Admin Alert: Erasing i5/OS Disk for Fun and Compliance
January 20, 2010 Joe Hertvik
When decommissioning iSeries, System i, or Power i systems, there may be legal considerations in erasing disk drive data. Decommissioning can occur when removing disk drives from a system; when completing a disaster recovery test on an outside provider’s machine; or when an i5/OS machine is sold or returned to a leasing company. The problem is that decommissioning disk drives without properly erasing them can easily violate legally mandated compliance standards.
Compliance and Decommissioned Disk Drives
As on most systems, i5/OS data doesn’t necessarily disappear when you reinitialize your disk drives. Clever and determined attackers may be able to reconstruct supposedly erased data if they use the right tools and methods. To complicate matters, your organization may be required to securely erase data from decommissioned disk drives to maintain compliance with several different standards, including:
Erasing data on decommissioned disks can be a big deal, even if there is little chance of the information falling into the wrong hands. Here’s an overview of disk cleansing techniques, what they do, and where they may give you problems.
Protecting Drive Data Through Power i Architecture
To improve disk performance, i5/OS objects are scatter loaded among the various drives on the system. Pieces of any given object are stored across multiple drives, allowing the OS to retrieve objects quickly through multiple access paths. For example, i5/OS may store File A over several different disk drives, with part of the file residing on Drive 1, another part on Drive 2, another on Drive 3, and so on. Scatter loading speeds up bulk data retrieval because the read-write arms on multiple drives can fetch several records from the same file at the same time, delivering records back to the program faster than if all the data resided on one drive. As a side effect, scatter loading makes data theft from a single drive harder, because all the data for an individual object usually isn’t on the same drive. It is a performance design, not an erasure control: any one drive still holds readable fragments of many objects, and a fragment of a customer record is still a customer record.
To protect the system from catastrophic failure when a single disk dies (taking many operating system objects with it), i5/OS disk drives are usually grouped into redundant arrays of inexpensive disks (RAID) sets, which IBM calls device parity protection. When a drive in a RAID set fails, the operating system uses the parity information on the other drives in the set to rebuild the contents of the failed drive. This allows processing to continue without incident until the failed drive is replaced by a new drive that is added back to the RAID set. Note that i5/OS’s other protection scheme, mirroring, keeps a complete copy of each mirrored unit on its partner, so a mirrored drive that leaves your control carries everything its partner held.
Building the system with scatter loaded files and RAID technology makes it harder, though not impossible, for an attacker to reconstruct sensitive files if a single i5/OS disk drive falls into the wrong hands. If you have legal requirements to track and dispose of removed drives containing financial data, customer personal data, medical records, etc., IBM Maintenance Services offers a hard drive retention option for any failed hard drives that it replaces. For a fee, IBM allows you to keep any drive that is replaced under your maintenance contract so that you can dispose of the drive according to your organization’s compliance policy.
But what if you are returning a replaced system to a vendor or selling an old System i box to another organization? How do you protect system data when the entire system moves out of your organization’s control?
Erasing Disk Drives
To erase all data on an i5/OS machine or partition, IBM documents a technique for initializing all of the system’s disk drives. There are two different sets of instructions for clearing your system. The first set clears data on secondary partitions, such as when you want to clear a partition on which you’ve just completed a disaster recovery test. The second technique removes all partitions from the system and erases all data on them.
IBM’s technique performs a manual IPL from installation media containing either a system save (SAVSYS); a full system save (GO SAVE, Option 21); or the Licensed Internal Code (LIC) CD that ships with the operating system. A manual IPL from media brings the system up in Dedicated Service Tools (DST). In DST, you follow IBM’s instructions to install the Licensed Internal Code and initialize the system or partition. With either technique, the system writes one complete pass of zeroes across the disk drives before installing the LIC. That makes the data unreachable through the operating system, but it is a single overwrite pass, not a multi-pass sanitization, and that distinction matters for the compliance standards discussed next.
The problem with the one-pass cleansing technique is that it isn’t good enough for many compliance policies that require disk drives to be cleared to the United States Department of Defense 5220.22-M standard (DoD 5220.22-M, the National Industrial Security Program Operating Manual), which provides guidelines for sanitizing media used by contractors handling classified information. Other U.S. regulations, such as HIPAA, do not name a specific overwrite method but do require that data on re-purposed and discarded drives be rendered unrecoverable before the drives are disposed of, and auditors and organizational policies commonly treat DoD 5220.22-M as the benchmark for meeting that requirement.
In a document on initializing System i disk units to the DoD 5220.22-M standard, IBM states that one complete initialization pass (writing zeroes to the disk) does not meet the DoD standard, which requires all addressable disk locations to be overwritten with three different data patterns (the commonly cited method writes a character, its complement, then a random character, and verifies the result). And because disk initialization happens during a manual IPL, in DST, where no user or third-party program can run, you cannot substitute a third-party tool to perform DoD-style initialization of the system’s disk drives.
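To make the difference between the one-pass initialization and a three-pass overwrite concrete, here is an added example that is not IBM’s Disk Sanitizer, not from IBM’s documentation, and not something you can run from DST during a manual IPL. It is a Python script for a host where you can address a drive directly (a raw block device such as /dev/sdb, or a file-backed image for testing, both assumptions): a three-pass overwrite in the style of the DoD 5220.22-M clearing matrix (a character, its complement, a random character, then verification of the final pass), alongside a check that confirms a target really is zero-filled after a one-pass initialization. The chunk size, the test-image marker string and the 0x01..0xFE range for the random character are this example’s own choices.

```python
"""
Added example (not IBM code): DoD 5220.22-M-style three-pass overwrite with
read-back verification, plus a zero-fill check, on any seekable target.
Targets are a raw block device (e.g. /dev/sdb, assumption) or an image file.
"""
import os
import secrets

CHUNK = 1 << 20  # 1 MiB per write; an assumption, tune to the device


def _target_size(f) -> int:
    """Byte length of a regular file or a block device opened in binary mode."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def _fill(pattern: bytes, n: int) -> bytes:
    """Repeat pattern to exactly n bytes."""
    return (pattern * (n // len(pattern) + 1))[:n]


def overwrite_pass(f, size: int, pattern: bytes) -> None:
    """Write pattern over every addressable byte of the target, then fsync."""
    f.seek(0)
    done = 0
    while done < size:
        n = min(CHUNK, size - done)
        f.write(_fill(pattern, n))
        done += n
    f.flush()
    os.fsync(f.fileno())


def verify_pass(f, size: int, pattern: bytes) -> bool:
    """Read the whole target back; True only if every byte matches pattern."""
    f.seek(0)
    done = 0
    while done < size:
        n = min(CHUNK, size - done)
        if f.read(n) != _fill(pattern, n):
            return False
        done += n
    return True


def zero_fill(path: str) -> bool:
    """One pass of 0x00, like the manual-IPL initialization; returns the verify result."""
    with open(path, "r+b") as f:
        size = _target_size(f)
        overwrite_pass(f, size, b"\x00")
        return verify_pass(f, size, b"\x00")


def is_zero_filled(path: str) -> bool:
    """Post-initialization check: is every addressable byte of the target 0x00?"""
    with open(path, "rb") as f:
        return verify_pass(f, _target_size(f), b"\x00")


def dod_three_pass(path: str) -> bool:
    """
    Pass 1: a character (0x00); pass 2: its complement (0xFF);
    pass 3: a random character; then verify that pass 3 landed everywhere.
    The random byte is drawn from 0x01..0xFE (this example's choice) so the
    third pattern is genuinely different from the first two.
    Caveat: overwriting cannot reach sectors a drive has remapped as bad or
    the spare area of an SSD; when that matters, destroy the drive instead.
    """
    random_char = bytes([secrets.choice(range(1, 255))])
    with open(path, "r+b") as f:
        size = _target_size(f)
        for pattern in (b"\x00", b"\xff", random_char):
            overwrite_pass(f, size, pattern)
        return verify_pass(f, size, random_char)


def make_test_image(path: str, size: int) -> str:
    """Constructed sample target: an image file filled with a recognisable marker."""
    with open(path, "wb") as f:
        f.write(_fill(b"CUSTOMER-RECORD ", size))
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # e.g. /dev/sdb (assumption) or an image file path
    print("three-pass sanitize verified:", dod_three_pass(target))
```

Run it as root against the device to be sanitized and keep the verification result with the drive’s disposal record; a `False` return means a sector could not be read back with the final pattern, and the drive should be treated as unsanitized. The image size in testing deliberately straddles a chunk boundary so the last partial write and read are exercised.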
There are two techniques for performing DoD 5220.22-M cleansing before decommissioning and disposing of Power i disk drives.
The first is physical destruction. Physically destroying the disk units is the surest method, but it can be massively expensive, because you trash every disk drive in your old machine and must then purchase a full set of replacement drives.
The second is the IBM Disk Sanitizer, a licensed function that lets you meet the DoD standard for non-configured disk units. (IBM refers to the process as “sanitizing.”) Because it works only on non-configured units, you must first remove the drives from their auxiliary storage pool (ASP) configuration before sanitizing them. There are also two downsides when performing this task.
First, the Disk Sanitizer runs from your load source, so it cannot sanitize the load source itself or any disk attached to the load source IOP; those drives need another disposal method, such as physical destruction. Second, sanitizing is a write-intensive process that makes multiple full passes over every unit and can take many hours to complete, so plan a large block of time if you’re going to use this technique. Even with these drawbacks, the Disk Sanitizer may be your best (and only) option for providing DoD 5220.22-M compliance for decommissioned disk drives.
Not The End
This is an overview of some of the techniques that are available for cleansing i5/OS disk drives. If you’re in need of a cleansing solution for your installation, use this information as a starting point to accomplish these tasks yourself or to work with an IBM business partner to get the job done.