joshky

Disk Sanitization on EMC CLARiiON

I know this is a fairly generalized question, without having the exact EMC model number(s), etc.
I need to securely erase several EMC fibre-channel drive arrays.  (3 pass+verify)

The EMC is a platform that I am not familiar enough with to be confident with any standard tools, but I had read about the "symerase" tool that applies to EMC Symmetrix.   Hoping there was a similar reasonably priced tool for the Clariion.

If not, I wonder if anyone has any experience erasing these drives using any alternative methods?   For example, using an x86 server connected directly to the Fibre...

Any thoughts or suggestions are appreciated!
Thanks in advance!
ChopperCentury

From Navisphere, destroy LUNs and storage groups.
FYI, the destroy option from Navisphere or navicli from the command line makes the destruction irreversible.
joshky

ASKER

Thanks for the quick responses, ChopperCentury.   Does this process overwrite all addressable sectors, remapped sectors, and protected areas of the disk?   The 3-pass / verify I referred to would require this.   Correct me if I'm wrong (without the unit nearby to test) - but the steps you suggest sound like the equivalent of breaking a RAID group, leaving the members orphaned with the potential for reconstruction.

Does this process take quite a bit of time to perform?   Can you provide any command line help provided by the tool on the console?  (i.e. navicli /?)

Thanks again for your quick reply!
Most EMC documentation is inside the Powerlink website. However, the following link includes the CLI commands: http://www.datadisk.co.uk/html_docs/emc/emc_navisphere_cs.html
As for Navisphere, you launch this Java app by going to the SP IP address of the CLARiiON. You then navigate to the LUNs and unbind each, then destroy the storage groups... that will eradicate everything. Navisphere is very easy to navigate once you have it launched.
ASKER CERTIFIED SOLUTION
David
This solution is only available to members.
Sorry for the delayed response. To answer your question, the method I gave does not perform a 3-pass. However, it does make the data non-recoverable due to the proprietary RAID system of the EMC.

If you are looking to decommission the storage system and provide proof of non-recover...simply drill the drives, this will save time and give peace of mind to stakeholders and make auditors smile.
Most large corporations simply drill the drives (i.e. Wells Fargo, etc.)
Other than that you need a prescribed destruction procedure from the vendor but EMC will generally tell you to unbind LUN and destroy SG.
"Drilling" the drives is not satisfactory.  It does not meet any compliance standards such as HIPAA.  I cannot believe that any stakeholders/shareholders will smile if you do not meet compliance.  Anybody can go dumpster diving and grab gigabytes of data from a "drilled" disk with the proper equipment.

Degaussing with proper equipment and grinding the platters so that no piece of the media is large enough to handle a block of data are the 2 methods that work assuming the NIST CLEAR or NIST PURGE or DOD 5220-M methods of secure are not viable options.  
Yes, you can recover some data from a single hole, possibly.
Disagreed, this will and has satisfied HIPAA, PCI and federal regulators. The platter shatters with impact from a standard hammer after a few holes. Standard validated with sending drives to firms to attempt recovery.
Given shred is preferred but the equipment is expensive.

I'm out until the author is back in the conversation.
joshky

ASKER

Thanks to both of you, and apologies for my absence.   ChopperCentury, physical destruction of the drives isn't an option.   And the data must not be recoverable.

dlethe, I appreciate your thorough responses!  Sounds like you've gotten your hands dirty a bit with drive erasure.  So, it sounds like I can keep all of the drives in the enclosure but it would work best with a separate server/HBA.  Would you recommend any particular Fibre Channel HBA to use in conjunction with the smartmon-ux utility?

I may have a follow-up question or two for you, if you don't mind!  Aside from that, I consider this question very well answered...
Chopper - not to put you on the spot, but I have seen standards on HIPAA, NIST, and others, and have done things with my day job actually working with developers to test products.  Changes were made to HIPAA in 2009 and "punching" is no longer compliant.

You have to read up on the HITECH Act, which was passed in 2009. Here is something on NIST. (There are several variations, but NIST PURGE, NIST CLEAR and DoD-522M are variations on secure erase, and the only government standards that are, well, standards.)

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Now I'm not perfect, so if you have an official government document that says drilling is acceptable that is dated after the passing of the HITECH Act, then I would be interested in knowing about it.

==============
Anyway, whatever Fibre Channel HBA you have today will be fine.  There aren't any HBAs that have embedded RAID, and that is what will mess you up.
Good info, thanks. The standard I was referring to is an internal company standard for data destruction, not external.
My experience comes from the financial sector and HIPAA is not as paramount as PCI and federal examiner guidelines. Given there are FI's involved in medical banking that may fall under the crazy HIPAA rules.
As long as examiners were satisfied with drilling then I was as well.
I never feel on the spot, this is a learning tool even for those giving answers.

 However, I openly offer you a challenge to come reconstruct data from one of my drilled drives. The casing sounds like a sack of rocks :)

  Have a good night fellas.
joshky

ASKER

Awesome!
Chopper -  I assure you that data can be reconstructed from a tiny piece. I won't take you up on the challenge, because I don't have the equipment.  But consider that with areal density of 1Gbit per square mm on latest technology, then you can do the math and see how many GBytes worth of data can be recovered from just bits and pieces.  I have done some time with certain national security sites, and they don't use any of the techniques even mentioned here.  They have to basically turn the HDD into dust .. using equipment onsite.