SSDs (Solid State Drives) are now used as storage media in business almost everywhere. According to a new survey conducted by Kroll Ontrack, a specialist in data recovery, IT departments are still challenged by error rates, data recovery and secure data destruction.
The results showed that 91% of the companies surveyed deploy SSDs, mostly on the client side (i.e. in desktop PCs and laptops). The survey further found that 51% of companies had to replace deployed SSDs due to a defect.
The high performance of SSDs is the most important reason to use them for businesses. Ninety-five percent of respondents said performance is the primary criteria for the acquisition of SSDs. Only 31% of respondents indicated that reliability was a factor. We expect the number of SSDs failing or needing destruction to increase significantly over the next couple years, as the adoption rate soars for enterprise use. Survey responses indicated that a total of 70% of companies have used SSDs since 2011 or 2012.
When a company replaces a number of solid state drives, there is a real need to ensure business continuity and protect confidential data from being lost. Data recovery and secure data destruction are critical needs that need to be addressed. However, most companies do not have an appropriate method for recovering data from failed drives or securely disposing of the media. Data recovery can be very difficult because proprietary encryption technologies are used.
Not immune to failures There is a perception that SSDs are very safe because the data is stored on flash memory chips rather than magnetic tapes or rotating disks. Thus, data loss typically associated with mechanical problems or hardware damage (i.e. damaged platters, defective heads or bad motors) can be avoided. Nevertheless, SSDs are not immune from defects. The survey has revealed that more than half of the participants (51%) already had to replace defective SSD media one or more times.
Erasure not always safe “Our survey shows that the first big wave of destruction of SSDs is still to come,” said Jim Reinert, senior director at Kroll Ontrack. “Assuming that the average drive lifecycle in business is about three years, many companies will be faced with the question of how they can dispose of their old SSDs safely without endangering their sensitive corporate data. Many companies are taking a residual risk – sensitive data remains on the plates, and can fall into the wrong hands. ”
In the case of a defect or in a regular exchange at the end of the lifecycle, SSDs usually leave the company without secure data destruction. To make sure there are no security gaps and compliance guidelines are followed, secure data deletion is essential. Conventional methods, however, cannot always get rid of all traces of data stored on SSD and flash. Because of the special technical architecture of SSD media data, each write operation stores data to a different physical location. Therefore, it is possible that even after several rewrites, traces of the original data remain in specific memory cells. Such methods are therefore not suitable for companies with high demands on data security.
The Kroll Ontrack survey shows that there is still no standard for SSD erasure. Forty percent of companies surveyed rely on the physical destruction of SSDs (typically by a shredder). Thirty-one percent use software for data deletion. Encryption methods, in which hardware or software keys are deleted before replacing the SSD to make the data unreadable, are used by a total of 22%. And, almost 20% of respondents have not decided nor have a method of data destruction.
Recommendation: To protect data on SSDs without residual risk So far, the physical destruction of SSDs is the only really safe method for data erasure of SSDs. However, if a drive is shredded, it cannot be re-used. This makes the resale or lease impossible and drives up the cost.
Alternatively, Kroll Ontrack recommends a multi-tiered business approach:
1) Do not use Self-Encrypting Drives (SEDs). This type of encryption is very secure, but ensures total data loss in the event of a failure. With SEDs, the encryption keys are only known to the hardware manufacturers and will not be released. What this means is in the event of a failure, the data is no longer accessible to professional data recovery companies. Thus, the use of this technology is strongly discouraged.
2) Since the use of SEDs is discouraged, Kroll Ontrack recommends the use of software encryption. This solution offers a combination of software and cryptographic erasure. This allows the data on the SSD to be in inaccessible without residual risk. Companies should require that all data stored on SSDs be stored in a software encrypted format.
3) Overwrite the SSD by professional erase software once the SSD has been decommissioned. Multiple overwrites with specialized software, such as Ontrack Eraser 4.0, is the first step. Professional software for data erasure that overwrites the data multiple times is the best way to ensure no data is recoverable.
4) Make residual data cryptographically inaccessible. Unlike traditional hard drives, erasure of SSDs cannot guarantee that no data traces are left in individual blocks. The best way to combat this is to delete the encryption keys or change the passwords when a SSD is decommissioned or at least on a regular basis. Removing the decryption key will make any residual data permanently inaccessible.
“At the moment, this is our recommended procedure, as there is no surefire alternative,” said Jim Reinert. “Our survey shows that many companies are still unsure how they can reduce the risk of residual data after deletion. Only 15% use encryption software so far and then delete the key; 40% rely on physical destruction. Moreover, we note that many SSD manufacturers still rely on controllers with proprietary encryption, which means that when a drive is damaged the data can be lost forever.”
Background to the survey Kroll Ontrack conducted this survey among 88 company representatives from Germany, Austria and Switzerland in April through June 2013. Fifty-two percent of respondents work in small companies with fewer than 50 employees and 31% in large companies with more than 500 employees.