CASE STUDIES

Major Bank Recovers Millions Securely Decommissioning Servers for Resale

The Challenge

A leading global bank classified as a Systemically Important Financial Institution operates extensive private data centers supporting critical financial services worldwide. With annual server refresh cycles requiring the retirement of 30,000 servers, the bank faced a significant economic opportunity: transitioning from costly recycling to profitable server resale in the secondary market.

The primary obstacle was ensuring complete data sanitization beyond traditional software-level wiping. Given the bank’s handling of highly sensitive financial data, customer information, and proprietary trading algorithms, they required absolute confidence that no residual data could be recovered from retired servers—including data potentially stored in non-volatile memory, firmware, and sub-components invisible to standard sanitization tools.

  • Complete hardware-level data sanitization across all server components, firmware, and non-volatile memory to enable confident resale of retired equipment.
  • Comprehensive inventory and verification of all hardware components and firmware versions across 30,000 annual server retirements to ensure nothing is overlooked.
  • Regulatory compliance documentation proving data destruction meets banking and financial services requirements for handling sensitive customer and proprietary data.
  • Scalable process integration that works within existing server retirement workflows without disrupting data center operations or extending decommissioning timelines.
The Solution

  • 100% verification of data cleansing at the firmware and component level, with comprehensive scanning of BIOS, BMC, network interface cards, and all embedded systems within each server.
  • Complete hardware and firmware bill of materials (HBOM/SBOM) generated for each server, documenting every component, firmware version, and embedded system so that sanitization status can be tracked across the entire hardware stack.
  • Detailed audit trail and certificates of data destruction following NIST SP 800-88 (Guidelines for Media Sanitization), with component-level verification reports for regulatory compliance.
  • Automated scanning and verification integrated into retirement workflows, with cloud-based reporting that scales to 30,000+ servers annually without added operational overhead.

Transforming Server Economics Through Verified Data Sanitization

The bank’s implementation of Eclypsium’s supply chain security platform fundamentally transformed its approach to server lifecycle management. Device cleansing works in two stages: a factory reset of the hardware and firmware components (BIOS, BMC, NICs and other embedded controllers), followed by a verification scan that confirms the reset succeeded and that no sensitive or identifiable data remains on any component.

By leveraging Eclypsium’s firmware security research team and the industry’s largest global firmware reputation database, with millions of firmware hashes across dozens of enterprise hardware vendors, the bank gained visibility into every component within its servers. The platform compares each component against its recorded baseline, identifies changes to that baseline, finds outdated firmware, and exposes tampering that could indicate residual data or a security compromise.
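The verification logic described above (inventory against a baseline, firmware hashes against a known-good set, non-volatile settings against factory defaults, then a sanitization record) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Eclypsium’s code, data model or API. The vendor names, serial numbers, firmware images, factory-default settings and the asset inventory are all constructed for the illustration, and the record fields are modelled on the sample certificate in NIST SP 800-88 Rev. 1 Appendix G rather than taken from any real report.

```python
"""Component-level sanitization check and a NIST SP 800-88 style record.

Added illustration only: vendor names, serials, firmware images and the
inventory layout are constructed and are not Eclypsium's data or API.
"""
import hashlib
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vtuple(version: str) -> tuple:
    """'1.09' -> (1, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Constructed stand-ins for vendor firmware images; a reputation database
# would hold only the hashes, keyed by (vendor, component type, version).
IMAGES = {
    ("ExampleVendor", "BIOS", "2.14"): b"ExampleVendor UEFI BIOS 2.14",
    ("ExampleVendor", "BMC", "1.09"): b"ExampleVendor BMC 1.09",
    ("ExampleVendor", "BMC", "1.10"): b"ExampleVendor BMC 1.10",
    ("ExampleNIC", "NIC", "7.2"): b"ExampleNIC option ROM 7.2",
}
KNOWN_GOOD = {key: sha256(img) for key, img in IMAGES.items()}

# Newest known version per (vendor, component type), derived from the table.
LATEST: dict = {}
for vendor, ctype, ver in IMAGES:
    if vtuple(ver) > vtuple(LATEST.get((vendor, ctype), "0")):
        LATEST[(vendor, ctype)] = ver

# Constructed view of each component's non-volatile settings after a factory
# reset. Any setting that differs is residual data left by the previous owner.
FACTORY_DEFAULTS = {
    "BIOS": {"admin_password_set": False, "boot_entries": []},
    "BMC": {"user_accounts": ["root"], "static_ip": None},
    "NIC": {"vlan_id": None},
}


def verify_server(server: dict, baseline_serials: set) -> list:
    """Return findings for one retired server.

    baseline_serials are the component serials recorded while the server was in
    production; a component that was there then and is gone now cannot be
    certified, so it is a failure rather than a pass by omission.
    """
    findings, seen = [], set()
    for comp in server["components"]:
        key = (comp["vendor"], comp["type"], comp["version"])
        label = f'{comp["type"]}/{comp["serial"]}'
        seen.add(comp["serial"])
        # 1. The firmware image must hash to the known-good value for its version.
        if KNOWN_GOOD.get(key) != sha256(comp["image"]):
            findings.append({"component": label, "severity": "fail",
                             "issue": "firmware hash not in known-good set (possible tampering)"})
        # 2. Firmware older than the newest known release is a warning, not a failure.
        newest = LATEST.get((comp["vendor"], comp["type"]))
        if newest and vtuple(comp["version"]) < vtuple(newest):
            findings.append({"component": label, "severity": "warn",
                             "issue": f'firmware {comp["version"]} is outdated (latest {newest})'})
        # 3. Non-volatile settings must equal the factory defaults.
        for setting, default in FACTORY_DEFAULTS.get(comp["type"], {}).items():
            if comp["nvram"].get(setting, default) != default:
                findings.append({"component": label, "severity": "fail",
                                 "issue": f"residual data in NVRAM setting '{setting}'"})
    for serial in sorted(baseline_serials - seen):
        findings.append({"component": serial, "severity": "fail",
                         "issue": "component present at baseline is missing; cannot attest sanitization"})
    return findings


def sanitization_record(server: dict, findings: list, operator: str) -> dict:
    """Record shaped after the sample certificate fields in NIST SP 800-88 Rev. 1
    Appendix G; the result is PASS only when there are no 'fail' findings."""
    failed = any(f["severity"] == "fail" for f in findings)
    return {
        "asset_tag": server["asset_tag"],
        "performed_by": operator,
        "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method_type": "Clear",  # factory reset of NVRAM; drives would need Purge
        "method_used": "vendor factory reset of BIOS/BMC/NIC non-volatile settings",
        "verification_method": "component inventory and firmware hash comparison",
        "media_destination": "hold for remediation" if failed else "external reuse",
        "result": "FAIL" if failed else "PASS",
        "findings": findings,
    }


# Constructed inventory of one retired server, as a scanner might report it.
RETIRED_SERVER = {
    "asset_tag": "SRV-000123",
    "components": [
        {"type": "BIOS", "vendor": "ExampleVendor", "version": "2.14", "serial": "MB-1",
         "image": IMAGES[("ExampleVendor", "BIOS", "2.14")],
         "nvram": {"admin_password_set": False, "boot_entries": []}},
        {"type": "BMC", "vendor": "ExampleVendor", "version": "1.09", "serial": "BMC-1",
         "image": IMAGES[("ExampleVendor", "BMC", "1.09")],
         "nvram": {"user_accounts": ["root", "ops-admin"], "static_ip": "10.1.2.3"}},
        {"type": "NIC", "vendor": "ExampleNIC", "version": "7.2", "serial": "NIC-1",
         "image": b"ExampleNIC option ROM 7.2 (modified)",
         "nvram": {"vlan_id": None}},
    ],
}
# Serials recorded at the last production scan; the drive DSK-1 is no longer present.
BASELINE_SERIALS = {"MB-1", "BMC-1", "NIC-1", "DSK-1"}

if __name__ == "__main__":
    import json
    result = verify_server(RETIRED_SERVER, BASELINE_SERIALS)
    print(json.dumps(sanitization_record(RETIRED_SERVER, result, "decom-team"), indent=2))
```

Run as written, the constructed server fails: the BMC still carries an extra user account and a static IP, the NIC option ROM does not hash to the vendor image, and a drive that was present at the production baseline has vanished, so nothing can attest to its erasure. Only the BIOS passes. The point of checking against a baseline rather than just against the current inventory is that a missing component is treated as a failure instead of silently dropping out of the report.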

Financial Impact: Tens of Millions in Recovered Value

The transition from recycling to reselling 30,000 servers annually represents a substantial financial opportunity. Conservative estimates suggest recovering $1,000-3,000 per server through secondary market sales versus minimal recycling value, potentially generating $30-90 million annually in recovered value. This dramatic improvement in server lifecycle economics demonstrates how comprehensive data sanitization enables new revenue streams while maintaining the highest security standards.

Expanding Security Across the Infrastructure Lifecycle

Building on the success of their server retirement program, the bank is expanding Eclypsium’s implementation across their entire infrastructure lifecycle:

  • Production Monitoring: Continuous firmware integrity monitoring and vulnerability assessment across active server infrastructure to detect threats that evade traditional endpoint security.
  • Pre-Deployment Validation: Acceptance testing to validate they are getting what they purchased by ensuring new servers haven’t been tampered with during shipping or deployment.
  • AI Infrastructure Protection: As the bank expands its AI and machine learning capabilities, it is extending Eclypsium monitoring to GPU servers and specialized AI hardware, using the platform’s newer AI security capabilities that cover the foundational layers of the generative AI (GenAI) stack, with support for NVIDIA GPUs, AMI Baseboard Management Controllers (BMCs) and other critical AI hardware components.

How Eclypsium Addresses Critical Financial Services Security Challenges

Financial institutions face unique cybersecurity challenges as prime targets for nation-state actors and sophisticated criminal organizations, and as subjects of close regulatory scrutiny. Traditional vulnerability scanners, endpoint monitors, manufacturer monitoring, and similar security tools stop at the operating system and application layer. Verifying a device’s integrity requires going beneath that layer, into firmware and hardware, where a conventional tool stack has no visibility.

The financial services sector increasingly recognizes firmware as a critical attack vector. The past several years have seen a sharp uptick in the disclosure and exploitation of vulnerabilities in firmware and low-level components of IT and network infrastructure devices. Recent attacks on financial institutions have demonstrated how attackers use firmware-level compromises to establish persistence and evade detection by traditional security tools.

Eclypsium focuses on the firmware and microcode running underneath the operating system, detecting implants and backdoors that are designed to evade EDR. For banks handling trillions in assets and sensitive customer data, this deeper level of protection is essential for maintaining customer trust and regulatory compliance.

Continuous Protection and Compliance Assurance

Eclypsium provides the bank with continuous monitoring capabilities that extend far beyond the initial data sanitization use case. The platform scans the hardware, firmware, and software components across the bank’s IT infrastructure, providing inventory, vulnerability management, and threat detection at the component level.

This comprehensive approach helps the bank meet evolving regulatory requirements for cybersecurity supply chain risk management (C-SCRM) and firmware integrity verification. As financial regulators increasingly focus on third-party risk and supply chain security, Eclypsium’s detailed documentation and verification capabilities provide crucial evidence of due diligence and compliance.