Risk
9/26/2013
12:44 PM
George Crump
George Crump
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Flash Storage Has Special Security Needs

Over-provisioning and bad-block marking can leave flash storage devices vulnerable to data theft. Here are workarounds.

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
At some point, almost every storage system will be used for a role different than what it was purchased for. This could mean assigning it to a new department within the organization, transporting it to another office, or decommissioning the unit all together. In any of these scenarios the first step is typically going to be erasing the data to make sure that nothing sensitive on that storage system remains. Interestingly, when it comes to solid state disk (SSD) or flash arrays, erase might not always mean erase.

When flash is erased the process is actually a write. A block of data is read from flash, the block on the flash is cleared by writing zeros to it, then new data, if there is any, is written to that block. The flash controller knows that any block regions with zeros are eligible for new data.

Formatting an SSD, even repeatedly, might not actually erase the drive like it will a hard disk drive. There are two functions of flash that can cause a problem. The first is the very common technique of over-provisioning. Over-provisioning allows the flash to extend its life expectancy by reserving a certain percentage of flash capacity and hiding it from the operating system. It allows the flash drive to leverage wear leveling to distribute the write workload over a higher number of flash NANDs. In some drives this over-provisioning can be as much as 25% of the capacity.

[ How did thumb drives betray the National Security Agency? Read Thumb Drive Security: Snowden 1, NSA 0. ]

The problem is that a straightforward format utility won't know about these extra cells and data could still exist on them after formatting. Some flash vendors have created special utilities that are able to address these hidden areas as well as perform a destructive series of writes that includes a mixture of ones and zeros. These utilities are perfect except for one other problem: bad-block marking.

The flash system technique of bad-block marking might also trip up your attempt to destroy data. Everyone knows by now that flash storage wears out eventually. The problem is that some memory areas wear out much sooner than others. When that happens, that block area can no longer accept writes. And if it can't accept writes, you can't write to it in order to perform an erase. You can, however, still read from it and the data is still there. That means that someone with the right motivation could get to your data.

The good news is that in both of these situations, systems can be taken into a lab and read. For most organizations most of the data isn't valuable enough to be considered worth the effort. But the chance of an organization having some data that is of value to outside interests is increasingly likely.

In either case, getting to the data requires some work and some lab equipment. The problem is technology is driving the price of the equipment required to do this forensic work just like it is driving everything else down. In short, you should do something to protect the organization and its data in case it falls into the wrong hands.

At a minimum, you should make sure your SSD or flash-array vendor has some sort of erase function that allows you to get to both visible and hidden areas of flash storage. Ideally, this will also perform some sort of "one then zero" erase on the data.

For many environments, though, the answer might be always-on -- not optional -- encryption, so that the moment the flash storage is removed from the system or the key is destroyed, the data is useless. The problem with always-on encryption is that it might hurt performance, so your vendor might need to increase the system's processing power so it can perform encryption at line rate.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.