A data center is the heartbeat of any organization. Successful upkeep of an on-premise data center requires constant maintenance from on-location staff. But with the world in lockdown for months on end, this is proving a challenge. The pandemic is prompting organizations to reimagine processes and rapidly find new solutions to suit today’s environment. Put simply, it is forcing their hands and accelerating digital transformation.
One common solution has been an unprecedented move to the cloud and resultant data center decommissioning. Projects that have been on hold for months have miraculously been completed in weeks.
For many organizations, however, taking the leap to the cloud is a daunting and complex process. Decommissioning a data center is more complicated than just shutting down servers and switches. One imperative element is to maintain data security. Many IT assets in the decommissioning process will inevitably bear sensitive data, which could be breached if care is not taken to sanitise each asset before disposal or recycling.
When embarking on data center decommissioning, organizations must be aware of some key considerations.
Choose your cloud provider wisely
Moving your data storage from on-premise to a cloud provider may feel like an unburdening of the headache that is data security, but data risks don’t cease when moving your data to the cloud. The data controller still maintains total accountability for the data in question throughout its lifecycle, including the risk this may entail. To reduce this risk, track all data assets from creation to end-of-life, with a fully auditable trail. And at end-of-life, these assets should be subject to certified data sanitization. Interestingly, recent research revealed two in five organizations that store their data in-house spend more than $100,000 storing useless IT hardware that could pose a security or compliance risk. Data sanitization solutions mean these old IT assets could instead be recycled, re-used or re-sold, so unfortunately most of this money is wasted. Clearly more education is required in how to handle old IT assets.
The same applies for cloud migration. Take responsibility for the risk that sensitive data poses and ensure you have a process for dealing with such data at end-of-life. A lack of responsibility and codified policy leads to confusion, resulting in an increased risk of human error and a potential data breach, or the omission of essential tasks. When decommissioning your on-premise data center, enact the same policy of tracking and sanitising all assets that could pose a security risk. Unfortunately, many organizations fail to recognise this responsibility. For example, the recent $60m fine levied at Morgan Stanley for improperly disposing of personal data was due to improper data center decommissioning. To avoid the same fate, establish clear internal ownership for the decommissioning and data migration processes. The chosen leader, most likely a Data Protection Office (DPO) or Head of IT, should be charged with identifying and documenting risks, ownership, and team roles. A lack of ownership, equates to liability for the whole organization.
A commonly overlooked aspect of data center decommissioning is what to do with the leftover IT equipment. As mentioned, holding on to it is an expensive mistake. Many businesses today are still opting for physical destruction both as a means of asset disposal, but also to protect sensitive data. This method is not only outdated, but incredibly wasteful - e-waste is the fastest growing waste stream. According to the U.N. just 20 percent of e-waste is formally recycled and more than 53 million metric tonnes of it was produced in 2019. In 2020, the UK was the worst offender in Europe for e-waste exports and the second biggest e-waste contributor in the world after Norway. While this can’t solely be blamed on the shredding or degaussing of old data center IT assets, the rate at which organizations are making the move to the cloud means the issue could worsen.
One solution is greater education in modern data sanitization methods, particularly important today where the global pandemic restrictions place strain on physical supply chain processes. For example, reducing the need for face-to-face interactions and frequent travel is important. Remote erasure and automation—combined with centralized auditability—is key to supporting security initiatives during these unprecedented times. Today, mature processes to remotely erase selected files and folders, entire desktops and laptops, as well as servers, Storage Area Networks (SANs) and VMs are a natural part of best practice implementations for large organizations with assets spread around the world. Not only does this protect data and reduce e-waste, but a sanitised IT asset can even be recycled, reused or resold, creating value for the organization too. As with all data sanitization activities, a certificate should be obtained for every erasure to prove compliance with a full audit trail.
Many organizations today are working towards e-waste reduction, Environmental Social & Governance (ESG) or Corporate Social Responsibility (CSR) targets. Faced with data center decommissioning, utilising data sanitization, remote or otherwise, over physical destruction to process old IT assets, can help achieve such targets.
Decommissioning a data center can be challenging, but data management and security must remain a top priority throughout the process. Research your potential cloud provider extensively to ensure your data management practices are aligned. Always take full responsibility for your data and track that data on all IT assets for the entire asset lifecycle. Look to modern data sanitization solutions, like remote erasure and reusing IT assets, instead of physically destroying old IT assets and harming the environment. Finally, it is crucial for your organization and chosen cloud provider to maintain compliance with the latest data privacy regulation.
With so many organizations globally moving operations to the cloud, data security concerns are universal. Take the extra precaution today and protect your organization’s data long term.