I have been in Business Development at ITRenew for nearly 10 years; which is a fancy way of saving that I’m a sales guy. That means every day I’m calling on data center operators to explore ways we can help improve physical data security and increase value recovery when IT equipment is being decommissioned. This is because my company’s specialty is in the data center, at the point of data and hardware decommission. Our data center decommissioning services come into play whether you are going through an IT refresh, consolidation project, returning leased IT assets at end-of-term, migrating facilities, or completely shutting down.

When I ask data center managers about their process for decommissioning IT equipment during any such technology change event, the first response invariably is, “we have a solution for that.” This response is often delivered with an air of confidence that tends to come from successful cloud companies and Fortune 100 organizations. It’s also an accurate statement, as nearly every major data center operation has some process to retire legacy hardware. It is also true regardless of how efficient or secure their asset decommissioning process is.

The conversation then shifts to the physical data security concerns at hardware decommissioning. This is an area where my company has a unique advantage over the competition, with our Teraware-driven onsite data center ITAD security services. A typical response to physical security is, “We have a shred only policy for decommissioned hard drives in our data centers, thus eliminating any data security-related issues.” Well, as we have established throughout our data center decommissioning blog series and specifically in this post, shredding hard drives as a policy is not a best practice and it merely helps to mitigate data breach risks, not eliminate them.

As a tenured Business Development executive in the data center IT services industry, I’ve been around the block enough times to know better than to immediately challenge the veracity of a prospective customers’ claims. So instead, I will often then take the path of least resistance and ask: “What is your process for managing RMA hard drives?”

For those who may not be aware, RMA stands for Return Merchandise Authorization. When hard drives fail in production in the data center, they are removed. However, even though they have failed, data remains on the hard drives and can often be recovered.

The response to this RMA break-fix management question is often the sound of crickets chirping. However, there was one recent customer exchange that stood out. This customer replied, “Oh, we just send them back to the OEM.” Again, spoken with an air of confidence.

So, I then asked, “Does the OEM erase the RMA drives and send a Certificate of Data Sanitization for each serialized hard drive?” This way, the customer could update their IT asset management records with the disposition status of each hard drive and be able to prove that data was managed properly in the event of a security audit. “No,” the customer said, seeming a little less comfortable and confident in the response.

We continued to discuss whether or not the OEM shreds the hard drives that cannot be erased, providing a Certificate of Destruction for auditing purposes. Suddenly the customer’s air of confidence shifted to alarm and uncertainty. It was clear that they weren’t sure at all what was happening with those RMA drives. Worse yet, they didn’t know what if anything was being done to ensure sensitive data was being managed in compliance with data privacy regulations. It was at that moment that I knew we were ready for a real discussion about their data center decommissioning needs and data security process.

RMA: The Weak Link in Data Center ITAD

While this customer’s situation may not be the norm, it’s far from being an anomaly. The unfortunate truth is that, when it comes to routine hard drive break-fix and RMA management, many companies—even the Fortune 500—have surprisingly undeveloped processes.

RMA hard drive management is an equally important part of the data center ITAD program as mass IT refresh and hardware decommissioning. Data center RMA management is the process of returning failed hard that are still under the manufacturer’s warranty in order to receive a refund credit, a replacement, or a repaired drive from the OEM. Roughly 10-15% of data center hard drives will fail in production, or will be flagged by the production host system for predictive failure. When these failures occur, the hard drives require immediate attention.

RMA hard drive management in the data center is no small undertaking. Some of the world’s largest data center operations may have upwards of one million servers throughout their global infrastructure. Each server may contain anywhere from several to a couple dozen hard drives. That means large data center operations must deal with potentially hundreds of thousands of RMA drives within their IT infrastructure. A vast majority of these hard drives are eligible for RMA credit.

No matter the size of a data center operation, how you manage RMAs can greatly impact your data security risk. Not to mention the total cost of ownership of your IT equipment, your IT labor productivity, and your IT sustainability. Collectively, these variables can significantly swing the Total Return ROI on your data center ITAD project. In this blog, we will touch on the common RMA processes and their pitfalls. Then, in the next blog, we’ll dive into those Total Return implications of data center RMA management and provide best practice recommendations.

Data Center RMA: Common Practices and Pitfalls

The following are the most common hard drive RMA management practices that I’ve run across in customer dealings over the years. In addition are the issues associated with each management practice.

  • Never return RMA drives to the manufacturer. Some companies may have a “no return warranty” that provides for a full or partial warranty credit without having to physically return the hard drives to the manufacturer. However, as the saying goes, there’s no such thing as a free lunch. Such provisions come at a hefty premium, so you’re paying one way or another. Many organizations will simply forgo the replacement value because they have no process for managing RMAs.
  • Always shred hard drives. It’s natural to assume that if you shred all hard drives onsite that you’ve mitigated your security risk. But unless you have video proof of every serialized drive running through the shredder, you don’t really know. In addition, data can be recovered from larger fragments of shredded hard drives, particularly from solid-state drives (SSDs). Plus, when you shred hard drive, you mostly likely shred the RMA warranty opportunity as well.
  • Stockpile failed RMA hard drives. Storing data-bearing IT assets is not a good data security practice, as hard drive data is at risk to hard drive theft or accidental misplacement. In addition, the longer hard drives sit in storage the more likely the warrant period will expire. These failed hard drives, and the data stored on them, must be securely managed at some point regardless. So, stockpiling failed hard drives in cages only delays the inevitable while also taking up high-value data center floor space.
  • Return failed hard drives to the manufacturer as is. Even if you use secure transport options, which are costly, shipping data-bearing hard drives is just as risky as storing them. Typically, when returning RMA hard drives to manufacturer, there’s no paper trail for auditing purposes and you have no idea what happens to your data.
  • Erase data from RMA hard drives onsite. This is our recommended approach. However, as ITRenew’s data security expert Matt Mickelson points out in this blog, erasing data onsite in the data center can be a very time-consuming, expensive, and risky endeavor if you don’t use the proper tools and processes. To cut costs, some organizations will use shareware applications to erase data onsite. But free data erasure tools are incapable of scaling up for large data center decommissioning projects and don’t come with third-party indemnification. For more insight on this topic, read Matt’s blog Data Erasure Certification: Don’t Just Take My Word for It.