Don't Network Administrators Require Privacy?

An anonymous reader writes to tell us that Recently their company has decided to move the IT staff out of their offices to make room for the Service Department. The move has placed the IT staff in cubicles that all face inward and lack, obviously, the ability to lock their doors at night. This is, to them, an obvious breach in security and privacy for what may be sensitive network information. Have any other Slashdot readers dealt with this sort of problem before? If so, what specific information was best suited to rectify these security concerns?

Man up, nancy.

[markv242]

Quit trying to make up bogus reasons as to why you don't want to be in a cube and just tell your boss, "I don't want to be in a cube." If it's a dealbreaker for you, resign. Next they'll be moving you down into the basement and taking away your red stapler.

Re:Man up, nancy.

[shawn(at)fsu]

Bogus is exactly right. Our company, an IT company that employs over 100,000 people worldwide has the sysadmin people in cubes. They can store the equipment in either lockable cabinets or is the server room. Sorry but this article just sounds childish and elitist.

Re:Man up, nancy.

[TheSkyIsPurple]

It's a legitimate concern in general, but we just don't know enough in specific

We had a building restack awhile back, and they wanted to bump our group into cubes. I ended up going to the Real Estate folks at HQ and letting them know that my screen would now be facing public walkways, and communications about acquisitions would be ripe for compromise. (I kinda wish we had the SOX issues back then... since I deal with private info as well, it becomes a legal issue.)

Fortunately for me, Facilities didn't want to get those goofy cubicle sliding doors, and we didn't have enough conference room space for me to be able to reserve a conference room for all my confidential meetings.

Then again, at another of our offices, all of us are in cubes, but our bank of cubes is behind a secure access controlled door, and the general users aren't allowed in there... All depends on how critical your info is, and what is available to protect it.

I wouldn't press the sube issue directly, I would press the security issue, and let management come up with their own answer.

Re:Man up, nancy.

[blincoln]

Seriously.

What company gives regular IT people their own offices?

I've been at a Fortune 500 company for five years, and in that whole time (which has spanned two buildings), the only people with offices were the directors.

Re:Man up, nancy.

Kinda right, kinda wrong. if the IT department deals with any of the financial data the boss will get his arse reamed hard the second a Sarbanes Oxley audit is performed.

No he wont. Not for the reasons you're implying anyway. A little known company called Visa manages to keep all their IT guys in cubes. If you think your IT guys deal with a lot of financial information...

It's all about using the correct procedures in handling that financial info. This means, lock your desktop when you leave to take a piss, and secure all your hardcopies in a lockeable cabinet at the end of the day. What exactly are the 4 walls of an office affording you that a locked cabinet cannot?

Re:Man up, nancy.

[n4t3]

My small (100+ employee) company does. There's only one of me but I share my office with the tech writer (who works with me on the website and helps coordinate advertising projects). I'm actually surprised that IT seems to be treated so poorly elsewhere, and might consider another position if I had to leave. Why am I surprised? Generally an in-house IT person needs to be trusted - beyond reproach - because he/she has the keys to the whole company. That person can see everyone's salary (if they chose to), change passwords, read email, delete documents, etc. It's really a lot of responsibility - treating a person entrusted with that much *access* poorly (or unfairly) could be dangerous. ...and besides, cubicles suck, man.

Re:Man up, nancy.

[Halfbaked+Plan]

That isn't a privacy concern. That's a security concern. Maybe standard desktop hardware isn't secure enough.

Maybe the only consoles at which critical passwords are entered should be in the server room. There are rackmount keyboard trays that can slide right out when server access is required. The IT staff can stand when doing this work and/or a tall hard stool can be provided.

All the old BOFH stuff is ancient folklore. It's all PUBLISHED at this point and management has had somebody review it.

The jig is up.

Where I work we have the same situation

[onyxruby]

Where I work we have the same situation. However all of IT (security, network and so on) is in the same office area. In order to secure the area they just put up a wall and secure card access. That way the only people in there are the IT people. If you can't trust your IT staff, than they don't have any business being your IT staff. That way the risk is still there, but you don't have anyone other than IT in the area to begin with.

Re:I don't see that they do, no...

[Homology]

A good IT admin should be able to secure the PC on their desk and therefore everything else that they access. Help your company cut costs and keep you, it is much better than the alternative.

Bullshit. Once you have physical access to the PC you can compromise it.

Money talks

[Thu25245]

Draw up a budget proposal for whatever locking file cabinets, secure equipment cabinets, Kensington locks (better than nothing...) and desktop security software that you'll need to ensure the security and functionality of your information systems. Keep in mind that this includes not only malicious snoopers but also cleaning staff that snag cables with their vacuum cleaners, and take whatever precautions are necessary.

Be thorough, but don't make stuff up. Don't make it a turf war, just make it clear that you're working to protect the systems that you're responsible.

Come up with this proposal, and an estimate of the costs, and request that Accounting begin soliciting bids from vendors. And then lightly suggest that this would not be necessary if you could have good locking offices.

Keep in mind, though, that private offices are only effective if they are truly private. If they're not always proerly locked, or if too many people have the keys, then you'll be the worst kind of office hypocrite.

Re:Yes, and stripper girlfriends

[v1]

The "secure your computer" idea is obvious enough. There are other subtle problems though.

The "looking over your shoulder" problem is more difficult to deal with than you might think. More than once I've had issues with users stalking up behind me and reading my screen before I even knew they were there. (the really rude ones ask questions about what they've read) I could be doing any number of sensitive things - sending someone an email discussing the layoffs that are scheduled for next week, chatting with someone sending them their new account password, drafting a memo to someone outlining new security policy... posting the new router passwords on a secure filestore... any of these and more could be serious breaches of security and privacy if observed by the wrong people, and as another poster mentioned, could violate state or federal laws.

It's really a design problem to set up a cubicle where the user faces away from their door. For one, they can either look at their visitor OR their computer, but not both. I always prefer looking at my monitor, and then off to its side to see my guest. This also allows me to look up information for them without having to turn my back on them. Intelligent cubicle design has the desk on the left or right of the doorway, not opposite it. If your desk is opposite your cubicle doorway, tell your HR to get a clue. The best cubicle design is of course to have to walk around your desk and sit down, facing the doorway as well as your monitor, but I'll recognize that not every company has the space or the funds for such large cubicles.

As for physical security, that's another matter in itself. The best design is of course to have every computer imaged identically, with network login and home folder, and to allow no one to store their own information on the local hard drive. This seldom goes completely followed, and all sorts of things wind up on the local drives. Besides being a backup risk, anyone with physical access when you are away from your cubicle can rummage through your hard drive. Some I.T. are paranoid even of the nighttime janitors and clean the I.T. room themselves so they don't have to give out another key. But for that I'd say if you don't have janitorial staff you can trust at least that much, you need to find new janitors.

And of course if the fileserver is in your cubicle with you, that opens up a whole new can of worms. (and if not, why is your office away from the server room?) On that note I will say one thing I am against... leaving the server with an account logged in on it. I see that where I work sometimes, and it bothers me. I like that extra layer of security on top of physical security, and knowing someone with a key can play with the server is not my idea of a Good Thing(tm).

Re:Might Even Be Illegal?

[GuyverDH]

Actually, all that has to be done, is to follow a clean desk policy.

Monitors need to be faced in such a way so that they cannot be viewed from the walkways.
I also run mine at maximum resolution (1400x1150 for the laptop and 1600x1200 for the 20" second display) with small fonts so that my eyes are the only ones that can read anything displayed (unless someone looks directly over my shoulder).

Important papers have to be stored in locking cabinets/file drawers.

No sensitive information should be stored on the workstations. All sensitive information should be stored in a protected data-center type environment. File servers, host systems, database servers should all be protected. Workstations should be set to lock within a few minutes (mine is set for 2 minutes). I also have gotten into the habit of locking my workstation before I stand up for anything.

With no locally stored sensitive information, then the administrators PC is unable to be used as a tool to gain said information.

Cubicles are not necessarily evil, they are however, a fact of corporate life.

Don't be lazy, keep the information secure, rather than trusting a simple "door-lock" to keep unsecured data secure.

Lots of replies from the living with momma crowd.

[AlexisGrey]

Privacy is important to any real network admin / computer support person. Not only do we often has information up on our monitors that would compromise security if it was viewed by others, many of the phone conversations involved in resolving problems also contain information that may be sensitive. Someone close to my desk could pick up IP address, Router information, Type, model and OS version on our firewalls. For instance, we had a video conference with our manager on Friday regarding the implementation of the patches to our Cisco routers and whether it had to be done this weekend. He asked for the router passwords over the phone...his opinion is that EMail is unsafe. Then there is the other type of work we do. For example, I was working on a report last week that basically involved some deep data mining of our health plan over the last five years. The benefits person, a sweet young thing of 55 going on 2000 was asking me how to take the data and apply various scenarios to it - such as increasing the employee contributions, reducing maximum payouts and removing some coverages. Its obvious from our conversation and from the data that cuts are going to be made. This sort of stuff is not something management wants to be public. Wednesday, I had to recover about 100 EMails for our Human Resources person. Some of them included questions about Employee evaluations. Some companies may not ever have their Net Admins talk on the phone or use their monitors to work on but we sure do.

It could be far worse

[evenprime]

It could be far worse....just be happy they didn't hire someone in New Delhi to administer your servers.

No

[pvera]

You are asking about privacy, not about the limited access of specific company-owned information.

You are NOT entitled to privacy in the workplace. You are entitled to limit access to your work materials to those employees that have the need to know.

Two completely different concepts.

You can run IT from a cubicle, there is nothing terrible about that. If you are going to type in a password, look over your shoulder and make sure nobody is watching you. Access to the machine itself is no issue since you are not going to put your servers in your own office, they go to their own room. If you were running all the servers from your office then you are not as smart as you think you are.

Regardless of server OS, you can manage it from anywhere, there is no need to be sitting in front of the damn machine.

As for privacy, when you signed your offer letter and you agreed to follow company guidelines, you pretty much signed away any hope of privacy in the workplace. The boss can listen to your phone calls, can read your mail and read your paperwork. Yes, your boss can read your personal email if you are trying to read it from your workstation at the office. It is the company's computer and you are using the company's resources for personal reasons.

Now, say you are a programmer or a DBA, then you need a bit more shielding from prying eyes. But the plain IT folks? Nah, they can sit outside like everyone else.

Re:Yes, and stripper girlfriends

[WhiplashII]

How about this: Late at night, I come in to work - notice that you are not at your desk, and attach a hardware keyboard sniffer to your keyboard. A few days later, I mosy over and disconnect it.

What do I have at that point? Enough info for a serious carreer boost!

Re:Yes, and stripper girlfriends

[Lux]

Nice post.

> But for that I'd say if you don't have janitorial staff you can trust at least that much, you need to find new janitors.

I disagree. I think your colleagues are making a very prudent move by cleaning those rooms themselves. It's not about trust, it's about money. A janitorial position is simply not worth passing up a hefty bribe.

Fun example: My sister went to school in Ghana for a year. Going price for a human to do menial labor is about $5/month (or something like that,) so the school kept four people watching the international dorm 24/7. Going price to get into the international dorm: about $20. After a "break-in" the guards get fired, take a paid month off, find another shitty job. The burgler gets a laptop to fence. Everyone's happy.

Now, if the school had one person on duty 24/7, and that person was making $20/month, then that person might start valueing the job over bribes. Job security in a position paying 4x what you could get anywhere else is worth a lot more than one month's pay.

Even ignoring the difference in salary, an IT person has a lot invested in their career that a janitor does not. So they're going to be intrinsically much harder to bribe. Even if you get a dishonest one.

Re:Yes, and stripper girlfriends

[Mike+Markley]

Yeah, and that's the overpriced ThinkGeek one. I've seen them cheaper than that $10, and even free at trade shows.

I think that most professional geeks need to come to grips with reality. If you're in IT, you probably think you're more important than you really are, while management probably thinks you're less important than you really are. This, obviously, adds up to a huge disparity, and causes plenty of conflict when these two distorted realities butt heads.

I'm sure some will look at this and say "no, really, I'm that important", but really, you're not. First, think about how many other people have exactly as much value as you do to the business. Unless you're in a very, very small shop, there's more than one person doing critical IT things in the first place. Then consider the people who produce whatever it is that your business does. It's popular in geek circles to complain that those people don't understand that they wouldn't be able to do their jobs without us geeks. Well, here's a news flash: you wouldn't have that job to do without them.

Next, try to remove that built-in Dilbert filter you've developed, and take a critical look at your immediate management. Now, your manager may be just as utterly useless as the stereotypes one would normally apply, but more often than not, that's an unfair stereotype. I know for certain that without my team lead or our group's manager, who both know how to work within the corporate political system to get things done, I would have been either downsized because upper management had no idea whether I was of any use, or I would have been fired for pissing off enough people.

You should also consider what those other departments really do (outside of the automatic reaction you probably have to that question, which is almost certainly along the lines of "annoy me" or "piss me off"). Sure, without the network guys, lots of things wouldn't get done; what wouldn't get done without this other department? "Service Department" is sufficiently generic that I have no idea what they do, but contrary to the common jokes about it, businesses aren't usually in the habit of hiring people to do nothing. Or take the Sales department, which is one of the bigger targets of IT vitriol. The individuals may often deserve it, or they may not (I've known some incredibly slimy sales guys in my life), but either way: the business needs customers. Without the IT guys, the sales guys would lack email, IM, and possibly even the productivity tools they use daily, but without the sales guys, nobody would be paying the IT guys' salaries.

For reference, I've only ever worked in one place where the IT staff got offices instead of cubicles, and that's mainly because there weren't any cubicles anywhere in our small office space. Not to mention the fact that it was about a 25-person ISP, and our customer base was primarily in a few counties. Oh, and they've since been gobbled up by a much larger competitor, had their employees laid off, and moved operations to another state.

I think, ultimately, that the submitter (and the GP) need a reality check. Despite what years in IT have led you to believe, you're not the most important preson in the organization and you're never going to be viewed as such. Millions of people get their jobs done just fine within cubicles. And for the GP: if you have a server in your cube or office, you're just asking for it anyway.

Re:Might Even Be Illegal?

[thegrassyknowl]

Cubicles are not necessarily evil, they are however, a fact of corporate life.

Cubicles present no significant cost gain over giving everyone a small office with a door. That material they use to make cubes is expensive. In fact, this has been done on Slashdot before and many link were posted to different office design styles. The general consensus was that technical types (IT, engineers, etc) like to be able to isolate themselves from the world for periods of time so they can focus entirely on a task.

Cubes don't give you that. I am continually distracted by the goings-on in the next cube. If two or three people are there looking at a demonstration or trying to find a bug then it's very noisy and I find myself having to wind up the volume on my closed-back headphones to unsafe levels.

Should I remind anyone what happens when people in your office are testing audio equipment or a product that talks over a 56k modem in an open plan environment? All I hear all day is that noisy screech of modems (we have hundreds of them scattered around the place) and "test, 1, 2, test" through the other audio equipment that people are testing.

It has been studied to death and decided that if you put technical people in an office with a door they will be more productive. I think this more than offsets all the other reasons for having cubes, and the exotic measures that you have to go through to protect people's privacy when they are in cubes (lockable drawers, filing cabinets, secured rooms for storage of documents, etc).

Cubes are put in place by management who want some level of separation between the "elite" and the rest of us. Management justify it by saying "we want to foster an interractive and friendly work environment to encourage productivity" but they have never had to work in cubes, and dont understand the loss of productivity that will occur when everyone is there.