How to decommission a data center: A step-by-step guide
Follow this step-by-step guide on decommissioning a data center, covering planning, inventory management, data security, and compliance to maximize recovery value.
A confluence of factors is compelling C-suite leaders to reconsider their on-premises data centers. In addition to growing reliance on cloud services, IT consolidation and increasing Capex demands for new equipment, the reasons for decommissioning can be as simple as business relocation or cost reductions.
Once the decision is made, decommissioning requires a multifaceted approach that involves planning, inventory assessments, hardware and data disposal, regulatory compliance and thorough documentation. Best practices remain essential, including adhering to data destruction standards, coordinating between migration teams and complying with environmental regulations.
This article explores the critical elements of data center decommissioning and provides a step-by-step guide to maximize recovery value while meeting regulatory standards.
Taking control of planning, inventory and data security
Data center decommissioning involves the controlled shutdown and removal of IT infrastructure from a designated facility. C-suite and IT leaders often have different reasons for making the decision, including consolidating multiple compute resources into a single data center to cut costs, expanding the cloud presence or upgrading aging infrastructure with modern equipment.
Decommissioning a data center may not seem relevant in the age of AI and the rapid expansion of data center construction. However, hyperscale data centers are becoming more popular than standard data centers. Synergy Research Group projects that on-premises data center capacity will fall to as little as 30% by 2027. Administrators and C-suite personnel must understand how to properly decommission a data center if faced with this decision.
Planning
Preplanning can avoid serious downtimes and mitigate service disruptions, and thorough goal planning more accurately projects decommissioning costs and timelines. These variables depend on data center size, equipment volume, data sensitivity and, where applicable, asset remarketing. Preplanning also involves network scans to determine which systems are in use, interviewing application owners to uncover dependencies, understanding environmental liabilities and regulations, and projecting appropriate timelines.
A well-developed timeline should include milestones for each step along with contingency plans for unexpected issues, such as equipment failures, unaccounted-for dependencies or data recovery challenges.
Cross-functional teams that will guide the process include IT administrators, facilities personnel, security personnel and project management personnel. However, coordination between teams can often become a sticking point and require more effort than expected.
Inventory
Documenting all hardware, software and network components in the data center will provide a comprehensive inventory. This summary not only provides a blueprint detailing the relationships among racks, servers and drives, but also charts the movement of assets to other locations. Discovery reports can help avoid future headaches by providing a clear record of server components and drive attributes, based on CPUs, memory modules and serial numbers to corroborate inventory lists. These records also provide a visual map of network connections, storage systems and applications.
In some instances, organizations may want to resell equipment. Value assessments are based on the condition and resale potential of hardware, as well as whether devices such as servers, storage arrays and network switches can be reused or recycled. Resale values can vary dramatically based on equipment type and age. Organizations can also partner with IT asset disposition companies for resale or recycling.
For example, servers purchased within the last two years offer high resale numbers, while middle-aged servers, four to six years old, can still offer potential, and servers older than seven years have recycling value in the metals and components that can be recovered. In complex decommissions, detailed documentation with records of serial numbers and condition will help track valuable equipment and designate older equipment for recycling or devices for destruction to avoid the loss or exposure of sensitive information.
Data security
Data handling is both high-risk and closely regulated. Penalties include regulatory fines for mishandling, breach notification costs, litigation expenses and possible brand damage from data exposure or theft. For data that will be preserved, cloud services or a colocation facility provide safe, interim environments. Data that will be destroyed must follow the NIST 800-88 data sanitization standard, including multi-pass overwriting that renders data forensically unrecoverable -- this is performed on-site or by a recognized provider.
Storage devices designated for shredding should be reduced to pieces small enough that any recovery is impossible. The required certificates of destruction attest to the procedure date, including device serial numbers and, if using an external service, the regulated provider responsible for the procedure.
To preserve data, the 3-2-1 backup principle ensures that all sensitive data is adequately backed up and secured. The process stipulates maintaining three copies locally, with one backup connected to the production network and one copy stored in a secure off-site facility.
Certificates are also required to meet compliance audits and to demonstrate due diligence. NAID AAA certification is an internationally recognized accreditation for data destruction service providers. Organizations can use these providers with confidence that they comply with regulatory requirements and provide comprehensive security for asset management. Compliance standards, such as GDPR, HIPAA and ISO 27001, cover the E.U., the U.S. healthcare system and the IT sector, respectively. Each one has its own security requirements, but overall, they stipulate a clear chain of custody, legal certificates of destruction, and verifications that the targeted data is unrecoverable.
Steps to manage hardware
Decommissioning hardware requires rigorous asset tracking to prevent equipment loss, misplacement or unaccounted-for transfers.
Before moving, a detailed asset inventory should include all servers, storage devices and networking equipment. Functioning as a critical record, the inventory provides a blueprint of all relationships among racks, servers and drives, and will be useful for uncovering discrepancies between discovered assets and the established inventory list. Organizations can also employ external chain-of-custody management firms that offer secure transportation and automated tracking of all assets.
Systematically removing servers and network equipment from the top of a rack to the bottom will help ensure stability. However, the weight of storage arrays can be substantial, and loading docks, moving dollies and forklifts should be arranged in advance. Cabling removal can also be complicated. In addition to coordinating access to restricted facility areas, removal typically involves overhead cable trays, underfloor cables and wall-mounted cable management, all of which need to be removed to restore a facility to its original condition.
When choosing to recycle equipment, R2 (Responsible Recycling) or e-Stewards certifications ensure that rejected hardware is handled responsibly. These standards prohibit landfill disposal and adhere to established protocols for handling hazardous materials, preventing export to countries without e-cycling infrastructure. For C-suite and IT leaders who prioritize sustainability, these recognized environmental certifications are essential to ensure proper disposal and recycling.
Facility decommissioning
Maintaining business continuity during a decommission requires advance planning to avoid service disruptions. Detailed runbooks help document system-wide dependencies and the shutdown order. Administrators and IT teams use these step-by-step guides to determine the status of workload migrations and to perform the tests necessary to safely power down infrastructure without causing widespread impacts.
In contrast to a total decommissioning, where the entire facility is shut down at once, some organizations keep minimal systems running for a certain period -- typically 30 to 60 days. Administrators can use this "pilot light" approach to ensure that all decommission steps were followed or to determine whether any assets were overlooked. Once they've disconnected utilities, shut off power and ensured all connections are safely terminated, organizations need to restore the facility to its original condition, repairing any damage caused during decommissioning.
Post-decommissioning steps
Once a data center has been decommissioned, administrators and IT leaders should undertake a final audit to ensure all equipment and data have been accounted for. For example, it's common to assume that deleting data or formatting hard drives is all that's needed to destroy data. However, using specialized software that passes Test Level 2 of the Asset Disposal and Information Security Alliance Threat Matrix will ensure that all hardware has been thoroughly sanitized and no sensitive data remains on decommissioned systems.
Conducting a post-decommissioning review will identify areas for improvement and lessons learned to inform future IT strategy. Moreover, every step of the decommissioning process produces documentation. Safeguarding these records is critical, as they include asset inventories, data destruction certificates, recycling documents and chain-of-custody logs. A final walk-through will help to confirm that the facility is left in good condition and that no assets are left behind. Following these critical steps will ensure a smooth transition to the next IT deployment phase.
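The final audit described above, together with the earlier points on inventory discrepancies and certificates of destruction, can be run as a serial-number reconciliation. The following is an added example, not part of the original article: the record fields, the `holds_data` flag and all sample serials and the provider name are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Asset:
    serial: str
    kind: str
    holds_data: bool              # assumption: flag set during inventory

@dataclass(frozen=True)
class Certificate:
    serial: str
    procedure_date: Optional[date]
    provider: str = ""            # empty when sanitization was done on-site

def norm(serial: str) -> str:
    # Labels and scanner exports often differ in case and padding.
    return serial.strip().upper()

def reconcile(inventory, discovered, certificates, audit_date):
    """Compare the inventory list, discovery results and destruction certificates."""
    inv = {norm(a.serial): a for a in inventory}
    certs = {norm(c.serial): c for c in certificates}
    inv_serials, cert_serials = set(inv), set(certs)
    found = {norm(s) for s in discovered}
    need_cert = {s for s, a in inv.items() if a.holds_data}
    bad_date = {s for s, c in certs.items()
                if c.procedure_date is None or c.procedure_date > audit_date}
    return {
        "inventoried_not_discovered": sorted(inv_serials - found),
        "discovered_not_inventoried": sorted(found - inv_serials),
        "data_bearing_without_certificate": sorted(need_cert - cert_serials),
        "certificate_for_unknown_serial": sorted(cert_serials - inv_serials),
        "certificate_date_invalid": sorted(bad_date),
    }

# Constructed sample records for illustration only.
INVENTORY = [Asset("SRV-0001", "server", False), Asset("HDD-1001", "drive", True),
             Asset("HDD-1002", "drive", True), Asset("SW-0301", "switch", False)]
DISCOVERED = ["srv-0001", " HDD-1001", "HDD-1002", "HDD-1999"]
CERTIFICATES = [Certificate("hdd-1001", date(2025, 3, 4), "Example ITAD Co."),
                Certificate("HDD-7777", date(2025, 3, 4), "Example ITAD Co.")]

def audit_sample():
    return reconcile(INVENTORY, DISCOVERED, CERTIFICATES, date(2025, 3, 31))

if __name__ == "__main__":
    for finding, serials in audit_sample().items():
        print(f"{finding}: {serials or 'none'}")
```

Any non-empty finding is an item to resolve before the audit is closed: a drive without a certificate, or a certificate whose serial matches nothing in the inventory, is a break in the chain of custody.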
Final takeaway
A structured approach to data center decommissioning demonstrates the benefits of planning and implementing a measured strategy. Administrators and IT teams should conduct a final review to evaluate success and shortcomings. In addition to identifying lessons learned and areas for improvement, IT leaders should incorporate these insights into future strategies and develop a plan for regular reviews and updates.
Just as the data center decommissioning process requires detailed planning, so too does the next phase of ensuring that the IT infrastructure can continue to support business goals. By following these critical steps, C-suite leaders can benefit from the effective management of decommissioning and its aftermath.
Kerry Doyle writes about technology for a variety of publications and platforms. His current focus is on issues relevant to IT and enterprise leaders across a range of topics, from nanotech and cloud to distributed services and AI.