7 steps to retiring storage hardware safely and efficiently

1. Evaluate when to retire the storage media

Retiring storage hardware too soon can incur unnecessary costs, but waiting too long can put data and applications at risk. Several factors contribute to determining when to retire storage media. If equipment is failing, it's time for it to go, but often it should be retired before then. For example, a vendor might no longer support a NAS system and has stopped providing software patches and firmware updates, leaving the system open to new security threats.

Enterprise-class storage hardware generally lasts three to five years, although lifespans can vary among products. The vendor's warranty is usually a good indication of what to expect. Workload types and data amounts also play a role. Many drives can run longer than their expected lifespans, but the probability of failure increases with each year. Older drives also take up more space, run less efficiently, require more maintenance and might not meet current performance and security requirements.

2. Plan how to retire and dispose of the storage media

A careful plan is essential for retiring and disposing storage equipment in a way that is efficient and cost-effective, while ensuring data security and adherence to applicable regulations. IT should develop a detailed plan that accounts for the remaining five steps: preparing for retirement and then decommissioning, protecting, sanitizing and disposing the asset.

For each step, the plan should define which tasks the storage team must take on, how it will perform the tasks, who will take them on and how to verify their completion. The plan should also identify each asset the organization is retiring and establish a timetable for retiring and disposing of that asset. Organizations often conduct the planning process in conjunction with their data governance framework, particularly regarding data retention and destruction, as well as any other storage asset management guidelines.

3. Prepare the storage media for retirement

Before decommissioning a storage device, IT should perform a final backup in accordance with internal requirements and data governance policies. The backup protects against the loss of critical and proprietary information, while providing evidence of what was stored on the device before it was decommissioned. IT should verify the backup to ensure the data is viable and secure.

IT teams should also take steps to prepare for decommissioning the media. For example, they might need to deploy new drives, redirect network traffic or reconfigure applications. Some tasks must be carefully orchestrated with the decommissioning process to ensure a smooth transition, while others can be performed in advance to prepare for the transition. If applicable, IT should also cancel any services related to the storage media, such as vendor maintenance contracts, to avoid paying for unnecessary services.

4. Decommission the storage media

This step is often what people are referring to when they talk about retiring storage hardware. It is perhaps the easiest one to carry out. It simply means taking the media offline, which might include disconnecting a system from the network, unplugging it from its power source, removing a drive from a blade server or any other tasks necessary to ensure the media has been removed from the normal workflow. The equipment might stay on site for a bit, but it won't participate in daily operations.

One careless act can result in compromised information and costly penalties.

The main concern with this step is to ensure nothing compromises data once the device has been decommissioned. For example, an administrator might remove a drive and then set it down in a less secure location, putting the device and its data at risk. Any storage asset that is removed from service still requires full security, which is why protecting the media is treated as a separate step.

5. Protect the storage media

It's not uncommon for an IT team to remove a storage device right after it has been decommissioned. They might even move it to a location designated for such devices, such as a storage room within the data center. Or the team might sanitize the device in place and then remove it for disposal. They might even leave it in place and do nothing with it for a while. Regardless of where the device resides or how it's transported, the team must ensure it's protected until it is fully sanitized and destroyed.

It's important to emphasize security at all times to safeguard the data and adhere to compliance regulations. One careless act can result in compromised information and costly penalties. At the same time, IT teams should be wary that this step isn't the last. They might store the media in a secure location and leave it sitting there indefinitely because of uncertainty about proper disposal. Protecting a device after it has been decommissioned should be part of the planning process, along with when it will be sanitized and decommissioned.

6. Sanitize the storage media

Before disposing of a device, IT should first sanitize it to prevent access to sensitive data. SSDs and HDDs should be treated differently, using tools and processes specific to the media type. It's also important to use the right sanitization techniques. Many techniques are costly, time-consuming and less than 100% effective. For example, using magnets to erase data (degaussing) doesn't work for SSDs and can be ineffective on some HDDs. Encrypting a drive and then deleting the encryption key is a popular approach, but the team must be able to ensure that a copy of the encryption key doesn't exist elsewhere and that the drive remains properly encrypted.

When deciding how to sanitize storage media, the IT team should evaluate sanitization techniques to determine the best approach for its media. This decision should be made during the planning stage. Any processes, tools and services used should adhere to the highest standards and be industry-certified where applicable. Guidance on standards and certifications is available from organizations such as the National Institute of Standards and Technology, which provides guidelines for media sanitation. The IT team should also have a way to verify and certify the sanitization.

7. Dispose of the storage media

Disposing of storage hardware can mean donating it, selling it, returning it to the vendor, recommissioning it or destroying it. The approach will depend on the data's sensitivity, how the device will be sanitized and whether it's an SSD or HDD. If an IT team can guarantee the drive never stored sensitive data and isn't subject to compliance regulations, the team has more flexibility with its disposal. If the drive stored highly sensitive data, destroying it might be the safest option. The specific circumstances will determine the best strategy.

An IT team that decides to destroy a device can do it itself or hire an outside firm to destroy it, either on or off site. HDDs are easier to destroy than SSDs, but in either case, an organization must ensure it's done properly.

If using an outside firm, the team should verify the company is certified in IT asset disposal and that it uses proper destruction techniques. For example, if the firm doesn't use the right size shredder to destroy an SSD, fragments of data could survive the destruction process. The team must also ensure it can provide an audit trail that shows the device's destruction.