SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Data centre decommissioning: Risks of getting it wrong
Fri, 24th Nov 2023

The global data centre market is on track to become a half-a-trillion-dollar sector with buoyant growth projected into the 2030s. With the growing trend of data centre consolidation and the shift to cloud computing, IT leaders and data centre managers are facing increased pressure to decommission data centre assets safely, securely and efficiently, all while minimising the impact on the environment.
 
This process needs to be completed swiftly to protect sensitive data, free up data centre space and resources, minimise disruption to the effective running of the data centre and maximise the value of retiring assets. But decommissioning is not without its challenges and pitfalls - the process can be expensive and time-consuming. It requires significant resources and has the potential to put sensitive data at risk if not managed correctly.
 
The data centre is the beating heart of an organisation, where the different strands of IT infrastructure come together to power a business. Any lapse in compliance or security, such as non-secure disposal of an asset, can affect operational continuity and put businesses at risk of significant financial and reputational consequences if a data breach occurs. This year, the average cost of a data breach was $4.45 million, a 15% increase over the past three years, according to IBM.

A strategic approach to decommissioning
The first stage of any decommissioning project is to undertake an audit of all equipment to ensure that all assets can be tracked throughout each step of the process. Implementing a strategic Asset Lifecycle Management (ALM) process will facilitate an accurate inventory of all assets, including servers, storage hardware, networking equipment, rack power distribution units (PDUs), patch panels and applications.     
 
Each element on the ALM asset register is individually recorded and monitored, with regular updates on the age, performance, and security protection status of each component. The key benefit of such surveillance is that it allows businesses to be aware in real-time of security vulnerabilities in their systems, and to identify any equipment that should be upgraded to optimise the data centre's performance. For example, any piece of equipment that is no longer supported by its manufacturer with patch updates poses a potential security risk and should be securely decommissioned. Only by implementing an ALM process can organisations ensure effective and compliant data security and protect themselves, their customers and stakeholders.
 
Establishing a secure, trusted and trackable chain of custody
From the time it is created until it is securely destroyed, a company's data will be valuable to competitors and cybercriminals. The importance of protecting and securely erasing your data goes beyond the stage where an asset is in inventory.

Any asset leaving a customer's possession should be placed in a secure, trusted, and trackable chain of custody. This defines what happens to each element of the asset across the decommissioning process, such as servers, hard disks, tapes, and other media. Recent research shows that 29% of Small and Medium Businesses (SMBs) admit to throwing such equipment away in a non-secure manner - a significant data security risk.
 
This is where real-time asset tracking plays a key role, as it enables businesses to track, view and share the location and status of their unwanted data-bearing assets. Throughout the process, each item is scanned onto a tracking system and assigned a unique identifier code. The item is then repeatedly scanned and logged throughout the journey until the full data is destroyed or if applicable, successful repurposing of the asset has been recorded.
 
Furthermore, it is also important to ensure that any processing facilities of assets go through adequate fire protection, power, HVAC and communication systems, as well as utilising security guards, secure entry systems (i.e., key card entry) and video surveillance. Not only does this process ensure that equipment is not misplaced during the process, but it also adds a layer of assurance against third-party interference.
 
Sanitisation and value recovery
With the chain of custody in place, the next stage is sanitisation. Despite what many believe about disposing of an IT asset, a piece of data-bearing media equipment is not 'dead' simply because it has had its files deleted, drive reformatted and been thrown away. The importance of protecting and securely erasing your data, therefore, travels far beyond the stage where an asset is still in your inventory, along with your organisation's regulatory responsibilities for ensuring that data is not leaked.
 
Criminals can easily recover data from assets that have not been properly wiped. Efficient sanitisation can only be achieved reliably with the use of certified and compliant data wiping software, specifically designed for data centres, which uses automated discovery, erasure and reporting to eliminate the possibility of missed drives, minimise manual operations and generate audit-compliant records.
 
Then, as quickly as possible, each asset should be redeployed, recycled, or remarketed to recover a proportion of its value. Through this process of redeployment, reengineering and the harvesting of components, IT leaders can divert waste from landfills, recover valuable metals and avoid greenhouse gas emissions. If recycling is not possible, however, assets should be physically destroyed.
 
The improper disposal of IT assets during data centre decommissioning exposes an organisation to unnecessary risks with significant reputational and financial damage. Ensuring a compliant disposal procedure for sensitive data across all mediums and physical devices also allows businesses to more accurately keep track of their environmental impact and long-term sustainability.
 
As data protection legislation continues to tighten across the globe, ensuring that all data is fully removed in a secure, compliant manner – within a proven chain of custody – is the critical final stage of the data centre lifecycle.