Assets to ashes, data to dust – Gartner's Rob Schafer on legacy systems

29 November 2016

With any digital transformation project comes the need to dispose of obsolete legacy systems. But IT asset disposition that protects data, the environment and all-important brand reputation, while ensuring value for money, is far from an easy task. Sarah Williams speaks to Rob Schafer, research director at Gartner, about identifying and avoiding its many pitfalls.

Reputational damage, weakened security and litigation from affected employees would follow, but as details of a major security breach at Coca-Cola first emerged in January 2014, the gravity of the situation and the simplicity of its cause were distinctly at odds. The personal data of up to 74,000 employees was at risk, news reports revealed, including driver’s licence details and social security numbers. But the data had slipped from Coca-Cola’s clutches not as the result of a complex and unforeseen cyberattack, but because a number of laptops were stolen from its Atlanta headquarters by a former employee whose role, a company spokesperson revealed, had involved the disposal of equipment.

The incident stands as a potent reminder of the old maxim: a chain is only as strong as its weakest link. In IT asset management (ITAM) that chain extends not simply to the end of life of a machine, network or drive, but to what happens next: where does it go, how is data sanitised, how is each step of that process monitored and who is responsible?

It’s an awareness that should be at the forefront of a CTO’s agenda as banks and businesses continue to refresh IT equipment, undertaking the enormous task of replacing and – crucially – disposing of legacy systems.

According to Rob Schafer, research director at Gartner, getting IT asset disposition (ITAD) right relies on first recognising what he calls the “two big buckets of risk”. The first – as Coca-Cola learned to its detriment – is data security, while the second relates to improper environmental recycling. However, both principally concern reputational damage.

“If these assets end up in a landfill somewhere in Africa, the serial numbers can easily be traced to whoever used those assets, and then you end up in the press,” Schafer explains. “Or, on the data security point, if the proverbial 0.5TB drive falls off the truck and is not encrypted, all of a sudden your customer data or your healthcare data is on the internet for sale.

“Certainly, you want to know that your service supplier is giving you good value for money, but if your brand ends up in the press, that can do incalculable harm and, really, there’s no price on that.”

Mitigating these risks as best as possible requires an overview of the ITAD process and a careful management of the chain of custody through which assets pass.

Meeting the various regulatory frameworks in place in each country can itself be a complex task and, where available, certified companies can provide a good starting point. On the environmental side, non-profit organisation SERI audits its own R2 electronics recycling standards, with 600 certified facilities across 21 countries, while the Basel Action Network (BAN) implements the e-Stewards standard in North America.

Data sanitisation standards are also governed through a handful of independent schemes, including ADISA in the UK, and NAID, a worldwide but North-America-centric organisation.

End to end

As the end state of ITAM, the ITAD process starts as soon as a decision is made to replace and decommission an asset. For most companies, such assets are not removed immediately, but instead stored for quarterly or biannual disposition.

This means, Schafer says, that the storage of those assets in the period before removal and data sanitisation takes place is also vital; they must be safely locked away so that unauthorised employees cannot access them.

What happens next naturally depends on the location, budget, regulatory and security requirements of the company in question, as well as the age and potential onward value of the assets concerned. At one end of the spectrum is a paradigm that Schafer likes to refer to as “Joe and his truck”: the cheap provider that promises to ‘take care’ of the disposal with no questions asked. Needless to say, it’s not an approach that guarantees compliance with the necessary regulation or the safety of brand reputation.

“One extreme would be that your ITAD service supplier hires a furniture transporter and throws your IT equipment in with a whole bunch of furniture, makes 11 stops between you and the facility, and you’re lucky if you know that 98% gets there,” Schafer explains. “That’s one extreme. The other is what we call point to point, where the truck is sealed at your location and it goes straight to the facility, and it only unseals when it arrives there.”

Encryption of assets before they leave the site can offer further protection in the scenario of loss or theft en route to the ITAD facility, but Schafer says that a third option – on-site data sanitisation – is often deemed the most appropriate for very data-sensitive industries such as healthcare and finance. Even with encryption followed by point-to-point sealed delivery, the risk of an asset falling into the wrong hands is perceived as too great to trust the chain of custody beyond the company’s own premises, and so on-site data sanitisation by a reliable supplier makes a great deal of sense.

How that data is sanitised, though, is another quandary. One of the simplest solutions, data wiping software (such as Blancco or ITRenew’s teraware), allows IT managers to remove data from hard drives locally before they are picked up and conveyed for resale or disposal.

“If you do the wiping on site then you don’t have to worry about your chain of custody as much,” Schafer says. “But there are people who say, ‘I don’t believe in wiping drives; the data is just too valuable to our brand – we are going to crush the drives’. Again, it comes back to the brand risk.”


Crushing drives may provide the most sure-fire method of sanitisation, but it’s certainly not the most cost-effective, and as banks and businesses strive to operate within tighter margins, it’s not an inconsiderable factor.

Not only is crushing more expensive to carry out in the first place, but it also comes close to erasing the residual value of the asset at hand, pivotal in determining whether companies should expect to receive or hand over a cheque when commissioning an ITAD supplier. Selling an item with a crushed drive requires either substitution with a second-hand replacement, or reducing the asset down to its component parts (a process known as demanufacture) or even to its base metals. These factors affect the return the ITAD supplier can obtain from resale, and hence the quote they will give their client.

If you do the wiping on site then you don’t have to worry about your chain of custody as much.

For low-value assets such as five to six-year-old PC desktops or laptops, demanufacture may be the best course of action in any case, but the lost value of a crushed hard drive could have a greater financial impact on the highest-value assets. In general, these are complete, well-maintained PC desktops and laptops that are no more than three or four years old.

Exceptions exist, however, with networking equipment having a longer useful life and value in the marketplace. What’s more, Schafer reveals, there is a growing awareness from manufacturers for the need for simpler end-of-life turnaround, designing in easy demanufacture and recycling from the outset.

Smartphone technology also offers a greater return because handsets tend to be available for disposition after a year or two and, unlike PCs, are easily shipped around the world in bulk. Unsurprisingly, though, assets that are also easily lost or retained when an employee leaves service, present their own challenge when it comes to data sanitisation.

With Gartner reporting that smartphone sales for 2015 reached 1.4 billion units, these are data carriers on a huge scale, and the imprint of smartphone-borne data at one company can be therefore be sizeable.

While much of this can be wiped remotely, the problem is further complicated in the case of bring-your-own-device (BYOD), Schafer says, where employees may be using personal phones or tablets in a work context. Here, a robust selective data sanitisation programme is required.

Even with company-owned PCs and desktop laptops, though, the problem of ensuring each and every asset is accounted for during ITAD can be complicated by the global nature of today’s institutions. It’s an issue that Schafer believes executives should be more concerned about.

“In my humble opinion, there are an awful lot of executives out there, overseeing very large organisations, who are sleeping too well at night,” he says. “When asked about their ITAD process, they tell people, ‘Yeah, we’ve got that hammered; our ITAM process flows seamlessly into disposition and everybody’s happy’.

“That process at a high level might look very good, but there are often many challenges. You can say [to IT managers] ‘Thou shalt use a large IT asset disposition supplier all around the world’, but then you have somebody local in Azerbaijan or wherever who has been using his brother-in-law or ‘Joe and his truck’ because he’s low cost and he’s never had a problem with him, or he didn’t get the memo. And the problem is that 99.9% using your great process isn’t good enough, because that 0.5TB drive that falls off Joe’s truck is just as at risk as if it had happened in the US or the UK, or anywhere else.”

The great inspection

Carrying out regular inspections of the facilities of any chosen ITAD supplier – or choosing suppliers accredited by regular audits – is advisable but such due diligence only converts to strength if all offices in a company’s global footprint are monitored to ensure the designated process and supplier really are being implemented.

There is an end-of-life challenge in finding and disposing of all these data-bearing things, throughout your enterprise and globally, and don’t underestimate the challenge of doing that.

The scale of such an overview takes on an even greater enormity in the face of what Schafer sees as the next big challenge, what he refers to as IoTAD.

“We [Gartner] are projecting that by 2020 there are going to be over 21 billion devices installed, between cars and soda machines, all connected to the internet. That means your data can be anywhere. An awful lot of these are dumb devices that don’t store data, but of the 21 billion you’re going to find increasing numbers that have residual cache that might need to be cleaned.

“So there is an end-of-life challenge in finding and disposing of all these data-bearing things, throughout your enterprise and globally, and don’t underestimate the challenge of doing that.”

Schafer’s warning is particularly significant in the wake of recent high-profile cyberattacks targeting internet-connected devices. French television channel TV5Monde fell victim to such a strike in April, while clients of internet infrastructure company Dyn (including Spotify, Netflix and Twitter) were impacted in October.

But while the growing prevalence of hacking has raised awareness of the need for robust corporate cybersecurity, it does not appear – as Schafer hoped it might – to have raised the profile of the data security aspect of ITAD. In fact, his sense is rather that the drive to shore up firewalls is actually seeing resources redirected away from ITAD.

“Certainly, you have to be laser-focused on cybersecurity and hacking; it is top priority at the board and CEO level,” he says. “But my point here is that, yes that’s all well and good, but don’t take your eye off ensuring that your end-of-life process is strong as well.”

Research director at Gartner Rob Schafer.