As the pilot ejects inside enemy territory, the fighter jet triggers an automatic data-destruction sequence. Within 15 seconds, the highly classified mission data on the solid-state disk has been wiped out.
The storage device in this scenario didn't just burn up like the voice recorder in Mission: Impossible. Instead, the system's manufacturers simply took advantage of a key property of the flash memory chips that make up solid-state disks: Data can be erased much more quickly and thoroughly than it can with a magnetic, spinning hard disk. Solid-state disks, or SSDs, don't require six or seven passes to erase all traces of the bits on every track and sector. Once the bits have been reset in every flash memory cell, that data is gone forever, although meeting the most stringent government disk-sanitization requirements may still involve two or more passes.
The process is quick and efficient. "You're talking about seconds," says Gary Drossel, vice president of marketing at SiliconSystems Inc., a manufacturer of SSDs used in government systems. With a typical hard disk, just the process of getting every block on a drive of that size to spin under the read/write head would take almost an hour and a half, and the entire process could take three to four hours on a fast eSATA drive, according to experts at Texas Memory Systems Inc. and Kroll Ontrack Inc.
How Clean is Clean Enough?
Hard disks can leave behind a magnetic residue that, theoretically -- because of something called the hysteresis effect -- could be used to reconstruct the hard disk data. Whether in fact that's practical with today's disk drives is a matter of debate. But does this same potential weakness apply to solid-state drives? No, says Jamon Bowen, enterprise architect at enterprise SSD maker Texas Memory Systems Inc. If normal disposal processes are followed, your SSD data will be irretrievably erased, he says.
"With NAND [flash], you're storing a full amount of electrons on a floating gate, so there's no real way of telling what the value of that transistor used to be. Once you fully erase the drive, there is no ability to recreate the data," says Drossel.
"To my knowledge, a reprogrammed cell does not contain any previous data," says Sean Barry, senior data recovery engineer at Kroll Ontrack Inc. But not everyone agrees. BitMicro Networks Inc. claims that a hysteresis effect can also affect SSDs and has created a hardware-level secure-erasure function to deal with that. For all practical purposes, however, if data-recovery firms can't get the data back after a single secure-erase pass, most nongovernment users needn't worry about it.
Assuming, that is, that the erasure pass got everything. Unfortunately, some cells can be missed during the process. SSDs have extra memory cells beyond what is allocated to the file system. These are used by a "wear-leveling" feature that distributes data across that larger area to extend the life of the SSD. Those cells may be swapped in and out of the area used by the file system.
"Just using software that was designed for hard disk drives to overwrite data is not a viable data-destruction solution for flash-enabled storage," says Barry. Any secure erase that meets government disk-sanitization requirements must be executed at the controller level.
For government users, disk sanitization is about policy as much as it is about technology. While some government standards call for six passes, SSDs really only require two, says Marius Tudor, director of business development at BitMicro. Other vendors say one is sufficient. No matter: Government standards for SSDs are still based on what it takes to sanitize a hard disk drive, so four or five extra passes may be required just to satisfy the specification, Tudor says.
Instant Erasure
While "fast erase" features are available today for military use, SSD manufacturers hope that the technologies will catch on for business applications such as back-end SSD storage and executive laptops. For example, computers containing sensitive data need to be scrubbed before they can be disposed of or taken out of service for maintenance. "With SSD, you can do that very quickly with little power," says Patrick Wilkison, vice president of marketing and business development at STEC Inc.
While SSDs can typically be erased more quickly than magnetic media can be, the devices designed to meet government standards have been optimized to further speed up erasure. "We've created internal circuitry so that the host can send one command -- either in software or a push button -- and the drive will erase multiple chips in parallel," says Drossel. For example, it takes about 15 seconds to clear all of the chips on a 16GB SSD, he says.
Vendors have also created other schemes to meet government security requirements. BitMicro Networks Inc. offers a removable SSD with backup power that allows it to be erased up to six hours after removal from the host system.
Magic Bullet for Laptop Security?
Could so-called fast-erase technology someday appear in notebooks? Intel Corp.'s Anti-Theft PC Protection already provides hardware-level protection that disables a computer when certain conditions are met, such as after a series of failed password attempts. By combining that with a third-party service such as Absolute Software Corp.'s CompuTrace, some Lenovo laptops can be reported as stolen and then remotely disabled the next time the computer connects to the Internet. So why not allow secure erasure as well by adding rapid-erase or data hardware-destruct features used in SSDs built for secure government applications? "If your laptop went missing, you could take it to any Internet hot spot to report it, and it would disable that at the first point when it was connected to the Internet," says Jim Handy, an analyst at semiconductor market research firm Objective Analysis. But that's unlikely to appear in commercial applications, according to Intel. A spokesperson says vendors would probably add full disk encryption to protect the drive itself, since that renders the data inaccessible, even if the SSD is moved to another computer.
In contrast, SiliconSystems' fast-erase feature requires power, but disconnecting the drive won't kill the process: Erasure continues the instant that power is restored. "There's no way to stop it," says Handy. The technology can be applied to the whole drive or a preconfigured secure "zone" on the SSD that's also protected by a password.
SiliconSystems also offers an SSD self-destruct feature that applies an "overvoltage" to each of the flash chips, physically destroying them. The destruction can be triggered via software or a physical switch, says Drossel. SSDs can also be designed to self-destruct or erase if they are stolen and inserted into any unauthorized machine.
In the private sector, rapid-erasure techniques could be used in point-of-sale systems or kiosks that might contain sensitive customer or sales data. "The data may be gone, but at least it's not in the wrong hands," Drossel says.
More Costly Recovery
The flip side of the level of security SSDs offer is the fact that recovering data from them can be more difficult and expensive than for other media.
Each SSD vendor has its own proprietary method for mapping data from the file system to individual memory cells. "If you don't have the mapping table that records where everything is kept, you have random data distributed throughout the chips," says Bowen. "Everyone follows their own data-placement schemes. Without knowing the details of that, it would be next to impossible to piece all of that together."
That may be true for a hacker, but not for data recovery specialists, who can pull data even when an SSD has sustained physical damage. "Kroll Ontrack has developed methods to recover data without the controller chip available," says Barry. "We've been successful in discovering a number of data layouts for different manufacturers."
Another drawback is that data on SSDs can be far more costly to recover in the event of a physical failure, such as a broken circuit. "When an SSD becomes damaged, it's more difficult to get the data off the raw chips. We've had jobs go as long as three or four months," Barry says. Costs go up if the data is needed quickly and additional staffers are assigned to the project. "That jumps up the service level," he says, "and they pay accordingly."
WinTel and SSD
In the future, changes in how the Windows file system interacts with SSDs may improve both security and performance for end users. Today, when a user deletes a file on a Windows computer, the file system removes the pointers to the locations on disk where the data that makes up the file resides, but the data itself remains until the space is allocated to another file. Only then is it overwritten. That's why erased files can be recovered on hard disk drives, and SSDs operating under Windows are no different. But that may be about to change.
Writing data to an SSD is a two-step process. Every flash-memory cell must be erased first, before the file system can write to it again, and that slows down write performance. To remedy that, Intel is working with Microsoft Corp. to come up with a way to erase the cells associated with a deleted file in the background, as the system has processor cycles available. That will improve the performance for subsequent writes, but it has security benefits as well, since the data associated with deleted files will be overwritten sooner, says Troy Winslow, director of marketing at Intel's NAND Solutions Group.
Encryption: SSD's Missing Link
As with hard disk drives, hardware-based, full disk encryption hasn't gained much traction with SSDs. Most manufacturers don't offer full disk encryption yet, although several, including Intel, say they plan to offer it at some point in the future.
That may seem a bit strange, since the government market is focused so tightly on security. Indeed, the need for fast-erase and SSD destruct schemes would diminish with the introduction of full disk encryption using strong, 256-bit or even 1,024-bit AES algorithms. "If the disk does have encryption and the person who has stolen the disk doesn't have the key, then it might as well have been erased," says Handy.
Samsung Electronics Co. has taken the lead in this area, having recently introduced a 128-bit AES option for its latest SSD offerings. In this scheme, the SSD controller encrypts the key, which is stored in the flash chips.
One reason why more manufacturers don't offer SSD is that, while encryption algorithms themselves are standardized, there are no standard implementation methodologies for full disk encryption, so each vendor must roll its own proprietary solution. That adds to the cost. Drossel estimates that encryption would add 10% to the cost of its SSD products today.
The standards situation could change with the rollout of the Trusted Computing Group's Opal specification, which was finalized in January. However, that specification may not be stringent enough to meet the requirements of government users -- the customer base most interested in security, says Matt Bryson, an analyst at Avian Securities LLC.
Another issue is that most original equipment manufacturers -- vendors that integrate SSDs into their systems -- don't take advantage of the feature even when it's offered to them. "I don't know any large OEMs who have implemented SSDs with encryption. The functionality is there, but nobody is using it yet," says Wilkison.
That's because, outside of government, most users aren't demanding it yet. "It's still a limited interest. People would like to have it, but they're not willing to pay for it," says Tudor.
Wilkison says in the enterprise-class market, full disk encryption isn't always a requirement, even when sensitive data is involved.
"Hardware-level encryption may be unnecessary because data is being encrypted upstream," he says.
On the end-user side, most people simply don't care about full disk encryption -- on hard disk drives or SSDs. "On the consumer side, it's about reliability and ruggedness. On the military side, they want to encrypt data or destroy it immediately. There's no middle ground," says Bowen.
Eventually, full disk encryption may be offered with all SSDs. But it won't sell at a big premium, Wilkison predicts. Rather, as competition intensifies, he predicts that manufacturers will add it as just another differentiating feature.
But don't look for full disk encryption any time soon. While some vendors say we'll see some implementations in 2009, others say they don't expect to see systems with SSDs that offer full disk encryption until 2010 at the earliest.
Shredding the Evidence
While a fully overwritten drive is unrecoverable, the best way to ensure complete data destruction when disposing of SSDs is to physically destroy them, says Barry. "If you ran that through a grinder and completely chopped that up in quarter-inch chunks ... that is by far the get way to make sure the device is unrecoverable."
But every flash chip must be destroyed, and existing shredders may not be up to the job. "Shredders for disk drives might not be adequate for SSDs because the chips are so much smaller [than disk drive platters]," says Bowen. SSDs have arrays of tiny flash chips -- anywhere from eight to 30 per device. Any that are missed by the shredder would still be readable by data-recovery specialists such as Barry.
Next: QuickStudy: Extensible Access Method (XAM)
This story, "Solid-state disks offer 'fast erase' features" was originally published by Computerworld.