Bad times force IT to deal with orphaned hardware, software

Mounting corporate layoffs are causing unused PCs and software licenses to pile up.

Pat Beemer, the IT director at Seattle Lighting Fixture Co., has a lot of orphaned computer hardware and unused software licenses on his hands — the result of what he called "serious" layoffs at the company in recent months.

"Some of these PCs had sensitive data on them," Beemer said. "We're scratching our heads [over] what to do with them." He added that the company is working with software vendors to renegotiate licenses for products that are being taken out of service either temporarily or permanently.

The Seattle-based retailer has plenty of company dealing with orphaned hardware and expensive unused software licenses.

The troubled economy has forced many companies to lay off substantial numbers of workers, leaving countless desktop computers, laptops, handheld devices and even large servers — often holding sensitive corporate data — gathering dust in vacant cubicles or in stockrooms. And in many of those cases, companies are still paying monthly or annual license fees for software installed on the unused machines, analysts said.

There are processes that can be implemented to effectively deal with those issues, analysts say, but such projects become much more difficult with the loss of experienced workers.

Employment numbers released by the U.S. Bureau of Labor Statistics show that companies will probably be dealing with the problem of orphaned IT products for quite some time. The bureau reported that nonfarm employment fell by 651,000 in February, 655,000 in January and 681,000 in December. And from December 2007, when the recession began, through February 2009, 4.4 million people lost their jobs, the BLS said.

"Let's say half of those [laid off] are knowledge workers," said Forrester Research Inc. analyst Peter O'Neill. "A knowledge worker usually has a copy of Microsoft Office, so you can make a direct correlation" between the number of layoffs at a company and the number of software licenses outstanding.

The soon-to-be-released results of a software budget survey Forrester conducted between December 2008 and February 2009 show that more than one in five businesses that audited their software over the past year are paying for at least some unused software, or shelfware.

At the same time, the Forrester survey of 776 U.S., European and Asian companies found that only 35% of the respondents were using a third-party firm to audit software licenses, so the percentage of companies with unused software is likely even higher.

O'Neill said that the survey also found that, on average, 15% of corporate software maintenance payments are for licensed shelfware.

"At the end of the day, I'd say almost every company ... [has] shelfware," said O'Neill, who is based in Germany. "I've seen it in Europe even more dramatically. Many companies have no comprehensive, well-documented end-of-life program for hardware and software."

He called the lack of such programs "a business oversight now coming to light as the recession deepens."

Seattle Lighting, which has retail stores in nine locations in the Pacific Northwest, has just begun to look at how it will implement an end-of-life policy for hardware, according to Beemer.

Most of the company's sensitive data resides on centralized servers, and for hardware without a home, "most likely, we'll run an eraser tool on hard drives," he said.

Software Options

O'Neill suggested that companies may have an easier time solving the software licensing problem, because vendors that would never have considered renegotiating a software contract two years ago have softened and are now likely to rework deals to keep customers.

"This year especially, [software vendors] are highly dependent on maintenance ... and that's dependent on the relationship with customers," he said. "Even Microsoft these days probably doesn't feel that safe."

Beemer said that hundreds of Seattle Lighting's software licenses have been orphaned because of the layoffs there.

"We're aggressively asking our vendors for renegotiations," he said. "In some cases they do, but others won't. That goes across the board for the enterprise in general, including lease negotiations."

Simson Garfinkel, an associate computer science professor at the Naval Postgraduate School in Monterey, Calif., suggested that a long-term solution to the licensing issue would be to start migrating to open-source software. Open-source software would "render this issue moot," he said.

One option for orphaned hardware is to ship it to computer recycling companies, though experts caution that that path could lead to some unforeseen security risks.

For example, Angie Keating, vice president of compliance and security at Reclamere Inc., a Tyrone, Pa.-based IT asset management company, noted that customers are increasingly sending Reclamere hard disk drives that hold sensitive corporate data. In fact, she said that about eight of 10 computers sent to Reclamere still contain hard drives that were supposed to have been removed.

The poor economy has proved to be a boon to Reclamere's business, Keating noted. "Trucks are booked. Schedules are tight," she said.

A Sensitive Issue

The increase in the number of drives with sensitive data that Reclamere is receiving could be traced to workforce cuts at customer companies. Often, such cutbacks include the people who had been responsible for making sure that systems were ready for recycling.

Keating added that the economic climate is probably making sensitive data from struggling and failed companies readily available in a variety of ways. "In some cases, those companies have gone bankrupt; the data is literally just sitting out there, probably sitting on eBay," Keating said. "It is very frightening to me as a consumer, a mom, a health care patient. Everybody's data is out there."

Kessler International, a New York-based computer forensics company, reported last month that 40% of the hard disk drives it recently bought in bulk orders on eBay Inc.'s online auction site contained sensitive information.

Keating recommended that companies have three things in place to ensure that data is properly destroyed: a thoroughly documented process, a strong quality-control program, and solid follow-up documentation about what was done to orphaned equipment and who did it.

"If you have, say, 500 machines — and that's a small number — coming out of service, and you've got them stacked up, how do you know which ones have been processed and which haven't if you don't have a quality control program?" she said.

Garfinkel agreed that an end-of-life program must include strong documentation policies. He asserted that dealing with orphaned hardware doesn't require expensive or complex technologies.

"A lot of people say that it's technically difficult or even impossible to overwrite the contents of a hard drive," Garfinkel said. "This is not true."

He said that open-source software, such as Darik's Boot and Nuke, or DBAN, "does a great job." Once the data is overwritten using such tools, Garfinkel said, companies should "track which drives you have erased and which you have not."

He added that an easier option is "to just punch a hole through each hard drive."

Laura DeBois, an analyst at IDC, said other options include encrypting a drive and throwing away the encryption key, or electronically "shredding" data by overwriting it using hard-drive-wiping software that's been approved by the U.S. Department of Defense or the National Institute of Standards and Technology.

Another option is to simply keep the hardware in a secure warehouse until better economic times roll around, DeBois added.
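The tracking that Keating and Garfinkel call for above amounts to reconciling the list of retired drives against a log of what was done to each one and by whom. The sketch below is an added example, not part of the original article or any vendor's tool; the serial numbers, asset tags, operator names, field names and the rule that a second person must verify each wipe are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class WipeRecord:
    serial: str                  # drive serial number
    method: str                  # "overwrite", "crypto-erase" or "physical"
    operator: Optional[str]      # who performed the sanitization
    verified_by: Optional[str]   # who performed the quality-control check

def reconcile(inventory, records):
    """Sort every retired drive into done / needs_qc / unprocessed.

    inventory maps drive serial -> asset tag of the machine it came from.
    A drive counts as done only when a record names both an operator and
    a different verifier (assumed QC rule). Records for serials that are
    not in the inventory are reported as unknown, since they point to a
    gap in the retirement list itself.
    """
    by_serial = {}
    for rec in records:
        by_serial.setdefault(rec.serial, []).append(rec)

    report = {"done": [], "needs_qc": [], "unprocessed": [], "unknown": []}
    for serial in sorted(inventory):
        recs = by_serial.get(serial, [])
        if not recs:
            report["unprocessed"].append(serial)
        elif any(r.operator and r.verified_by and r.operator != r.verified_by
                 for r in recs):
            report["done"].append(serial)
        else:
            report["needs_qc"].append(serial)
    report["unknown"] = sorted(set(by_serial) - set(inventory))
    return report

# Constructed sample data: four retired drives and the wipe log so far.
INVENTORY = {"SN-A001": "PC-0101", "SN-A002": "PC-0102",
             "SN-A003": "LT-0207", "SN-A004": "SRV-0003"}
RECORDS = [
    WipeRecord("SN-A001", "overwrite", "jlee", "mkhan"),
    WipeRecord("SN-A002", "overwrite", "jlee", None),     # never checked
    WipeRecord("SN-A003", "physical", "jlee", "jlee"),    # self-verified
    WipeRecord("SN-Z999", "overwrite", "mkhan", "jlee"),  # not in inventory
]

if __name__ == "__main__":
    for status, serials in reconcile(INVENTORY, RECORDS).items():
        print(f"{status:12} {serials}")
```

Only drives in the done list are ready to leave the building under this rule; everything else stays in the secured stack until its record is complete.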

This version of the story originally appeared in Computerworld's print edition.

Copyright © 2009 IDG Communications, Inc.