
How to hit the security sweet spot with solid state drives

Until recently, hard disk drives prevailed as the dominant storage device on desktop computers, laptops, smartphones, tablets, servers, and data centres. But thanks to the drop in price for solid state drives (SSD), that has changed. SSDs are more popular among both individual users and businesses. But for all of the advantages, they also possess unique traits that present some difficulties in wiping data from them.

Unfortunately, knowledge of proper solid state drive erasure methods has not spread anywhere near as fast or as widely as SSD adoption. So you will often see methods that are assumed to be reliable – such as reformatting and factory resets – being performed on solid state drives. But that doesn’t mean it’s impossible to properly erase data from SSDs – it just means users need to understand the technical features, the key situations when data has to be absolutely erased and the most reliable data removal method to use.

Know the basics of how solid state drives work

Solid state drives are simpler than HDDs in that they don’t have moving mechanical parts. They’re also smaller, lighter and less power intensive. But as I said, SSDs are more complicated when it comes to wiping data from them. They apply complex data management schemes to distribute data across their internal memory chips. They also contain a much larger pool of spare memory capacity accessible only by the SSD. In turn, this prolongs the performance and life of the drives. But it also means that certain data on the drive remains hidden from the host.

Proactively plan to remove data in key situations

The reality of the world we live in today is that inordinate amounts of information are created, stored, tracked, and transferred within the digital universe. But nothing lasts forever – and that includes SSDs. These drives will eventually hit their end of life: when a server, storage device or other piece of IT infrastructure is retired, the drive has to retire along with it. And any data contained on it must be erased too.

Most businesses don’t have the capacity to store all of their data on their own premises, so they tend to move it from one location to another – be it to data centres, cloud storage environments or elsewhere. When this data is moved to its new location, it needs to be wiped clean from its original location. This often gets overlooked, and it’s something that more companies need to prepare for because of how common it is to move data between locations.

Another situation to be cognisant of – and plan for – is data that doesn’t need to live forever. This could be data that was created and stored for a particular time-sensitive project that involves confidential information and parties. When the project ends, the data needs to be erased permanently so that it doesn’t fall into the wrong hands.

Now it’s important to remember the varying types and amounts of corporate data that employees create and store on their laptops, desktop computers, smartphones and tablets. And a growing number of these devices are equipped with solid state drives. But it’s become so rare for employees to stay long periods of time at one company. So when employees leave the company – for whatever reason – all of that data must be erased before they leave. This is extremely important when you consider it’s not just personal information they’re storing on them; it’s often confidential and sensitive company information and files. If that data isn’t erased in the proper manner, it could jeopardise the business in multiple ways.

Following the EU’s passing of the General Data Protection Regulation in December 2015, it’s important to be able to securely, reliably, and verifiably remove data from SSDs when regulation demands that customer data is removed – or ‘forgotten.’ In order to prove compliance with this type of legislation – and those being imposed by other governing bodies – simply ‘deleting’ the data isn’t good enough. It must be completely expunged, forever.

One of the least desirable situations is the time after a major disaster hits, such as an earthquake, a hurricane, or a tsunami. In the same Red Cross and other charitable organisations are dispatched to deploy disaster recovery services. Part of that disaster recovery should include recovery of the data and storage at an offsite location. But once production systems are restored back to normal, any data left on the recovery drives needs to be erased.

Know the most reliable way to erase data from solid state drives

Although upkeep of SSDs can be complicated and difficult, it’s not impossible by any means. It just means users need to use the right data removal method, one that meets certain criteria. First, the method should accommodate the functionality differences of SSDs regardless of the manufacturer. Second, it’s critical to use an automated technique to remove system BIOS freeze locks – that allows users to have better access and control over their internal data erasure processes.
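To make the freeze-lock point concrete, the following added example (not part of the original article and not any vendor's tool) parses the "Security:" section that `hdparm -I` prints for a SATA drive and reports conditions that would block a firmware-level erase. It assumes a SATA SSD on Linux and the usual `hdparm` output layout; the sample text is constructed and the function names are hypothetical.

```python
# Constructed sample of the "Security:" section from `hdparm -I /dev/sdX`.
SAMPLE_FROZEN = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Flag labels this example looks for inside the section.
FLAGS = ("supported", "enabled", "locked", "frozen", "supported: enhanced erase")


def parse_security(text):
    """Return {flag: bool} for the ATA security flags in hdparm -I output."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # an unindented line starts the next section
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"  # hdparm prefixes cleared flags with "not"
        label = " ".join(words[1:] if negated else words)
        if label in FLAGS:
            state[label] = not negated
    return state


def erase_preflight(text):
    """List the conditions that would stop a firmware-level erase."""
    s = parse_security(text)
    problems = []
    if not s.get("supported"):
        problems.append("ATA security feature set not reported as supported")
    if s.get("frozen"):
        problems.append("drive is security-frozen: security commands are rejected")
    if s.get("locked"):
        problems.append("drive is locked: it must be unlocked first")
    return problems
```

An empty list from `erase_preflight` only means the drive will accept the erase command; the result of the erase still has to be verified and recorded separately.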

More importantly, users can’t simply assume the method and tool used to remove data from SSDs are reliable. They need to be able to benchmark both the method and tool against industry testing and validation standards. Without this, there is no true way to determine if the method and tool can be trusted. Following this same logic, anyone erasing data from SSDs – whether it’s an end user or an enterprise user – should demand physical proof that verifies all data has been completely erased. I often use the filing taxes analogy – users need to be able to show proof if the IRS comes knocking on their door. The same goes for data removal – proof will protect you from having data leaked and violating regulatory standards.

Pat Clawson, CEO, Blancco Technology Group