Harvard Business Review published an interesting article several years ago titled Why You Should Focus on “Worst Practices”. HBR asserts in the article that if you want to be disruptive to your industry, find its worst practices and take giant steps towards bettering them. If you subscribe to this way of thinking, then I suspect you’re finding this blog series of interest as we have been clear to point out the major pitfalls of using traditional ITAD solutions for data center decommissioning.
Worst practices may seem a bit critical. However, borrowing a line from HBR, these practices are “baked into the tired, toxic assumptions of business as usual” for traditional ITAD.
The DON’Ts in Data Center ITAD
Our last post covered Best Practices in Data Center Decommissioning. Conversely, avoid these practices when decommissioning IT equipment from the data center:
- Don’t bundle data center ITAD with corporate ITAD in RFPs and bids. Data center IT asset disposition is in its development years compared to its corporate IT counterpart. Cloud companies or cloud-based IT operations launched within the past five or so years could even be preparing for their first major technology refresh. These companies may have absolutely no defined policies or procedures in place for IT equipment decommissioning and data security in the data center.
Even before the cloud explosion, data centers were an island—often left to their own discretion on how to manage data at decommission and safely retire IT equipment. And, in many organizations, they still are.
However, we are starting to see companies bundle data center ITAD requirements in with general corporate ITAD requirements in their proposal requests (RFPs, RFIs, and buy bids). On the surface, this appears to make sense. Corporate IT asset management departments most likely have mature operations and vetted vendor relationships, processes, and pricing structures already in place. Through professional associations like IAITAM, many IT asset management staffers are trained and certified in hardware and software asset management best practices. Some are even Six Sigma Black Belt certified in ITAM processes. So, why not leverage these resources and bundle all ITAD requirements?
Well, simply because data center is a different kind of ITAD and needs to be played by its own set of rules. This is not to suggest that you must have a completely different RFP process or bid request for data center IT, managed by completely different resources, but don’t lump all ITAD under the same set of criteria, pricing structure, and SLAs (service level agreements). Here are just a few reasons why:
  - Corporate ITAD is traditionally fee-based whereas data center ITAD is not. Accordingly, revenue share splits will—or at least should—differ depending on whether ITAD costs are being passed through or included. If forced to provide a single commission share or pricing structure, most ITAD vendors will always err on the side of caution, which is to say in their favor.
  - Imagine trying to provide a price-per-asset fee to recover, wipe, and process a data center rack versus an employee’s laptop computer. Even when this is broken out by asset type, the pricing structure to wipe and transport different kinds of IT equipment can vary significantly. This can greatly skew your ITAD performance evaluation depending on the mix, volume, and location of IT assets.
  - As we addressed earlier in this blog series, there are unique operational challenges, IT asset security challenges, and onsite data security challenges that differentiate data center ITAD and corporate ITAD. A recommended security practice for one may not be nearly as practical for the other. Allow for these differences so you can most accurately assess the appropriate service.
- Don’t rely on secure shipment as a data security method. Data centers are filled with racks and servers that can each contain tens or even hundreds of hard drives. If you rely on secure transport for data security in data center decommissioning, the gap is how you manage hard drive and data accountability: at the point of IT asset recovery, during transit, and upon receipt.
Internal hard drives may turn over several times during a server’s lifecycle. Many fail or will be pulled for predictive failure, some will be upgraded, and others will be consolidated. The exact data storage configuration of the server at the time of decommission may be distinctly different than what it was at the time of deployment, when hardware asset management records were established.
If hard drives remain in servers at data center decommission, yet the secure logistics protocol calls for tracking assets simply at the host/rack level, how do you account for every internal hard drive change that occurred during the asset’s lifecycle? For example, say you thought a server had 20 hard drives but find out weeks later, after the equipment is processed by the ITAD vendor and reporting is provided, that it only had 18 hard drives. Furthermore, of those 18, six serial numbers do not match the asset management records, meaning you now have eight of the original hard drives unaccounted for. What then? There are several important questions to consider:
  - Do you launch a full-blown breach investigation?
  - If you don’t know how many drives and the serial numbers of each before it left your facility, how do you reconcile variances?
  - Who do you hold accountable if you cannot find the missing hard drives?
  - How will these lost drives be accounted for if you are subject to a security audit?
If you remove hard drives from the server racks for secure transport, you also immediately create data security and asset accountability risk, as we discussed earlier. Let’s also not forget that all the while you’re shipping “dirty drives” with sensitive data fully intact—at quite a premium, too.
Secure transport may be a viable alternative in select instances for corporate ITAD. However, it pales in comparison as a best practice to sector-verified data erasure with systematic, serialized hard drive discovery and reconciliation onsite at the data center. Beyond this, a tool like Teraware will capture the host-to-disk relationship to verify upon receipt that equipment was not tampered with while in-transit.
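The serialized reconciliation described above can be sketched in a few lines. This is an added example, not code from Teraware or from this blog series; the host names, serial numbers and function names are constructed for illustration. It reproduces the 20-recorded, 18-found, 6-mismatched case for one server and goes slightly further by separating a drive that was consolidated into another host from drives that are truly unaccounted for, then repeats the same check between onsite discovery and vendor receipt.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostDiff:
    matched: frozenset     # seen at both checkpoints on this host
    missing: frozenset     # expected on this host, not found
    unexpected: frozenset  # found on this host, not expected


def reconcile(expected, observed):
    """Diff two {host: serials} inventories, preserving host-to-disk mapping."""
    diffs = {}
    for host in sorted(set(expected) | set(observed)):
        exp = frozenset(expected.get(host, ()))
        obs = frozenset(observed.get(host, ()))
        diffs[host] = HostDiff(exp & obs, exp - obs, obs - exp)
    return diffs


def unaccounted(diffs):
    """Serials missing from their host and not found on any other host."""
    missing = set().union(*(d.missing for d in diffs.values()))
    relocated = set().union(*(d.unexpected for d in diffs.values()))
    return missing - relocated


# Constructed sample data: host names and serials are made up.
RECORDS = {  # asset management records, as established at deployment
    "srv-01": {f"R{n:02d}" for n in range(1, 21)},  # 20 drives on record
    "srv-02": {"S01", "S02"},
}
ONSITE = {  # serialized discovery onsite, before equipment leaves
    "srv-01": {f"R{n:02d}" for n in range(1, 13)}
    | {f"X{n:02d}" for n in range(1, 7)},  # 18 found, 6 not on record
    "srv-02": {"S01", "S02", "R13"},  # R13 was consolidated into srv-02
}
RECEIVED = {  # vendor scan on receipt
    "srv-01": set(ONSITE["srv-01"]),
    "srv-02": {"S01", "R13"},  # S02 left the chassis in transit
}

if __name__ == "__main__":
    for label, diffs in (
        ("records vs onsite", reconcile(RECORDS, ONSITE)),
        ("onsite vs received", reconcile(ONSITE, RECEIVED)),
    ):
        for host, d in diffs.items():
            print(label, host, len(d.matched), sorted(d.missing), sorted(d.unexpected))
        print(label, "unaccounted:", sorted(unaccounted(diffs)))
```

Running the first comparison before equipment leaves the facility surfaces the variance while the drives can still be located; the second comparison only has a trustworthy baseline if the first one was done.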
- Don’t deploy a shred-only policy for hard drive data security. When I attend ITAD industry trade events, vendors preach one of two storylines for protecting data at data center decommission:
  - Don’t trust data erasure to anyone but the experts. Instead, pay to securely ship your IT equipment to us, and we’ll take care of it for you.
  - Or, don’t trust data erasure at all and just shred all your hard drives. We’ll gladly come onsite and do this for you.
Both arguments are hollow on their own merits, but this much is true: ITAD service providers have struggled to make onsite data erasure a viable solution, especially in the data center. Therefore, many infosec departments mandate that all hard drives be removed and shredded onsite. However, if you’re shredding hard drives because you think it provides better data security, then I regret to inform you that it does not. Our Matt Mickelson explains in To Erase or Not to Erase: Never the Question in Data Security Best Practices that certified data erasure is the only method that eliminates data security breach risk. All other methods of data security, including hard drive shredding, simply mitigate risks.
Beyond data security, which should be the top priority for any data center decommission project, shredding poses financial, social, and environmental issues.
When you shred drives, you also shred their remarketing value, RMA credit opportunities for failed drives under warranty, and any other form of reusability which can include internal redeployment, donation, lease return, or trade-in. Also, the per-drive charge to shred hard drives onsite at the data center is typically more than it is to certifiably erase the hard drive.
Shredding hard drives as a policy is not good for the environment either, and the process itself can be harmful to humans if not properly managed. Shredding systems must have proper ventilation and air filtration as well as environmental and worker safety oversight to protect workers and others in close proximity to the work zone. Plus, considering the level of intense scrutiny that data centers are under regarding their carbon footprint, why destroy perfectly reusable hard drives when there’s no valid data security or financial incentive to do so?
Shredding drives or some other form of physical destruction is necessary when data erasure fails, or for data-bearing devices that cannot be sanitized. However, as a policy, shredding is not a data security best practice. If you must shred, then do so after data has been erased to remove all doubt about data security.
This concludes the Do’s and Don’ts in Data Center Decommissioning. In our next blog, we’ll discuss a different way to measure the success of your data center ITAD program, using a proprietary methodology that enables data-centric organizations to take a more holistic approach to measuring the results of data center decommissioning, including break-fix and RMA activity.