yasuda
Enthusiast
Posts: 64
Liked: 10 times
Joined: May 15, 2014 3:29 pm
Full Name: Peter Yasuda
Contact:

US DoD approved data cleansing?

Post by yasuda »

We have a client that runs Exchange in house because they are a government contractor supporting classified projects. None of their corporate infrastructure, including Exchange, holds classified data, but, on more than one occasion, a federal employee has accidentally sent a classified attachment to their employees. Their understanding of the data cleansing requirements was that any media containing backups had to be wiped by DoD approved methods.

We set up Backup Exec with daily full backups going to separate iSCSI drives so they could do their data cleansing without wiping all their backups. Maybe there are better solutions, but this was simple enough for their Data Security Officer to do without assistance - because once the server was known to have been tainted with classified data, only the DSO was allowed to log in.

Their new Exchange servers will be entirely virtual. Does Veeam B&R have a DoD approved method of cleansing backups in the event they are contaminated with classified data?
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: US DoD approved data cleansing?

Post by foggy »

Without going into details of what approved cleanup methods are, they can use the same approach they did with BE, if applicable - i.e. schedule daily fulls.
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: US DoD approved data cleansing?

Post by PTide »

Hi,

As per the nsa.gov PDF manual, the DoD-accepted ways of cleansing an HDD are:

a) Automatic Degausser

b) Degaussing Wand

c) Disintegration

d) Incineration

each of which makes an HDD unusable.

None of the mentioned can be performed by Veeam's backup deletion mechanisms.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: US DoD approved data cleansing?

Post by tsightler » 2 people like this post

I think those methods are what are supported for disposal of media, which I'm sure isn't the case here. They just need a partial sanitize so that they can reuse the media.

As far as I know there is actually no such thing as a "DoD Approved" method, though you do see this marketing claim, usually in reference to DoD 5220.22-M, which many products continue to claim compliance with, even though I don't believe this was ever technically an "approved" standard. I believe that all of this has been superseded by the recommendations in NIST 800-88 Rev 1, specifically the methods listed in Appendix A. The document covers the need to "partially sanitize" disk in some cases, and offers sanitize options that are as simple as overwriting the existing data with all zeros (although more passes or different patterns can be used as well). If I'm wrong on this and there is some other document that is "DoD Approved" then please feel free to provide a link to those procedures.

Veeam does not perform any type of wipe, however, I agree you should be able to use a technique similar to what you were using with Backup Exec. Provide a separate iSCSI target for storing backups of this system, and a separate job to write there, and if they need to be wiped you can use Windows SDELETE to securely overwrite the data with zeros or a pattern. Then remove the backups from the Veeam console and allow the next pass to be a full.

Please feel free to share more details about the current process or ask any additional questions.
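
The single-pass zero overwrite described in the post above, sketched in Python as an added example that is not part of the original thread and is not Veeam or SDelete code: it overwrites each matching file in place, reads it back to verify, and only then deletes it. The folder contents, the `.vib` filter and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB blocks

def zero_overwrite(path):
    """Single pass of zeros over the file's existing bytes; returns bytes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:           # r+b modifies in place, no truncate
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())               # push the pass through the OS cache
    return size

def verify_zeroed(path):
    """Read the file back and confirm every byte is zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def sanitize_restore_points(folder, suffixes=(".vib",)):
    """Overwrite, verify, then delete matching files; returns {name: bytes}."""
    report = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not (os.path.isfile(path) and name.lower().endswith(suffixes)):
            continue
        size = zero_overwrite(path)
        if not verify_zeroed(path):
            raise RuntimeError(f"verification failed, file kept: {path}")
        os.remove(path)
        report[name] = size
    return report

def demo():
    """Constructed sample data: two fake .vib files and one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("a.vib", b"S" * 6000), ("b.vib", b"x" * 10), ("notes.txt", b"keep")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return sanitize_restore_points(d), sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

An in-place overwrite only reaches the blocks the filesystem currently maps to the file; on SSDs, thin-provisioned LUNs, snapshots or copy-on-write volumes earlier copies can survive, so a dedicated target that can be wiped whole remains the safer layout.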
dellock6
VeeaMVP
Posts: 6166
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: US DoD approved data cleansing?

Post by dellock6 »

If procedures like sdelete or multipass zeroing of blocks are OK, you can chain a script that runs these tools as a post-job operation to any backup, so as soon as an old restore point is deleted by retention kicking in, the script can safely delete the dirty blocks. And you do not have to remove the device, this is done online and the freed space can be reused (which actually is another overwrite).

The listed procedures are indeed physical operations against disks, not software based ones. I'm pretty sure that no software solution, not even Symantec, can degauss a disk... The listed procedures (not even the only existing ones: https://en.wikipedia.org/wiki/Data_eras ... rentiators) talk about several passes and they make them sound more secure, but if I change a bit from 1 to 0, the original data is technically already modified even after just one pass. Writing zeros on the entire free space already has the effect of deleting existing data.

PS: and those docs were written 10 years ago, when disks were some GB and it took some minutes to erase them. Zeroing out an 8TB disk is going to take several hours, if not days.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
yasuda
Enthusiast
Posts: 64
Liked: 10 times
Joined: May 15, 2014 3:29 pm
Full Name: Peter Yasuda
Contact:

Re: US DoD approved data cleansing?

Post by yasuda »

Alexander - Good point. I would prefer to avoid daily full backups, but at least B&R would have the advantage of being able to use the AD, Exchange and SharePoint explorers.

Pavel, Tom and Luca - My information came from my client's Data Security Officer. Interpreting the rules was his responsibility, and it was his neck on the line, and I got the impression that the rules were not really well defined, short of shredding disks. He did say there were some applications approved for wiping disks by overwriting them, so he was okay with cleansing by wiping the iSCSI disks that held contaminated backups.

They would want to wipe the backups as soon as contamination was discovered, so the script wouldn't be needed. But if they are okay with deleting contaminated backup files and then wiping only the free space, we would be able to use forward incrementals and delete only the most recent, contaminated Vibs. Would that work? Would B&R detect that the vibs are missing, and fill in the missing data when the next backup runs?

Given the amount of error correction required to read data you didn't delete from modern hard drives, I realize the rules are obsolete, but the rules change slowly.

I know Veeam is widely used in government, and I was hoping someone had direct experience with this issue, but maybe those people are not allowed on public forums. ;-)

Thanks again for all your input.
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: US DoD approved data cleansing?

Post by foggy »

yasuda wrote: But if they are okay with deleting contaminated backup files and then wiping only the free space, we would be able to use forward incrementals and delete only the most recent, contaminated Vibs. Would that work? Would B&R detect that the vibs are missing, and fill in the missing data when the next backup runs?
No, you would need to start the chain anew with the active full after that, otherwise the job will fail on the next run (since the deleted restore point will still be present in job metadata).
yasuda
Enthusiast
Posts: 64
Liked: 10 times
Joined: May 15, 2014 3:29 pm
Full Name: Peter Yasuda
Contact:

Re: US DoD approved data cleansing?

Post by yasuda »

We can live with that. Thanks for the clarification.