Wednesday 23 July 2008

Recycling Drives - Update

Last week I posted about wasted hard drives, removed from arrays and crushed to prevent the leak of sensitive data.

I contacted HGST and Seagate to get some additional background. Here are their responses, slightly edited to correct any spelling mistakes but otherwise intact.

Seagate

(a) when will the technology be deployed in Enterprise FC drives? Our OEMs are currently developing with the Cheetah 15K.6 FDE, a drive that Seagate has already in production.

(b) is the technology proprietary to Seagate? - No, this will be compliant with the Trusted Computing Group's spec. All hard drive vendors are participating in this Trusted Computing Group and we expect that they will have self-encrypting drives that will be inter-operable with ours.

(c) is DriveTrust accepted by the US Government and other similar organisations as secure enough to treat a drive as "wiped" if the encryption keys are removed? Endorsement from the National Security Agency (NSA) has already been received for the 1st Self-Encrypting Drive model, the Momentus(r) 5400 FDE hard drive, for protection of information in computers deployed by U.S. government agencies and contractors for national security purposes.

(d) are any of the "big" manufacturers (EMC/HDS/IBM) looking to deploy DriveTrust enabled drives in storage arrays? IBM and LSI have both publicly announced that they will do so. Note that Hitachi has also just announced a self-encrypting drive, the Deskstar E7K1000, a drive designed for business critical storage systems.

(e) Where do the drives go when they're wiped for final disposal? Extra shipping is involved to ship a drive to a special data destruction service facility, where it can be degaussed or shredded, and then the drive must be shipped to [be] environmentally disposed of. Alternatively, a drive may be over written, a process that takes hours and hours, using energy and tying up system resources, and then may be re-purposed.


HGST

My name is Masaru Masuda, working on product planning for Hitachi GST. Let me try to answer your question. Like Raj mentioned below, we have already supported the bulk encryption feature for 2.5" and 3.5" and will support it in Enterprise products next year. With the bulk encryption feature, user data on the HDD media is automatically and always encrypted by the SoC inside [the] HDD. The security feature has two basic functions. One is active protection of data (encryption with a secret key) and the other is secure erase of the drive by deleting the encryption key for repurposing or disposal.

As you pointed out, standardization is key for security. Therefore, a non-profit security organization called TCG (Trusted Computing Group) was formed, as described on pages 5 and 6 of the attached package. We have been very actively involved in the activities of TCG and plan to pick up security features based on TCG standards, which will be implemented from next year.

The security market is still small but it has been growing steadily due to data security concerns and also as a fast and cheap solution for repurposing of drives in server applications or disposal of failed drives. Also we have had a recycling process for drives that failed in internal testing and for drives returned from the field.

Thanks to both companies for their responses.

So it seems to me that in the future there will be no excuse for scrapping drives. I think the retirement process for HDDs should form part of the "green measurement" of storage.
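Both vendor responses describe the same mechanism: a media encryption key that never leaves the drive, user data stored only as ciphertext, and "secure erase" implemented as deletion of that key. The following is an added example, not Seagate or HGST firmware, modelling that mechanism in standard-library Python so the consequences can be seen end to end: the ciphertext stays on the platter after the erase, and the erase is only as good as the guarantee that no wrapped copy of the key survives. The drive class, the "vendor" recovery slot and the constructed data are hypothetical; HMAC-SHA256 in counter mode stands in for AES-XTS purely so the code runs without third-party packages.

```python
"""Erase-by-key-deletion on a self-encrypting drive, modelled in stdlib Python.

Added example; not vendor firmware. The media encryption key (MEK) is
generated inside the drive and stored only wrapped under a
key-encryption key (KEK); "secure erase" is deletion of the wrapped
copies. If any wrapped copy survives (e.g. a vendor recovery slot), the
erase is void for whoever holds that slot's KEK.
"""
import hashlib
import hmac
import os
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF (toy AES stand-in).
    As with XTS, the same plaintext at the same LBA gives the same ciphertext."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def derive_kek(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def wrap_key(kek: bytes, mek: bytes) -> bytes:
    """Encrypt the MEK under a KEK and append a tag so a wrong KEK is detected."""
    ct = keystream_xor(kek, b"wrap", mek)
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()[:16]


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("KEK does not open this slot")
    return keystream_xor(kek, b"wrap", ct)


class SelfEncryptingDrive:
    """Hypothetical drive: MEK never exported; key slots live in reserved media."""

    def __init__(self, user_password: bytes, vendor_recovery_kek: Optional[bytes] = None):
        self.mek = os.urandom(32)
        self.salt = os.urandom(16)
        self.platter = {}                       # lba -> ciphertext block
        self.key_slots = {"user": wrap_key(derive_kek(user_password, self.salt), self.mek)}
        if vendor_recovery_kek is not None:     # the "back door" recovery slot
            self.key_slots["vendor"] = wrap_key(vendor_recovery_kek, self.mek)

    def write(self, lba: int, data: bytes) -> None:
        self.platter[lba] = keystream_xor(self.mek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        return keystream_xor(self.mek, lba.to_bytes(8, "big"), self.platter[lba])

    def crypto_erase(self, slots=("user", "vendor")) -> None:
        """Secure erase by key destruction: drop the wrapped copies and the in-RAM MEK.
        The ciphertext on the platter is not touched."""
        for name in slots:
            self.key_slots.pop(name, None)
        self.mek = None


def attempt_recovery(drive: SelfEncryptingDrive, lba: int, candidate_keks) -> Optional[bytes]:
    """Attacker holding a platter image plus the key-slot area after the erase:
    try every KEK they possess against every surviving slot."""
    for blob in drive.key_slots.values():
        for kek in candidate_keks:
            try:
                mek = unwrap_key(kek, blob)
            except ValueError:
                continue
            return keystream_xor(mek, lba.to_bytes(8, "big"), drive.platter[lba])
    return None


def demo(vendor_kek: bytes = b"v" * 32, user_pw: bytes = b"correct horse") -> dict:
    """Constructed scenario: an erase that clears only the user slot vs. a full erase."""
    sloppy = SelfEncryptingDrive(user_pw, vendor_recovery_kek=vendor_kek)
    sloppy.write(7, b"customer records")
    sloppy.crypto_erase(slots=("user",))        # vendor slot left behind
    full = SelfEncryptingDrive(user_pw, vendor_recovery_kek=vendor_kek)
    full.write(7, b"customer records")
    full.crypto_erase()                         # every slot gone
    leaked = [vendor_kek, derive_kek(user_pw, full.salt)]   # assume both KEKs leaked
    return {
        "ciphertext_still_on_platter": full.platter[7] != b"customer records",
        "sloppy_erase_recovered": attempt_recovery(sloppy, 7, leaked),
        "full_erase_recovered": attempt_recovery(full, 7, leaked),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the asymmetry: with every slot destroyed, even an attacker who holds both the vendor key and the user's password gets nothing back, because there is no longer anything for those keys to open; with one slot overlooked, the platter is as good as plaintext to whoever holds that slot's key. An auditor who wants to accept key destruction as a wipe therefore needs a statement of how many wrapped copies exist and evidence that the erase command clears all of them, not just the user's.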

8 comments:

the storage anarchist said...

Although there are/will be encrypting drives from Seagate and HGST, this does not mean that they will become ubiquitous across storage platforms.

When it comes to encrypting data stored on disk drives, there are numerous considerations beyond the drive suppliers' perspectives, including:

1 - Encrypting drives are today being offered at a price premium to standard drives;

2 - The drive-based encryption implementation is not identical across drive suppliers (or drive types within a supplier), and there are no standards (yet)

3 - none of the drive vendors are offering identical encryption capabilities across their entire product lineups (SATA/SAS/FC, 7200/10K/15K rpm, capacity points, etc.)

4 - most of the current encrypting drive algorithms store the actual keys within the device itself, in a manner that can (at least theoretically) be accessed given physical access to the drive

5 - some of the current encrypting drives also include a "back door" manufacturer's key to protect against accidental loss of the end-user keys (a real no-no in crypto-land),

6 - none of the encrypting drives have successfully attained security certification or approvals (such as FIPS-140, etc.)

7 - US Federal Government procurement and security standards do NOT acknowledge Key Destruction as sufficient to protect against data theft for ANY class of information stored on disk (or tape, for that matter). This is partially because it is known to be impossible to prove a) that all copies of the keys have been destroyed and b) that a given security algorithm is unbreakable given access to the device with unlimited time and/or CPU power

8 - a company's liability for data loss and information security is currently not reduced or abdicated through the use of encrypting disk drives. The disclosure and liabilities are the same for an encrypted and an unencrypted disk.

As a result of these considerations, the approach of drive-based encryption merely adds end-user cost, increases drive supplier margins and reduces the customer's flexibility to use multiple different tiers of storage. In return, there is no significant improvement or change to the risks of unintended access to information.

Chris M Evans said...

Barry, I assume from your comments that EMC don't endorse drive recycling? :-)

the storage anarchist said...

Actually, EMC offers their customers comprehensive recycling services for every bit of their equipment. Most manufacturers are in fact required to do so in most countries, especially if the equipment contains any contaminants (like lead, etc.).

EMC also offers Secure Drive Erase within the Symmetrix, which performs a DoD-compliant erase of all data on a failed drive before it is removed from the system (if possible). EMC also offers an on-site drive erasure appliance that can DoD secure erase a drive removed from the array (if it will still spin, that is).

Still, most financial (and all DoD) customers tend to retain all failed drives - some don't even believe grinding them up into little pieces is sufficient. So they store failed drives in secure warehouses somewhere.

But your post really wasn't about all that now, was it :>)

Chris M Evans said...

Barry, read into my post what you choose to.

I don't disagree with any of your points; however, like all technologies, there must be a starting point, and not all organisations need the level of paranoia protection the DoD prescribes.

the storage anarchist said...

Actually, I'm just pointing out that there are much less expensive ways to protect information while recycling the disk drives - ways that perhaps don't depend upon a limited selection of higher cost disk drives.

And while I can't argue that some customers may want to protect their information out of sheer paranoia, the financial, government, retail and health care industries are actually mandated to do so, and they are required to adhere to specific requirements in doing so.

So far as I am aware, encrypting disk drives and key destruction BOTH are not an approved protection in any of those industries at this time, while secure erasure is approved for at least some classes of protected information. And it's not that these technologies are new and not yet approved - they have actually been evaluated and deemed insufficient by the organizations setting the requirements.

Your goal is inarguably commendable, but the actual solution may not be encrypting disk drives as you propose.

Andreas W. Kuhn said...

Dell today (Latitude notebooks D630, 830 and D531) already offers self-encrypting hard drives from Seagate (MOMENTUS FDE.2 FDE). The Dell notebooks come bundled with Wave Systems' client management software (EMBASSY "Trusted Drive Manager").

Additionally, Wave Systems (and Dell) provide Wave Systems' ERAS server. This is an enterprise-class server for the central management of the Seagate trusted drives as well as for the management of all brands of Trusted Platform Modules (TPM).

TPMs are standard equipment of practically all enterprise class notebooks.

Ryk Edelstein said...

I have done extensive research on best practice for the destruction of digital data residing in EOL hard drives and have pored through thousands of pages of guidance from a variety of sources, including academic, industry, and Government. I have also spent many hours discussing policy and practice with a variety of HDD industry management, academics, and government security resources. The resulting product was intended to be a white paper, but at 55 pages, it is a bit more comprehensive than most white papers.

To shed light on a few issues presented....

When handling secret and top secret level data, decommissioning must assure absolute destruction of the data beyond reconstruction by any means. Accordingly, key destruction is not considered acceptable in this situation as a key can decrypt the encrypted data. Yes, I appreciate that complex key lengths make this virtually impossible but as long as a key can exist, it is not acceptable.

The other issue is enterprise key management. Hardware-based encrypted drives offer a good means to protect data. However, if the key is lost, so is the data. I am sure that you can envision the vulnerabilities here. We do not need another San Francisco.

Statement #4 from the Storage Anarchist is incorrect. Drives with embedded encryption features are compliant with government encryption specifications that require the key to reside in a device that has no accessible or externally addressable circuitry. Rather, you cannot connect a logic probe to any pins to intercept the key. Reference the Center for Magnetic Recording Research at UCSD.

The folks at Seagate see embedded encryption as the panacea of security, despite the fact that the inability to implement enterprise key management will be a real show stopper for most enterprises. They refuse to believe that encrypted hard drives will be anything more than a great feature for consumer PC's and notebooks.

BTW, according to the CMRR and the US government, when physically destroying a hard drive, the particles from the media must be of a diameter no larger than the space needed to accommodate a single data block. This specification was 1/125 of an inch up to early this year. However, due to higher media densities, the spec is now 1/250th of an inch. Many shredding facilities are capable of attaining the 1/125th of an inch screen size. The new spec caused a lot of consternation from the folks at a couple of major service providers and at the RCMP in Canada, as the procedure to handle EOL top-level classified drives must be updated.

One concept that has been put up for consideration is decommissioning the devices with Secure Erase (in ATA compliant devices), and then sending it in for shredding to the 1/125th screen size. Alternately, attaining the 1/250th spec will require the much more costly process of disintegration.

If anyone wants a copy of the best practices guide, please e-mail me at ryk@converge-net.com and I will be glad to forward a copy.
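The "Secure Erase then shred" proposal in the comment above, and the EMC "DoD-compliant erase" mentioned earlier, both lean on the ATA SECURITY ERASE UNIT command. Before trusting it as the first stage of decommissioning, a practitioner checks three things in `hdparm -I` output: that the Security Mode feature set is supported, that the drive is not "frozen" (most BIOSes freeze security state at boot, and a frozen drive silently rejects the erase), and the advertised erase time, which is the cheapest hint of whether the firmware overwrites (hours, as Seagate's answer describes) or destroys a key (minutes). What follows is an added example, not from the post or any vendor, that parses a constructed `hdparm -I` fragment and produces a go/no-go answer; the line format matches what hdparm prints, but the drive, WWN and timings in the sample are made up.

```python
"""Pre-flight check for ATA Secure Erase, parsed from `hdparm -I` output.

Added example (not vendor or hdparm code). The sample text is a constructed
fragment in hdparm's layout; the drive and values are not real.
Command sequence once erase_readiness() says go (password is throwaway):
    hdparm --user-master u --security-set-pass Eins /dev/sdX
    hdparm --user-master u --security-erase-enhanced Eins /dev/sdX
"""
import re

SAMPLE_HDPARM_I = "\n".join([                       # constructed sample
    "/dev/sdb:",
    "",
    "ATA device, with non-removable media",
    "\tModel Number:       EXAMPLE DRIVE (constructed)",
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\t\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t254min for SECURITY ERASE UNIT. 254min for ENHANCED SECURITY ERASE UNIT. ",
    "Logical Unit WWN Device Identifier: 5000c5001234abcd",
])

FLAGS = ("supported", "enabled", "locked", "frozen")
TIME_RE = re.compile(r"(more than )?(\d+)min for (ENHANCED )?SECURITY ERASE UNIT")


def parse_security_section(text: str):
    """Return the Security: block as a dict, or None if the drive has none.
    hdparm prints each flag as '\\tnot\\tflag' or '\\t\\tflag'."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip().startswith("Security:")), None)
    if start is None:
        return None
    state = {f: False for f in FLAGS}
    state.update(enhanced_erase=False, erase_minutes=None, enhanced_erase_minutes=None)
    for line in lines[start + 1:]:
        if not line.startswith(("\t", " ")):        # next top-level section
            break
        s = line.strip()
        negated = s.startswith("not")
        s = s[3:].strip() if negated else s
        if s.startswith("supported: enhanced erase"):
            state["enhanced_erase"] = not negated
        elif s in FLAGS:
            state[s] = not negated
        elif "SECURITY ERASE UNIT" in s:
            for m in TIME_RE.finditer(s):
                key = "enhanced_erase_minutes" if m.group(3) else "erase_minutes"
                state[key] = int(m.group(2))
    return state


def erase_readiness(state):
    """(ok, reasons): can SECURITY ERASE UNIT be issued right now?"""
    reasons = []
    if state is None or not state["supported"]:
        reasons.append("Security Mode feature set not supported; use another method")
        return False, reasons
    if state["frozen"]:
        reasons.append("security state is frozen; suspend/resume or hot-plug the drive, then re-check")
    if state["locked"]:
        reasons.append("drive is locked; unlock with the existing password first")
    if state["enabled"]:
        reasons.append("a user password is already set; the erase must use that password")
    return not reasons, reasons


def likely_method(state) -> str:
    """Heuristic only: a large drive advertising a couple of minutes is doing a
    key-destruction erase; hours means an overwrite of every sector."""
    minutes = state["enhanced_erase_minutes"] or state["erase_minutes"]
    if minutes is None:
        return "unknown"
    return "cryptographic erase (key destruction)" if minutes <= 2 else "overwrite"


if __name__ == "__main__":
    st = parse_security_section(SAMPLE_HDPARM_I)
    print(st, erase_readiness(st), likely_method(st))
```

The frozen check is the one that bites in practice: the drive in the constructed sample supports enhanced erase but is frozen, so `erase_readiness` refuses, and the 254-minute figure says the erase would be a sector overwrite rather than a key drop. Neither check replaces reading the drive back afterwards; it only stops the common mistake of logging an erase that the drive never performed.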

Ethan @ M80 said...

Hi Chris,

This is clearly a serious issue and I'm going to forward this thread over to the bloggers at blogs.cisco.com/datacenter to see if they have some input.

Cisco recently produced a 60 minute show on data center efficiency that will feature APC, VMWare, and John Morley of EMC at the end of the month.

It's more focused on energy efficiency but I thought I would let you know about it.

Thanks and best regards,

Ethan Bauley
ethan /at/ m80im.com
M80 (on behalf of Cisco)