Data Center Decommission 2.0 – The Shift from Trash To Security

Cybersecurity continues to make the headlines daily – from massive breaches like Equifax and Facebook to the lesser known NCIX and Dunkin’ Donuts. If you have ever wondered how information is hacked or leaked, you’re not alone. Bad actors drive relentless attacks, constantly probing for weakness within an organization. When proper security measures are not implemented or maintained appropriately, businesses leave the door wide open to poor outcomes, including massive fines and a tarnished reputation which can derail the business.

Likely the largest security exposure in business today is the retirement of data center IT hardware, where customer data, core financials and proprietary software are housed. Until recently, both businesses and decommission vendors have viewed retiring hardware as trash disposal – counting on Certificates of Destruction (CODs) to cover the risk. But IT professionals will tell you candidly that they are less than confident in the validity of CODs. So, how does a business overcome this mindset? Look at decommissions as a security risk first and trash second.

To be secure, decommissions require effective management of the entire process including a serialized audit of all data center equipment/drives, supervision of logistics teams that have been fully background-checked, sequestration of high-value hard drives, witnessed data destruction (whether onsite or offsite), documented chain of custody, timely CODs and ultimately, responsible disposition of assets (either sold or recycled). Decommissions are evolving.

There are four steps to a secure and successful decommission:

Step 1: Audit

It is rare that a company’s IT configuration management database (CMDB) matches exactly with what is onsite in the data center. It’s often off by five percent or more. A serialized audit of the equipment earmarked for retirement provides the business a true accounting of the gear sitting in the data center.

The audit ensures an accurate snapshot of the inventory in the facility to begin the decommission, which can be compared to the final COD and recycling certificates completed at the end. Without a full audit conducted at the outset, gear can vanish without trace and valuable data can be left unaccounted for – and the business will not know who is responsible. When combined with a documented chain of custody, this mitigates a tremendous amount of security risk.

Step 2: Logistics

Because decommissions don’t happen every day, IT departments often make their first call to Data Security firms to destroy their data. These firms don’t handle hardware moves and require all hardware be moved from the data center floor to the loading dock where it can be easily loaded onto their trucks and removed. More often than not, the in-house IT teams themselves are tasked with this moral-killing, physical labor, which is often completed in the final hour.

Data center moving companies handle much of this unappealing physical labor, but do not provide any of the audit work, can be slow to respond (2-3 month lead-times are not uncommon) and rarely background check their employees. Your IT teams will still be heavily engaged to produce their own audit of hardware/hard drives while supervising the moving teams.

Step 3:  Data Security

Data destruction is the heart of the decommissioning operation. Whether data is securely and permanently wiped from the hard drives or the equipment is physically destroyed, data destruction lies at the center of the IT Asset Disposition (ITAD) industry. Documentation, including Certificates of Destruction (CODs) and disposal/recycling certificates, is a hard and fast requirement. Be sure that decommissioning providers offer a host of physical and virtual data destruction methods, including, but not limited to, NIST-, DoD- and NSA-approved methods for wiping as well as crushing and shredding options that can handle all types of drives, including Solid State (SSDs). Depending on your risk profile, look for onsite or offsite destruction options as well.

Step 4: Disposition and Value Recovery

Often overlooked during a decommission is the opportunity to unlock cash value from the retiring assets at both the outset and termination of the process. You should only recover value from your hardware when you’ve effectively covered the first three steps above. It can be done in two ways: shifting hardware maintenance plans and reselling the hardware.

Original Equipment Manufacturer (OEMS) maintenance contracts cover break/fix, patching, software updates and access to engineering staff as part of their annual contracts, which do not discount at the termination of the original contract term. Many of the Fortune 1000 have begun to look at these hardware contracts (like Cisco SmartNet) more closely for any gear slated for retirement. They often shift these to 3rd party contracts upon renewal, which are much more cost-effective and have flexible contract terms. This can save significant OPEX in months, if not weeks.

Recovering value from gear itself is often overlooked in the company’s effort to remove gear from the facility. Retiring hardware can still hold some residual valuable, but time is the mitigating factor as value can drop dramatically in a very short time. Further, monetizing it can be a challenge, particularly if the business decides to sell it directly to an end customer, which requires the business be willing to issue refunds, replacements or repairs for equipment that doesn’t work after shipment. Further, if you’ve got large quantities of gear (thousands of square feet), you’ll need specialty firms that can deal with scale as very few vendors worldwide purchase at that volume.

Leverage effective value recovery as supplemental funding for your IT initiatives.

If your decommissioning provider is not able to provide audit, logistics, data security and value recovery under one-roof, you could be putting your company and customers at risk. 

Learn more about the Atomic Onsite difference by clicking here.