DATA PROTECTION METHODS

With more and more valuable or sensitive data being stored on Solid State Storage devices, it is very important to make sure that you have the right level of protection. If you are concerned that your data might fall into the wrong hands, or you want to control how and when your saved data is viewed, you should consider the following methods.

Write Protect Switch

As displayed in the image to the right, this is a mechanism (plastic switch) that can be moved to set the device to Read Only (no writes) or left in the normal Read and Write mode. This is a low-level method that prevents modification or erasure of valuable data on a device. For example, you might use it when data has been uploaded to the device for viewing purposes only and you do not want the files to be overwritten or deleted.

Software Encryption

  • Shares the computer's resources with other programs on the computer to encrypt data; only as safe as your computer
  • Uses the user’s password as the encryption key that scrambles data
  • Can require software updates
  • Susceptible to brute force attacks: the computer tries to limit the number of decryption attempts, but hackers can access the computer's memory and reset the attempt counter
  • Cost-effective in small application environments
  • Can be implemented on all types of media

Hardware Encryption

  • Uses a dedicated processor physically located on the encrypted drive
  • Processor contains a random number generator to generate an encryption key, which the user’s password will unlock
  • Increased performance by off-loading encryption from the host system
  • Safeguards keys and critical security parameters within crypto-hardware
  • Authentication takes place on the hardware
  • Cost-effective in medium and larger application environments, easily scalable
  • Encryption is tied to a specific device, so encryption is “always on”
  • Does not require any type of driver installation or software installation on the host PC
  • Protects against the most common attacks, such as cold boot attacks, malicious code and brute force attacks

Hardware Based ATA Secure Erase

Most modern SSDs have built-in commands that instruct the on-board firmware to run a standard sanitization protocol on the drive to remove all data. Sanitizing is the removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique. For data that resides on hard drives and solid state drives (SSDs), a method known as ATA Secure Erase is the most effective. ATA Secure Erase is part of the ATA ANSI specification and, when implemented correctly, wipes the entire contents of a drive at the hardware level instead of through software tools.

Software tools overwrite data on hard drives and SSDs, often through multiple passes. The problem with SSDs is that such software overwriting tools cannot access all the storage areas on an SSD, leaving behind blocks of data in the service regions of the drive (examples: Bad Blocks, Wear-Leveling Blocks, etc.).

When an ATA Secure Erase (SE) command is issued against an SSD's built-in controller that properly supports it, the SSD controller resets all its storage cells as empty (releasing stored electrons), thus restoring the SSD to factory default settings and write performance. When properly implemented, SE will process all storage regions, including the protected service regions of the media. Secure Erase is recognized by the U.S. National Institute of Standards and Technology (NIST) as an effective and secure way to meet legal data sanitization requirements against attacks up to laboratory level.
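Whether a drive's controller supports Secure Erase, and whether it will accept the command right now, can be checked before any erase is attempted. The following is an added example, not part of the original page: it assumes the Linux `hdparm` utility, whose `-I` output includes a Security section, and parses a constructed sample of that section. The function names are hypothetical.

```python
# Constructed sample of the Security section printed by `hdparm -I /dev/sdX`.
SAMPLE = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.\n"
)

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_security(text):
    """Return the ATA security feature-set flags found in `hdparm -I` text."""
    state = dict.fromkeys(FLAGS + ("enhanced_erase",), False)
    in_section = False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # an unindented line starts the next section
        words = line.split()
        negated = bool(words) and words[0] == "not"
        if negated:
            words = words[1:]
        if words == ["supported:", "enhanced", "erase"]:
            state["enhanced_erase"] = not negated
        elif len(words) == 1 and words[0] in FLAGS:
            state[words[0]] = not negated
    return state

def erase_blockers(state):
    """List the reasons a Secure Erase command would be refused right now."""
    reasons = []
    if not state["supported"]:
        reasons.append("drive does not report the ATA security feature set")
    if state["frozen"]:
        reasons.append("security state is frozen until the drive is power-cycled")
    return reasons

if __name__ == "__main__":
    state = parse_security(SAMPLE)
    print(state)
    print(erase_blockers(state) or "no blockers found")
```

A drive that reports "frozen", as in the constructed sample, rejects security commands, so a sanitization procedure should record this check's result before relying on Secure Erase.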

Secure Erase Standards

| Protocols/Methods | Description | Secure Erase Level |
|---|---|---|
| Erase Only | Simply erase all existing data on disk and overwrite with 0x00 | 1 |
| DoD 5220.22-M | Erase and overwrite disk with one hex character (0x00 to 0xff, per the setting). Then erase again | 2 |
| NAVSO P-5239-26 | Erase and overwrite with random characters twice on disk | 3 |
| Random Erasing I | Erase all and fill all blocks on disk with random characters | 4 |
| Random Erasing II | Erase all existing data on disk. Then fill the whole disk with random characters N (1~99) times | 5 |
| Manual 130-2 | Erase and overwrite disk with random characters twice. Then erase and overwrite with one hex character (0x00 to 0xff, per the setting) | 6 |
| IREC(IRIG) 106 | Erase and overwrite with 0x55 then 0xAA on disk | 7 |
| USA-AF AFSSI 5020 | Erase and overwrite with 0x00. Erase and overwrite with 0xff. Then erase and overwrite with random characters on disk | 8 |
| NISPOMSUP | Erase and overwrite with one hex character (0x00 to 0xff, per the setting). Then fill with random characters | 9 |