Comments on: How much data deletion is enough?

By: Bruce Stimon

Bruce Stimon — Wed, 25 Jul 2007 17:59:37 +0000

There is no Protection Profile created for any software overwrite or Secue Erase tool. I’m not sure what this FDRERASE tool is…I do not see it listed in the CCEVS nor assigned to any CCTL site. Since no where in 5220.22-M is it mentioned that software overwrite is recommended or available (clealrly no one here has actually read the NISPOM!), all that is left is theNIST SP 800-88 and the Clearing and Saitization matrix published by DSS. Remember that clearing technologies like software overwrite are at a lower level than Puging technologes. Firmware purge is viewed as “…the best option for an organization” Page 30 800-88….
check out http://www.deadondemand.com

By: Thomas J Meehan

Thomas J Meehan — Thu, 14 Jun 2007 14:43:44 +0000

The comment from Barry Burke is right on… Readers should seriously consider the issue of insuring that multiple overwrites are effective. That is often as the article states what differentiates, a “Professional” solution like FDRERASE and a user program. The CCEVS Common Criteria Evaluation of the FDRERASE design reviews this as explained in the following paragraph extracted from the CCEVS material

3.5.8 Hardening of data
On modern disk subsystems, all WRITE CCWs actually transfer data into subsystem cache memory before writing the data to the back-end disks. Data is written asynchronously from the cache to the back-end disk. If a subsequent WRITE modifies the same track before it is “hardened” from cache to disk, the previous data is discarded and never written to disk. The proper operation of FDRERASE requires that the program insure that the data is hardened to disk at the end of each pass.
• On IBM and HDS subsystems, a COMMIT CCW is supported. COMMIT will insure that all cached data for a range of track addresses on a given device has been written to the back-end disks before any new I/O is accepted.
• On EMC subsystems, COMMIT is not supported but unique EMC query commands will return the number of writes which are pending in the cache for a given disk device. This can be queried repeatedly at intervals until it reaches zero.
• However, all of these vendors guarantee that write data will eventually be hardened to the back-end disk, even if a power failure occurs.

For ERASE and SECUREERASE operations, FDRERASE issues the appropriate commands to insure that the data is hardened “at the end of each pass”. When multiple passes are made on a disk special techniques are used to improve performance for example:
• The first pass will write on all cylinders of the device, from the highest-number cylinder to cylinder 0.
• A COMMIT will be issued for the top half (highest-numbered cylinders) of the device, since that data has probably already been hardened by the subsystem.
• The next pass starts by writing the top half of the device with the next pattern.
• A COMMIT will be issued for the bottom half of the device.
• The pass continues to erase the bottom half of the device.
• At the end of the last pass, the entire volume will be committed.

By: Barry Burke

Barry Burke — Thu, 14 Jun 2007 10:36:27 +0000

It is perhaps important for your readers to understand that host-based secure erase / data shredder applications can actually have little or no effect on data stored in external cached storage arrays. In many cases, these arrays buffer writes so effectively that only the final pattern is written to the disk. As you say, overwriting the old data with multiple patterns may in fact be overkill, but with cached arrays it may also be impossible.