SamSchulman
asked on
Securely erasing files on AS/400
We are going through a PCI audit and they are asking us to ensure that when we delete any file that contains Card Holder Data (CC Number, Name, Exp Date, Etc) it is deleted in such a way the operating system or utility can not recover it - basically we need to delete the file and have it overwritten multiple times on our AS/400. This would be like the SRM (Secure Remove) in UNIX, Shred in Linux, and PGPShred in Windows.
How could I accomplish this on our AS/400 - both in a standard library and on the IFS?
Here is the PCI-DSS 2.0 section that we are trying to comply with:
How could I accomplish this on our AS/400 - both in a standard library and on the IFS?
Here is the PCI-DSS 2.0 section that we are trying to comply with:
9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@daveslater - A couple of comments:
1) Even with single level store architecture and block-level RAID (including all of the the most common levels - 0,1,5,6,10) full blocks of contiguous data still get written out to physical disk units. So it is certainly possible to recover full rows or groups of rows, or small IFS files or chunks of larger files from a single decommissioned IBM i / iSeries / AS/400 drive (or from a SAN connected to the same) out of a RAID set that uses any of the block striping RAID methods.
RAID 2 & 3 use bit-level and byte-level striping. To recover usable data from these sets, all but one disk unit in the set is required.
IBM i and Midrange External Storage Redbook has some good diagrams:
http://www.redbooks.ibm.com/abstracts/SG247668.html?Open
2) Row-level data destruction doesn't apply to PCI DSS-2 9.10.2 compliance, which was the question, so I'm going a little off-topic here - apologies in advance.
Our DB2 row-level data destruction process is similar to yours, except we don't overwrite with ones (*HIVAL). Instead we use one of two selectable patterns: a randomly-generated overwrite pattern and the triple-pass method (zeros, then ones, then a random pattern).
In real world situations, anything more than a simple overwrite in my opinion is overkill (and a potential performance nightmare), but security people (and yes, that's one of the hats I wear) often write "conservative" specifications, since reducing risk is the name of the security game. So by enabling use of a single-pass of random data and the triple-pass method, you've got options available that cover most of the "soft" data destruction requirements that you are likely to get hit with.
Here's an interesting paper on the subject of data recovery from overwritten disks - it changed my mind about the need for complex or "multi-pass" drive wiping procedures.
http://privazer.com/overwriting_hard_drive_data.The_great_controversy.pdf
- Gary Patterson
1) Even with single level store architecture and block-level RAID (including all of the the most common levels - 0,1,5,6,10) full blocks of contiguous data still get written out to physical disk units. So it is certainly possible to recover full rows or groups of rows, or small IFS files or chunks of larger files from a single decommissioned IBM i / iSeries / AS/400 drive (or from a SAN connected to the same) out of a RAID set that uses any of the block striping RAID methods.
RAID 2 & 3 use bit-level and byte-level striping. To recover usable data from these sets, all but one disk unit in the set is required.
IBM i and Midrange External Storage Redbook has some good diagrams:
http://www.redbooks.ibm.com/abstracts/SG247668.html?Open
2) Row-level data destruction doesn't apply to PCI DSS-2 9.10.2 compliance, which was the question, so I'm going a little off-topic here - apologies in advance.
Our DB2 row-level data destruction process is similar to yours, except we don't overwrite with ones (*HIVAL). Instead we use one of two selectable patterns: a randomly-generated overwrite pattern and the triple-pass method (zeros, then ones, then a random pattern).
In real world situations, anything more than a simple overwrite in my opinion is overkill (and a potential performance nightmare), but security people (and yes, that's one of the hats I wear) often write "conservative" specifications, since reducing risk is the name of the security game. So by enabling use of a single-pass of random data and the triple-pass method, you've got options available that cover most of the "soft" data destruction requirements that you are likely to get hit with.
Here's an interesting paper on the subject of data recovery from overwritten disks - it changed my mind about the need for complex or "multi-pass" drive wiping procedures.
http://privazer.com/overwriting_hard_drive_data.The_great_controversy.pdf
- Gary Patterson
http://www.itjungle.com/fhg/fhg012010-story03.html