2. General Information

Copyright(c), 1996 Management Analytics - All Rights Reserved


An AIS and its storage media should be safeguarded in the manner prescribed for the highest classification of information ever processed by the AIS. That is, until the AIS and its associated storage media are subjected to an approved purging procedure and administratively declassified. There should be continuous assurance that sensitive information is protected and not allowed to be placed in a circumstance wherein a possible compromise can occur. There are two primary levels of threat that the protector of information must guard against: keyboard attack (information scavenging through system software capabilities) and laboratory attack (information scavenging through laboratory means). Procedures should be implemented to address these threats before the AIS is procured, and the procedures should be continued throughout the life cycle of the AIS.

2.1 USE OF THIS GUIDELINE

Designated Approving Authorities and Information System Security Officers (ISSOs) may refer to this guideline when selecting or evaluating specific methods to clear, purge, declassify, or destroy AIS storage media. DoD components may include the information provided in this guideline in their security training and awareness program; however, they should not use this guideline in lieu of existing policies.

Guidelines in this document have two degrees of emphasis. Those that are most important to the secure handling of AIS storage media have such wording as "the ISSO should . . . ." Guidance of lesser criticality has such wording as "it is good practice" or "it may be." Thus, the word "may" denotes less emphasis or concern than the word "should."

2.2 IMPORTANT DEFINITIONS

This section provides definitions and their amplification critical to understanding the issues in remanence. A comprehensive glossary follows Section 7.

Clearing: The removal of sensitive data from an AIS at the end of a period of processing, including from AIS storage devices and other peripheral devices with storage capacity, in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed using normal system capabilities, i.e., through the keyboard. (This may include use of advanced diagnostic utilities.) An AIS need not be disconnected from any external network before a clear. [17, draft version]

Clearing can be used when the secured physical environment (where the media was used) is maintained. In other words, the media is reused within the same AIS and environment previously used.

In an operational computer, clearing can usually be accomplished by an overwrite of unassigned system storage space, provided the system can be trusted to provide separation of the storage space and unauthorized users. For example, a single overwrite of a file or all system storage, if the circumstance warrants such an action, is adequate to ensure that previous information cannot be reconstructed through a keyboard attack. Note: Simply removing pointers to a file, which can occur when a file is simply deleted in some systems, will not generally render the previous information unrecoverable through normal system capabilities (i.e., diagnostic routines).

Purging: The removal of sensitive data from an AIS at the end of a period of processing, including from AIS storage devices and other peripheral devices with storage capacity, in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed through open-ended laboratory techniques. An AIS must be disconnected from any external network before a purge. [17]

Purging must be used when the secured physical environment (where the media was used) will not be maintained. In other words, media scheduled to be released from a secure facility to a non-cleared maintenance facility or similar non-secure environment must be purged.

Note: The purging definition allows a hierarchy of data eradication procedures, although current standards do not take advantage of this. That is, removing data with "assurance, proportional to the sensitivity of the data, that the data may not be reconstructed" implies that standards can be developed to be applied hierarchically. For example, a standard could be developed that allowed a security officer to degauss CONFIDENTIAL tapes by 80 dB, SECRET tapes by 90 dB, etc. Practice has shown, however, that this is not a feasible approach. Authorized clearing and purging procedures are detailed in DoD 5200.28-M and sometimes further amplified in DoD component regulations.

Declassification: A procedure and an administrative action to remove the security classification of the subject media. The procedural aspect of declassification is the actual purging of the media and removal of any labels denoting classification, possibly replacing them with labels denoting that the storage media is unclassified. The administrative aspect is realized through the submission to the appropriate authority of a decision memorandum to declassify the storage media.

Whether declassifying or downgrading the storage media, the memorandum should include the following:

a. A description of the media (type, manufacturer, model, and serial number).

b. The media's classification and requested reclassification as a result of this action.

c. A description of the purging procedures to include the make, model number, and serial number of the degausser used and the date of the last degausser test if degaussing is done; or the accreditation statement of the software if overwriting is done; or the description of and authorization to use the purging procedure if the purging procedure is different from the preceding procedures.

d. The names of the people executing the procedures and verifying the results.

e. The reason for the downgrade, declassification, or release.

f. The concurrence of the data owner that the action is necessary.

g. The intended recipient or destination of the AIS and storage media.

Coercivity: Measured in oersteds (Oe), is a property of magnetic material used as a measure of the amount of applied magnetic field (of opposite polarity) required to reduce magnetic induction to zero from its remanent state, i.e., taking the media from a recorded state to an unrecorded state. Coercivity values are available from the manufacturer or vendor.

Type I Tape: Magnetic tape with coercivity not exceeding 350 Oe (also known as low-energy tape), for example, iron oxide coated tape. Note: The maximum coercivity level has changed from 325 Oe to 350 Oe.

Magnetic disks, i.e., oxide particles on a metal substrate, also have varying coercivity levels. Research has shown, however, that the physical remanence properties of disks are easier to address. Because of this, disks are treated as Type I media and are discussed in more detail later.

Type II Tape: Magnetic tape with coercivity ranging from 351 to 750 Oe (also known as high-energy tape), for example, chromium dioxide coated tape.

The determination of the Types I and II definitions was largely a result of the tape manufacturing industry. Low-energy tapes were developed first, and they have coercivities around 300 Oe ± 10%. The next generation tape was high-energy tape, whose coercivity is around 650 Oe ± 10%. There have been no naturally occurring plateaus for which to define a Type III tape. As a practical matter, there are no degaussers that can yet meet the requirements of National Security Agency/Central Security Service (NSA/CSS) Specification L14-4-A for tapes above Type II. [13]

Type III Tape: Magnetic tape with coercivity above 750 Oe, for example, cobalt-modified iron oxide coated tape and metallic particle coated tape. This definition is provided so these media may be discussed.

Degausser: A device that can generate a magnetic field for degaussing magnetic storage media. A Type I degausser can purge Type I tapes and all magnetic disks. A Type II degausser can purge both Types I and II tapes. There are, at present, no Type III degaussers. Currently, all Type I, II, and III tapes may be cleared with a Type I degausser. However, Type III tapes with higher than the current maximum coercivity may be developed that would not be clearable with a Type I degausser. Refer to the DPL for Type III degausser availability. Section 3 discusses degaussers further.

Permanent Magnet Degausser: A hand-held permanent magnet that has satisfied the requirement to degauss floppy disks, disk platters, magnetic drum surfaces, bubble memory chips, and thin film memory modules. It is not used to degauss magnetic tape.

2.3 OBJECT REUSE AND DATA REMANENCE

The issue of data scavenging on multiuser systems was recognized to be an area of concern long before the DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (TCSEC),[20] became the metric with which to evaluate trusted systems. The TCSEC reflects this concern with its requirement that a Trusted Computing Base (TCB) have a mechanism that enforces an object reuse policy. This mechanism must ensure that no user can use the TCB interface to recover another user's data from recycled storage media (e.g., memory or disk pages). Object reuse in trusted computing systems is comparable (in most respects) to "clearing."

Object reuse can be implemented so that the address space that contained the object (file) is cleared upon deallocation (the net result is that unallocated address space is cleared) or upon allocation (the net result is that unallocated address space may contain data residue). (Note: There are other ways to implement object reuse which do not involve clearing.) Information from a common data storage pool cannot normally be retrieved through the keyboard.
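The keyboard-attack point made under "Clearing" in 2.2 (deleting a file only removes its pointers, while a single overwrite defeats recovery through normal system capabilities and diagnostic utilities) and the two object reuse implementations just described can be seen side by side in a toy model. The Python below is an added example, not code from this guideline or from any evaluated system; the block pool, the file table, the policy names and the SECRET sample string are all constructed for illustration.

```python
"""
Toy block store contrasting three ways of handling freed storage:
  "none"       - delete only drops the file's pointers (residue remains);
  "on_dealloc" - blocks are overwritten when freed (free space is clean);
  "on_alloc"   - blocks are overwritten when handed to a new owner
                 (free space may hold residue, but no user sees it).
Added example, constructed for illustration; not code from NCSC-TG-025.
"""
from __future__ import annotations

BLOCK_SIZE = 16
ZERO = b"\x00" * BLOCK_SIZE

# Constructed sample data: 29 bytes, so it spans two blocks and leaves slack.
SAMPLE_SECRET = b"SECRET: launch code 0000-1111"


class BlockStore:
    """Fixed-size blocks plus a file table; `policy` selects the reuse rule."""

    POLICIES = ("none", "on_dealloc", "on_alloc")

    def __init__(self, n_blocks: int, policy: str = "none") -> None:
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.blocks = [bytearray(ZERO) for _ in range(n_blocks)]
        self.free: list[int] = list(range(n_blocks))
        self.table: dict[str, tuple[list[int], int]] = {}  # name -> (blocks, length)

    # --- the "TCB interface": what a user can reach through the keyboard ---
    def write(self, name: str, data: bytes) -> None:
        if name in self.table:
            self.delete(name)
        owned: list[int] = []
        for off in range(0, len(data), BLOCK_SIZE):
            idx = self.free.pop(0)
            if self.policy == "on_alloc":
                self.blocks[idx][:] = ZERO          # clear before the new owner sees it
            chunk = data[off:off + BLOCK_SIZE]
            self.blocks[idx][:len(chunk)] = chunk   # slack beyond the chunk is untouched
            owned.append(idx)
        self.table[name] = (owned, len(data))

    def read(self, name: str) -> bytes:
        """A well-behaved file API returns only the owner's bytes, never slack."""
        idxs, length = self.table[name]
        return b"".join(bytes(self.blocks[i]) for i in idxs)[:length]

    def delete(self, name: str) -> None:
        idxs, _ = self.table.pop(name)              # drop the pointers
        for i in idxs:
            if self.policy == "on_dealloc":
                self.blocks[i][:] = ZERO            # overwrite while still under control
            self.free.append(i)

    # --- the "diagnostic utility": raw access to the whole pool ---
    def raw_scan(self, needle: bytes) -> bool:
        return any(needle in bytes(b) for b in self.blocks)

    def free_space_is_clean(self) -> bool:
        return all(bytes(self.blocks[i]) == ZERO for i in self.free)


def reuse_outcome(policy: str) -> dict[str, bool]:
    """Write a secret, delete it, then give one freed block to another short file."""
    store = BlockStore(n_blocks=2, policy=policy)
    store.write("plan.txt", SAMPLE_SECRET)
    store.delete("plan.txt")
    survives = store.raw_scan(b"launch")            # first block of the secret
    clean_after_delete = store.free_space_is_clean()
    store.write("notes.txt", b"hi")                 # reuses the first freed block
    return {
        "secret_survives_delete": survives,
        "free_space_clean_after_delete": clean_after_delete,
        "new_file_reads_cleanly": store.read("notes.txt") == b"hi",
        "secret_in_reused_block": store.raw_scan(b"launch"),
        "secret_in_free_block": store.raw_scan(b"0000-1111"),
    }


if __name__ == "__main__":
    for p in BlockStore.POLICIES:
        print(p, reuse_outcome(p))
```

With policy "none" the raw scan still finds the secret after deletion, in the block's slack after reuse, and in the never-reallocated block. Clearing on deallocation leaves free space clean and nothing for the diagnostic read to find. Clearing on allocation keeps residue in unallocated blocks, yet the new file's owner reads only clean data, which is the property the object reuse requirement actually demands.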

Some comparisons have been made between trusted systems that satisfy the object reuse requirement and overwrite programs that do only clearing or purging; however, it should be noted that overwrite programs cannot be trusted in the same sense as trusted systems. This is primarily because of the environment in which overwrite programs must operate.

Trusted systems are designed with an object reuse mechanism that is protected and supported by the TCB, substantiating the degree of trust placed in the object reuse mechanism. Commercially available overwrite programs are usually designed to operate on several different systems and are not evaluated with the same rigor as trusted systems; however, any overwrite program should be protected from unauthorized modification. These two security features provide a similar aspect of data confidentiality but satisfy different computer security requirements.