Effective Privacy and Security in Data Centre Decommissioning

By Vivek Shitole

Gone are the days when every organization needed dedicated data centres. With the rapid advancement of technology, ample options are available that negate the need for such facilities. Focused and dedicated services can be utilised instead of dedicated data centre. While specific organisations or sectors still require dedicated data centres, the percentage is relatively low.

Considering this, many organisations opt for cloud-enabled dedicated data centre services instead of owning and maintaining their own. However, what about organisations that already have data centres and wish to replace them with sophisticated services available in the tech market? This is where data centre decommissioning comes into play.

Various steps are involved in data centre decommissioning, and we will primarily focus on the security and privacy aspects, along with some other critical elements of this vital process. First, Let us outline the basic steps in data centre decommissioning before delving into the deeper security and privacy details. Understanding these steps is crucial for comprehending the security and privacy aspects of data centre decommissioning.

Data centre decommissioning involves several critical steps. Below are the general steps and related security and privacy aspects of data centre decommissioning:

• Assessment: Evaluate current assets, identify obsolete equipment, and assess data security requirements.
  • Potential Security and Privacy Considerations:
    • Accuracy and completeness of the asset management tools in use.
    • Ensuring assets/equipment from the decommissioned data centre are included in the overall asset management repository.
    • Identifying any missed security/privacy requirements for the data residing in these data centres.
• Data Backup and Migration: Safely back up and transfer critical data to new systems or storage.
  • Potential Security and Privacy Considerations:
    • Adequacy of data backup processes.
    • Security and privacy concerns in migrating critical data from decommissioned data centres to target data centres.
    • Security protocols/standards to be used for critical data migration.
• Hardware Removal: Disconnect and remove servers, networking equipment, and other hardware, ensuring proper documentation.
  • Potential Security and Privacy Considerations:
    • Incomplete documentation on hardware components to be disconnected and removed, impacting security and privacy controls of the hardware.
    • Lack of standardisation in processes used to remove/disconnect the hardware components.
• Data Destruction: Implement secure data erasure or destruction methods to safeguard sensitive information.
  • Potential Security and Privacy Considerations:
    • Use of unauthorised and risk-prone tools to destroy the data (e.g., Log4j, a third-party API with critical security vulnerabilities, included in some industry-leading data destruction tools).
    • Incomplete data erasure or destruction processes.
    • Lack of quality assurance to ensure critical data is completely and permanently erased.
    • Absence of standard operating procedures (SOPs) for data destruction.
• Environmental Considerations: Dispose of electronic waste responsibly, adhering to environmental regulations.
  • Potential Security and Privacy Considerations:
    • Need more emphasis on security and privacy controls while evaluating environmental regulations.
    • Inaccurate identification and sequencing of security and privacy controls while implementing environmental regulations related to data centre decommissioning.
• Documentation: Maintain comprehensive records of the decommissioning process, including asset disposal.
  • Potential Security and Privacy Considerations:
    • Inconsistencies in maintaining documentation, specifically around crucial security and privacy controls.
    • Lack of documentation around detailed steps of the decommissioning processes, such as automation scripts and data eraser tools user manuals.
• Security Clearance: Ensure all access credentials, including physical and digital, are revoked or updated.
  • Potential Security and Privacy Considerations:
    • Lack of pre-existing documentation around access management, such as types of accesses, credentials allocated, and different access roles.
    • Unclear details about shared credentials may need to be clarified regarding access revocations.
    • Omission of certain digital access rights, which can compromise security during data center decommissioning.
• Communication: Inform stakeholders, users, and relevant parties about the decommissioning plan and its impact.

• • • Lack of clarity around contractual terms, leading to contractual violations.
    • Risk of sharing critical and confidential information.
• Infrastructure Audit: Verify that power, cooling, and other infrastructure elements are properly shut down or redirected.
  • Potential Security and Privacy Considerations: This step typically has minimal direct correlation to security and privacy controls, as it is usually conducted after data, application, and IT infrastructure cleanup.
• Legal Compliance: Comply with legal and regulatory requirements for data privacy, disposal, and environmental standards.
  • Potential Privacy Considerations: In data centre decommissioning projects/programs, two types of legal and regulatory requirements need to be considered:
    • Requirements per organisational policies, standards, and practices.
    • Requirements per regional governmental policies, standards, and practices. Both categories must be incorporated to ensure legal compliance. These requirements should be evaluated and incorporated during the setup of data centres to avoid unnecessary and avoidable efforts and delays.
• Final Validation: Perform a final assessment to confirm that all equipment and data have been appropriately decommissioned.
  • Potential Security and Privacy Considerations:
    • Limited inclusion of security and privacy-related controls in the final assessment plan.
    • Lack of detailed testing of the final assessment plan to verify the effectiveness and coverage of final validation activities, especially those focused on security and privacy.
• Site Cleanup: Leave the physical space clean and orderly, considering any lease or contractual obligations. Each step should be executed meticulously to ensure a smooth and secure data centere decommissioning process.

• Inventory Lists and Data Accuracy: Inaccurate or incomplete data regarding assets, including site location, rack counts, rack locks/keys/combinations, device types, and circuit IDs, will require additional investigation, potentially involving onsite inventory of assets and circuits.
• Portal and Physical Access: Before hand-off for asset validation, both virtual access via the portal as an admin user and physical access to the site must be provided.
• Lack of Detailed Documentation Around Key Steps: Standard Operating Procedures (SOPs) for all critical steps of data centre decommissioning must be clearly and formally documented and regularly reviewed by qualified personnel.
• Site Closure Readiness: A more extensive data centre decommissioning program is highly dependent on sites being handed off and ready for shutdown/closure by the appropriate lines of business.
• Resource Availability: Effective data centre decommissioning requires the availability of technical resources, including logistics, network, and security, from both the source and destination data centres to perform necessary shutdown and decommissioning functions for specific hardware within the required period.
• Lack of Segregation of Duties Considerations: The lack of segregation of duties can result in errors or inaccuracies due to the absence of independent reviews. Therefore, the roles of data centre operational teams need to be reviewed and adequately segregated.
• Site Contract Negotiations: Delays in contract termination, portability, and other negotiations with colocation (co-lo) providers can hinder the decommissioning process.
• Lack of Prioritisation in Designing the Decommissioning Roadmap: The data centres to be decommissioned should be allocated a priority rating based on complexity and the termination date agreed with the colocation provider. Failing to do so may result in complicated interdependencies, issues with customer and supplier contracts, overall delays, and potential financial and reputational damage.
• Purchase Order or Requisition Approvals: Delays in approving or signing any required purchase orders for decommissioning activities, such as media destruction or external vendor activities, can impede the process.
• Contracted Space Reduction: Post-migration, the ability to reduce contracted square footage and divide cages/suites without shared network, power, or cooling is essential. This ensures the co-lo provider can lease the space to new tenants as standalone cages/suites. The organisation would be responsible for the cost of dividing the space and the full MRC until the new space is leased.

Conclusion

Security and privacy are paramount in the world of data centres, and it is everyone’s responsibility, not just that of the security and privacy teams. Appropriate considerations and actions for security and privacy during data centre decommissioning need top attention, priority, and required resources. Failing to address these adequately may pose significant risks to an organisation’s security and privacy landscape, both in its old and new infrastructure environments.

About Author

Vivek Shitole is an experienced professional with 18 years in Information Security and Privacy, Risk Management consulting, and performance improvement. He has led teams in data-driven risk management engagements and held leadership roles in Oracle’s Business Assessment & Audit group. With an MBA in Operations and IT and an engineering degree, Vivek is also a dedicated athlete, having completed a full-distance Ironman at IMTX 2023 and various marathons.