Source file: SNIA-SDC23-Suhler-Storage-Sanitization-Why-When-How_0.pdf (23 pages)
Slide 1: Storage Sanitization: Why, When, How
Paul Suhler, KIOXIA Corporation
Virtual Conference, September 28-29, 2021
2023 SNIA. All Rights Reserved.

Slide 2: Abstract
Operators of data storage systems are legally obligated to protect customer data and can be subject to significant penalties for data breaches. This presentation will explore existing and upcoming standards to show the best practices for sanitizing customer data.

Slide 3: Agenda
- Data breaches
- Sanitization of storage devices
- Customer concerns
- Circularity and reuse
- The standards environment
- New directions for sanitization

Slide 4: The Players
- Vendor: the manufacturer of a storage device.
- Organization: the operator (and usually owner) of a storage device.
- User: the entity associated with the data stored on a storage device.
  - May be the organization, storing their corporate data.
  - May be a customer of the organization, renting compute and storage from the organization.
  - "User" can be recursive: a user may handle data private to customers of their own.

Slide 5: Avoiding Data Breaches
- Organizations must ensure that user data does not escape their control.
- Data breach: user data is accessible to an unauthorized entity.
  - Device stolen or disposed of without removing user data.
  - Attacker who has gained entry to the organization's system.
  - An authorized user of the system who accesses another user's data.
- Devices must be sanitized before being repurposed or discarded.

Slide 6: What is Sanitization?
- Sanitization: eradication of all user data from a storage device.
- Recovery of user data must be infeasible.
- Different methods of sanitization are resistant to different levels of attacks (see below).
- Devices implement commands to sanitize user data.

Slide 7: Sanitization Process
- Take the device out of the customer's production environment.
  - Must ensure that applications do not write to it.
  - If the device will be placed back in use, then it can be taken logically offline and sanitized in situ.
  - If the device is being moved to a different system or discarded, then it may be moved to a workstation dedicated to sanitization.
- Issue the sanitize command.
  - NVMe Sanitize; SCSI SANITIZE; ATA has multiple commands.
- Confirm successful completion of the command.
  - If not successful, then try again.
- Verify that data was eradicated.
  - Read some or all of the device to confirm removal of a known pattern.
  - If sanitization failed or verification failed, then the device may be destroyed.
- Document sanitization of the device.

Slide 8: Sanitization Methods
- Different methods provide different levels of protection.
- Clear: device remains usable, and user data cannot be read from the device.
- Purge: device remains usable, but user data cannot be recovered from the media even if the device were to be disassembled and the media read at a low level.
- Destruct: device is destroyed and data cannot be recovered from the remains of the media.
- Source: IEEE 2883-2022.

Slide 9: Techniques for Clear and Purge
- Overwrite: the sanitize command writes a specified pattern to all accessible media.
  - Slow process for large capacity devices.
- Block Erase: applies to solid-state media. One "erase block" is erased in a fixed time.
  - Faster than Overwrite, but time can grow with the number of erase blocks.
  - The command standard may specify the data to be returned.
- Cryptographic Erase: all data is encrypted by the device as it is written. Erase is performed in constant time by changing the encryption key.
  - The command standard may specify the data to be returned.

Slide 10: Techniques for Destruct
- Disintegrate: decompose media or break into small pieces.
- Incinerate: burn media until reduced to ashes.
- Melt: liquefy media.

Slide 11: Verifying Results of Sanitization
- Verification: read the device to ensure that user data does not remain.
- Block Erase and Crypto Erase can leave media error correction codes invalid.
  - Read commands will fail ("media error") until new data is written.
- Workarounds:
  - The device front end fabricates read data and does not access the media.
  - Devices perform "additional media modification" to make the media readable. Slow process.
- Help is coming: NVM Express is defining a mechanism for reading media without reporting media errors.

Slide 12: Sanitization Behavior Varies among Device Types
- There is no single standard describing how sanitize commands and the destruct method work on different device types.
- Different standards organizations (NVM Express, T10/SCSI, T13/ATA Storage Interfaces) have the same set of participants, who try to align behaviors.
- IEEE Std 2883-2022 describes the use of different devices' commands.
- Help is coming: proposed IEEE Project P3406 (Standard for a Purge and Destruct Sanitization Framework).

Slide 13: Customer Concerns
- Liability for a data breach can be in the tens of millions of dollars.
- Liability can exist in perpetuity.
- Is the storage device sanitization firmware buggy?
- Has an attacker compromised the firmware?
- Are there bugs in the software tool that issues the sanitization command?
- Did the technician correctly use the software tool?
- Without confidence in the entire process, the customer may decide to destroy the device rather than risk a breach.

Slide 14: Circularity and Reuse
- Why not destroy the device?
- Destruction of devices is wasteful and has an environmental impact.
  - The device cannot be reused; a replacement must be purchased.
  - Destruction costs money (power, labor, facilities, etc.).
  - Devices contain various metals and other chemicals that should not end up in landfills.
- Nevertheless, if the customer decides that the device must be destroyed, then disassemble it first.
  - Component materials can be fed into different recycling streams.
- New standards are in development that will provide guidance.

Slide 15: The Standards Environment
- IEEE Security in Storage Working Group (SISWG)
  - IEEE Std 2883-2022 (IEEE Standard for Sanitizing Storage)
- ISO/IEC 27040 (Storage security)
  - 2nd edition is nearing publication.
  - Has requirements and guidance for technologies and practices.
  - Covers both logical and media-based sanitization.
  - Defers to IEEE 2883 for specific sanitization techniques.
- Trusted Computing Group Storage Working Group (TCG SWG)
  - Opal Subsystem Class and other SSCs.

Slide 16: The Standards Environment (continued)
- NIST (National Institute of Science and Technology)
  - Cryptographic Module Verification Program (FIPS 140-3). Testing is performed by certified testing labs.
  - Special publications: various aspects of cryptography and security. New research includes algorithms resistant to attacks by quantum computers.
- EU Regulation 2019/424 ("Lot 9")
  - Refers to "secure data deletion" standards; 27040 and 2883 would fit this category.

Slide 17: New Directions: Verification
- The Crypto Erase and Block Erase techniques invalidate error correction codes in the media, causing reads to fail due to a media error.
- Existing devices can perform "additional media modification" to place readable data on the media; this is very slow.
- New media verification mechanisms skip the media modification and allow reading the media without reporting media errors.
- Repeated reads of the same location must be allowed to return different data; otherwise proprietary media reliability characteristics can be inferred.

Slide 18: New Directions: Sanitize Subcomponents
- Sanitization of subcomponents (e.g., NVMe namespaces).
- One storage device may be shared by multiple VMs (users), each of which has a different namespace in the same storage device.
  - Swapping a user out requires that their namespace be sanitized.
  - Other namespaces may continue to be written and read.
- Some other parts of the storage device must not be sanitized.
  - A controller memory buffer (CMB) may contain a data buffer used for I/Os to other namespaces.

Slide 19: New Directions: Encryption at a Fine Granularity
- Example: a file with data for one person is written with a unique encryption key. This may be a small part of a namespace.
- NVM Express Key Per I/O functionality allows each Write to use a different key.
- TCG SWG has defined a standard interface for injecting keys into devices.
- Encryption keys are stored in key management appliances, but are ephemeral in the device.
  - The Key Management Interface Protocol (KMIP) defines the interface between the host and the appliance.
- If the customer is ordered to forget that person's data, then all copies of that key are deleted from the appliance.
- Complexities:
  - How to prove that all copies of the key have been deleted?
  - Purging the entire device may require a second-level key that can be changed.

Slide 20: New Directions: Guidance
- Customers need guidance on appropriate sanitization methods.
  - What are the risks of exposure of different data?
  - What are the appropriate sanitization methods?
  - What are the effectiveness, economics, and environmental consequences?
- IEEE SISWG is developing new standards:
  - IEEE P2883.1, Recommended Practice for Use of Storage Sanitization Methods: how to use sanitization to meet your organization's needs. Analysis of the value of data and the risks from data breaches.
  - IEEE P2883.2, Recommended Practice for Virtualized and Cloud Storage Sanitization: how to implement sanitization for virtualized and cloud storage systems. Will address the concerns for storage at scale.

Slide 21: New Directions: Guidance (continued)
- IEEE SISWG is developing new standards:
  - IEEE P3406 (Standard for a Purge and Destruct Sanitization Framework), pending approval of the project.
  - Will provide requirements for standards organizations defining purge and destruct techniques.
  - Especially important for new storage technologies (e.g., DNA or crystal storage).
  - Need to make data recovery "infeasible using state of the art laboratory techniques".
  - Some techniques will need to be deprecated. E.g., if AES were to be broken, then Crypto Erase implementations that rely on it would be ineffective.

Slide 22: Compliance Testing and Device Certification
- Private testing companies are usually engaged by buyers of storage devices.
- Most testing involves directly reading the media (HDD spin stands, NAND raw interface).
- Device vendors may or may not help by showing where user data is stored.
- Will device vendors pay for certification?
  - The cost must be passed to customers; will it be overall higher?
  - NIST FIPS 140-3 compliance testing has been paid for by vendors.
- IEEE SISWG is exploring using the IEEE Conformity Assessment Program to establish a media sanitization certification program.

Slide 23
Please take a moment to rate this session. Your feedback is important to us.
35、howing where user data is stored.Will device vendors pay for certification?Cost must be passed to customers;will it be overall higher?NIST FIPS 140-3 compliance testing has been paid for by vendors.IEEE SISWG is exploring using the IEEE Conformity Assessment Program to establish a media sanitization certification program.23|2023 SNIA.All Rights Reserved.Please take a moment to rate this session.Your feedback is important to us.