50 Shades of Gray (Market) Mayhem

Want to save money on network hardware? There’s a fine line between a good deal and a data-loss nightmare.

March 12, 2019

7 Min Read
Gray market

By Allison Francis

A byproduct of the wholesale shift of compute workloads to public cloud: billions of dollars’ worth of secondhand data center hardware joining the stream of so-called “gray market” gear being sold each year without official manufacturer authorization.

Not that every used switch or server is suspect. There’s a huge difference between the gray market and the secondary market, say experts. A lot of the confusion and FUD is purposeful — and comes from OEMs who would prefer that customers purchase new gear with fat margins.

Ferro-Greg_Packet-Pushers.jpg

Packet Pushers’ Greg Ferro

“There’s a legitimate market for secondary gear; that is, used equipment, or equipment that’s still operational but may be outside the manufacturer’s support or warranty windows,” said speaker and analyst Greg Ferro, co-founder of Packet Pushers Interactive.  Some VARs have run long-term, profitable side hustles around secondary equipment.

Curvature, a provider of third-party maintenance that certifies pre-owned gear, says customers can see 75 percent savings on hardware. It and other IT asset disposition providers, including Arrow, Ingram Micro and ITRenew, take steps to ensure the previous owner’s data is wiped, that the gear is tested for quality control and that firmware is up to date. They provide certifications, support and warranties.

In contrast, gray marketing, also known as “parallel importing,” is the sale of legitimate, brand-name products that have been diverted from the OEM’s authorized network of distributors. According to the Alliance for Gray Market and Counterfeit Abatement (AGMA), a nonprofit that also addresses counterfeiting and software piracy, the value of gray market products in 2007 averaged $58 billion, representing somewhere between 5 and 30 percent of total IT sales and impacting supplier profits by $8 billion to $10 billion.

For partners looking to save money for themselves or customers, the distinction between “pre-owned” and “diverted” is critical.

As more customers start shedding unneeded hardware, partners need to be aware of red flags on the buy side and have a plan to help dispose of or resell assets securely and responsibly.

Buy Low, Sell High

Gray market activity has one primary driver: price disparity. Global IT vendors establish regional pricing schemes to compete in various markets. Sometimes, as with prescription drugs, there is enough cost incentive to drive product across borders. A device in APAC may cost significantly less than in the EU. That creates what AGMA calls a “pricing corridor.”

There are many ways products enter the gray market. According to AGMA, the most common are:

  • Partners or customers purchase a large number of products under a contract for a job that actually requires a smaller quantity in order to achieve larger volume discounts. They then resell the extra products without the knowledge or consent of the vendor.

  • Brokers buy lower-priced products in developing markets and then import them back to developed markets in North America and Europe, where they compete against authorized distributors.

  • Software licenses are sold at a higher discount or for no charge as “try-and-buy” in developing markets or for institutional customers. These licenses are then activated elsewhere.

Frank Kobuszewski, president of the technology solutions group at CXtec, points out that networking and server equipment is affected by the U.S. tariffs on China, boosting the incentive to cross borders. Cisco has raised prices on some products by 15 percent; Juniper and Arista are following suit.

In some cases, excess, aged or manufacturer-discontinued products sold by OEMs or distributors as lower product class — take as-is, no return, no support — and equally discounted are sold as new to unsuspecting customers. Experts recommend that partners …

… understand and communicate the risks that unauthorized or gray market products may pose and design procurement processes to mitigate those risks.

A Question of Security

There are massive data protection and security implications when it comes to both the gray and secondary markets. Data may be left on machines, and viruses, malware or spyware could devastate entire networks.

Christina Walker, global director of channel sales and programs at Blancco Technology Group, which supplies secure erasure and diagnostics, talks about the gray market from the perspective of enterprise accountability, particularly in light of recent EU regulations and U.S. laws that hold companies responsible for how they manage, store and dispose of sensitive data.

“An enterprise could potentially have any number of assets floating around the gray market,” said Walker. “If they don’t take the proper precautions to erase the data that inherently resides on said assets before they leave the building or protected data centers, it opens the company up to risk. Not just concerning the regulatory requirements that industries are mandated to follow, such as Europe’s GDPR law and HIPPA, but also potential brand damage.”

Even if sensitive data is not found on a recycled asset that has not been properly erased, it is still possible to see what company previously owned that asset. In an age where security has become more and more a concern in the data life cycle, this can be a PR and brand equity nightmare.

A survey recently conducted by Blancco found that in a large majority of data centers — 79 percent of U.S. and 76 percent of Canadian respondents — at least a quarter of drives on-site are overdue for sanitization and return/replacement. Over half of the respondents, 57 percent, incorrectly say that a quick or full reformat of a drive would permanently erase all data.

Walker recommends that partners either lean on IT asset disposition experts or develop a practice within their own engineering team to support customers in erasing data.

And don’t forget the chain of custody.

“According to GDPR, the data processor, or in this instance, the partner, is responsible for upholding what the customer, the ‘data controller,’ is asking for with regard to data security,” said Walker. “For example, if the protocol is to ensure that data is not recoverable from end-of-life assets, and the asset leaves a building without being erased and disappears while in transit, the partner could be at risk.”

Gray Foxes

Hardware suppliers — notably Cisco, which has been vocal about and active in combatting back-channel sales in a variety of ingenious ways — insist that it’s not just about profits. They worry about brand damage, unhappy customers and service problems, and say partners ought to be just as concerned.

According to PacketPushers’ Ferro, vendors have taken steps to stem the gray tide, including:

  • Improving monitoring of factories with dedicated employees on location.

  • Clamping down on resellers with regular inspections and controls.

  • Attempting to prevent the resale of hardware with tougher software licensing that makes it difficult or prevents use by anyone but the original purchaser.

  • Deploying software to collect asset information and phone home to the vendor as part of a support contract.

AGMA insists that partners who have relationships with a manufacturer and authorization to sell or service products should understand not only their contractual obligations, but also how unauthorized practices, such as gray marketing, can undermine the integrity of the channel ecosystem overall.

If you’re looking to help customers, or your own IT team, pick up some bargain gear, experts have some advice:

  • Find a reputable pre-owned equipment dealer that stands behind its offerings and that has relationships with hardware OEMs.

  • Consider second-hand hardware for use with noncritical and disaster recovery use cases.

  • Be mindful of OEM support for firmware updates and security patches.

When disposing of gear, check out advice from the International Data Sanitization Consortium. It provides information about data sanitization best practices across a variety of IT assets, legal language for use in service provider contracts, updates on global regulations and advice on data erasure procedures and responsibilities.

Allison Francis is a contributing editor for Channel Futures and Channel Partners. Follow her on Twitter at @AllisonWendy.

Read more about:

Agents
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like