Is There an Alternative to Physically Destroying SSDs?

While solid state drives (SSDs) have been around in one form or another almost as long as their magnetic counterparts, it is only in recent years that their use has been adopted wholesale by the business enterprise. As a replacement for the magnetic drives usually used in laptops and storage systems, the capacity and speed of solid state drives have increased while their price has decreased. Meanwhile, other forms of SSDs have become a standard feature in smart phones and tablet devices like iPads that have become indispensable business tools.

There are plenty of good reasons to use solid state drives, but they have presented new challenges at asset retirement. Unlike magnetic drives, it has been difficult to guarantee the 100 percent destruction of data on SSDs. At the same time, the resale value of SSDs and devices containing them is quite high. The uncertainty around data erasure for SSDs has been a source of concern for many enterprise IT Asset Management and Data Security teams. Physically destroying the drives also destroys significant resale value.

That’s why, as they take stock of their growing inventory of SSDs, IT asset managers are asking, “Is there any way to destroy the data on SSDs so I can be confident about letting them out of our control?” Fortunately for them, the answer is, in most cases, yes. You just have to look beyond the usual methods of data destruction, the ones used for magnetic drives.

A Tale of Two Drives

The most common method used for permanently erasing the data stored on magnetic drives is the process of overwriting, which means exactly what it sounds like: overwriting the data stored on the drive with other, meaningless data (and then going back to verify it worked). The process and verification can be done reliably due to the nature of the drives and how they write and re-write data. Because of their unique architecture, this form of data erasure is not as reliable with SSDs. When you write new data to an SSD to replace older data, the SSD won’t necessarily put the new data in all the previously used physical locations. It will put the new data in another location and rewrite the “map” to the new location. The old data, though inaccessible through normal means, remains. This is why we say it’s possible to overwrite data on an SSD but impossible to verify the data no longer physically exists on the SSD.
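The remapping behaviour described above can be seen in a small model. The following is an added example, not code from the original post: a constructed toy mapping layer (the names ToySSD, overwrite_and_verify and the sample data are hypothetical) that assumes no garbage collection or TRIM, showing an overwrite pass that verifies cleanly through the host interface while the old data stays in unmapped pages.

```python
# Toy model of an SSD's logical-to-physical "map"; constructed for illustration,
# not real firmware. Garbage collection and TRIM are deliberately not modelled.
class ToySSD:
    def __init__(self, logical_blocks, physical_pages):
        if physical_pages <= logical_blocks:
            raise ValueError("model needs spare (over-provisioned) pages")
        self.pages = [None] * physical_pages   # raw flash contents
        self.l2p = {}                          # the map: logical block -> physical page
        self.logical_blocks = logical_blocks
        self.next_free = 0

    def write(self, lba, data):
        # Flash is not rewritten in place: use a fresh page and repoint the map.
        if self.next_free >= len(self.pages):
            raise RuntimeError("no free pages (garbage collection not modelled)")
        self.pages[self.next_free] = data
        self.l2p[lba] = self.next_free         # old page is unmapped, not erased
        self.next_free += 1

    def read(self, lba):
        # The only view the host (and a verification pass) has of the drive.
        page = self.l2p.get(lba)
        return None if page is None else self.pages[page]

    def stale_pages(self):
        # Pages that still hold data but that no logical address points to.
        live = set(self.l2p.values())
        return {i: d for i, d in enumerate(self.pages)
                if d is not None and i not in live}


def overwrite_and_verify(ssd, pattern=b"\x00" * 8):
    """Overwrite every logical block, then verify through the host interface."""
    for lba in range(ssd.logical_blocks):
        ssd.write(lba, pattern)
    return all(ssd.read(lba) == pattern for lba in range(ssd.logical_blocks))


def demo():
    ssd = ToySSD(logical_blocks=4, physical_pages=10)
    # Constructed sample data standing in for sensitive records.
    for lba, secret in enumerate([b"payroll1", b"payroll2", b"hr-file1", b"hr-file2"]):
        ssd.write(lba, secret)
    verified = overwrite_and_verify(ssd)
    return verified, sorted(ssd.stale_pages().values())


if __name__ == "__main__":
    verified, leftovers = demo()
    print("host-side verification passed:", verified)
    print("data still in unmapped pages:", leftovers)
```
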

Throwing Away the Key

One method of data erasure that is available on some devices, cryptographic erase, is effective for solid state drives holding lower-risk data. This is the method Apple provides for its devices. When a drive is equipped with cryptographic erase, from the very first time it is used, every piece of information stored on it is encrypted. Then, when it comes time to secure the data on the drive, instead of overwriting it, all you have to do to render it unreadable is delete the encryption key.

It’s worth noting, however, that although, without the key, cryptographically erased data is unreadable using current technology, the data does remain on the drive. It’s unlikely, but who’s to say hackers won’t develop more sophisticated methods in the near future for cracking this encryption?

The risk-based approach

There are other methods for SSD erasure as well, which we will address in future posts. While you may not be able to erase data from an SSD to a 100 percent degree of certainty, you can do it with a degree of certainty very close to that, making it worthwhile in most cases to redeploy or resell the device. Solid state drives and the equipment that uses them do have significant resale value, and with the right process, tools and documentation, you can minimize risk and realize that value. We recommend assessing every retired SSD in terms of the sensitivity of the data it contains. Considering there’s a tiny (but real) risk the data could be recovered by those who would misuse it, classify every drive by risk and choose a data destruction method accordingly. If your company already has a solid process for data destruction and remarketing with magnetic drives, you can treat your solid state drives the same way (although not using the same wipe process). If your company doesn’t have such a process in place, a competent expert (a data destruction vendor) can help you set it up and determine for each drive and situation if the benefit of data erasure and remarketing outweighs the risk.
