and identity theft for the employees.”

Conclusion

The problem with disposal of data on disk is not new. In many ways this report by Blancco just reiterates what has been a problem for decades. The only real way to ensure complete disk destruction is to chop it up with an angle grinder. For the absolutely paranoid, the pieces of platter can be put into an acid bath to completely erase them. Given current Health and Safety rules in the workplace this isn’t going to happen anytime soon or ever.

The key message here from Stiennon is that enterprises must have effective disk disposal and destruction processes. There is nothing to prevent the use of ITAD vendors but only if they meet strict standards. Even then there is a need to verify and prove that they are adhering to those standards.

There is a bigger issue here. Stiennon is talking about the corporate market but the rise of Bring Your Own Device (BYOD) opens up a wider threat. End users upgrade their hard disks and then throw the old ones away. Even if they hand them to their local computer recycling plant there is no evidence they will be properly wiped. With many of those disks containing corporate data, breaches are happening that are outside of the IT department’s control. This cuts no ice with the regulator.

Stiennon and the report avoided saying it but it’s time for companies to offer a disk recycling service to their own staff.
