The data centre isn’t just a place of facilities, M&E, ICT and other services. It is the residential and royal abode for data. Data is, after all, the most valuable asset of any organisation.
Data centres can range from the smartphone and tablet in your hand, to a rack of servers and ICT, all the way to campi (vs campuses – the jury is still out on this) of buildings filled to the brim with racks of ICT, supported by the M&E systems, serving the world with data. Where there is data there is a data centre. Where there is a data centre there must be IT hardware.
Today’s article is about end-of-life, end-of-use IT hardware within corporate data centres that no longer provides the IT service it was once provisioned for. Why? Well, everything comes to end-of-life and therein lies the issue: how do we decommission, discard or dispose of IT hardware whilst mitigating the risk of data loss, breach or leakage?
Blaming the disposal vendor or transferring risk for any losses will not suffice. To overcome and address the matter of end-of-life hardware, a robust IT asset disposition (ITAD) programme should be considered.
Introduction to IT asset disposition
IT asset disposition is the practice of retiring and recycling IT assets. Data is stored, processed and transmitted on data processing systems – in other words computers, servers, network devices, handheld IT assets such as phones, tablets and personal digital assistants, and many others.
Data is significantly governed by legislation such as GDPR in EMEA and the Data Protection Act in the UK. Companies disposing of their assets have been fined and punished severely for loss of data, especially when it was negligent or even wilful. They have been punished even when the data breach was no fault of their own.
The issue may be that no one really cares, or cared, about end-of-life hardware: it may seem to be someone else’s problem, while leaders and managers focus on the latest and greatest technology. In other words, one turns a blind eye.
Another issue is that as teams change, projects get spun up only to be wound down. New hardware becomes old, and assets get left behind in the rack or the storeroom, ignored. When space becomes an issue, the assets are decommissioned in haste and may be disposed of without due care for the data or the environment.
The company may make contact with a (disposal) vendor that claims to dispose of hardware, take away the assets and do ‘what they need to do’ – but is that enough? Blaming the vendor for not doing their job properly will not wash with the regulators. The company disposing of its assets must show it has appropriate risk controls in place.
Some risks to think about
When disposing of assets at end-of-life, there is a checklist of things you should consider:
- Is there an IT asset disposition team to manage end-of-life hardware and enforce controls over the vendor?
- What about orphaned, abandoned and obsolete hardware – who takes custody of these?
- Is your IT asset management system accurate and up-to-date? With data centre environments being bustling and busy, do the teams have time to update their systems and maintain the accuracy of their data?
- Data-bearing assets versus non-data-bearing assets – the risk is carried by the data-bearing assets such as hard disk drives, solid state drives and other storage media. How should these be processed?
- Wiped versus not-wiped disks – is there a process to render the storage media to a non-data-bearing state through wiping? How do you really know it has been wiped? Is the proof conclusive?
- Is there a disk encryption policy in place to secure the data?
- How should physical assets be secured and stored?
- Who vets/validates the disposal vendors and how are they vetted?
- What about meeting Government legislation and WEEE directives – whose responsibility is this?
- On-site destruction versus offsite destruction – which is easier or preferable?
- Data classification – PII data, configuration data, stale data. Which data classification is riskier? How are these assets to be processed?
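The checklist asks how you really know a disk has been wiped. One piece of proof a custodian can gather themselves, before the media goes into the disposal stream, is a read-back of the whole device. The following is an added example, not code from the article: it scans a disk image (or a block device opened read-only) in fixed-size chunks, reports every region that still differs from the expected wipe pattern, and flags a few well-known on-disk signatures (GPT header, NTFS boot sector, zip, JPEG and PDF headers) that a completed overwrite should have destroyed. The 64 KiB sample image it scans is constructed inline; the signature list is a small illustrative subset, and the whole check assumes a single-byte overwrite pattern (zero-fill by default), so it complements rather than replaces the vendor's own certificate.

```python
"""Read-back verification of a wiped storage image (added example).

The sample image built in make_sample_image() is constructed for this
demonstration and does not come from any real disk.
"""
import io

CHUNK = 4096  # read size per iteration; a real device would use larger reads

# A small, illustrative set of on-disk signatures that a completed wipe
# should have removed. Names are descriptive labels, not a standard list.
SIGNATURES = {
    b"EFI PART": "GPT header",
    b"NTFS    ": "NTFS boot sector",
    b"PK\x03\x04": "ZIP archive",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
}


def make_sample_image() -> io.BytesIO:
    """Constructed 64 KiB 'disk' that was supposedly zero-filled but still
    carries a GPT header signature and the start of a PDF file."""
    buf = bytearray(65536)
    buf[512:520] = b"EFI PART"
    buf[40960:40965] = b"%PDF-"
    return io.BytesIO(bytes(buf))


def verify_wipe(stream, expected_byte: int = 0x00, chunk_size: int = CHUNK) -> dict:
    """Scan a binary stream and report regions that still hold data.

    Returns a dict with:
      clean         - True only if every byte equals expected_byte
      bytes_scanned - total bytes read
      dirty_ranges  - list of (start, end) offsets, merged when contiguous
      signatures    - list of (offset, label) for known headers found
    Signatures that straddle a chunk boundary are not detected; the byte
    comparison still marks both chunks as dirty, so nothing is missed overall.
    """
    pattern = bytes([expected_byte]) * chunk_size
    dirty, sigs, offset = [], [], 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if chunk != pattern[: len(chunk)]:
            # Extend the previous dirty range if this chunk is contiguous with it.
            if dirty and dirty[-1][1] == offset:
                dirty[-1] = (dirty[-1][0], offset + len(chunk))
            else:
                dirty.append((offset, offset + len(chunk)))
            # Only dirty chunks can contain a signature worth reporting.
            for magic, label in SIGNATURES.items():
                pos = chunk.find(magic)
                while pos != -1:
                    sigs.append((offset + pos, label))
                    pos = chunk.find(magic, pos + 1)
        offset += len(chunk)
    sigs.sort()
    return {
        "clean": not dirty,
        "bytes_scanned": offset,
        "dirty_ranges": dirty,
        "signatures": sigs,
    }


def verify_path(path: str, expected_byte: int = 0x00) -> dict:
    """Open an image file or block device read-only and verify it."""
    with open(path, "rb", buffering=0) as fh:
        return verify_wipe(fh, expected_byte)


if __name__ == "__main__":
    report = verify_wipe(make_sample_image())
    print("clean:", report["clean"], "bytes scanned:", report["bytes_scanned"])
    for start, end in report["dirty_ranges"]:
        print(f"  residual data at 0x{start:08x}-0x{end:08x}")
    for off, label in report["signatures"]:
        print(f"  {label} signature at 0x{off:08x}")
```

The scan result, with its byte count and the offsets of any residual data, is the kind of evidential matter the later sections ask you to retain alongside the asset record; a clean result for a zero-filled drive is `clean: True` with no ranges, while the constructed image above reports two dirty regions and the two planted signatures.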
Data protection solution offering
The IT division must have a policy in place that directs the teams on how IT assets are managed throughout their lifecycle.
Within corporate data centre environments, the IT hardware owners and custodians need an accurate inventory and IT asset management system that records their IT assets on a one-record-per-one-asset basis. Each record must carry at least one primary key identifier: either one taken from the hardware, such as the manufacturer’s OEM serial number, or a unique identifier the team issues to the asset and matches to a record in the approved IT asset management system.
When hardware devices are decommissioned, the data-bearing component of the hardware must be separated from the parent host and secured in robust physical containers (again uniquely identifiable). When a container reaches a certain mass (weight limitation) it is sealed with – you guessed it – a uniquely identifiable, one-time-use-only seal. It is essential to maintain the security of the data-bearing assets until they have been disposed of.
Have a dedicated team to schedule, oversee and attest to the disposal event (validation and destruction, or collection, of the assets) and finally reconcile the certificate of destruction against the assets disposed of.
Schedule frequent disposal events with a validated/vetted vendor for the on-site destruction of data-bearing assets and for the collection of non-data-bearing assets – all governed by the policy and procedures of the department.
Evidence of a robust process and of each event, supported by proof and evidential matter, should be collected systematically so that, whenever the process is audited, it can be shown to the risk teams, audit teams and any regulators that the process was followed and the risk of data loss was fully mitigated.
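The procedure above produces three records that must agree at the end of a disposal event: the asset register (one record per asset), the container manifest (which media went into which sealed container, under which one-time seal) and the vendor's certificate of destruction. The reconciliation step is where the "proof and evidential matter" comes from, so it is worth automating. The following is an added example, not code from the article or from any ITAD product: it takes the three records as plain Python data and returns every discrepancy a custodian would want to raise with the vendor or the asset team. The register, manifest, certificate and the 20 kg seal threshold are all constructed sample values; the finding names are this example's own.

```python
"""Chain-of-custody reconciliation for an ITAD disposal event (added example).

All sample data below is constructed for the demonstration; it does not
describe any real asset, container, seal or vendor certificate.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

MASS_LIMIT_KG = 20.0  # assumed weight limit at which a container must be sealed


@dataclass
class Asset:
    asset_id: str        # primary key: OEM serial number or internally issued tag
    kind: str            # e.g. "HDD", "SSD", "chassis"
    data_bearing: bool
    status: str          # "in-service", "decommissioned" or "destroyed"


@dataclass
class Container:
    container_id: str
    seal_id: str | None  # None until the one-time seal is applied
    mass_kg: float
    assets: list[str] = field(default_factory=list)


@dataclass
class CertificateLine:
    """One line of the vendor's certificate of destruction."""
    asset_id: str
    container_id: str
    seal_id: str


def reconcile(register, containers, certificate) -> dict[str, list[str]]:
    """Cross-check register, manifest and certificate; return findings by type."""
    findings: dict[str, list[str]] = {k: [] for k in (
        "unknown_asset", "media_not_containerised", "unsealed_over_limit",
        "seal_reused", "seal_mismatch", "not_on_certificate", "not_in_manifest")}
    by_id = {a.asset_id: a for a in register}
    by_container = {c.container_id: c for c in containers}

    containerised: set[str] = set()
    for c in containers:
        for aid in c.assets:
            containerised.add(aid)
            if aid not in by_id:               # media with no register record
                findings["unknown_asset"].append(aid)
        if c.mass_kg >= MASS_LIMIT_KG and c.seal_id is None:
            findings["unsealed_over_limit"].append(c.container_id)

    # Every decommissioned data-bearing asset must be in some container.
    for a in register:
        if a.data_bearing and a.status == "decommissioned" and a.asset_id not in containerised:
            findings["media_not_containerised"].append(a.asset_id)

    # Seals are single use: one seal id on two containers is a red flag.
    seal_counts = Counter(c.seal_id for c in containers if c.seal_id)
    findings["seal_reused"] = [s for s, n in seal_counts.items() if n > 1]

    # Vendor certificate versus our manifest, in both directions.
    certified = {line.asset_id for line in certificate}
    for line in certificate:
        c = by_container.get(line.container_id)
        if c is None or line.asset_id not in c.assets:
            findings["not_in_manifest"].append(line.asset_id)
        elif c.seal_id != line.seal_id:
            findings["seal_mismatch"].append(line.asset_id)
    for c in containers:
        if c.seal_id is None:
            continue                           # unsealed bins are reported above
        for aid in c.assets:
            if aid not in certified:
                findings["not_on_certificate"].append(aid)

    return {k: sorted(v) for k, v in findings.items()}


def event_is_clean(findings: dict[str, list[str]]) -> bool:
    """True when the reconciliation produced no findings at all."""
    return not any(findings.values())


# Constructed sample event: four drives and a chassis, three bins, one certificate.
REGISTER = [
    Asset("SN-HDD-0001", "HDD", True, "decommissioned"),
    Asset("SN-HDD-0002", "HDD", True, "decommissioned"),
    Asset("SN-SSD-0003", "SSD", True, "decommissioned"),
    Asset("SN-SSD-0004", "SSD", True, "decommissioned"),   # never put in a bin
    Asset("TAG-CHASSIS-77", "chassis", False, "decommissioned"),
]
CONTAINERS = [
    Container("BIN-01", "SEAL-1001", 21.5, ["SN-HDD-0001", "SN-HDD-0002"]),
    Container("BIN-02", "SEAL-1001", 9.0, ["SN-SSD-0003"]),   # seal id reused
    Container("BIN-03", None, 23.0, ["SN-HDD-9999"]),          # over limit, unsealed, unknown serial
]
CERTIFICATE = [
    CertificateLine("SN-HDD-0001", "BIN-01", "SEAL-1001"),
    CertificateLine("SN-HDD-0002", "BIN-01", "SEAL-2002"),     # vendor recorded another seal
    CertificateLine("SN-SSD-0005", "BIN-02", "SEAL-1001"),     # serial we never shipped
]

if __name__ == "__main__":
    result = reconcile(REGISTER, CONTAINERS, CERTIFICATE)
    for kind, ids in result.items():
        if ids:
            print(f"{kind}: {', '.join(ids)}")
    print("event clean:", event_is_clean(result))
```

Each finding maps to a control in the procedure: `media_not_containerised` and `unknown_asset` test the one-record-per-asset inventory, `unsealed_over_limit` and `seal_reused` test the container and one-time-seal discipline, and the three certificate checks are the final reconciliation of the certificate of destruction against what was actually handed over. A run that returns no findings is the evidence to file; any other result is an open item that stays open until the asset team or the vendor explains it.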
Protecting the most valuable asset
In summary, to mitigate the risk of data loss arising from end-of-life technology, a company ought to have a robust physical IT asset management policy, process and effective risk controls in place, so that once IT assets reach end-of-life the IT asset disposition service can be invoked using an approved vendor.
Data-bearing assets store the organisation’s data, and that data is the real asset of any firm conducting business. The data centre is truly the residence and royal abode of data. The physical building is secured against intrusion and access to the hardware, and the same thinking needs to be applied to the data on retired IT assets marked for disposal.
To ensure that data always remains secure, a robust IT asset disposition process should be available for both on-site destruction of data-bearing media and the collection of non-data-bearing assets. Transferring risk to the vendor is not sufficient.
The spirit of this article is to help organisations prevent data loss or breach. Data is, after all, the most valuable asset of any organisation.