Simplifying Compliance with Auditable Data Erasure Presented at Data Center World 2012 By Markku Willgren


Why Erase Data?

• Privacy
• Compliance
• Sustainability and ROI

When to Erase Data?

• When equipment ownership changes
• To safeguard data migration
• To safeguard component replacement

Enforce Security via Reporting

• Uniform reporting for all assets
• Audit trail for regulatory compliance
• Acts as a release mechanism for end-of-lifecycle assets

• Erasure results
• Windows licensing
• Computer name, IP address, MAC address, Serial #, etc.
• HW configuration
• Hardware checking
• Custom data fields


Use Cases

I. RMA drives
II. EOL Servers
III. EOL Arrays
IV. Selective Data Erasure

I. Failed Drives for RMA

• 10,000 HDDs
• 40-50 SANs
• 3% failure rate
• 300 drives/y to replace
• Now what?
  – Ignore your data
  – Keep the drives
  – Let OEM manage it
  – Rent or buy erasure appliance(s)

Problem

I. Sample RMA Drive Process

A solution

• ‘Failed’ drive is replaced by vendor break/fix
• Vendor break/fix hands out ‘failed’ drives
• ‘Failed’ drives are logged in and secured into custody
• Failed drives are sanitized
• Erasure logs are generated and matched to SN# for in-custody inventory
• Sanitized drives are released for return to vendor
• Vendor break/fix accepts sanitized drives for RMA

Process lanes: Vendor process, Chain of Custody, Erasure Process

I. Loose Drives Erasure Appliances

• Need to support FC, SAS/SATA, and SCSI

• Change of carrier vs. pigtail design

• Ease of use
• Portability

Solution

• Erasure results, drive serial numbers, user info

• Return window for OEM

• Dead drives?
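The matching step in the RMA process above (erasure logs reconciled against the in-custody inventory by serial number, with the OEM return window as a gate on release) can be scripted. This is an added example, not code or a file format from the presentation; the CSV field names and all sample serials, tickets and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed in-custody inventory (serial, RMA ticket, OEM return deadline).
INVENTORY_CSV = """serial,rma_ticket,return_by
WD-1001,RMA-77,2012-06-30
WD-1002,RMA-78,2012-06-30
ST-2001,RMA-79,2012-05-01
ST-2002,RMA-80,2012-06-30
"""

# Constructed erasure-appliance export, one record per erasure attempt.
ERASURE_LOG_CSV = """serial,method,result,operator,finished
WD-1001,NIST 800-88 Purge,PASSED,opsuser,2012-05-10
WD-1002,NIST 800-88 Purge,FAILED,opsuser,2012-05-10
ST-2001,DoD 5220.22-M,PASSED,opsuser,2012-05-10
XX-9999,DoD 5220.22-M,PASSED,opsuser,2012-05-10
"""


def parse_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, erasure_log, today_iso):
    """Match erasure records to in-custody drives by serial number.

    Returns (release, hold, orphans): serials cleared for return to the
    vendor, serials held with the reason, and log serials that are not in
    custody (an audit exception: a log that cannot be tied to an asset).
    """
    today = date.fromisoformat(today_iso)
    results = {}
    for rec in erasure_log:
        results.setdefault(rec["serial"], set()).add(rec["result"])
    release, hold = [], {}
    for item in inventory:
        serial = item["serial"]
        if serial not in results:
            hold[serial] = "no erasure log"          # never sanitized
        elif "PASSED" not in results[serial]:
            hold[serial] = "erasure failed"          # dead or errored drive
        elif date.fromisoformat(item["return_by"]) < today:
            hold[serial] = "OEM return window expired"
        else:
            release.append(serial)                   # sanitized and in window
    in_custody = {item["serial"] for item in inventory}
    orphans = sorted(results.keys() - in_custody)
    return release, hold, orphans
```

A held drive stays in custody until a passing log exists; an orphan log points at a gap in the intake step, not at a drive that can be returned.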

II. Server Erasure as a System

• End of service
  – Technology refresh
• End of subscription
  – Reuse in hosting environment
• Data center relocation or consolidation
  – Secure for transit

Problem

II. Server Erasure as a System

Solution

• Access to all areas of the disk
• RAID dismantle / pass through
• Reporting
• How many hard drives per erasure?
• Disable/bypass control units for enabling erasure of all areas of the disk, including protected areas, remapped sectors, and bad sectors
• Need a server with HBAs connected to storage to run erasure software

III. Enterprise Array Erasure

Solution

Additional erasure needs in the cloud: selective data erasure for enterprise environments

IV. Erasing LUNs on Live Data Systems

IV. File Level Secure Erase

Who Should Erase and What?

Roles: System Administrator, IT Operations, 3rd Party Service Provider

• RMA Drives: Yes, Yes
• EOL Servers: Yes, Yes
• Full Arrays: Yes, Yes
• Selective Erasure: Yes

Erasure Delivery Options

• ISO-image(s) stored to USB
• ISO-image packed to MSI
• ISO-image burned to CD
• ISO-image delivered via PXE

Erasure Method Options

• HMG Infosec Standard 5, The Baseline Standard
• HMG Infosec Standard 5, The Enhanced Standard
• Peter Gutmann's algorithm
• U.S. Department of Defense Sanitizing (DOD 5220.22-M)
• Bruce Schneier's Algorithm
• Navy Staff Office Publication (NAVSO P-5239-26) for RLL
• The National Computer Security Center (NCSC-TG-025)
• Air Force System Security Instruction 5020
• U.S. Army AR380-19
• German Standard BSI/VSITR
• OPNAVINST 5239.1A
• NSA 130-1
• DoD 5220.22-M ECE
• NIST 800-88*
• Extended NIST 800-88*
• Firmware based secure erase
• Navy Staff Office Publication (NAVSO P-5239-26) - TOP SECRET for SSD
• Navy Staff Office Publication (NAVSO P-5239-26) - SECRET or CONFIDENTIAL for SSD
• U.S. Department of Defense Sanitizing (DOD 5220.22-M) for SSD

NIST800-88 vs. DOD5220.22M

• What is Block Overwrite?
• What is Secure Erase?
  – Security Erase Unit, Enhanced Security Erase Unit, Format Unit, etc.
• NIST800-88 Clear vs. Purge
  – Purge: Rendering sanitized data unrecoverable by laboratory attack methods
• NIST800-88 Examples of acceptable methods
  – Clear = e.g., 1 pass Block Overwrite is ok
  – Purge = e.g., 1 pass Secure Erase is ok
  – For ATA drives; Clear = Purge
• What about remapped sectors?
• What should you use?

Erasing Solid State Drives (SSDs)

• What is the state of the market?

• Where is the challenge?

• What should you do?

The ERA Concept: ERASE, REPORT, AUDIT

Trust but verify!

Thank you for your time

[email protected] (678) 576 8140