The security pitfalls of SSDs: Important things to remember

Solid state drives (SSDs) are a compelling proposition for IT procurement, as they have several advantages over hard disk drives (HDDs). The lack of moving parts means they generally last longer and are more reliable. Their faster access speed enables programs to run faster. Plus, they use less power, which improves device battery life and generates less noise. Prices are dropping fast, making this less of a factor when evaluating the two technologies side-by-side.  

It’s no surprise that Gartner predicts 2017 will be the year revenue from enterprise sales of SSDs surpasses that from the older, more established technology. However, if organisations don’t want to run into substantial problems further down the line, a key question must be asked. Do IT and security teams have a good enough understanding of the technology to manage it appropriately? Take the data sanitisation process at the point when an SSD-based device is due to be recommissioned, recycled or resold. Are the correct methods for carrying out and validating the complete sanitization and erasure of data both known and understood? Unfortunately, our research proves they’re not.   

We surveyed over 300 IT professionals worldwide to understand the data security challenges and limitations organisations face with the management and storage of SSDs. We asked them to identify the correct definition of data sanitisation and gave them four multiple choice answers to choose from. 64% failed to pick the correct answer. This reflects how difficult it can be to understand what data sanitisation means. That’s before organisations tackle the bigger issue of knowing where and how data is being stored. In a rapidly changing technology landscape, it is difficult for experienced IT professionals to keep on top of the mix of underlying storage technology present in their IT equipment and devices.   

Where are things going wrong? Digging deeper into the results, we discovered an over-reliance on encryption and the reformatting of drives. When asked which methods organisations use to prevent data loss /theft from SSDs, 35% of those surveyed said they reformat drives. This is despite this method having been called out time and again as an ineffective means of data erasure. We, ourselves, discovered this to be true when we purchased 200 used solid state drives and hard disk drives from eBay and Craigslist. 67% of those used drives contained personally identifiable information and 11% contained sensitive corporate data. As if that weren’t scary enough, we were able to recover company emails, CRM records and spreadsheets containing sales projections and product inventories. 

Formatting a drive doesn’t erase data; it simply removes pointers in the file system allowing new data to be overwritten at a later date. It makes the data slightly harder to locate, but the information is still there just waiting to be rediscovered using freely available forensic tools. Think of it as deleting a library’s referencing system but leaving all of the physical books sitting on the shelves.   

Now let’s talk about encryption. It’s often seen as the perfect answer to data security but has its own flaws. If there’s an error in the encryption process or handling of the encryption key, then the data isn’t properly erased from the drive, which means it can easily be recovered and left exposed to a potential data breach. Also, encryption software doesn’t generally verify an asset has been erased and when it does, it tends to be as a single line of text on the log page. As a result, this approach may not be compliant with data security regulations that require certified proof that equipment has been properly sanitised before being discarded, repurposed or resold. Finally, in reality decryption is a real possibility and time is the enemy. Encryption has a ‘Use By’ date and will eventually succumb to attacks from faster computing technology. Despite these challenges, 62% believed encryption alone is sufficient to protect data from being accessed or breached. 

Another common risk we identified was that the loss/theft of drives and the prospect of employees leaking data for personal gain continue to rank low on IT professionals’ list of SSD security challenges. Although organisations may not consider these their biggest security threats, a growing number of data breaches have resulted from improper data removal and sanitisation. 

Take for example the health insurer Centene, who in January 2016 announced it had lost six hard drives containing the health information for 950,000 beneficiaries. According to the company, the drives were part of a data project using laboratory results to improve the health outcomes of members and the incident resulted from “an employee not following established procedures on storing IT hardware”.   

In March this year, a thief was reported to have stolen a hard drive containing the personal information of 2,200 LSU Health New Orleans patients from the Department of Neurology Research. The hard drive contained patient lists for research studies done between 1998 and 2009, including names, dates of birth and diagnosis and treatment codes. The organisation stated IT policies designed to protect health information, including the use of encrypted mobile devices had not been adhered to and that remedial action would be taken. Not that this was of much consolation to those impacted.   

Under the current legislative environment, the above two examples already proved severely damaging to the organisations involved. However, were they to be repeated in 12 months’ time once the EU GDPR comes into force, and were EU citizen and resident data to be involved regardless of the location of the company, then the financial and reputational damage would be significantly higher. 

The reality is that with the right safeguards in place there is no reason why increased use of SSDs within the enterprise should negatively influence overall security. Yet organisations cannot afford to be lax in how they manage and erase SSDs.   

This a summary of the Blancco Technology Group research study: Security limitations of SSDs. The full report is available here.   

Richard Stiennon, Chief Strategy Officer of Blancco Technology Group 

Image Credit: Pagefact / Pixabay