The Complexity of Shared Infrastructure Disposal

Multi-tenant IT environments, where multiple organisations or business units share physical infrastructure, create unique data destruction challenges. Co-location facilities, shared office spaces, managed service provider platforms, and multi-tenant cloud infrastructure all involve equipment that has stored data from multiple parties. When this equipment reaches end of life, ensuring that every tenant’s data is properly destroyed requires coordination and rigour beyond what single-tenant disposal demands.

The fundamental challenge is that shared equipment may contain intermingled data from organisations that have no relationship with each other. A shared server in a managed hosting environment might have hosted websites, databases, and applications for dozens of different businesses over its lifetime. A co-working space’s shared printer has processed documents from every tenant in the building. Each of these data remnants must be addressed during disposal.

Types of Multi-Tenant Environments

Co-location data centres host equipment owned by different organisations in a shared facility. While each tenant typically owns their own servers and storage, shared infrastructure such as network switches, load balancers, and storage area networks may process data from multiple tenants. When the facility operator decommissions shared infrastructure, data from all tenants must be accounted for.

Managed service providers (MSPs) operate IT infrastructure on behalf of multiple clients. Servers, storage arrays, and networking equipment owned by the MSP store and process data from all their clients. When the MSP refreshes hardware or a client leaves the service, the shared nature of the equipment complicates data destruction.

Co-working spaces and serviced offices provide shared IT infrastructure including Wi-Fi networks, printers, meeting room equipment, and sometimes shared workstations. Data from every tenant passes through these shared systems, and when equipment is replaced or the space is reconfigured, the data from departed tenants may still be present.

Multi-department organisations with shared IT infrastructure face similar challenges internally. A shared file server, print server, or application server that has been used by multiple departments accumulates data from each one, creating complex disposal requirements when the server is decommissioned.

Shared responsibility: In multi-tenant environments, data destruction is a shared responsibility between the infrastructure owner and the tenants. Clear agreements about who is responsible for what, established before equipment reaches end of life, prevent gaps in the destruction process.

Contractual Frameworks for Multi-Tenant Disposal

Service agreements between infrastructure providers and tenants should include specific provisions about data handling at end of life. These provisions should address what happens to tenant data when shared equipment is decommissioned, the standard of data destruction that will be applied, who bears the cost of data destruction, what documentation and certificates will be provided, and the timeline for destruction after equipment is taken out of service.

For tenants of managed services, the service agreement should specify what happens to data when the tenant leaves the service. The departing tenant should receive confirmation that their data has been removed from all shared equipment, including backup systems, before the relationship concludes.

For co-location tenants who own their equipment but share facility infrastructure, the co-location agreement should address the disposal of shared networking equipment, facility management systems, and any other infrastructure that processes tenant data.

Technical Challenges of Multi-Tenant Data Destruction

The primary technical challenge is ensuring complete data removal for one tenant without affecting the data of other tenants who are still using the shared equipment. On a server that hosts virtual machines for multiple clients, decommissioning one client’s VMs must include secure deletion of all associated virtual disk files, snapshots, and backup data without disrupting the remaining clients’ operations.

Storage area networks (SANs) that serve multiple tenants allocate storage volumes (LUNs) to different clients. When a client’s LUNs are no longer needed, they should be sanitised in line with NIST SP 800-88 before the storage space is reallocated to another tenant. Simply deleting the LUN configuration does not remove the underlying data from the physical disks.

When shared equipment is being fully decommissioned rather than having a single tenant removed, every drive in the system must be sanitised. For storage arrays with dozens or hundreds of drives, this requires a systematic approach to ensure no drive is missed. Each drive should be individually processed and documented.
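One way to make the per-drive check systematic is to reconcile the array's drive inventory against the sanitisation records returned after processing. The sketch below is an added example, not part of the original article or any provider's tooling; the CSV column names, serial numbers and tenant names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory: one row per physical drive, with the tenants
# whose volumes were ever placed on it (hypothetical columns).
INVENTORY_CSV = """serial,bay,tenants
ZX01A,0,acme;globex
ZX01B,1,acme
ZX01C,2,globex;initech
ZX01D,3,umbrella
"""

# Constructed sanitisation log, as a disposal vendor might return it.
SANITISATION_CSV = """serial,method,verified
ZX01A,purge,yes
ZX01B,purge,no
ZX01D,purge,yes
ZX01D,purge,yes
ZX99Z,purge,yes
"""

def reconcile(inventory_csv, sanitisation_csv):
    """Return (report, exposed_tenants) for a decommissioned array."""
    inventory = {r["serial"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    records = defaultdict(list)
    for r in csv.DictReader(io.StringIO(sanitisation_csv)):
        records[r["serial"]].append(r)

    report = {"ok": [], "missing": [], "unverified": [], "duplicate": [], "unknown": []}
    exposed = set()
    for serial, drive in inventory.items():
        recs = records.get(serial, [])
        if not recs:
            status = "missing"        # drive was never processed
        elif not any(r["verified"] == "yes" for r in recs):
            status = "unverified"     # processed, but verification failed
        else:
            status = "ok"
        report[status].append(serial)
        if len(recs) > 1:
            report["duplicate"].append(serial)  # possible mislabelled drive
        if status != "ok":
            exposed.update(drive["tenants"].split(";"))
    # Serials in the log that are not in the inventory point to a labelling
    # or chain-of-custody error and need investigating.
    report["unknown"] = sorted(s for s in records if s not in inventory)
    return report, sorted(exposed)

if __name__ == "__main__":
    print(reconcile(INVENTORY_CSV, SANITISATION_CSV))
```

Decommissioning is complete only when "missing", "unverified" and "unknown" are all empty; the exposed-tenant list shows whose data is still at risk until they are.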

Network equipment in multi-tenant environments stores configuration data that may include credentials, access rules, and traffic patterns for all tenants. Decommissioning shared networking gear should include a full configuration wipe to prevent exposure of any tenant’s network architecture or access credentials.

Managed Service Provider Responsibilities

MSPs have a heightened responsibility for data destruction because they manage equipment on behalf of multiple clients who trust the MSP with their data. An MSP’s data destruction procedures should be documented, auditable, and aligned with recognised standards.

When an MSP client departs, the MSP should provide documented evidence that the client’s data has been removed from all systems, including production servers, backup systems, disaster recovery infrastructure, and any test or development environments where client data may have been used.

When an MSP decommissions shared equipment, the MSP should engage a certified ITAD provider and provide certificates of destruction to all affected clients. The MSP’s data destruction processes should be included in the scope of any SOC 2 or ISO 27001 audits the MSP undergoes.

Tenant Responsibilities

Tenants of multi-tenant environments should not assume that the infrastructure provider will handle data destruction adequately. Before relying on a provider’s disposal processes, tenants should review the provider’s data destruction policy and verify it meets their requirements, confirm that contractual provisions address data destruction specifically, request certificates of destruction when shared equipment is decommissioned, and maintain their own records of what data was stored on shared infrastructure.

For highly sensitive data, tenants should consider whether multi-tenant infrastructure is appropriate in the first place. If the sensitivity of the data requires absolute assurance of complete destruction, dedicated infrastructure with full control over the disposal process may be preferable to shared environments where the tenant depends on a third party for data destruction.

Getting Multi-Tenant Disposal Right

Multi-tenant environments offer significant efficiency and cost advantages, but they require careful attention to data security at every stage of the equipment lifecycle, including disposal. Clear contracts, systematic processes, thorough documentation, and open communication between infrastructure providers and tenants ensure that the convenience of shared infrastructure does not come at the cost of data security when equipment reaches end of life.