Each year, IT teams supporting a modest-sized enterprise (2500 devices) will retire about 23% of its devices. That’s 575 machines a year containing sensitive information. Because many companies like to re-purpose these machines, the devices must first go through an end-of-lifecycle transition, from storage of data to reassignment, resale or donation. If the device is being reassigned from one department to another, it might require a new image, so the previous image, with its specific rights and application selection, must give way to a fresh tableau on which to build. If the device is leaving the organization, there can’t be any trace of its prior usage left. NIST agrees:
NIST Special Publication 800-88 Guidelines for Media Sanitization mandates that “in order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media.” Taking control of old electronic media means disposing of it in a safe, secure, and compliant fashion.
The decommission process can be lengthy and, with all the daily fires requiring attention, considered a lower priority. This is why many companies either have a stack of old devices waiting for retirement in some storage room or outsource to companies that specialize in data sanitization and hard disk destruction.
This year, IT teams will be potentially inundated with retiring devices considering the sunsetting of Windows XP last April. Because of the cost, many companies have simply opted to invest in brand new machines with Windows 7 preinstalled rather than face the battle of OS migration. This leaves them to face the problem of decommissioning their old PCs in a way that prevents any significant leakage of sensitive information.
As noted, many companies use outside organizations to handle this aspect of their business. Using our modest-sized enterprise as a model, decommissioning 575 devices can be expensive. Based on industry research, this costs between $30 and $50 per device. For our example company, that is a budget line item in excess of $23,000 for the year. Unfortunately for this company, an additional 12% of their machines, still within their industry-accepted 4-year lifecycle, were XP machines. They opted for new units rather than upgrading. That is another 300 machines, or an additional $12,000. According to Microsoft (The Enterprise PC Lifecycle: Seeing the Big Picture for PC Fleet Management), the breakdown of the service is basically $46 (or as high as $375 per PC) including $12 for archiving data, $12 for sanitizing the hard drive, $8 for reloading the operating systems, and $12 to test the PCs. Granted, some of this cost is deferred by the potential resale of these units. However, with older, unsupported OSs, donation is more likely.
To validate these numbers, I spoke with the VP of IT of a well-known health care plan provider. They routinely spent $25,000 on top of the cost to recycle decommissioned machines to ensure the sensitive data that may still reside on hard drives was removed. This company is bound by very strict HIPAA compliance requirements in addition to the mandates of a dozen or more accreditation agencies.
If cost is prohibitive, the other option is to do it yourself. Without getting into soft costs and personnel time, there are two other potential hurdles that make this option complicated. First, it can be a fairly lengthy process. This means a resource has been reassigned from higher value tasks; not to mention the aforementioned daily emergencies. Secondly, it requires a degree of expertise. Every IT pro worth their salt knows simple file deletion or partitioning is insufficient. Companies must take action that will leave no trace of the previous image or data on a device.
Okay, one last thorn. Your company has the will and bandwidth to re-purpose/decommission end-of-lifecycle devices. Now you must invest in a unique software license to run the shredding/removal process. Besides having another SLA to manage, does the product actually make the process easier? Does it use recognized best practices to remove data, sanitize drives and replace old images with an approved, “clean” version? Can it accommodate multiple drives simultaneously (such as in a RAID) without having to break it apart first? And does it allow you to provide certified evidence of data destruction?
It’s almost enough, as one IT pro wrote in a tech forum, “to take a sledge hammer, thermite, and go Office Space on 200 old hard drives. But I have other things to do.”
Whether re-purposing for use in another department, donating, reselling or smashing it to bits with a baseball bat, “wiping” the hard drive is a definitive part of the PC lifecycle. For companies that maintain any sensitive data on the drives (that’s most of them!), it rises to the level of necessity. Companies can reduce the financial impact if their sanitization process is included as a part of another indispensable infrastructure maintenance solution such as configuration or change management. For example, deploy one central solution that handles your entire automated configuration initiative: self-healing restoration, recovery, imaging and patching/updating.
But to make the whole thing effective and worth unifying sanitization with other configuration functions, it has to be fast (at least 10 seconds per gigabyte). It has to be thorough. It must use one of the two recognized destruction techniques: degaussing or making every shred of data permanently unreadable by overwriting it. In terms of repurpose and donation, you can now apply a proper clean and approved image on the “wiped” machine with confidence.
Unification makes a great deal of sense since it leverages other components important to compliance and security. The ability to image/reimage a re-purposed machine without having to expend any more capital is a huge boon. It goes back to that often-repeated CIO mantra: try to do more for less.
Persystent Suite, which currently facilitates restoration, recovery, imaging and patch/update migration capabilities in a single centralized solution, recently added “wipe” functionality to its suite in order to help larger enterprises fulfill compliance mandates related to data security and device control.