Once you’ve taken the decision to migrate storage, what does this mean for your legacy storage assets? What steps can you take to recover greatest value from retiring drives and related hardware?
It’s not sufficient to plan for what happens in the cloud. Companies must also plan for what to do with hardware and infrastructure left on-premise.
Can they be repurposed for other uses in the enterprise, or does it make financial and operational sense to retire hardware assets?
If the latter, you may be asking yourself: How comfortable am I with the necessary steps in decommissioning parts of my data center? Do I have a sufficiently robust checklist in place? And what will I do with the hardware, such as drives, I no longer need?
HDD Value Recovery
The case of what to do with retiring drives is particularly interesting and often overlooked. There are an estimated 19 to 24 million HDDs available for value recovery from data centers in North America, according to analysis from storage expert Tom Coughlin. That’s a lot of data to wipe securely but also a lot of potential value to extract from those hard drives where they can be remarketed.
Companies are often quick to miss this opportunity and rush to destruction when remarketing is possible. “Many fully functioning HDDs are destroyed because of data security concerns, even when the data on the HDDs is of low sensitivity or could easily be erased/sanitized,” experts for the International Electronics Manufacturing Initiative (iNEMI) wrote in a report on the important role HDDs can play in developing a circular economy for electronic hardware. “This significant loss of potential value is caused by a lack of understanding and knowledge of the full capabilities of modern data sanitization methods.”
So what to do with all the hard drives kicking about when it comes time for a refresh cycle or to decommission parts of a data center?
When responsible companies decide to upgrade and replace, or dispose of, outdated equipment, one of the considerations must be how to wipe the data from those devices, or otherwise sanitize the hard drives where the data resides. There are a number of approaches that can be used to delete data from hard drives, including deleting unwanted files; using software tools; encrypting the drives; or physically destroying the drive, by degaussing it (such that the drive is demagnetized by use of a strong magnetic field), drilling through it, or shredding it, to make it inoperable.
However you structure your IT, you need flexible and agile solutions and the ability to decommission assets securely and fire up new hardware elsewhere.
Reuse Before Recycle
To shift industry behavior toward greater consideration of reuse before electing for dismantling or destruction, data center operators must feel confident in the thoroughness of the data sanitization process for hard drives.
For some time, the “DOD standard”, officially known as DoD 5220.22-M, was widely touted as industry best practice. The problem is that the standard was never intended to be a standard, and—in its stipulation of three overwrite passes —represents too heavy-handed an approach for most data sanitization cases, requiring additional time and cost.
If the initial overwrite is sufficiently rigorous and thoroughly tested, isn’t that enough? Despite this, the DOD standard, which originated in 1995, continues to get used in ITAD marketing statements today.
By contrast, the U.S. National Institute of Standards and Technology (NIST) guidelines for computer media sanitization, known as NIST SP 800-88, are widely considered to be the actual go-to standard. NIST 800-88 provides rigorous and comprehensive guidance for companies and U.S. government entities to ensure they are following best practices for data destruction.
The NIST standard recommends that once organizations decide to embark on a sanitization project, clear steps are followed:
- Verification of personnel competencies—meaning that anyone doing the sanitizing is competent and trained on the equipment to be used.
- Verification of equipment—meaning that the equipment that’s being used is properly calibrated and that proper maintenance procedures are used on the equipment.
- Verification of results—ensuring that the data to be sanitized has actually been sanitized.
“Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. The level of effort applied when attempting to retrieve data may range widely,“ the NIST 800-88 guidance explains.
ADISA
Another standard that actively supports organizations seeking to achieve best-in-class control around data sanitization is offered by the Asset Disposal & Information Security Alliance (ADISA). ADISA conducts audits of companies that wish to become a part of the alliance.
Once it’s determined that the company is capable of meeting the organization’s criteria, the company is eligible to apply to be certified. ADISA has a rigorous process for certification, and conducts regular audits of at least two per year for its certified members. These may include unannounced operational audits of each company, involving forensic tests of a sample size of 10 pieces of media. Full audits are carried out at least every three years.
Researchers are already working to develop innovative ways of reusing and recycling otherwise failed HDD components into new hard disk drives. Storage leader Seagate, a member of iNEMI’s HDD working group, calls for the creation of “hard drives from hard drives.”
When reuse is not feasible and destruction of the drive is required, look for accreditations that establish a vendor’s credentials for responsible disposition.
R2, an industry-leading certification for responsible recyclers of electronic equipment, is a well-established standard in North America, with a growing presence internationally.
e-Stewards, which grew out of the Basel Action Network (BAN), also offers a rigorous certification program for e-waste recyclers, differentiating its accreditation by stipulating the prohibition of exports of e-waste to developing countries.
There’s a lot to consider when handling retiring IT assets, but with the right level of expert support and guidance you can maximize recovery value and return money to your IT budget.
To read our full report on planning your cloud storage migration, click here.
