CISSP Data Remanence – Bk2D2T8

Module Objectives

  1. Understand data remanence and its impact to the value of assets.
  2. Explain the various options in addressing data remanence, including clearing, purging, and destruction.
  3. Explain methods used to clear, purge, and destroy data.

Data Remanence

Data remanence is defined as the residual data that remains on a storage object after the data has been deleted or erased. The problem with data remanence is that some physical characteristics of that data may remain on the media even after we have tried to securely erase it.

Depending on the value of the data, it may be very important to securely erase the data so that there are no residual characteristics remaining that may allow anyone to recover the information.

On a typical hard disk drive (HDD), the data is recorded on the platters magnetically; in other words, the zeroes and ones are represented by magnetic fields. Because the magnetic field can be altered, new data can be recorded over the old, which is how data previously stored on the drive is overwritten and erased.

Solid-state drive (SSD) technology, which is newer, does not use magnetic fields to represent the information; instead, it uses flash memory to store data. Flash technology changes the electronic “charge” of a cell in a “flash” to represent the information, which is why it is called “flash” technology. Flash memory, such as that in an SSD, has no moving parts and retains stored data without power.

Data remaining on media that use magnetic technologies, such as HDDs, becomes an issue if the value of the data that was stored on that media is high. Since there may be methods to recover the original data, the information must be sanitized effectively by using secure methods.

Secure methods to address data remanence (data remaining on the media after erasure) can be summarized by three options. These options are clearing, purging, and destruction.

Clearing

Clearing is defined as the removal of sensitive data from storage devices, using methods that provide some assurance that the data may not be reconstructed using most known data recovery techniques. The original data may still be recoverable but typically not without special recovery techniques and skills.

Purging

Purging, sometimes referred to as sanitizing, is the removal of sensitive data from media with the intent that the sensitive data cannot be reconstructed by any known technique.

Destruction

This is exactly as it sounds: the media is made unusable by some destruction method, such as shredding, or melting the media into liquid at very high temperatures. Note, however, that the effectiveness of destruction methods varies. For example, simply drilling a hole through a hard drive may allow most of the data to be recovered, whereas melting the hard drive into liquid would not. The destruction method should be driven by the value of the sensitive data residing on the media. In summary, destruction using appropriate techniques is the most secure method of preventing retrieval, since it destroys both the media and the data on it; the method chosen, however, must be good enough to prevent recovery of the data. When we ensure that the data cannot be reconstructed, we refer to that as defensible destruction of the data: in other words, the data is not recoverable.

Data Destruction Methods

As we have discussed, the three options available to address data remanence are clearing, purging, and destruction. Destruction is thought of as being the best option, as long as the destruction method is a good one. The following methods may fit into the three categories as described above:

  • Overwriting: One common method used to address data remanence is to overwrite the storage media with new data. We can overwrite with zeroes or ones. This is sometimes called wiping. The simplest overwrite technique is to write zeroes over the existing data, and depending on the sensitivity of the data, this might need to be done several times.
  • Degaussing: During the mainframe days, a technology called degaussing was created. This technique uses a degausser that erases the information on magnetic media by applying a varying magnetic field; the media is saturated with a magnetic field that erases all of the information that was stored magnetically. Since it saturates the media with a magnetic field, it is useful for any media that represents data magnetically, including mainframe tapes and HDDs. While many types of older magnetic storage media, such as tapes, can be safely degaussed, degaussing usually renders the magnetic media of modern HDDs completely unusable, which may ultimately be desirable to address remanence properly.
  • Encryption: Encrypting data before it is stored on the media can address data remanence very effectively, but only if the encryption key used to encrypt the information is then destroyed securely. This makes it very difficult, if not impossible, for an untrusted party to recover any data from the media. The industry refers to this process as crypto-erase or, in some cases, crypto-shredding. This method of addressing data remanence may be very useful in cloud environments.

Media Destruction – Defensible Destruction

As we have discussed, destruction of the media and the data on it is the most desirable way to address data remanence, but it is only as effective as the method used for destruction. Defensible destruction means that the method used will not allow the data contained on the media device to be reconstructed or recovered through any known means. The following may be examples of effective defensible destruction methods:

  • Physically breaking the media apart, such as hard drive shredding, etc.
  • Chemically altering the media into a non-readable state by possibly using corrosive chemicals.
  • Phase transition, which means using temperature and pressure to change the state of something into something else.
  • For media using magnetic technology, raising its temperature above the Curie temperature, the point at which the material loses its magnetic properties.

Solid-State Drives (SSDs)

Solid-State Drives (SSDs) use flash memory for data storage and retrieval. Flash memory differs from magnetic memory in one key way: flash memory cannot be overwritten in place. When existing data on an HDD is changed, the drive overwrites the old data with the new data. This makes overwriting an effective way of erasing data on an HDD. However, when changes are made to existing data on an SSD, the drive writes that data, along with the new changes, to a different location rather than overwriting the same section. The flash translation layer then updates its map so that the system finds the new, updated data rather than the old data. Because of this, an SSD can contain multiple iterations of the same data, even if those iterations are not accessible by conventional means. This is what causes data remanence on SSDs.

Solid-State Drive (SSD) Data Destruction

SSDs have a unique set of challenges that require a specialized set of data destruction techniques. Unlike with HDDs, overwriting is not effective for SSDs. Because the flash translation layer controls how the system is able to access the data, it can effectively “hide” data from data destruction software, leaving iterations of the data unerased in different sections of the drive. Instead, SSD manufacturers include built-in sanitization commands that are designed to erase the data on the drive internally. The benefit of this is that the flash translation layer does not interfere with the erasure process. However, if these commands were improperly implemented by the manufacturer, this erasure technique will not be effective.

Another technique, called cryptographic erasure or crypto-erase, takes advantage of the SSD’s built-in data encryption. Most SSDs encrypt data by default. By erasing the encryption key, the data is rendered unreadable. However, this approach again relies on being able to effectively erase data despite interference by the flash translation layer. If the flash translation layer masks the presence of any data pertaining to the encryption, the “encrypted” drive may still be readable.

Due to the unique complexities of SSDs, the best data destruction method is, in fact, a combination of techniques such as crypto-erase, sanitization, and overwrite. SSDs require careful data destruction techniques to effectively prevent data remanence.
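To make the flash translation layer behaviour described above concrete, the following toy model (added here; it is not part of the original module and is not real SSD firmware) compares a host-level zero overwrite with the drive's own sanitize command and with crypto-erase, and reports how many stale copies of a secret a chip-off read of the raw flash would still find. `ToySSD`, `PAGE`, `chip_off_residue` and `residue_after` are constructed names, and the SHA-256 keystream XOR is a stand-in for the drive's real encryption.

```python
import hashlib
import os

PAGE = 16  # bytes per physical flash page (constructed, tiny for illustration)


class ToySSD:
    """Toy self-encrypting SSD with a flash translation layer (FTL); constructed for this example."""
    def __init__(self, pages=8):
        self.flash = [None] * pages   # physical pages; None means erased
        self.l2p = {}                 # logical block address -> physical page
        self.next_free = 0
        self.key = os.urandom(32)     # encryption key held by the controller

    def _xor(self, data):
        # Toy keystream cipher: SHA-256(key) XOR page. Not a real cipher; it only models "unreadable without the key".
        ks = hashlib.sha256(self.key).digest()
        return bytes(a ^ b for a, b in zip(data.ljust(PAGE, b"\0"), ks))

    def write(self, lba, data):
        # Copy-on-write: the new version lands on a fresh page and the map is updated;
        # the old page is unmapped but its contents are NOT erased.
        self.flash[self.next_free] = self._xor(data)
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self._xor(self.flash[self.l2p[lba]]).rstrip(b"\0")

    def chip_off_residue(self, plaintext):
        # Forensic view bypassing the FTL: which physical pages still decrypt to plaintext under the current key?
        target = self._xor(plaintext)
        return [i for i, p in enumerate(self.flash) if p == target]

    def sanitize(self):
        # Built-in sanitize command: the controller erases every physical page.
        self.flash = [None] * len(self.flash)
        self.l2p.clear()
        self.next_free = 0

    def crypto_erase(self):
        # Destroy the old key; stale ciphertext remains on the flash but cannot be decrypted.
        self.key = os.urandom(32)


def residue_after(method):
    """Stale copies of b'secret' recoverable after 'overwrite', 'sanitize' or 'crypto_erase'."""
    ssd = ToySSD()
    ssd.write(0, b"secret")
    ssd.write(0, b"\0" * PAGE)   # host-level zero overwrite of LBA 0
    if method != "overwrite":
        getattr(ssd, method)()   # run the drive's own sanitize or crypto-erase
    return len(ssd.chip_off_residue(b"secret"))
```

`residue_after("overwrite")` returns 1 because the original page is merely unmapped, while the sanitize and crypto-erase cases return 0.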

The use of cloud-based storage today also presents a data remanence challenge for organizations moving to the cloud. As more and more data is moved to the cloud, addressing data security issues in general can become much more difficult for the enterprise.

Cloud-Based Data Remanence

Among the many challenges that face the security practitioner in this area is the ability to authoritatively certify that data has been successfully destroyed upon decommissioning of cloud-based storage systems. Because a third party owns and operates the system and the enterprise is effectively renting storage space, there is often little to no visibility into the management and security of the data.

While the challenge is a big one for the enterprise, the use of Platform as a Service (PaaS)-based architectures can actually provide a solution for the issues raised by data remanence in the cloud. The security practitioner and the cloud vendor have to be willing to work together to architect a PaaS solution that addresses the daunting issues of media and application-level encryption via a platform offering. There are many parts that have to be properly set up and synchronized for this solution to work, such as messaging, data transactions, data storage and caching, and framework APIs. In addition, the platform has to be set up, with appropriate safeguards, so that no unencrypted data is ever written to physical media at any time during the data lifecycle, including data in transit.

Standards

There are several standards pertaining to data lifecycle management in general and data remanence in particular from different industries and governments:

  • The NIST Guidelines for Media Sanitization, Draft Special Publication 800-88 Revision 1, is the most recent version of the guidance provided by NIST in this area. It was updated in September of 2012, replacing the original guidance published in September of 2006.
  • The United States Air Force Systems Security Instruction 8580, dated 17 November 2008, on Remanence Security. This replaced Air Force System Security Instruction 5020, dated 20 August 1996, on Remanence Security.
  • The United States Department of Defense, Defense Security Service National Industrial Security Program (DSS NISPOM).
  • The Communications Security Establishment Canada, Clearing and Declassifying Electronic Data Storage Devices – ITSG-06, published July 2006.
  • The United States National Security Agency (NSA) Central Security Service (CSS) Media Destruction Guidance.
  • The New Zealand Information Security Manual, 2010.
  • The Australian Government Department of Defense Intelligence and Security, Information Security Manual 2014.

Summary

Asset Security is all about the protection of assets that are valuable to an organization as those assets go through their lifecycle. Protection is always based on value.

The value of the asset is expressed by its classification level, which is initiated by the owner. The value must be monitored as the asset goes through its lifecycle.

Classification, therefore, protects the asset based on its value. To protect the asset based on its classification, we need to implement baselines of minimum levels of security for each of the classification levels.

To properly protect valuable assets, such as information, an organization requires the careful and proper implementation of ownership and classification processes that ensure assets receive a level of protection based on their value to the organization.

The enormous increase in the collection of personal information by organizations has resulted in a corresponding increase in the importance of privacy considerations, and privacy protection constitutes an important part of the asset security domain.

Individual privacy protection in the context of asset security includes the concepts of asset owners and custodians, processors, remanence, and limitations on the collection and storage of valuable assets such as information. This also includes the important issue of retention as it relates to the legal and regulatory requirements placed on the organization.

Appropriate security controls must be chosen to protect the asset as it goes through its lifecycle, keeping in mind the requirements of each lifecycle phase and the handling requirements throughout. Therefore, the security professional needs to understand and apply proper baselines, scoping and tailoring, standards selection, and proper controls. This also requires the protection of data in its different states: data at rest, data in motion, and data in use. Encryption can be an effective tool in protecting all three states.

The asset lifecycle should end with the asset and its data being destroyed securely; this is referred to as defensible destruction.
