In today’s world, it is common to find that most companies begin with a small, rented data center due to the high costs of purchasing servers and other equipment necessary for running their business. These data centers are mostly racks used to house servers, switches, storage devices, etc.
However, this situation may start changing soon. Nowadays, many organizations choose not to renew their leases on these rented data centers because they have found another model that provides better costs and performance benefits while complying with their current needs.
This new model consists of having all critical equipment housed in owner-operated facilities while renting only non-critical infrastructure from third-party providers or trading partners who provide power, cooling, and physical security. This is commonly called a “third-party data center,” “co-location facility,” or simply a “co-lo.”
In either of these cases, when the contract on the leased data center expires, it becomes necessary to return the equipment to their supplier or transfer them to an alternate site while decommissioning its former location.
Although some companies may ignore this task, thinking it does not have any significance in their business operations, there are several reasons why it is essential to follow a process that will guarantee all assets are properly handed over and that no sensitive information remains behind.
In addition to ensuring that all hardware has been checked before being sent off for refurbishing or recycling, it can provide the opportunity to properly erase all data stored on the servers, network devices, and storage media.
This will ensure that unauthorized individuals can recover no sensitive information and provide proof of compliance before making the final payment.
What is Data Center Decommissioning?
Data Center Decommissioning consists of dismantling equipment used to store, process, or transmit electronic information while ensuring that no sensitive data remains behind, which could be exploited by hackers or other cyber criminals once decommissioned equipment enters back into the market as refurbished products.
The idea is to prevent the reuse of any assets involved in an organization’s critical business processes without erasing all data from them not to threaten the confidentiality, integrity, or availability of information.
Since most companies have a limited budget and IT resources, all hardware must be checked for reuse or appropriately recycled according to their organization’s policy and industry standards.
And because decommissioned equipment can potentially be used by unauthorized persons if mishandled, there is a need to properly erase all data stored on them before returning them to suppliers, manufacturers, or partners involved in this process.
Why is it Important?
Most modern companies who rely heavily on technology create large amounts of sensitive information such as customer credit card numbers, personal contact details, and intellectual property rights which could put business operations at risk if exploited by hackers once products enter the market.
If these devices are refurbished and resold without rendering them non-functional, someone can buy them and use them for malicious purposes.
According to the Federal Trade Commission (FTC), when companies choose not to follow proper procedures when decommissioning equipment involved in processing, storing, or transmitting electronic data, they can be fined up to $16000 per violation depending on the severity of the situation.
This means that organizations that choose to ignore these guidelines if they are breached could be in serious financial trouble and legal troubles, including criminal charges in some cases.
Following proper procedures will help companies prevent any security incident that could lead their organization out of business because lost sensitive information has become publicly available through unauthorized access by hackers abusing previously decommissioned equipment.
Data Center Decommissioning Checklist
A data center decommissioning checklist should include items such as:
1. Shut down computer servers in an orderly manner to be properly powered off. This applies to UPS units, too. If you have multiple UPS units in your data center, shut down each one individually instead of powering them down simultaneously.
2. Removing all equipment from the data center that is not necessary for storing in a warehouse. This includes computer servers, monitors, storage devices, and networking equipment.
3. As per the security policy of your company, you need to remove any media from your servers such as CD/DVD’s, floppy disks, or tape cartridges. You also have to degauss or shred devices such as hard disk drives so data cannot be recovered from them.
4. Another essential step in shutting down a computer network is removing any software licenses you own. If you cannot find the original license agreement with which you bought the software, most companies allow you to transfer it under an End User Licence Agreement or buy a new one.
5. Return all equipment to the company it belongs to. This includes network switches, UPS’es, or other types of equipment that you do not own. You can also contact your service provider (Internet Service Provider) if you are no longer using the services they provide you with.
6. Tag any hardware in storage with an inventory number for future reference when needed again in the future.
7. Fill out a Data Center Decommissioning Form that your company’s records department will use. Use this form to determine which computers require hard drive sanitization and degaussing media recycling services before removal from the site. This is necessary if your company has a secure data policy.
8. Keep a log of all shutdown servers and any problems you face during the decommissioning process.
9. Complete the data center shutdown checklist as soon as possible so that your company can store equipment in a secure place.
10. To prevent physical damage, avoid storing any equipment near entrances where people walk through regularly. Instead, keep it in a cooler area with limited traffic flow, such as the warehouse floor.
11. Fill out an Environmental Review Form before you begin shutting down your computer network. This helps inform others about how many hazardous material items (labels that read “corrosive,” “flammable,” etc.) will be present on-site while decommissioning is taking place.
These forms are extremely valuable in helping companies meet requirements under the Resource Conservation and Recovery Act (RCRA), a federal law regulating the management of solid and hazardous wastes.
12. Fill out an Equipment Disposal Form for any hard drives (servers, disk arrays, etc.) that may contain sensitive information. Then request clearance from the computer department responsible for maintaining your data center to ensure all software has been removed or wiped clean entirely if necessary.
If you choose not to hire a company for this service, keep in mind it can take up to 20 hours (or more depending on size and complexity) to wipe every drive clean.
13. Use a Warehouse Inventory Form whenever you receive any items. This way, the warehouse will know how many items they have received and where to store them when they are not in use. As an alternative, the warehouse manager could implement a system that has all this information at their fingertips.
14. Once you are finished decommissioning your company’s data center, consider conducting a post-mortem review with key stakeholders to determine whether or not it was successful. This will help you make necessary improvements before taking on future projects or planning for next year’s budgeting process.
Today’s technology industry is becoming more and more tightly knit as the market is becoming more and more competitive.
Organizations that want to stay afloat in an industry where competition for customers never sleeps must consider the need for decommissioning data centers or other business units involved in processing or storage of sensitive information, which could pose a risk to their company if not disposed of properly.
Proper automated solutions will help IT managers remove equipment from their network following guidelines created by industry experts, creating best practices for security standards for IT infrastructure management.