Not long ago, I hosted a prospective client for a tour of our facility. As we sat around the table and began to discuss their data sanitization and security needs, they had that air of confidence that tends to emanate from successful Fortune 100 organizations.
As we exchanged information about our respective processes, they smiled and politely stated: “We have a shred policy in our data centers, thus eliminating any security-related issues.” As a tenured business development manager in this industry, I knew better than to immediately challenge and instead inquired: How about your RMA drives? To which they replied, “Oh, we just send them back to the OEM.” So they wipe the drives and send you a certified data destruction report then, I asked? “No,” they said, looking a little less comfortable. Do they shred the drives they can’t erase, I asked? Suddenly that air of confidence shifted to fear and uncertainty, and it was then I knew we were ready for a real discussion about their data security needs.
RMA: The Weak Link
While this client’s situation may not be the norm, it’s far from rare, either. Mass decommissioning of data center gear—be it from refresh, lease return, consolidation, migration or shutdown—gets all the attention, but when it comes to routine break/fix and managing RMA, many companies have shockingly immature processes.
RMA, which stands for return merchandise authorization, is part of the process of returning a failed hard drive in order to receive a refund, replacement or repair during the product’s warranty period. Roughly 2-3% of data center hard drives will fail in production, and when they do, they will require immediate attention. Some of the world’s largest data center operations (like the ones that ITRenew services) may have upwards of one million servers (or more) throughout their global data center infrastructure. With six drives on average per server, that’s more than 6 million hard drives in their enterprise, 180,000 of which may fail at any time (assuming a 3% failure rate).
How you manage these RMA volumes can greatly impact your security risk, financial returns, IT productivity and sustainability, all of which collectively can swing your “Total Return” significantly.
Common Practices and Pitfalls
Let’s look at the most common practices I’ve run across in my dealings with prospective customers over the years, and the issues associated with each:
- Never return to the manufacturer. Some customers may have a “no return warranty” that provides for full or partial warranty without returning the hard drives, but these come at a hefty premium. Other organizations will simply eat the replacement value.
- Always shred. It’s natural to assume that if you shred all drives onsite that you’ve mitigated your security risk, but unless you have video proof of every serialized drive running through the shredder you don’t really know. Plus, you’ve just shredded the warranty value.
- Stockpile. Storing data-bearing assets is not a good security practice, and the longer they sit in storage the less value they have. Plus, you have to deal with them eventually anyway.
- Return to manufacturer or vendor as is. Even if you use secure transport options, which are costly, shipping data-bearing drives is just as risky as storing them. Typically, when returning to manufacturer there’s no paper trail and you have no idea of what happens to your data.
- Erase onsite. This is our recommended approach. But this can be a very time-consuming, expensive and risky endeavor—if you don’t use the proper tools and processes. To cut costs, some organizations will use shareware applications to erase, but these tools are incapable of scaling up for large projects and don’t come with third-party indemnification.
Total Return Implications
Let’s explore Total Return impact from RMA in terms of the three main pillars of ITAD:
- Security. When an erasure fails the most common practice is to shred the drive. But unlike sanitization, it’s not auditable and there’s no paper trail verifying with full certainty the data was actually destroyed. So, where my prospective client thought they were eliminating security risk by shredding drives, they were actually creating it. Considering it costs companies $3.5 million per data breach, that’s a big chance to take.
- Financial. In addition to security costs are the warranty values of the RMA drives themselves, which can range from as little as $200 per drive to as much as $2,500 or more for enterprise, high-capacity solid state drives. Let’s say, for example, that you have “only” 1 million hard drives in your data center operations. At a 3% failure rate, the RMA values can range from as little as $6 million to as much as $75 million. But that’s hardly all the financial considerations. As we address in Part 2, when a drive is unable to be erased, it’s typically shredded onsite. At an average cost of $7 per shred, you can add another $210,000 to this financial scenario.
- Environmental. It’s widely reported that reusing computer equipment is up to 20 times better for the environment than recycling. If the security and financial considerations aren’t enough, see how your environmental, health & safety and sustainability teams feel about shredding drives, 75-85% of which could be reused.
Our Suggested Best Practices
Regardless of the size of your data center infrastructure, we recommend taking the following actions:
- Review your RMA process and make sure no one is making unwarranted assumptions about the process. Document who is responsible for each step and identify your security gaps.
- Sanitize RMA drives immediately—preferably while in-cabinet. Only erasure provides 100% auditable certainty that data was eradicated. So even if you ultimately shred the drives for extra security, erase them first so you have a Certificate of Sanitization and a Certificate of Destruction with the serial number for each RMA drive that has failed.
- Measure the Total Return opportunity. ITRenew has developed a proprietary calculator to make this quick and easy, and we are offering free appraisals to those who contact us.