The Demise of the Internal Datacenter and Consequential Risks

Recently, I happened upon a short article about the demise of internal data centers in favor of cloud services. The article, by John Delaney, appeared on page 28 of the May 2020 edition of the Communications of the ACM, and has the title “The Shuttering of Corporate Datacenters.” The article quotes a Gartner forecast that “80% of enterprises will have shut down their datacenters by 2025.” The article quotes an Oracle prediction that “80% of enterprise workloads will move to the cloud by 2025.” At least Gartner and Oracle come up with similar predictions.

The article appears to be somewhat biased in its reporting of datacenter decommissioning and data erasure services. This may well be due to the fact that the article is mostly based on an interview with someone from an organization that provides such services. While I agree that much of what is said is relevant and suitable for the tasks at hand, the article does not mention other options, such as the degaussing of magnetic media. As a member of the BITS Security and Risk Assessment Working Group, I contributed to an April 2006 report, BITS Key Considerations for Securing Data in Storage and Transport: Securing Physical Media in Storage, Transport, and for Data Erasure and Destruction, which is a somewhat convoluted and confusing title. We covered a whole range of possible approaches to securing and destroying physical media and the data contained therein. Unfortunately, I was not able to find an archived version of the report on the Web. However, as I recall, degaussing was a significant method since it removes all data resident on magnetic media. The degaussed media cannot be reused and the method does not work on optical data media, but degaussing is an effective, quick and relatively inexpensive method. There is one proviso, however, and that is that those with pacemakers are advised to stay at a fair distance from the machine. The warning label on the equipment caused some anxiety even among non-pacemaker operators.

The bottom line is that we need to be aware that the decommissioning of datacenters and the movement of computer processing to the cloud create issues relating to ensuring that sensitive data are erased using reliable techniques. Yet there are much greater issues when it comes to decommissioning applications and erasing their respective data that have been moved to, and now reside in, the cloud. With the common practice whereby cloud service providers replicate systems and data across many of their datacenter locations, the problem with ensuring that all programs and data have been eliminated is orders of magnitude greater than with traditional in-house datacenters. I would doubt that many of those moving their systems to the cloud fully account for what it will take to terminate those systems and cleanse the cloud service providers’ systems of all traces of the applications and data associated with that decommissioning.

Unfortunately, it is all too common to concentrate on the going-in issues and not spend enough effort on what needs to be done when contracts expire or are otherwise terminated. With the huge movement of datacenter services from organizations to the cloud, it pays to come up with an exit strategy ahead of time. That will save a lot of aggravation when it happens.

*** This is a Security Bloggers Network syndicated blog authored by C. Warren Axelrod.