
Gone are the days when every organization needed dedicated data centers. With the rapid advancement of technology, there are now ample options available that negate the need for such facilities. Focused and dedicated services can be utilized in place of maintaining proprietary data centers. While certain organizations or sectors still require their own dedicated data centers, the percentage is quite low.

Considering this, many organizations are opting for cloud-enabled dedicated data center services instead of owning and maintaining their own. But what about organizations that already have data centers and wish to replace them with sophisticated services available in the tech market? This is where data center decommissioning comes into play.

Data center decommissioning involves various steps. This article focuses primarily on the security and privacy aspects, along with some other key elements of the process. The basic steps are outlined first, because understanding them is necessary for understanding the security and privacy considerations attached to each.

Below are the general steps of data center decommissioning and the related security and privacy aspects of each:

1. Assessment: Evaluate current assets, identify obsolete equipment, and assess data security requirements.

  • Potential Security and Privacy Considerations:
    • Accuracy and completeness of the asset management tools in use.
    • Ensuring assets/equipment from the decommissioned data center are included in the overall asset management repository.
    • Identifying any missed security/privacy requirements for the data residing in these data centers.

2. Data Backup and Migration: Safely back up and transfer critical data to new systems or storage.

  • Potential Security and Privacy Considerations:

    • Adequacy of data backup processes. 
    • Security and privacy concerns in migrating critical data from decommissioned data centers to target data centers. 
    • Security protocols/standards to be used for critical data migration.

3. Hardware Removal: Disconnect and remove servers, networking equipment, and other hardware, ensuring proper documentation.

  • Potential Security and Privacy Considerations:
    • Incomplete documentation on hardware components to be disconnected and removed, impacting security and privacy controls of the hardware. 
    • Lack of standardization in processes used to remove/disconnect the hardware components.

4. Data Destruction: Implement secure data erasure or destruction methods to safeguard sensitive information.

  • Potential Security and Privacy Considerations:

    • Use of unauthorized and risk-prone tools to destroy the data (e.g., some industry-leading data destruction tools include Log4j, a third-party logging library that has had critical security vulnerabilities).
    • Incomplete data erasure or destruction processes. 
    • Lack of quality assurance to ensure critical data is completely and permanently erased. 
    • Absence of standard operating procedures (SOPs) for data destruction.

5. Environmental Considerations: Dispose of electronic waste responsibly, adhering to environmental regulations.

  • Potential Security and Privacy Considerations:
    • Inadequate emphasis on security and privacy controls while evaluating environmental regulations. 
    • Inaccurate identification and sequencing of security and privacy controls while implementing environmental regulations related to data center decommissioning.

6. Documentation: Maintain comprehensive records of the decommissioning process, including asset disposal.

  • Potential Security and Privacy Considerations:
    • Inconsistencies in maintaining documentation, specifically around key security and privacy controls. 
    • Lack of documentation around detailed steps of the decommissioning process, including automation scripts, user manuals for data erasure tools, etc.

7. Security Clearance: Ensure all access credentials, including physical and digital, are revoked or updated.

  • Potential Security and Privacy Considerations:
    • Lack of pre-existing documentation around access management, such as types of accesses, credentials allocated, different access roles, etc. 
    • Unclear details around shared credentials, which may create confusion around access revocations. 
    • Omission of certain digital access rights, which can compromise security during data center decommissioning.

8. Communication: Inform stakeholders, users, and relevant parties about the decommissioning plan and its impact.

  • Potential Security and Privacy Considerations:

    • Lack of clarity around contractual terms, leading to contractual violations. 
    • Risk of sharing critical and/or confidential information.

9. Infrastructure Audit: Verify that power, cooling, and other infrastructure elements are properly shut down or redirected.

  • Potential Security and Privacy Considerations: This step typically has minimal direct correlation to security and privacy controls, as it is usually conducted after data, application, and IT infrastructure cleanup.

10. Legal Compliance: Comply with legal and regulatory requirements related to data privacy, disposal, and environmental standards.

  • Potential Privacy Considerations: In data center decommissioning projects/programs, two types of legal and regulatory requirements need to be considered:

    • Requirements per organizational policies, standards, and practices.
    • Requirements per regional governmental policies, standards, and practices.

    Both categories must be incorporated to ensure legal compliance. These requirements should be evaluated and incorporated during the setup of data centers to avoid unnecessary and avoidable efforts and delays.

11. Final Validation: Perform a final assessment to confirm that all equipment and data have been appropriately decommissioned.

  • Potential Security and Privacy Considerations:
    • Limited inclusion of security and privacy-related controls in the final assessment plan. 
    • Lack of detailed testing of the final assessment plan to verify the effectiveness and coverage of final validation activities, especially those focused on security and privacy.

12. Site Cleanup: Leave the physical space in a clean and orderly state, considering any lease or contractual obligations.

Each step should be executed meticulously to ensure a smooth and secure data center decommissioning process.
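The final validation in step 11 can be run as a reconciliation across the records produced in steps 1, 3, 4 and 7, so that gaps in inventory, erasure QA and access revocation surface as explicit findings. The following Python is an added example, not part of the original article; the record layouts, field names and sample values are constructed assumptions.

```python
# Constructed sample records; every name and value here is an assumption.
INVENTORY = [  # step 1: asset management repository
    {"asset": "srv-001", "serial": "SN1001", "holds_data": True},
    {"asset": "srv-002", "serial": "SN1002", "holds_data": True},
    {"asset": "sw-010", "serial": "SN2001", "holds_data": False},
]
REMOVED = ["SN1001", "SN1002", "SN2001", "SN9999"]  # step 3: removal manifest
ERASURE = [  # step 4: erasure log, with the independent QA sign-off
    {"serial": "SN1001", "method": "overwrite", "verified_by": "qa-team"},
    {"serial": "SN1002", "method": "overwrite", "verified_by": None},
]
CREDENTIALS = [  # step 7: physical and digital access
    {"id": "badge-114", "kind": "physical", "shared": False, "revoked": True},
    {"id": "svc-backup", "kind": "digital", "shared": True, "revoked": False},
]


def final_validation(inventory, removed, erasure, credentials):
    """Return a list of (finding, identifier) tuples; empty means clean."""
    findings = []
    known = {a["serial"] for a in inventory}
    # Hardware pulled from racks but absent from the asset repository.
    for serial in sorted(set(removed) - known):
        findings.append(("untracked_hardware", serial))
    # Inventoried hardware that never appeared on the removal manifest.
    for serial in sorted(known - set(removed)):
        findings.append(("not_removed", serial))
    # Every data-bearing asset needs an erasure record with QA sign-off.
    erased = {e["serial"]: e for e in erasure}
    for asset in inventory:
        if not asset["holds_data"]:
            continue
        record = erased.get(asset["serial"])
        if record is None:
            findings.append(("no_erasure_record", asset["serial"]))
        elif not record["verified_by"]:
            findings.append(("erasure_unverified", asset["serial"]))
    # Credentials still active; shared ones are called out separately.
    for cred in credentials:
        if not cred["revoked"]:
            kind = "shared_credential_active" if cred["shared"] else "credential_active"
            findings.append((kind, cred["id"]))
    return findings


if __name__ == "__main__":
    for finding in final_validation(INVENTORY, REMOVED, ERASURE, CREDENTIALS):
        print(finding)
```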

Key Risks and Dependencies to Consider in a Data Center Decommissioning Program

  • Inventory Lists and Data Accuracy: Inaccurate or incomplete data regarding assets, including site location, rack counts, rack locks/keys/combinations, device types, and circuit IDs, will require additional investigation, potentially involving onsite inventory of assets and circuits.
  • Portal and Physical Access: Both virtual access via portal as an admin user and physical access to the site must be provided prior to hand-off for validation of assets.
  • Lack of Detailed Documentation Around Key Steps: Standard Operating Procedures (SOPs) for all key steps of data center decommissioning need to be clearly and formally documented and regularly reviewed by qualified personnel.
  • Site Closure Readiness: A larger data center decommissioning program is highly dependent on sites being handed off and ready for shutdown/closure by the appropriate lines of business.
  • Resource Availability: Effective data center decommissioning requires the availability of technical resources, including logistics, network, and security, from both the source and destination data centers to perform necessary shutdown and decommissioning functions for specific hardware within the required time frame.
  • Lack of Segregation of Duties Considerations: The lack of segregation of duties can result in errors or inaccuracies due to the absence of independent reviews. Therefore, the roles of data center operational teams need to be reviewed and adequately segregated.
  • Site Contract Negotiations: Delays in contract termination, portability, and other negotiations with colocation (co-lo) providers can hinder the decommissioning process.
  • Lack of Prioritization in Designing the Decommissioning Roadmap: A priority rating based on complexity and the termination date agreed with the colocation provider should be allocated to the data centers to be decommissioned. Failing to do so may result in complicated interdependencies, issues with customer and supplier contracts, overall delays, and potential financial and reputational damage.
  • Purchase Order or Requisition Approvals: Delays in approving or signing any required purchase orders for decommissioning activities, such as media destruction or external vendor activities, can impede the process.
  • Contracted Space Reduction: Post-migration, the ability to reduce contracted square footage and divide cages/suites without shared network, power, or cooling is essential. This ensures the co-lo provider can lease the space to new tenants as standalone cages/suites. Oracle would be responsible for the cost to divide the space and full MRC until the new space is leased. 

Conclusion

Security and privacy are of paramount importance in the world of data centers, and they are everyone's responsibility, not just that of the security and privacy teams. Security and privacy considerations and actions during data center decommissioning need top attention and priority, along with the required resources. Failing to address these adequately may pose significant risks to the security and privacy landscape of an organization, in both its old and new infrastructure environments.



About the Author

Vivek Shitole is an experienced professional with 18 years in Information Security and Privacy, Risk Management consulting, and performance improvement. He has led teams in data-driven risk management engagements and held leadership roles in Oracle's Business Assessment & Audit group. With an MBA in Operations & IT and an engineering degree, Vivek is also a dedicated athlete, completing a full-distance Ironman at IMTX 2023 and various marathons.