December 10, 2020
An important part of the storage hardware life cycle is the scrapping and disposal of equipment. If the company does not handle it properly, it may endanger sensitive data and expose itself to compliance risks.
The goal here is to retire storage assets at an appropriate time, taking into account costs, workload requirements, and data security. Then, the IT team should dispose of the equipment as efficiently and securely as possible without leaking data. To this end, the storage team must carefully plan how to decommission and dispose of storage devices. They can break this complex process down into the following seven steps:
1. Evaluate when to abandon storage media
Retiring storage hardware too early may cause unnecessary costs, but waiting too long may put data and applications at risk. Several factors need to be considered when deciding when to retire storage media. If a device fails, it should be replaced, but a device should generally be retired before it reaches that point. For example, the supplier may no longer support a NAS system and may have stopped providing software patches and firmware updates, thereby exposing the system to new security threats.
Enterprise-level storage hardware can usually be used for three to five years, although the product life span will vary. The supplier’s warranty usually gives a good indication of the expected life span. The type of workload and the amount of data will also affect the life of the product. The service life of many drives may exceed their expected life, but the probability of failure increases every year. Older drives also take up more space, operate less efficiently, require more maintenance, and may not meet current performance and safety requirements.
2. Make a plan to guide the abandonment and disposal of storage media
In order to effectively and cost-effectively eliminate and dispose of storage devices, while ensuring data security and complying with applicable regulations, careful planning is essential. IT staff should develop a detailed plan to cover the next five steps: prepare for decommissioning, then decommission, protect, clean up, and dispose of assets.
For each step, the plan should define the tasks that the storage team must perform, how to perform the tasks, the relevant personnel, and how to verify their completion. The plan should also identify each asset that the company will eliminate, and establish a timetable to eliminate and dispose of the asset. Companies usually implement the planning process in conjunction with their data governance framework, especially planning for data retention and destruction and any other storage asset management guidelines.
3. Prepare for the abandonment of storage media
Before decommissioning storage devices, IT should perform final backups based on internal requirements and data governance policies. This backup prevents the loss of critical and proprietary information, while providing evidence of the data stored before the device was decommissioned. IT should verify the backup to ensure that the data is usable and secure.
The IT team should also take steps to prepare to decommission storage media. For example, they may need to deploy new drivers, redirect network traffic, or reconfigure applications. During the decommissioning process, some tasks must be carefully orchestrated to ensure a smooth transition, while other tasks can be performed in advance to prepare for the transition. Where applicable, IT should also cancel any services related to storage media, such as supplier maintenance contracts, to avoid paying for unnecessary services.
4. Disable storage media
People usually refer to this step when talking about decommissioning storage hardware. This is perhaps the easiest step to perform. It usually just means taking the storage media offline. This may include disconnecting the system from the network, cutting off the power supply, removing the drive from the blade server, or other tasks necessary to ensure that the storage medium has been removed from the normal workflow. The device may stay on site for a short time, but will not participate in daily operations.
The main focus of this step is to ensure that there is no data leakage when the device is disabled. For example, an administrator might remove the drive and place it in a less secure location, putting the device and its data at risk. Any storage asset removed from service must still be kept completely secure, which is why protecting storage media is considered a separate step.
5. Protect storage media
It is not uncommon for the IT team to remove the storage device immediately after it is deactivated. They might even move it to a location designated for such equipment, such as a storage room in a data center. Or, the IT team may clean up the equipment in place and then remove it for disposal. The equipment may even be set aside somewhere and left untouched for the time being. No matter where the equipment is located or how it is handled, the team must ensure that it is protected until it is completely cleaned up and destroyed.
Security must be emphasized at all times to protect data and comply with regulations. Careless behavior can lead to information leakage and high fines. At the same time, the IT team should note that this step is not the last step. A team may store the media in a safe location and leave it there indefinitely because it cannot determine the correct way to handle it. Therefore, in the planning stage, you should consider how to protect the equipment after it is decommissioned, and when to clean up and dispose of it.
6. Clean up storage media
Before disposing of the equipment, the IT department should first clean it up to prevent others from accessing sensitive data. SSDs and HDDs should be treated differently, and tools and processes specific to the media type should be used. It is also important to choose the correct cleaning technique. Many techniques are expensive, time-consuming and less than 100% effective. For example, using magnets to erase data (degaussing) is ineffective for SSDs, and may also be ineffective for some HDDs. Encrypting the drive and then deleting the encryption key is a popular method, but the team must be able to ensure that no copy of the encryption key exists elsewhere and that the drive remains in the correct encryption state.
When deciding how to clean the storage media, the IT team should evaluate the cleaning technologies to determine the best method for its media, a choice that should be made during the planning phase. At the same time, any processes, tools and services used should comply with the highest standards and, where applicable, hold industry certifications. Companies can obtain guidance on standards and certification from organizations such as the National Institute of Standards and Technology, which provides guidelines for media cleanup. The IT team should also have methods for verifying and certifying the cleanup.
7. Dispose of storage media
Disposing of storage hardware may mean donating it, selling it, returning it to the supplier, recommissioning it or destroying it. Which method you choose will depend on the importance of the data, how the device was cleaned up, and whether it is an SSD or HDD. If the IT team can guarantee that the drive has never stored sensitive data and is not subject to compliance constraints, then the team will have greater flexibility in how it disposes of the drive. If the drive has stored highly sensitive data, destruction may be the safest option. The specific situation will determine the best strategy.
When deciding to destroy the equipment, the IT team can do it themselves or hire an external company to destroy the equipment on site or offsite. HDDs are easier to destroy than SSDs, but in either case, companies must ensure that the destruction is completed correctly.
If an external company is selected, the IT team should verify that the company is certified in the disposal of IT assets and uses appropriate destruction technology. For example, if the company does not use a suitable shredder to destroy the SSD, data fragments may be left after the destruction process. The IT team must also ensure that the external company can provide audit records to show that the equipment was destroyed.