How to Prevent a Data Breach When Refreshing Your Server Equipment
November 12th, 2013 By: Industry Perspectives
Steve Skurnac is the president of Sims Recycling Solutions, the global leader in electronics reuse and recycling.
As more people rely on cloud computing, data centers play an increasingly critical role in supporting individual and corporate IT requirements. Operating in the background, today’s data centers are much larger and more numerous than their predecessors, providing the back-end support for our expanding daily IT demands and growing use of cloud computing.
In the last three years, 74 percent of data centers have added to their physical server count, and sales figures for new servers rose from 8.9 million units in 2010 to 9.5 million in 2011. More important than the purchase and growth of this new equipment, however, is the method of disposal for the old servers being replaced. With 88 percent of unsecured data being shared electronically, according to IT News Online, responsible server disposal has proven to be a key component of IT security, environmental responsibility and corporate compliance.
What some companies overlook is that the security of this unwanted equipment can be as important as the security of the working equipment still in use. The following information offers guidance on how to responsibly manage end-of-life IT equipment to help prevent a data breach and avoid potential litigation.
Assignment of Responsibility
In an ever-changing technology environment, IT and data center executives are constantly challenged with ensuring 24/7 availability of data center equipment and services. These challenges can make it easy to allow old devices to pile up in a storeroom.
Assigning ownership of retired equipment to a named individual helps maintain continuous oversight of an ongoing technology and server disposal program, ensures standardized and systematic processes are in place, and keeps proper records regardless of who physically carries out the disposal tasks.
Understanding the complex process of IT asset disposal, along with its costs and services, can be a lot of work and at times overwhelming, but compared with the risk of corporate data ending up in the wrong hands or equipment being illegally landfilled, the payback is worthwhile. According to a survey, 66 percent of executives with purchasing authority are unaware of the financial implications of ignoring environmental regulations when disposing of IT equipment, and may not even realize the significance of this role.
Know Your Risks
Data arrays, data servers, hard drives, tape drives, routers and switches are just some of the data-rich IT assets that can potentially expose your company’s confidential, proprietary or network information if not handled securely during the disposal process.
Other factors to be mindful of when disposing of obsolete data-bearing devices include regulatory compliance, data protection, fiduciary accountability and environmental stewardship. In particular, the Environmental Protection Agency (EPA) can hold the equipment owner personally liable if the equipment is improperly disposed of, even when the disposal has been outsourced. Legislation governing the disposition of obsolete data center equipment varies by location.
There are many risks associated with equipment disposal, and many reasons why it is critical to work with a disposal company that will not only protect your company’s data but also ensure you comply with the 550 U.S. laws that affect IT equipment disposal.
Consider Your Options
While the destruction of data residing in retired data center assets may occupy a small part of a company’s larger data security strategy, no policy is complete without it. If hard drives are to be reused, the data on them must be completely overwritten with commercially certified software, and the overwrite must be verified by reading the drive back. A single full pass is enough for a modern magnetic drive; what matters is that every addressable sector the tool can reach is covered and checked, not how many passes are made. Data on magnetic drives that will not be reused can be destroyed by degaussing, which uses strong electromagnetic fields to erase the recorded data. Degaussed drives cannot be reused, and are typically also physically destroyed. Shredding is a common commercial solution to ensure destruction of the data on hard drives. Solid state drives (SSDs) require different handling, because the traditional methods do not work on them: degaussing has no effect on flash memory, and a software overwrite cannot be trusted to reach every cell, since the drive’s controller remaps writes across spare and over-provisioned areas the host never sees. For SSDs, use the drive’s built-in sanitize command (ATA Secure Erase, or NVMe Format with secure erase) or cryptographic erase where the drive supports it, verify the result, or shred the drive finely enough to destroy the flash chips themselves.
IT asset disposal vendors such as Sims Recycling Solutions can perform these services on-site at the customer’s premises, so the data is destroyed before the equipment ever leaves the customer’s control. A certificate of data destruction provides documented proof that assets have been properly managed and the data destroyed; it should identify each asset (for example by serial number) together with the method used and the verification performed.
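The overwrite-and-verify step for a magnetic drive described above, as an added example that is not part of the original article and not a Sims Recycling Solutions tool. It assumes a POSIX shell with dd, cmp and head -c (GNU or BSD), runs as root against a block device such as /dev/sdX, and uses a regular file for its own self-test. It is deliberately limited to magnetic drives: on an SSD a host-side overwrite proves nothing, as explained above.

```shell
#!/bin/sh
# wipe_verify.sh -- overwrite a magnetic drive with zeros, then read it back to
# confirm every byte is zero. Added example for this article; not a vendor tool.
# Assumes POSIX sh plus dd, cmp and head -c (GNU or BSD). Run as root against a
# block device such as /dev/sdX; the self-test uses a regular file instead.
# Do NOT use this on an SSD: the controller remaps writes, so a host overwrite
# cannot be trusted to reach every flash cell (use the drive's sanitize command).

# target_size TARGET -- size in bytes. Reading the whole target works for files
# and devices alike; on Linux `blockdev --getsize64 TARGET` is faster for disks.
target_size() {
    wc -c < "$1" | tr -d ' '
}

# overwrite_zero TARGET SIZE -- single pass of zeros over the first SIZE bytes.
# One full pass is what NIST SP 800-88 calls for when clearing a magnetic drive;
# coverage of every addressable sector matters more than repeated passes.
overwrite_zero() {
    target=$1; size=$2
    head -c "$size" /dev/zero | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null || return 1
    sync
}

# verify_zero TARGET SIZE -- exit 0 only if the first SIZE bytes read back as
# zero. A full read-back is the check a certificate of destruction should rest
# on; sampling is cheaper but proves less.
verify_zero() {
    target=$1; size=$2
    head -c "$size" /dev/zero | cmp -s - "$target"
}

# sanitize_and_verify TARGET [SIZE] -- the whole procedure, emitting a log line
# that a disposal record can cite. Returns non-zero if the read-back finds any
# residue, so a failed wipe is never silently recorded as a success.
sanitize_and_verify() {
    target=$1
    size=${2:-$(target_size "$target")}
    overwrite_zero "$target" "$size" || { echo "FAIL: write error on $target" >&2; return 1; }
    if verify_zero "$target" "$size"; then
        echo "OK: $target, $size bytes overwritten and verified zero at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    else
        echo "FAIL: $target still holds non-zero data after overwrite" >&2
        return 1
    fi
}

# Usage: sh wipe_verify.sh /dev/sdX   (only runs when a target is given)
if [ "$#" -gt 0 ]; then
    sanitize_and_verify "$@"
fi
```

The log line is the evidence the certificate of destruction should be built from: target, byte count, method and the fact that the read-back passed. For an SSD the equivalent step is the drive’s own command rather than this script, for example `hdparm --user-master u --security-erase PASS /dev/sdX` after setting a temporary password, or `nvme format /dev/nvme0n1 --ses=1` with nvme-cli, followed by the same kind of read-back.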
Choose Your Vendor Carefully
Choosing a vendor to manage your IT assets can be a daunting task. It is important to take the time to ask questions, learn and understand the disposition process to know exactly where your IT assets and servers are ending up.
When navigating the selection process, you may want to consider a few things.
- Reliance on Subcontractors: Selecting an IT asset disposal vendor that doesn’t rely on subcontractors and manages every step of the process internally improves accountability, increases security and streamlines reporting.
- Data Security Standards: Ask whether data destruction is performed to NIST guidelines (NIST SP 800-88, Guidelines for Media Sanitization) and whether the vendor validates it with certificates of data and physical destruction; not every vendor offers this.
- Certifications: Look for a company that operates in accordance with industry best practices that govern environmental, health, and safety management systems (R2, e-Stewards, ISO 14001, OHSAS 18001), but also look for standards that regulate information destruction (NAID) and the secure handling, warehousing and transportation of equipment (TAPA).
- Liability Insurance: An insured vendor can absorb the financial risks that arise if the disposition of obsolete electronics goes wrong, rather than passing them back to the customer.
- Location of Business: Strategically located facilities will minimize freight costs, reduce greenhouse gas emissions and simplify logistics.
- Examine the Facilities and Equipment: Conduct a site visit and evaluate the physical security measures in place. Determine whether employees are background screened and drug tested.
It is important to remember that your organization will continue to be held accountable for the data in your IT equipment even after retirement. Data has never been more valuable or more vulnerable. By having a clear disposal plan for obsolete equipment, you make the security of the protected digital data entrusted to your organization a priority rather than a postscript.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
Good article and important to highlight what is, for many companies, a data security blind spot. Certainly a site audit is important but do IT Managers understand what they are looking for?
ADISA accredited ITADs can explain to their clients what their accreditation means, who recognises it and what is required to attain and keep this accreditation.
Excellent advice here. Robust processes including sanitisation and then secure destruction of old equipment is a total must have.
We encourage our clients to audit their data centre and or Cloud provider to find out about all aspects of the security of their information, including its physical security.
Cloud providers and Data Centres would do well to get independent advice on how best to structure policy and procedure in this area to ensure top flight reputation retention.