Sensitive Data Protection: Media Hysteria or a Call to Action?

by Thomas J. Meehan
September 1, 2006

A more SECURE ERASE is necessary to satisfy the requirements specified in the ASD(C3I) memo of June 4, 2001. This would be similar to the single overwrite ERASE except it would write a minimum of three passes using special data patterns; the initial pass using an overwrite pattern of a random value (other than 00, FF, 01 and FE), the second pass using the complement of the first pattern, and the third pass using a new random value (different from the first two). If additional passes are necessary, a fourth pattern would be a complement of the third, and so on.

This SECURE ERASE will be slower; it always writes to every track multiple times. It also will wait at the end of a pass to ensure the data is hardened before continuing with the next pattern overwrite, which takes more time. Overwriting with an alternating two’s complement data pattern makes it highly unlikely that any data can be recovered even if the drives are subject to special hardware analysis. This method is appropriate for disk subsystems containing your most sensitive and highly classified data.

A comprehensive secure erase solution also would have a verification function. Many DoD directives require independent confirmation of an erasure by a second user. A VERIFY function reading a sampling of a volume’s tracks, rather than every track on a volume, enables a subsequent user to determine that a z/OS DASD volume has been overwritten in a practical amount of time.

Minimize Contention for the Best Possible Performance

Select a comprehensive secure erase solution designed to achieve the best possible performance. Elapse times to erase multiple disks will depend on the hardware vendor, subsystem model, type of channel (ESCON vs. FICON), and workloads in the system, and on the channels running concurrent with the erase. The large capacity SCSI disks in mainframe disk subsystems emulating the virtual CKD disk are usually in Redundant Array of Independent Disks (RAID) configurations for protection against hardware failures. Erasing multiple virtual CKD disks that are physically on the same underlying SCSI disk or in the same RAID rank will cause contention in the RAID array and excessive head movement on the physical disks. The consequence is the total elapsed time to erase a large number of CKD disks may be much greater than if the same number of disks were run in smaller groups or spread across different physical resources.

A comprehensive erase solution will solve the contention problem by managing the process, employing special commands (which vary by hardware vendor) that identify the underlying physical disk or RAID group associated with each CKD disk to control the order of selection to prevent (or at least balance) starting an erase for multiple virtual CKD volumes residing on the same underlying disk or in the same RAID group. Using this technique, it’s possible to erase multiple terabytes per hour.