The importance of managing Return Merchandise Authorisations

01 September 2015 by Milagros Gamero

Imagine a perfect data centre world where disk drives never failed or needed to be replaced.  A world where even if drives came to the end of their useful life they could be simply swapped out and replaced with new ones.

Unfortunately for anyone managing a data centre, life is just not like that.  Drives’ purpose in life is to store data, which means that until they are properly dealt with they pose a huge risk to organisations in terms of regulatory compliance, client confidentiality and data breach.

In a now notorious case, the Information Commissioner’s Office (ICO) proposed a fine of £375,000 should be levied on Brighton and Sussex University Hospitals NHS Trust when a number of hard drives containing confidential patient information were stolen. 

The drives were reportedly in the decommission phase, meaning that they could be wiped clean and reused.  However, instead of being returned to the OEM for recommissioning, they were diverted to eBay for sale before being retrieved by the Trust and the police.

Meeting regulatory requirements

As well as being aware of the financial and regulatory risks involved in misplacing corporate disk drives, it’s important to recognise that there is an international standards organisation (ISO) standard governing information security called ISO 27001.  Part of this standard involves carrying out a risk assessment to check where breaches could occur in the organisation and taking preventative steps.

In the case of disk drives, one clear place to start is with Return Merchandise Authorisation (RMA).  This is the process whereby organisations return disk drives to the OEM either when they fail but are under warranty or come to the end of their lifecycle and is due to be replaced.

Under the terms of their security policy, organisations managing the RMA process can be loath to send drives and their data outside of the building.  As a result, drives are stockpiled, given to a third party for decommissioning or wiped using often expensive or ineffective software tools. 

All three of these scenarios create new potential security risks for the organisation.  But the first one also causes headaches for the disk drive OEMs, since they are missing out on receiving hardware for recommissioning, reuse or at the very least scrap value.

The proliferation of drives in data centres

RMA should be part of the day to day data centre and information management process.  However, we are aware that non-return of disks is a growing problem, partly because the number of disk drives within data centres is proliferating and partly because the range of different drive technologies and encryption types is expanding.

This puts pressure on busy IT teams who need to fit RMA into the processes involved in keeping the technology lights on as well as developing new systems for the business. 

Most break/fix agreements mean that a drive will be swapped out in a matter of hours when it fails, creating an ongoing stream of disks that need to be managed through secure erasure and RMA.  An estimated 2% of drives are replaced annually, while the introduction of new technology platforms creates even more problems at the decommissioning stage.

The sheer time involved in managing this process can be prohibitive in itself.  In a recent job managed by our engineers, it took a whole month just to erase the data from 2,000 drives.

How to operate in an imperfect world

So what is the answer for organisations operating data centres in this not so perfect world?  From what we see with our customers, all organisations have a data erasure approach in place as part of their information management strategy, but for reasons outlined above this tends to be the quickest and easiest route, rather than the most effective.

In-house data erasure using a reliable appliance means that the transportation of disks back into the supply chain is safe and secure.  An appliance can also provide relevant information such as serial number, make and model so that organisations can prove compliance as well as maintain rigorous standards.

Load more comments
Thank you for the comment! Your comment must be approved first

New code