SSD Destruction, In Context

In the United States of America, there is no current, explicit standard to which most industries must adhere when it comes to destroying data.  Instead, the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce, provides us with its Guidelines for Media Sanitization in Special Publication 800-88.  The use of the word "Guidelines" is very appropriate in this context, because it is not a "standard"; rather, it is a guide to be used by organizations to aid in developing internal policy and operating procedure based on their respective needs and circumstances.

The freedom to develop internal policy, rather than a one-size-fits-all standard, is in my opinion a positive thing, but it does not come without the onus of added diligence.  Many times, decision-makers are left with more questions than answers, and in those cases they are often left to rely on third-party opinion and popular consensus as sources of information.  There is nothing wrong with collaboration when it comes to security-related decision-making, but it shares one fault with the alternative, blind "standards-following": it removes the need to ask "Why?"

One area in which I've observed a gross absence of asking "Why?" is the destruction of storage media, a necessary evil in most electronics reuse operations.  When data-bearing devices fail, we must destroy the media in an effort to protect the information they contain; that notion should spur very little debate.  When it comes to the methods of destruction, however, particle sizes and Tesla measurements are frequently deployed as selling points, often with little substantiation.  Do ¾" cutters on a hard drive shredder offer greater security than 1.5" cutters?  Why?  How does the difference between the two affect an organization's real-world exposure to risk?

When it comes to the destruction of solid state media, most of us know enough to realize that the technical differences between solid state media (SSDs, flash drives, etc.) and traditional rotating-platter hard disk drives (HDDs) necessitate different methods of media destruction in order to effectively eradicate data.  The most well-known example is the ineffectiveness of degaussing for eradicating data from solid state storage media, despite its merit as a sanitization method for HDDs.  That particular example is very straightforward: Degaussers just don't work for solid state media, so we mustn't use them for that purpose. 

As far as physical destruction for this type of media is concerned, there seems to be at least a general understanding that the average process used on HDDs may be inadequate for SSDs, but the facts that shape this conclusion are not as widely understood. 

  1. SSDs, flash drives, and mobile devices store data on NAND chips, each of which may contain logical (though encrypted), recoverable data, and each of them needs to be destroyed in order to constitute an effective physical destruction process on this type of media.  These chips are small enough to escape destruction from a traditional HDD shredder, which has cutters that reduce material to strips of, most commonly, 1.5" or 0.75".

  2. Intact NAND chips can be removed from the circuit board and connected to chip readers fairly easily.  The largest challenges to data recovery lie in:
     - the care needed to remove the chips without destroying or damaging them,
     - separating logical user data from firmware, and
     - circumventing encryption, likely with only small segments of data available to analyze.

     The result is that, in practice, it requires a great deal of expertise in order to make a reasonable attempt at recovering data from intact NAND chips on an otherwise destroyed piece of storage media.

  3. If a NAND chip is punctured or broken, extremely advanced laboratory techniques requiring costly equipment and highly exclusive expertise are needed in order to have any reasonable possibility of data recovery.

These last two points are important because, if applied correctly, they can encourage a shift in how we evaluate the efficacy of a given method.  In most cases, we measure data destruction techniques in terms of a sliding security scale: The more "thoroughly" we destroy the data, the more security we manifest.  This approach of valuating data destruction is notoriously nondescript, and infinitely subjective.  A preferred way to regard the security level of any data destruction process is to define the profile of an entity that could make a reasonable attempt at data recovery on the media after a given sanitization or destruction method is used.  In other words, instead of asking "How tough would it be to recover data from this?", consider asking, "WHO could even possibly recover data from this?"  It's a much easier question to answer accurately, and frankly, is more relevant to the objective of protecting data. 

When we apply this logic to the physical destruction of solid state media, we can say confidently that there is an especially meaningful difference between A) those physical destruction processes that destroy the board and connectors and maybe some of the storage chips, and B) those processes that perform at least some degree of physical destruction to each chip on the storage device.  That difference lies in who can even bother to give a shot at recovering data.  If there are no intact chips remaining, recovery attempts are limited to forensics labs with specialized equipment – an achievement that should be satisfactory for any commercial data.  If, however, there are any NAND chips that remain intact, then anyone with a few hundred dollars in equipment and some time on their hands can at least give recovery a shot.  The likelihood of success is open for debate, of course, but difficult to measure.  By using this metric to rate the security level of a given process, we've essentially narrowed the discussion to two categories, or levels: 1) Procedures that would require forensic laboratory efforts to attempt recovery, and 2) Procedures for which recovery attempts could be made without forensics equipment. 
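As an added illustration of that categorical distinction (this is example code, not part of the original essay), the following Python model takes a cutter width and the dimensions of the NAND packages on a device, estimates whether any chip can pass between the cuts intact, and assigns the process to one of the two categories above. The package sizes and the strip-cut geometry are simplifying assumptions of the example, not measurements from any particular shredder or datasheet.

```python
from dataclasses import dataclass

MM_PER_INCH = 25.4


def inches_to_mm(inches: float) -> float:
    return inches * MM_PER_INCH


@dataclass(frozen=True)
class Package:
    """A NAND flash package; dimensions are nominal body sizes (assumed)."""
    name: str
    length_mm: float
    width_mm: float


# Constructed sample packages for this example; not taken from a datasheet.
TSOP48 = Package("TSOP-48", length_mm=20.0, width_mm=12.0)
BGA132 = Package("BGA-132", length_mm=18.0, width_mm=14.0)


def survival_probability(chip: Package, strip_width_mm: float) -> float:
    """Chance that a chip escapes every cut.

    Simplifying model (an assumption of this example): the shredder makes
    parallel cuts spaced strip_width_mm apart, and the chip's shorter side
    lies across the cuts at a uniformly random offset. The chip stays intact
    only if it falls entirely between two cuts, so the chance is
    (W - w) / W when w < W and zero otherwise.
    """
    w = min(chip.length_mm, chip.width_mm)
    if w >= strip_width_mm:
        return 0.0
    return (strip_width_mm - w) / strip_width_mm


def expected_intact(chip: Package, count: int, strip_width_mm: float) -> float:
    """Expected number of intact chips on a device carrying `count` of them."""
    return count * survival_probability(chip, strip_width_mm)


def classify(chips, strip_width_mm: float) -> str:
    """Map a process to the essay's two categories: category 2 whenever any
    package on the device has a non-zero chance of surviving intact."""
    if any(survival_probability(c, strip_width_mm) > 0 for c in chips):
        return "category 2: recovery attempt possible without forensic equipment"
    return "category 1: forensic laboratory required"


if __name__ == "__main__":
    for label, width in [("1.5in HDD shredder", inches_to_mm(1.5)),
                         ("0.75in HDD shredder", inches_to_mm(0.75)),
                         ("12mm flash shredder", 12.0),
                         ("2mm flash shredder", 2.0)]:
        n = expected_intact(TSOP48, 8, width)  # assume 8 TSOP-48 chips per SSD
        print(f"{label:20s} expected intact: {n:4.1f}  "
              f"{classify([TSOP48, BGA132], width)}")
```

Under this model an eight-chip SSD through a 1.5" shredder leaves roughly five packages untouched, while any cutter narrower than the smallest package side moves the process into the first category.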

A natural follow-on question to this might be, within each of these categories, "How much more security can one process offer over another?"  For example, "How much more secure is 2mm SSD destruction than 12mm?"  It's at this point that, in my opinion, the discussion has shifted from security to academia.  A better question: "How does it affect my business if it takes a forensic laboratory 200 hours to recover data fragments instead of 2000 hours?"  It sounds a bit silly now, doesn't it?  That's because rendering data recovery impossible outside of a forensic laboratory environment is an adequate and acceptable degree of security for the Electronics Reuse Industry, and the advantages of allocating budget and resources towards incremental differences above and beyond that are immaterial.

In review, there is an important categorical difference between putting an SSD or flash drive through a traditional hard drive shredder, and putting one through a flash-specific destruction process. That difference is how data destruction professionals should distinguish effective physical destruction on unclassified examples of this type of media: Performing some level of destruction of 100% of storage chips on the media puts any recovery out of reach of any entity short of a professional forensics laboratory, and is an appropriate data protection posture for the Electronics Reuse Industry.