Why Should I Trust My Network Administrator?
Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"
If it was really a worry, why outsource it in the first place?
You could mandate on-site support only, but you will get charged out the yang for it.
If you're concerned, ask them to carry a performance and fidelity (aka surety) bond.
Seriously, if you really want to trust yer IT admin, push for government certification.
Because, after all, we all know we can trust the government.
That's the service they are offering. If you want someone to be on property so you can look over shoulders, hire an IT staff.
Yes. =)
You got the touch!
Either that, or learn to do it your damn self.
Obviously you want to find someone reputable, and bonded, but you're never going to get to a point where you can have a network infrastructure that is secure from the people who do your network infrastructure.
I've had enough experience with paranoid managers who hysterically insist that I'm reading their email, or their online banking passwords and crap like that. You think that some schmuck who is working fixing problems remotely really gives a crap about the plans for your Facebook-killer? Think that they care about your boring ass emails? You think they care about your customers??!? Are you kidding? You obviously don't sell networking, so what would be in it for them? Selling a customer list is like selling a used phone book.
No outsourced company is going to send a person to your building every time there is an issue, and frankly, you don't want them to because they'll charge you out the ass for that sort of service. Even if you did decide to pay the price for in-person service, anyone who is out to screw you will be able to screw you while you're watching them over your shoulder, because you won't know what to look for.
If it's really that important to you, bring it in house. And, word of advice, if you do bring it in house, don't treat the guy like a criminal or he's going to start reading your email.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
At some point, you're going to have to trust SOMEONE
Can you trust your Significant Other not to get all stabby when you are in bed sleeping?
Can you trust the drivers on your commute route not to suddenly get out their guns and start shooting at you?
It's all risk management. If you have super-important data, then don't farm out the management to someone you don't trust. If you have regular data, then farm it out to basically anyone.
SH*T happens... but if you are paralyzed with fear that bad things are going to happen because nobody is as trustworthy as yourself, you aren't going to be leaving your house.
Part of the process of choosing a company is questioning them on moral issues. As much as IT is about technology, we are entrusted with incredible power and are truly held to the highest moral and ethical standards. This should figure into any choice you make - a new hire, an outsourced company, etc.
For the same reason you trust your accountant.
Tell me, do you trust your sales people with your customer database? In my experience, they're the ones to watch.
That is an incredibly dumb question.
You should trust him because, as the manager of the startup, it is within your area of responsibility to ensure a priori that the people you hire to do this are trustworthy, or you are simply not doing your job and you should be fired and replaced with someone who can. Since your company is already on a path for doing outsourcing, I am sure your job could be outsourced to someone more competent in Bangalore.
-- Terry
I do a lot of remote support for my customers.
I also make sure I get face time with them.
Learning the work-flow of a company is very important when it comes to administering their network.
If the company you are hiring doesn't schedule regular visits then I wouldn't trust them to work in your best interests.
I'll add this as well. Audit them periodically. Hire another company to check up on them.
My customers do this and I've received good feedback from the customer and the auditor.
Ursula Andress, Catherine Deneuve, and Charo, twice...
Seriously? You're thinking about this now AFTER they've put the whole network up with all remote access enabled?
What the hell makes you think they can't steal all your crap in person? Even if you assigned someone to watch every move they make it would be difficult for novices to even be able to recognize data theft happening as they watched if it happened through a command-line interface.
You are the business owner; it's your stuff. If your current admin can't do what you want, find someone who does. I'm an owner of a small IT firm and I like to do all remote admin, but I have a few customers I do in person. I charge more (40% more), but they insist that that's what they want and I do it for them... at a price.
the innocent shall suffer!
Hold them accountable. Track everything they do, and audit that it was in fact necessary and honest. Get a contract that holds them liable for damage they cause.
Outside of these terms, I'd suggest that you are absolutely right. The IT company that I cut my teeth under would have had no oversight of this kind of access whatsoever. Their employees would have been accessing your files from home, for kicks, in-between rounds of Unreal Tournament.
On a side note, aren't you legally obligated to monitor this access anyway? GLB, HIPAA, something of the sort? If you're in the 10% of the IT world that isn't covered by something like this, great. Otherwise, maybe you should call a lawyer...
First step. Get a good lawyer (who understands tech) and a good accountant. Protect yourself and your property; you and your employees can focus on what you do best.
0 = 1 + e^(Alt something)
As a guy who's worked in-house and as a contractor I'll say that you can give me full access to the system so I can charge you a reasonable fee or you can lock me out and breathe down my neck while I'm trying to work. At which point I'll hand you a BIG honkin' bill for the hassle.
BTW, if you're standing right behind me watching, you still won't know when I'm stealing your data. Not that I would, cause I don't care a bit about your stuff.
I just want to do a good job for you. Make it easy for me to do that and I'll go easy on you. Be a paranoid, obstructive so-and-so and I'll still do a good job, but I'll stick it to you on the bill when I'm done.
I would guess that it costs less to outsource this sort of work than to try to keep your own full time IT staff employed. I might be wrong though.
Palm trees and 8
And this is different from hiring an employee to keep your IT support in-house? If anything, an external provider is less likely to be a nutcase or otherwise disgruntled enough to take punitive action against you. What about your cleaning staff? Your office security firm? Your hookers?
Security is important, but there can be a tendency for entrepreneurs and startups to over-vector. Pick a respectable vendor. Trust them, and keep an eye on their work.
When you have nothing left to burn you must set yourself on fire
If you think watching over the shoulder of a person that you aren't sure you trust will make a difference... it probably won't. If they're bent on stealing stuff they'll just put in a back door in the 4 seconds you're not watching them like a hawk, and you probably wouldn't catch it anyway. You should probably step back and decide how much of a risk it is to outsource the admin gig to begin with. If your files are that valuable maybe your business model should afford somebody you can trust and see on the payroll with stock options. Perhaps you need two admins. One the outsource company that obviously would have technical abilities you don't have, but maybe another one that you do trust that at least has minimal abilities to at least monitor for anything unusual?
Do you trust your bank with your money? Even though they don't keep it at your business and you can't stand behind them and watch what they do with it? Your fortune is at stake. Why do you trust them?
Do you trust your grocer to give you clean, fresh meats? Even though you can't go in the back, see how they're stored and watch them being cut? Your health is at stake. Why do you trust them?
Do you trust your pharmacy to give you the correct medication? Even though you dropped the prescription off, will pick it up later and don't know the look of one pill from another? Your life is at stake. Why do you trust them?
I trust I've answered your question.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
If you're really that paranoid why not store all of your super secret data on an encrypted volume and only mount it when you're using it. . .
Of course, if your network admin really wanted to he could probably sniff your password off the network or install a keystroke logger, but 99.99% of network admins out there wouldn't even attempt to do that. Not only is it unethical, but you probably don't have any data they really want anyway. It would probably just be a huge waste of time.
Facts have a liberal bias.
This is why there are confidentiality agreements, data protection and security procedures defined in the contract with large fines if they are not followed.
What does your legal agreement with this firm say?
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
If you're concerned with trust, why would you outsource in the first place? Why wouldn't you just hire someone in-house who you can interview in person and run a background check on? Sure it costs more, but at least you have control. If the company you've hired hires someone new, that's yet another person looking at your stuff.
As for having them come on-site, what good is that? An 8 gig USB Flash drive is like $10 now, and that could probably hold your entire SVN repository and all your .doc/.xls/.ppt documents.
rooooar
They're stealing your IP while you're goofing off on slashdot.
If you are that afraid of them doing something wrong, it better be in the contract you sign with them with all of the penalties plainly laid out.
I would much rather have the IT Admin in house, but then again, I'm an IT Admin. We have to sit in a weird spot in the company. We have to learn all of the dirty secrets. If someone is divulging secrets, we are the ones that have to pull up their email records and browser history.
I take that responsibility very seriously. You have to find someone that takes it seriously, too.
Look, it's really simple: If they give you the creeps, don't hire them. Go with someone who is not insistent on administering your network remotely, or who you are otherwise comfortable working with.
Proverbs 21:19
You seem to be conflicted. You don't want to have in-house IT, but you want them there and available anytime you need them onsite. I think you first need to determine which is important: reduced costs of outsourcing (and all the issues that go with it) or the improved service of in-house (and all the issues that go with that).
Even if they're onsite, are you going to have someone paid to stand over their shoulder and watch? If so, pay that person to do the damn work for ya.
To be honest you're probably safer with an outsourcing company since no sane company would risk their reputation by stealing your "zomg important" secrets.
Once upon a time there was a kid in charge of watching a flock to protect it from wolves. He got bored and cried 'wolf'. Everyone came running, but there was no wolf and the kid laughed at the gullible townspeople. He did this three times. Then one day there really was a wolf. He cried 'wolf' again, but this time nobody responded. Half a dozen sheep - and the boy - were killed.
What's the moral of the story (the real moral, not the 'story for kids' moral)? Don't put someone in charge of your stuff if you don't trust them. Seriously, you should trust them because if you don't they can't do their job properly. Or at *best* the actual people doing it won't like you and may go out of their way to screw you within their contract.
Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
Remote access is secure - SSH, RDP, decent VPNs are fine for remote administration.
If you don't trust the admin if you don't have them in your direct line of sight, why would you trust them if you're out of the room temporarily?
If you don't trust them when you're not looking over their shoulders, why do you trust them at all?
Either you trust them - and where they are sitting is irrelevant to that question - or you don't. If you don't trust them, fire them and get someone else you trust. If you don't trust them but think watching them in person makes it better, you're misjudging the situation and asking the wrong question.
Trust or no? If no, replace.
Nobody should trust their BOFH.
Sadly, it just happens to be the case that we can't live without them, but trustable as a group, they are not.
Trust people, not jobs.
NO SIG
Look--if you have to outsource to somebody for whatever reason--what makes you think you're even competent enough to catch them doing something malicious right in front of you?
I'm not trying to suggest you're a poor manager--but the whole point of outsourcing is to save resources--be they time, money, or space--and hopefully all of them. These guys should be faster than you, and will hopefully be using tools and utilities you're not familiar with. How will you know whether the CD they throw into the drive contains a trojan, or the latest set of patches for sharepoint coupled with windows scripting?
If you don't trust them--don't hire them. Otherwise--turn on system/account auditing if you must, but stay out of their way--looming behind their shoulder is likely to get you worse service anyway, as they may feel rushed. Even if they did have the motivation to steal your customers--most people only know enough security to keep honest people honest--a dishonest person will find a way to the data even with an armed guard over their shoulder.
If you are so worried about it then have them sign a contract that stipulates they won't do what you're worried about them doing. I've done consulting for the SMB market. We did the majority of our support remotely. We were constantly busy taking care of clients and didn't have the time or the inclination to try to steal from our clients. Look at it this way, if your consultant leaks your super duper secrets to your competitor, and you go out of business, where does that leave them?
You are outsourcing a mission critical part of your firm. Take it seriously, interview the folks you are using, and treat them like adults. Develop a set of requirements that you and your board are happy with, and get it down on paper, and in the minutes of your board meeting. Then hire someone to do your network, using your criteria, and documenting why they fit and where they do not. Trust is essential in business, I think, but should also be followed by a good contract, yes?
It's that simple. You can have them "telecommute" part of the time, maybe even most of the time, but if they work for you then you can trust them as much as you can trust any other employee.
A sufficiently advanced IT outfit could steal your data while you watched them administer your servers. They just wouldn't do it manually, using the UI; they'd write one or more applications that could do it all silently as soon as they plug in the USB drive.
And if you think you can watch them and prevent them from connecting a USB thumb drive, remember that a USB mouse is far larger than a USB thumb drive, which means logically it could contain one inside it. Remember also that USB is designed to support hot-swapping and that there are only two wires in USB that would truly have to be switched to make a hacked mouse change between USB-drive and mouse operation. (The truly cunning would, of course, secret an entire USB hub inside the mouse, solving the problem even more elegantly.)
You mentioned source code, so you have the skills to hire and manage technical people. Please leverage those talents and hire someone. Outsourced IT works best as a supplement for when your employee doesn't have a particular skill or the project is too big for one person.
I will not mourn that which I never had to lose. - Unknown
Just have google put in a bid now and save yourself the hassle.
Because any Network/System Administrator worth their salt doesn't have time to go snooping around your fucking data. They're on the front line against those whose active goal is to own your box, and possibly steal your so called, 'data'.
Should you fear the Network Admin? Sure. Fear that they get tired of the measly salary you're paying them, the stupid questions that users ask, and the incompetent Manager that breathes down their necks wondering why they're tracking bugs on software forums, IRC channels, and Technology news sites.
Yes. You should fear your Network Admin. Fear that they'll find something better, and leave that position up to someone less competent.
And you come to slashdot to ask that question?
Start by hiring someone with real business talent to run it for you because you sound like your own worst enemy.
IF YOU CAN'T TRUST THE PEOPLE YOU HIRED THEN WHY DID YOU HIRE THEM?
Seven puppies were harmed during the making of this post.
...just hiring a real network administrator? Honestly, it's an employer's market right now. There are lots of people who have been recently laid off who would kill for a job right now... probably even for a below-average salary.
If they know that much more about your network than you do, they could easily install a back door to give themselves remote access, even while you are watching them.
It is certainly harder to trust an offsite guy, for monkey reasons (can't see the look on their face, body language, that sort of thing) if nothing else; but I'd be curious to know if you have any reasonable grounds to believe that you could detect malfeasance in person.
An attacker, even a modestly skilled one, given the level of access an admin would need, could do all sorts of terribly serious things in the blink of an eye, whether or not you are watching him. When I'm wearing the admin hat, I routinely run executables on numerous client PCs, manipulate server settings, write and run scripts that gather all sorts of data, make backups, and so forth. Are you really going to be able to see the difference between me tarring the contents of your OMG_Sourcecode directory for backup and me tarring for backup && sneaking a second copy somewhere? And, if you are that good, why are you hiring me to sit there while you watch me, when you could just do it yourself?
If you are paranoid enough, you can use some sort of intrusion detection/exfiltration detection setup, with shell logging, and firewalls, and disabling usb mass storage devices, and uniquely barcoded hard drives, and cavity searches, and so forth; but somebody you trust will have to build that as well.
Obviously, going to Shady Bob & Pradep's House 'o Discount Outsourcing is a bad plan; but so is hiring Shady Bob to work onsite. I'm less sure, though, that there is a significant security difference between offsite and onsite people of otherwise similar levels of cheapness and shadiness.
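Added example, not part of any comment in this thread: several commenters suggest shell logging and account auditing rather than watching over the admin's shoulder, and one describes a backup `tar` followed by a quiet second copy. The sketch below reviews a constructed session log for that pattern; the log format, paths, account name and policy values are all assumptions.

```python
import posixpath
import re
import shlex

# Policy values below are assumptions for this example, not from the thread.
PROTECTED = ("/srv/source", "/srv/customers")   # data the owner cares about
BACKUP_DIR = "/backup"                          # only approved archive target
REMOVABLE = ("/media", "/mnt")                  # removable-media mount points
TRANSFER_TOOLS = {"scp", "sftp", "rsync", "ftp", "curl", "nc"}

# Constructed session log, one command per line:
# "<timestamp> <account> <command line>"
SAMPLE_LOG = """\
2024-03-02T22:01:10 admin1 tar czf /backup/source-0302.tgz /srv/source
2024-03-02T22:03:41 admin1 tar czf /backup/src-b.tgz /srv/source && cp /backup/src-b.tgz /media/usb0/
2024-03-02T22:05:02 admin1 tar czf /tmp/s.tgz /srv/customers
2024-03-02T22:05:40 admin1 scp /tmp/s.tgz ext@203.0.113.7:/incoming/
2024-03-02T22:09:12 admin1 systemctl restart smbd
"""


def under(path, roots):
    """True if path equals one of roots or lies below one of them."""
    path = posixpath.normpath(path)
    return any(path == r or path.startswith(r + "/") for r in roots)


def split_commands(command_line):
    """Split 'a && b; c' into simple commands (quoted separators not handled)."""
    return [p for p in re.split(r"\s*(?:&&|\|\||;)\s*", command_line) if p]


def classify(argv):
    """Return a rule name if this simple command needs review, else None."""
    tool = posixpath.basename(argv[0])
    if tool == "tar" and len(argv) >= 4:
        flags = argv[1].lstrip("-")
        if "c" in flags and "f" in flags:       # create + file, e.g. czf
            archive, sources = argv[2], argv[3:]
            protected = any(under(s, PROTECTED) for s in sources)
            if protected and not under(archive, (BACKUP_DIR,)):
                return "archive-outside-backup"
    if tool in ("cp", "mv") and len(argv) >= 3 and under(argv[-1], REMOVABLE):
        return "removable-media-copy"
    if tool in TRANSFER_TOOLS:
        return "network-transfer"
    return None


def review(log_text):
    """Return (timestamp, account, rule, command) tuples worth a human look."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        ts, account, command_line = parts
        for simple in split_commands(command_line):
            try:
                argv = shlex.split(simple)
            except ValueError:
                # Unbalanced quotes: do not guess, hand it to a reviewer.
                findings.append((ts, account, "unparsed", simple))
                continue
            rule = classify(argv) if argv else None
            if rule:
                findings.append((ts, account, rule, simple))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The findings are items to be explained against the work that was requested, not verdicts. A log like this is only worth reviewing if it is shipped somewhere the audited account cannot edit it.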
. . . as far as you can throw him . . .
. . . this ancient bit of pseudo-Zen probably makes more or less sense as any other answer to that question . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
the cleaners have physical access to your everything. what contract did you sign with them? you know, to minimize your risk, you should outsource your IT to the cleaners. they already have physical access to everything, so it's not much of an extra step to let them maintain your systems too. they're even in the office on a daily basis. if you have any IT issues, just leave them a note!
It depends on the level of secrecy you need for your data. If you have very valuable IP like a blueprint for an Anti Matter reactor then it would probably be best to hire an IT Admin that works for you. That way you can do a security and background check and make sure they're up to code. They'll probably still put in some Remote administration stuff but that's normal. If you're protecting a calendar for a lawyer then outsourcing the IT would be a pretty good bet to save some money since it would be expensive to hire 1 admin for 2 computers. It really depends on what you're doing and what you're protecting.
Forcing them to do the administration locally doesn't fix the security/trust concern. If that server has internet access, they could set up the remote administration themselves or at least the (paranoid hypothesis) information stealing, or even take whatever they want with a USB key or things like that. It also will not exactly add sympathy for you, and will make emergency fixes slower.
Of course, when you are going remote you don't just trust a person or company, but its security practices too.
You really need to ask yourself if you want a professional or a peon? You write your question as if you want someone you can piss on, that tells me you want a peon. Heck, you'll save money on the peon, you can get one from any local technical college, they might even know what they're doing.
If you want a professional and don't want to pay for one, you're outsourcing some part time work. You get a portion of a professional's time, that makes you a part time customer, a small fry for the outsourcing company. They are essentially offering a courtesy to you at all to work on your network in the off chance your company grows as this will leave them in a good position.
The bottom line is that professionals that live in your country need to be trusted, they have too much to lose. Most professionals will undergo a background check one to every two years. No professional is going to destroy their livelihood by leaking something like your customer list. No professional is going to risk going to prison or getting sued for crossing the line as long as they live in the same country as you. They will lose their ability for references. Outsource to India and the like and all bets are off, there's no reputation to maintain.
Really, the question is why would your customers trust your company, and is a professional service really any different?
The biggest problem is that the vendors you are talking to are being honest and setting your expectations and you don't like what you're hearing. You're about to discover how every extra service has an additional charge and you'll quickly bury yourself in extra fees in the event your company does grow. If you want to position yourself for growth and don't want to be sunk under a slew of fees you should hire a professional in house and then trust them to do their job.
The same reasons clients will be trusting your start-up company.
Skip ------ See the latest from http://www.anArchyFortWorth.com
you hire a locksmith to make sure your security is top-notch, but now there's a guy out there, a locksmith, who can enter your business anytime he wants
if you want to trust professionals to do a job for you that involves the security of your business, you need to actually trust them. based on what evidence? no evidence is possible. you need to take a tiny leap of faith, and rely upon the usual indicators of trust in such a business situation: reputation, track record, time in business, contacting other customers, etc.
in business there are plenty of times you need to take a leap of faith and make a judgment of trustability and character and integrity. this ranges in all aspects of business: distributors, employees, accountants, managers, etc.
absolutely nothing in this world insulates you from the risk of being screwed by someone in your employ/ in a business relationship with you unless you do it yourself. so get out your bullshit meter, set the guy down on the other end of a table, and start measuring. and if you are spooked in any way, don't hire him or cancel the contract or fire him. you don't get any other guarantees in business beyond that
if this is not enough security for you, well then maybe the business world isn't suitable for your comfort zone and you should pursue a job where someone else worries about these kind of things
all i could think after reading your question is that life as a businessman does not suit your character
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
You say "Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"
Given that you aren't administering your own network, I'd guess that you don't have the skills to do so. Would you know trouble if you saw it?
Would you know enough to see them setting up a remote service that they could get back into? Would you know enough to catch them copying sensitive files from wherever they live to some staging directory, then later copying that directory off to a flash drive, or to some external server? Would you be able to catch them downloading a root kit and installing it?
In short, given that you don't have the experience to admin your own gear, do you REALLY think "standing behind them and watching them" is going to do anything but waste your time?
And IF you have the skills to admin your own machine, but want to outsource that due to some idea of "I have better things to do than this" - you have the time to stand behind them and watch them do the work, does that not imply you have the time to do the work?
Like others have said: If you are concerned, make them put up a bond.
www.eFax.com are spammers
You see, I hire an admin to do a job, and then, I kill him and place his body in the server cabinet. With all that heat and dry air circulating, it mummifies the dead ex-admin. Now, as an additional profit source, I sell the mummified bodies to mummy collectors. I have an artist who's into Ancient Egypt and ancient Peruvian art so I can pass off these mummies as the real thing. I'm currently working with a chemist to fake bog mummies, but that's off-topic. The downside? When a job applicant asks what happened to the previous guy, it's awkward, but I just say the old guy moved on to another life. The applicant usually nods in understanding - I think he's thinking that the old admin moved on to management or medicine or something.
There you go! I'm thinking of writing one of those management books that sell millions of copies - you know, the ones that your boss walks in every other week with the management idea du jour. Mine will be called - Pirate Management: How to succeed in a cut throat business environment as taught by Blackbeard.
Anyway, that's how I have an ultra trustworthy admin staff. Now, what to do with all those cops poking around.
I own a company that does outsourced IT support. Were it us, I wouldn't insist on being able to do remote support - but you'd pay so much for on-demand on-site support you'd be better off hiring someone in-house to do the job instead. The reality is that (were it us) we'd be coming in to your office periodically (depending on your size, from maybe once a month to as much as a couple of times a week). And most of the routine requests you will make we'd take care of by logging in remotely to deal with them for you. In most cases, we can log in and handle it a lot faster than we can free up enough time in someone's day to get them over to your office.
That's the reality of outsourced IT. You can get very good coverage that way, and any good company will give you face time with whomever is handling your account. I've got a lot of clients that trust my employees (and me) with their keys, passwords, and all the lot. I've got professional liability insurance, and a reputation that's even more important to me. If we were the company doing your support, I'd gladly sign an appropriate document guaranteeing we'd keep your data private.
I'm not pimping for my company (you're probably nowhere near where I work - else I would likely have been contacted as one of the firms bidding) but most companies like mine work that way. That's how we can do good work and still be affordable. But the reality a lot of these posters have pointed out stands: if you can't trust an IT company to handle things for you, then hire an admin in-house.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
As a sysadmin-for-hire who works for an IT outsourcing company, my suggestion is to make them work within your comfort level. My company will work on-site, or remotely, at the client's discretion; and I believe we offer a discounted rate if we are able to work remotely.
You are the customer. If they won't write up a contract that meets your requirements they are not the right company for you.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
A few weeks ago I read an investigative report on repair shops in Britain. Aside from overcharging and finding non-existent problems they looked at and copied information off the computers that were being serviced. Have reason to trust anyone that you give that kind of access to. Then trust, with as much verification as is economical and doesn't unduly make the service provider think that you don't trust them, since unwarranted distrust chips away at the relationship.
Sure, that'll be the gay. Day! That'll be the day.
No, that's a good question. To save money and maybe even take advantage of more knowledge and experience - you may need to outsource such activities and for THEM to save money, which saves you money, they want to remote access into your system. Others may want to outsource their servers to a farm (like a web or email server). This could open up the server to the remote vendor's admins. You may not know them and the vendor may not even know them if they're new. You can never be too careful - we've all worked with newbies who have crashed us. Spectorsoft (I use their employee monitoring software for investigations but others may know them for their kid monitoring software) has JUST released a new server monitoring software (might be called Spector Server at spectorserver.com). From what I read it records only when an admin logs in and then records everything each one does including screen snapshots (which, along with their keylogger, is the best that can be found). I am looking at it to monitor my Citrix Server but I can see where it might give you peace of mind with vendors, etc.
I've had this same conversation with Sr. Management at companies I've consulted with and companies where I've managed the IT staff. Watching over someone's shoulder is a "fail" strategy. I'm not going to get into the details of why, but consider that my executive summary. Let's move on. From a trust perspective a third party isn't necessarily more or less trustworthy than your own staff. A bitter employee is (in my opinion) more likely to do something awful to you than a consultant for hire. I suggest that you consider encrypting your most sensitive documents. This can protect your key intellectual property from your network admins while still providing them the access they need to do their job (namely allowing you to keep accessing those documents reliably). This approach works fine for basic documents but doesn't lend itself well to source code unfortunately.
Evolution: love it or leave it
.. the real problem is whether you can trust the network where that remote administrator is located. Do they have a clean network? Trojans? Sniffers? Etc.. You should really audit their network before giving them permission on yours.
TOP DSLR Cameras Reviews of the top DSLRs
If you're the manager responsible for the overall system infrastructure, look at this as a big red waving flag. Your company has reached a stage where there is a definite need for an IT specialist, and the networking infrastructure, file server needs etc are already beginning to outgrow the current capability. This would be a good time to have a Systems Administrator in-house, since this position is very often overlooked in the context of a small company, who has a limited budget for "immediate needs" in your domain (biotech, wireless, web, whatever). Assuming that your company intends to grow, not shrink, so will the IT needs and demands upon the infrastructure. Before you know it, adding more people and getting more projects will spill over into increased storage requirements (SANs etc), failover policies, daily, weekly, monthly backups and tape archival issues, fileserver issues, remote access to employees, etc etc just for starters. This person may or may not become the eventual lead of your Systems team, but they will go a long way towards solving major and minor IT problems, and eventually a team can be built around/over/under that person when you become a 100 person mid-size company. I'm working in one now, and a smart move would be to start putting the systems administrator position on your next budget. And this has nothing to do with IP or looking at proprietary data, though having an in-house person would deal with it for sure. The external company would be bound by NDA/CDAs, and the contract to not divulge any proprietary information, that's a basic line in any contract between 2 companies in a collaboration. This has to do with planning for the IT needs of your company in advance, and not ignoring this need as a "nice to have". It's not, you need to have someone who can support you and the other employees fulltime.
Well, I have to say that I've also seen quite a few shady customers, from an IT service provider perspective.
I remember I had a few conversations that went roughly like this:
Customer: "Why do you have 25 Windows Server CALs on this offer?"
Me: "They're required for all users accessing the server"
C: "Yeah, but a friend told me that it works without them"
M: "That's indeed the case, they're just a license, not enforced by technology, but you still need them to be properly licensed"
C: "In that case we don't need these"
M: "They're not optional"
[ .. ]
Well, trusting is the cheapest solution. But otherwise, give them Remote Desktop Access to a PC (GotoMyPc, Netviewer, CoPilot) and then you can monitor. And of course, it is a good idea to structure your network to not overly trust systems and users, so if they administer one server, they should not be able to get to other, more important services.
However if you have sensitive IT, for simple services it might be good to actually DIY - I mean if you Monitor them and you are qualified to understand what they do... you can also do it.
Greetings
Bernd
Ultimately, no matter who you get to do the job, you'll have to exert some amount of trust.
If you do it in house, there is a better chance that your in-house tech will be more loyal to your company. However, that is only going to be true if he is already trustworthy AND if you treat him/her like a respected employee. If they're getting no respect, no pay and are over-worked, then being his employer makes those techs no less likely to be untrustworthy.
You can't stand behind your tech all day long, even if you put him in the same office as you are. If they want your stuff, you're already owned, in-house or not.
Outsourcers do have additional problems, but your lack of direct supervision is not really one of them, at least in the theft category. They are certainly more likely to regard you as a faceless victim that can make them some free money, and certainly, if your company fails, it will impact the outsourced employee less than if you had to lay him off due to losing your shirt. Ultimately, though, no outsourcer wants to get a reputation for being untrustworthy: they will police their own people for you.
Further, there is a certain level of honesty and integrity in even the lowliest of Bangalore call center operatives. They're not amoral faceless mercenaries that are looking for any chance whatsoever to get rich at your expense. Many of them don't even have that much imagination anyway. They just want to get paid and support their families or put food on the table. You have to have a special type of person to even plan these sorts of capers to begin with, and whether they work for you or not, it's very possible that no one will see it until it's too late anyway.
The other issue with outsourcers is simply that remote administration means that your administration data is likely passing through more potentially unsecured hops. Again, with industry standard VPN software and proper security, this is not an issue really. If you have admins who work from home, you are already facing the same risks as a remote admin at an outsourcer.
What you need to do is to get a reputable outsourcer who is bonded, insured, and can do the job you want them to. At that point, you have to decide whether your top secret sauce is so important that you can't risk it getting out. If that is the case, then you should be paying to improve your security, and that means you get in-house people who may cost more, but who are going to have an extra loyalty factor. If you can tolerate a little risk, then you get the outsourcers and then create a security policy and data management tools for your trade secrets that will withstand a network intrusion. That probably means encrypted data files and various other means of access control as well as a staff that is highly trained to follow those policies to the letter.
That's a decision you have to make for yourself. If your idea is the next Pets.com, you might as well let it be outsourced. Your success will likely be in your execution of your business plan, rather than the uniqueness of your idea. No industrial espionage organization or foreign intelligence agency will give a shit, and if you think about it, who else would pay any money for your trade secrets other than those two sorts of groups?
On the other hand, if your idea is the design for a viable Cold Fusion reactor, then you hire in-house and you have former Special Forces operatives with assault rifles trained at the heads of your techs while you have a supervisor watching over the tech's shoulders 24/7 and network security teams constantly watching every bit coming out of the interfaces. And of course, you pay the techs more than the President of the USA to tolerate that treatment. And it will be worth it, because you are going to be stinking rich very soon.
It sounds to me that your network might be unnecessarily complicated for your needs. If your network is large enough to require the services of an administrator, you should have enough funds to pay for a full-time on site admin. And with the economy as it is right now you can probably get a recent IT or CSci grad on the cheap since they'd be wise to admin your network rather than taking a job at wally world hoping for better luck later. Otherwise you might be wise to look into how you can simplify your setup so you can administer it yourself or pay one of your employees to administer it half time while doing their regular (hired) job the rest of the week.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Seriously, is that really a concern? I've never seen a company whose source code was so "advanced" that stealing it was really worthwhile. If you're doing something really revolutionary, patent it. If you're just implementing algorithms that hundreds of other people have implemented in the past, there's basically nothing worth stealing in your code. True, a sysadmin could possibly copy everything about your web site, and change the domain name, and stand up a copy of it, with all of the data but even a skilled admin would take a day or two to do it. Then there's the challenge of trying to convince the customers that they should switch to a system that's exactly the same as the one they're already on, but run by someone else.... Why would they want to do that?
So, let's say that the sysadmin then hires some coders to change the source code, to make their site different from yours. Design some changes, get some coders on it, and put it through QA, and you're looking at at least a week, probably closer to a month before they've got a site that's an "improvement" over yours that might attract customers. How much has your site improved in a month? How many customers have you added in a month that will be resistant to change? How much has your marketing department done in a month? How many marketing folks will this outsourced sysadmin company have to hire and spin up to compete with your marketing folks?
Ultimately, it comes down to this... The sysadmin is in a different business than you. They have no reason to steal your code or customers, because unless you provide outsourced system administration, they aren't set up to do the same kind of business as you, and probably have no interest in it.
IT companies like to do remote work because it is more efficient. I can log into a half-dozen servers simultaneously and get productive work done on all of them at the same time. While I'm waiting for some task to complete on one server I can work on another. It is much better than driving over on-site and twiddling my thumbs while the machines do their thing.
As far as trusting your administrator... Honestly, as an administrator, I just don't care about my clients' data.
I mean, I care in as much as it involves my job duties... Making backups, verifying the backups, setting up shares and permissions and whatnot... But what am I going to do with 100 GB of confidential accounting information? Or medical records? Or resumes? Or whatever it is that this company does. I'm an IT guy, not an accountant.
The odds of me actually being able to grasp the value of this data is pretty slim. And even if I recognize it as terribly valuable, top-secret information... It better be really valuable because I'm going to lose my job and any kind of reputation I have if I do anything with that data.
So, no, I'm not going to steal your data and run with it. I've got better things to do with my time.
Really, though, you're going to have the same trust issues with some outsourced guy doing the work on-site... He could throw your confidential data on a USB drive easier on-site than he could remotely. I suppose you might see him doing something suspicious... But would you actually realize what he was doing?
Even if you don't outsource - if you hire your own IT staff - you're going to have to trust them with your data. In-house guys can steal your secrets just as easily as outsourced folks.
If you're truly paranoid you'll just have to do your own IT work. There's no other way around it.
If you're just vaguely worried about trusting other people you can take some sensible precautions. You can have your IT folks use their own login instead of the generic administrator/root account. You can have them sign a confidentiality agreement. You can have them sign a contract that very clearly states what they are expected to do, and what they are not allowed to do. You can make sure you're hiring a bonded company. You can ask for references, and speak to some of the other folks this IT company supports.
"Work is the curse of the drinking classes." -Oscar Wilde
Not sure why everyone here is attacking the guy. There are plenty of companies that will do on-site IT support for a certain amount of time each week. He could have on-site personnel at a fraction of the cost of a full-time employee. I know because I work for a firm that provides exactly this service.
I'm an outside consultant and some of my clients allow me remote in access and a couple don't. If you are truly worried about what happens where there is remote support, you could try
(a) have a firewall rule configured to only allow VNC access from their subnet on the internet
(b) keep VNC turned off on the server unless you've called them for support then you turn it on and allow them to remote in.
This enables you to maintain some control over when they remote into your network, and still allows you easily to watch the screen to see what they are doing.
An alternate configuration of the same is
(a) you don't allow any remote access from outside
(b) when you have a tech-support need your IT vendor must provide you a point to use a reverse-VNC connection (e.g. under the "RealVNC" implementation you would right-click on the VNC icon and left-click on 'Add New Client', then type in the DNS-name or IP address of a public IP address they provide you to give control to one of their technicians)
If you have a problem with them providing remote support, simply talking with them about it may be a good solution; however as somebody has already commented there are usually extended costs if a person has to travel to your business to do work.
I are one, and I stand by my statement.
http://teasphere.wordpress.com - A little spot of tea
Turn on auditing, and log everything they do. This is easier in a non Microsoft shop, but you can do it there too. You can record READ access to the event log. Bear in mind that a directory listing or a search within Microsoft products count as read access. As a workaround, even though they are admins you could revoke their access to your data directories. Sure, they could change that, but this makes READ access logging much easier.
SQL supports the same type of thing.
If you don't have the time to do this, then you don't really care about it. My .02.
You need to ask what you need to secure before you can legitimately worry about losing anything.
The remote admin (presumably) does not need to know how much you pay your staff, or what you are corresponding with a lawyer about. So, encrypt those things that you need to hide.
Job done. Worry no more. Sorry the solution wasn't more exotic.
"And the meaning of words; when they cease to function; when will it start worrying you?"
And why would you trust your insourced staff? If you outsource services the basis of the service is the Agreement which should impose financial fines on the other party. This is your primary security when outsourcing.
Also, even an outsourced network operated by another party can be secured without trusting that party - that is what encryption was invented for. The other question is whether you can afford such a level of security in which the system admin can't access the protected data (like - imagine - in Government Security Agency). Such systems exist but they tend to be ten times more expensive (just an example - that may be fifty times etc.).
Personal security is the basis and accounts for (IMHO) 80% of overall security.
I'm unclear as to why you think having them work onsite is more secure. The statement "administer the network in person so we can stand behind and watch them" implies that you have network skills at least as great as they have. In which case the watchers can do the work themselves.
Would you really notice if I ran a batch file that planted a trojan on your computer and uploaded your SAM file(s)? I doubt it. Your IT guy knows everything; that is just a fact of life. Hire a professional and it won't matter. Or you can hire Geek Squad level. Just plan on those "private" pictures of your wife to be added to his personal collection.
I also suspect that you might be hobbling yourself in other ways. (Unless you are geographically isolated or have a non Mac/Windows environment) there is a large number of consultants who will do on-site work. I know; I'm one of them. You will pay more, but there are some situations that require hands-on support. It is very hard to replace a power supply over a VPN connection.
Good luck, and I'm glad you're not my client.
But at least you saved a few nickels~
You want trust, quality and availability? Hire someone and treat them in a manner where they want to see the company succeed.
Even if it's just 1 Network admin Guru who oversees and authorizes permission for the off site team.
The Kruger Dunning explains most post on
Such a service should be bonded, by an outside bonding company. It's the surety bonding company's responsibility to run background checks on the contractor's employees, and to pay up if they steal. (They'll try to get the money back from the contractor or the employee.) Banks carry surety bonds for their employees.
Here's a contract for network administration services with a bonding clause.
As a company that offers outsourced IT services, believe me, all of our engineers have no time to be snooping around and pilfering your data.
Hello
I read your post with interest because my career is in this specific area of IT. I work for an IT firm which provides services to small, medium and large business, and I must admit it does make me very happy we have built our reputation as a business to be 100% trusted by customers who have very large annual revenues. We gain that trust through tireless service and offering our customers value they simply cannot achieve with hired staff. One of our core values is in that we can accomplish equivalent (and better) work as an on-site IT resource for a lower price, and also offering a level of service to SMB that they are unfamiliar with because they cannot afford full time IT staffing and/or have previously worked with a one-man IT shop.
This value proposition is bolstered only by customer references and the trust our customers place in us. They gain this trust because they work with the same people every day. It is very important you trust your IT provider. In finding an IT provider you can trust, you should look for a company which has a very low turnover in technicians, a place that values the people and sees them as more than a resource. This may be a golden goose in your area, I am not sure, but we are that type of company and that is why we gain the customer's trust. Most of our customers, I would say, trust us way more than rank and file employees. After all, we do have the "keys to the castle" so to speak, and are trusted to maintain permissions to important resources such as HR information, revenues and, well, everything. The only other people with access to this information are officers of the company.
The point is, you have to trust them. There's really no option. Just do a good job finding a partner you can trust; value personality traits, employee retention and honesty over cost and certifications.
Would be foremost in my mind.
i.e. sniffing network
If someone has physical access to a server you pretty much have to trust them anyway. Allowing remote access just feels different, it's not. You could, however, log more of what happens if it's just remote access.
Given physical access to pretty much any box a motivated person can get at anything they want admin password or not. It would make it easier to get goodies outside of the physical location if the box had access to the outside world.
If you don't trust them, don't use them...EVER.
I worked in IT for about 15 years, and always held that if a company doesn't trust its network administrators for a justifiable reason, then those people shouldn't be the network admins.
Remote/local doesn't matter. If they are not trustworthy and you can document why, then don't make them your admins. If they are, then don't worry about it until they do something to violate that trust. And if they do violate that trust, then go after them guns a-blazing (figuratively, not literally, OBVIOUSLY).
Most network admins want to be trusted - and need to be. Being untrustworthy is the kiss of death in that entire career path.
As others have said, local or remote doesn't matter. In-house or outsourced doesn't really matter. You need to accurately assess their trustworthiness and then deal with it in an appropriate manner.
Insanity is a gradual process; don't rush it.
There seems to be an assumption that you can "keep an eye" on an on-site network administrator, and that's why you can trust them.
How would you tell if they were up to no good? Will you be looking over their shoulder constantly?
I have worked in medium size IT shops (approx. 100 people), and have seen the system admin team all stand around a computer as they go through their manager's CV (they had left it on their home drive). This was practically outside the manager's office, but you can't be everywhere at once.
Maybe you assume that you will only hire trustworthy people, but how can you tell if you can trust someone just by working with them?
Personally, I think the bigger risk to your operation will be if you hire a bad sysadmin.
Owen.
Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
When I was still doing systems and network management, administrators had full, unlimited access. Yes, this means what you think it does. External or internal administrators WILL read all your data, the crooks will sell it to the highest bidder. It is simple to bribe one local administrator, which is all you need.
Expect this to happen. Outsourcing is not the issue. Misplaced trust is.
Your data is yours to protect. If it is important enough, make sure it is encrypted.
I'd get professional advice on that - it is easy to do wrong. (Would you expect your copier to be a security risk?)
There is some data that a sysad, whether internal or external, should not be trusted with.
Basic system administration should be required for business and management degrees, enough to maintain the disconnected key server and the separated subnet that handles all the most sensitive data.
Small networks are not that hard.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
It's inflammatory a million different ways, but AC has the right idea.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
If you are working on or doing some cutting edge development then you might want to be paranoid.
But if you are making a CMS system or a web portal, then I probably wouldn't worry so much.
Exception Duck - may or may not contain chicken.
What happened after that?
I was an admin for a large networking company and one of the managers wanted me to set up something that would send email when one of their direct reports logged in. They thought their people were coming in late. They were not going to tell their employees that they were being monitored like that. I pointed out that many people do not log in the first thing when they arrive at work. The manager backed down.
See now when you want something done, you'll pay for it and often EXTRA! When you had an SA onsite he was at your beck and call and did what you needed him to do. No matter what time of day or night.......okay...wait...
Your code is useless to anyone else. The only person who believes in its value is you. That is why you are unable to administer your own systems. So relax and enjoy it...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
All your datas are belong to us.
Speaking as someone that works for an IT services company, I imagine that your IT support is more worried about your "startup" company paying its invoices promptly rather than your product or IP.
Your IT probably gets paid enough for trust.
but the janitor staff?
you think they don't snoop thru your stuff? Install hardware keyloggers? Keep trash?
Do you think people can feed their families off minimum wage?
Be seeing you...
It's probably more likely that a hired employee will steal confidential information than an outsourced IT company for several reasons:
- Micro-managing them and treating them like a criminal is a sure fire way to piss them off, disgruntled employees do bad stuff, just check the news now and then.
- Idle hands are the devil's playground, if the employee isn't busy enough, they can often get into trouble.
- In the unlikely circumstance that an employee gets caught and brought to justice most employers don't do background/criminal checks anyways, so it doesn't affect them as much as it would an outsourced IT company that may get caught. (ie: go out of business)
Regardless though, if you are worried about your data, ENCRYPT IT! Keep the key on a USB stick that never leaves your sight. Now you are in control of it, and who cares if someone steals your data, unless they have a cluster of a few thousand CPUs and 1000 years to brute-force your key, they'll never see what you have to hide.
As a support guy, your data isn't at all interesting. To be honest we usually have too much to do to even notice what you have on your screen. We don't have *time* to steal your data and become fabulously rich, you are too busy bothering us with techie issues :p
Stop outsourcing .. problem solved.
Give an American a job you may be pleasantly surprised at the quality of the work we do.
Japan has gun crime? (For example.)
Gun laws do work, sort of. But, as the gun lobbyists say, when you outlaw guns, only the outlaws ... .
Oh, and then there are knife crimes and poisonings and whatever. Elementary schools have to lock their gates and watch them with video cameras to keep the crazies with knives out. Just in case, really. It doesn't happen very often.
But it is still safe for two women to walk alone at night in much of Japan. Most of the time. I'm not sure whether that's a cause or an effect here.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Good lord, companies like HP & EDS (a multi-billion dollar services outsourcing company) have (for example) a three BILLION pound (sterling) outsourcing deal with the UK MOD - you think your business is worth stealing compared to what's on those systems? That's just one of thousands of customers. Funny but those companies (and dozens of others) are massively successful because they are professional and know what the consequences of bad behaviour like that would be in the market place. Some customers don't even just have remote admin, they have remote data centres and other people doing everything for their organisation's IT, down to even answering the phones and taking care of the mail.
Do you trust the pilot you outsource to every time you fly, or do you stand over his shoulder double-checking everything he does? Seriously, if you did that to me I'd tell you to shove your contract. You think you can do it better? If you can then why did you hire somebody else?
To be honest, as a hard-working IT services provider for over 15 years, I find your question downright insulting.
Go to the local Linux user's group. Not only will you find guys that know the network because of standards, not just Microsoft ways of doing things, they tend to be really honest: give one of these guys a stake in the company (instead of money, or with a little money) and he'll be happy to help out.
Learning the good ones from the dumb ones isn't hard; go talk to them. See who's quiet, and who's helpful. At the end of the meeting, drop off a business card and tell'em about the opening. Typically, they're happy to get into it, even if it's just a side-job, assuming they have the time.
"Unix" a friend of mine used to say, "is a humbling experience. You learn that you're NOT the baddest programmer on the planet when others come and show you how to do it better. And they always will. You're never the 'fastest gun' and you never will be." Over the last 25 years, I've found that to be true. Look for a helpful, humble guy. He'll be the one that has the experience.
And no...as much as I'd LOVE to get back into the adrenaline-pumping world of startups again, I have to stay here and take care of Mom. (79, broken ankle, etc)
--- For a good time mail uce@ftc.gov
pee-yew!!
For customer and email data, seed it with false information that you can intercept. This will tell you if anyone has stolen your data and is now using it. You should periodically add new seeds and store a date with it so you can pin down an approximate time period should someone email your entire list. Keep your seed source code and data outside of your production source code and database and away from the admins.
Camping on quad since 1996.
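The seeding scheme from the comment above, as an added example that is not code from the thread: dated decoy customers are derived from a secret kept off the production systems, and mail arriving at a decoy address bounds when the list was copied. The catch-all domain, the name lists and the secret are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date

# Assumption: a catch-all mail domain that only you receive mail for.
SEED_DOMAIN = "mail.example.net"
FIRST = ["alex", "dana", "jordan", "morgan", "riley", "sam"]
LAST = ["baker", "cole", "ellis", "hayes", "nolan", "reyes"]


def make_seed(secret: bytes, batch: date, index: int) -> dict:
    """Derive one decoy customer for a batch date.

    The record is a pure function of (secret, batch, index), so the ledger can
    be rebuilt from the secret alone and never has to sit in production.
    """
    msg = f"{batch.isoformat()}/{index}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    first = FIRST[digest[0] % len(FIRST)]
    last = LAST[digest[1] % len(LAST)]
    tag = digest[2:5].hex()  # makes the address unique to this seed
    return {
        "name": f"{first.title()} {last.title()}",
        "email": f"{first}.{last}.{tag}@{SEED_DOMAIN}",
    }


def build_ledger(secret: bytes, batches, per_batch: int = 3) -> dict:
    """Map every decoy address to the date it was inserted into the data."""
    ledger = {}
    for batch in batches:
        for i in range(per_batch):
            ledger[make_seed(secret, batch, i)["email"]] = batch
    return ledger


def leak_window(ledger: dict, recipients):
    """Bound the copy date from the decoy addresses that received mail.

    Returns (not_before, before) or None when no decoy was hit.
    not_before: newest batch seen, so the copy was taken on or after it.
    before: next batch that was NOT seen (None if there is none). This bound
    only holds if the whole stolen list was mailed, not a sample of it.
    """
    hits = set()
    for addr in recipients:
        key = addr.strip().lower()
        if key in ledger:
            hits.add(ledger[key])
    if not hits:
        return None
    newest = max(hits)
    later = sorted(b for b in set(ledger.values()) if b > newest)
    return newest, (later[0] if later else None)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # keep the real one offline
    batches = [date(2010, 1, 1), date(2010, 2, 1), date(2010, 3, 1)]
    ledger = build_ledger(secret, batches)
    # Constructed scenario: unsolicited mail reached a January and a February seed.
    seen = [make_seed(secret, batches[0], 1)["email"],
            make_seed(secret, batches[1], 0)["email"],
            "real.customer@example.org"]
    print(leak_window(ledger, seen))
```
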
Your boss was right about that mail server.
Of course, when I say that, I also say, by implication, that he should learn enough to manage a small-scale (Linux or BSD) mail server for-sensitive-mail-only.
Management that doesn't understand enough small-scale IT to handle the sensitive stuff is not management.
More to the point, if you can't manage data, you can't manage people.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Hell, I'm the Network Admin, and I don't even trust myself.
why should they have the keys to the city? who are they? what do you know about them? unless there are legal, binding contracts, NDAs, and more in place, why not require that they earn remote access rights?
also, if you are looking for someone to be your local net admin, why are you considering companies that will only do it remotely?
not only is time travel possible, it's irrelevant.
If you are that concerned about your data, encrypt it.
Unless the admin is supporting your dev environment, or you have issues with the drive your data is on, it should not be a problem for you.
Are you worried that they're in there at all, or that they can get in whenever they want? If it's the second, perhaps look at whether the remote support can be set up to only work once someone inside the organisation authorises it.
Where I work, we have an in house IT department, but one of our vendors sometimes needs to remote in to perform maintenance, or to provide specialist support for their product. We're not worried about the vendor stealing our secrets, but they are notoriously bad at keeping us informed about what they're doing.
When they want to perform 'remote consulting', they send a request using GoToMeeting. Unless someone accepts that request, they can't get in. In our case, we also have it set up so the end users can't accept the request unless they tell IT first (blocked at the proxy). That gives us an opportunity to talk to the vendor and grill them about what they'll be doing, why, and how long they'll be in. For maintenance, they can also log in via RDP, but again this is blocked at the firewall until they call and talk to us.
Something similar might be useful in your case. And if you don't trust the outsourced company to set it up, get someone else to come in for a day and verify their work. Maybe you won't know what they're doing, but at least you'll know when they're doing it.
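A way to check afterwards that the "only when we let them in" arrangement held, as an added example that is not from the thread: it compares a remote-session log against the windows IT approved, and also applies two checks suggested elsewhere in the discussion (access only from the vendor's subnet, personal logins instead of the generic administrator/root account). The log format, addresses, account names and approvals are constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation address ranges, made-up accounts).
VENDOR_NET = ip_network("203.0.113.0/24")
GENERIC_ACCOUNTS = {"administrator", "admin", "root"}

# Windows IT opened after the vendor called: (start, end, stated purpose).
APPROVALS = [
    ("2010-03-02T09:00", "2010-03-02T11:00", "patch file server"),
    ("2010-03-05T13:30", "2010-03-05T15:00", "restore test"),
]

# One session per line: start, end, source address, account.
SESSIONS_LOG = """\
2010-03-02T09:12 2010-03-02T10:40 203.0.113.17 vendor_jsmith
2010-03-04T23:05 2010-03-05T00:30 203.0.113.17 vendor_jsmith
2010-03-05T14:00 2010-03-05T14:20 198.51.100.9 vendor_jsmith
2010-03-02T10:30 2010-03-02T11:45 203.0.113.20 administrator
"""


def parse_sessions(text):
    """Turn the whitespace-separated log into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, user = line.split()
        sessions.append({
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
            "src": ip_address(src),
            "user": user,
        })
    return sessions


def review(sessions, approvals, vendor_net):
    """Return (user, start, reasons) for every session that breaks a rule."""
    windows = [(datetime.fromisoformat(a), datetime.fromisoformat(b))
               for a, b, _purpose in approvals]
    findings = []
    for s in sessions:
        reasons = []
        # The whole session must fit inside one approved window; a session
        # that starts on time but overruns is reported too.
        if not any(a <= s["start"] and s["end"] <= b for a, b in windows):
            reasons.append("not inside an approved window")
        if s["src"] not in vendor_net:
            reasons.append("source outside vendor subnet")
        if s["user"].lower() in GENERIC_ACCOUNTS:
            reasons.append("generic account")
        if reasons:
            findings.append(
                (s["user"], s["start"].isoformat(timespec="minutes"), reasons))
    return findings


if __name__ == "__main__":
    for user, start, reasons in review(
            parse_sessions(SESSIONS_LOG), APPROVALS, VENDOR_NET):
        print(f"{start} {user}: {', '.join(reasons)}")
```
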
If you are that worried then go local since that's the only way you could worst case just SHOOT the guy.
Go local pay wellish spring for bennies as you can afford and have policies in writing.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Better yet hire 2 of them so one can keep an eye on the other.
In my day job, we rarely let outsiders admin our systems, even though it's all logged. In my side job, I offer either onsite or remote admin at the same cost, but the difference is response time.
In your case, why not disable remote access unless you need them and insist on a product that lets you monitor their activity, like Dameware?
In what universe? What definition of secure?
Or are you assuming that the guy asking this question doesn't have anything valuable enough?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
If they are not insured & bonded (or are unwilling to show you proof that you can verify with their insurers) then you shouldn't be working with them. If they are willing to put up the cash for insurance and sureties that will PAY you if your IP or physical property for that matter, is compromised, devalued etc.. then you've got little to lose.
If your IP is so important to your company that the amount of their maximum insurance payout would NOT cover your losses, then you should be doing these items in-house instead of outsourcing them.
If you use a client initiated vnc connection you can have the best of both worlds. Remote management only when you want and you can monitor every detail if you wish.
Plus they never know if you are watching so it keeps them honest.
First of all, congrats on your startup.
Sounds like you're meeting a theme you'll see over and over again in your business lifetime. Risk assessment. What it comes down to is this: Is the confidentiality/integrity/availability of your data worth more than the savings you're seeing by going with an external company?
This of course begs the question, what is the stuff on the first side of the equation worth, in terms of dollar value? This is key and will drive most every security decision you make, from how much you should spend on locks for the front door, to fire insurance, to hire vs outsource.
Of course hiring doesn't remove the risk (as a general rule, risk is never going to be 0, you can mitigate it, not remove it) but it likely has a lower risk value, because the person is inhouse, subject to supervision, easier to perform background checks on, etc.
Google Threat Risk Assessment for a starting point on the exercise.
Disclaimer: I do this crap for a living, your value for $paranoia may not equal my value.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
When someone holds your wallet, Watch, Always Watch!!
My company manages the networks for over 100 small/medium businesses in our area.
I am the lead admin on 8 of them. I maintain day to day operations on the servers (37 of them now!), networks, printing, desktops, applications and such.
I have customers that won't let me see some of their data. But it's these same people who won't let anybody see it. Which makes me wonder what happens if they get hit by a bus. It makes me wonder if there is a secure backup happening, since they won't even put this info on the network.
I think the real reason is so that nobody can check her work and see if she's embezzling. I wouldn't be able to find that out, but if she lets the stuff onto the network, somebody else might figure it out, so it stays hidden.
Most of the time our problem is that the customer doesn't want to know about the security risk in their organization, much less from anybody else.
These guys have passwords that are 9 years old for their administrator account, and they won't change it. OUR admin account's password changes regularly, but Administrator or root's passwords stay the same in perpetuity.
If you outsource the IT stuff, make sure you're still admin. Make sure you're getting all of the emails from the backups, the network monitoring tools, the array controllers, etc. If they hide that stuff, start worrying.
My mom says I'm cool.
Or should we lock them out and make them administer the network in person so we can stand behind and watch them?
If you have the time to stand and watch your network administrator, and the knowledge to understand what they're doing, surely you don't need them in the first place.
Blazing Spiders
I don't get it, actually. Are you planning to have a person just dedicated to "watch" the admin guy? Just hope you don't outsource him/her, too. And even if you do (ok, needless to say the previous one was sarcasm), how are you gonna verify that everything is ok? I mean, if the outsourcing company asks him to retrieve any data, he could just write a script at night and run it silently. Don't you think?
I agree that some tasks can be covered just by "asking" an outsourcing company for a guy with certain skills. But in other ones, trust is very important, this is a good example. Certainly you will pay more (most 'cos of taxes, I guess, just like in Mexico), but in the end I think it's the best option.
Regards,
What makes you think you can trust a person you hire directly to Administer the network? He too can steal your data and sell it to your competition. ;-)
What is your job description? You work in a start up that has/generates source code, but you don't have a CTO/CIO? You have people that generate source code but can't set up and maintain a LAN? Get someone who knows WTF they are doing first. Then they will tell you what to do.
"It's because they're stupid, that's why. That's why everybody does everything." -Homer Simpson
You seem to be under a misapprehension. He's NOT "your sysadmin", he's your outsource company's sysadmin. As others here have said, if that's a problem, hire one yourself and be sure you treat him/her well.
Whether it's an "insider" who works for your agency or an outside contractor, it doesn't matter: either way you have to trust somebody.
The only solution that makes sense is an audit trail that records file transfers and can't itself be modified - which is a real bitchkitty to implement. Does anybody know of any decent products that cover both servers and workstations?
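A hash-chained log is one common way to approximate the audit trail asked for above: it cannot stop a privileged user from editing records, but it makes any edit detectable, provided the latest chain digest is also kept somewhere the administrator cannot reach. This is an added example, not a product recommendation or code from the thread; the event fields and file names are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first record's "prev"

# Constructed sample file-transfer events (hypothetical field names).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12", "user": "admin1", "host": "fs01",
     "action": "copy", "path": "/srv/src/app.tar", "bytes": 4812300},
    {"ts": "2024-03-04T09:15", "user": "admin1", "host": "fs01",
     "action": "upload", "path": "/srv/src/app.tar", "bytes": 4812300},
    {"ts": "2024-03-04T09:20", "user": "admin1", "host": "ws07",
     "action": "delete", "path": "/tmp/app.tar", "bytes": 0},
]


def record_digest(prev_hash, event):
    """SHA-256 over the previous digest plus a canonical form of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log, event):
    """Append an event and return the new head digest.

    The returned digest is what gets sent off-box (for example mailed to
    the business owner) so that it can later serve as a trusted witness.
    """
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev,
                "hash": record_digest(prev, event)})
    return log[-1]["hash"]


def verify(log, trusted_head=None):
    """Return (ok, index of first bad record or None).

    Without trusted_head this only proves the chain is self-consistent.
    With it, a chain that was rebuilt from scratch or truncated is also
    rejected; the reported index is then len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != record_digest(prev, rec["event"]):
            return (False, i)
        prev = rec["hash"]
    if trusted_head is not None and prev != trusted_head:
        return (False, len(log))
    return (True, None)


def run_demo():
    """Build a log, then tamper with it in two different ways."""
    log = []
    for event in SAMPLE_EVENTS:
        head = append(log, event)

    # Tamper 1: edit one record in place without touching the hashes.
    edited = copy.deepcopy(log)
    edited[1]["event"]["bytes"] = 1

    # Tamper 2: drop the upload record and recompute the whole chain,
    # which anyone with write access to the log file could do.
    rebuilt = []
    for event in (SAMPLE_EVENTS[0], SAMPLE_EVENTS[2]):
        append(rebuilt, event)

    return {
        "intact": verify(log, head),
        "edited": verify(edited),
        "rebuilt_unanchored": verify(rebuilt),
        "rebuilt_anchored": verify(rebuilt, head),
        "truncated_anchored": verify(log[:2], head),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The rebuilt chain passes the unanchored check, which is why the head digest has to leave the machines the administrator controls.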
In addition to the other points made above, consider that anyone competent to do the job could grant themselves remote access while you're not looking. If you select your level of support based on a notion that you can trust some types of support people more or less than others, you are choosing them for the wrong reasons. First determine what level of support you need -- full-time onsite employee, part-time onsite employee, or outsourced support that may or may not do all work in person. Once you've made that decision, choose someone with a decent reputation or references to do the job for you.
It's interesting that the realization comes after the ink has started to dry on the proverbial paperwork.
As others have already pointed out, you have to choose what you are willing to put up with. No solution has zero issues or problems, just different ones.
In all cases, your risk of data/ip theft? Greater than zero. It will never be zero, short of you getting all copies and all peoples who have had contact with it and lock them in an underground room for all eternity.
* Presumably, you have some form of agreement(written contract) with the outsourced IT group. If you don't, you should _address_ that issue.
* You should have insurance for your company, so that in the event of fraud, theft, etc... and your business goes belly up, you have the means to cover your debts.
* You should be just as equally concerned about data loss as you are about data theft. Ie, make sure you have enough copies of your data/IP.
Regardless of whether you have in-house staff or outsourced staff, you should have some means of auditing your environment to address and reduce the risks involved. If nothing else, it will give you visibility into the types of areas of knowledge that someone other than your IT admin would know and be able to pick up the pieces should one of the problem scenarios appear.
Assuming you decide you are happy with your current support situation, get them to produce a human readable run-book for you, so that should they go out of business, bail, or otherwise default on the agreement, you will be able to bring someone in to take over. Schedule time for someone other than the primary support person to use the runbook to perform downtime/maintenance tasks/etc with the runbook. If there are any issues or problems, have the outsourcing company update it. Make it part of the understood and written agreement. You want to be able to rebuild, in the case of any failures.
Quick summary:
- validate/verify terms of agreement with existing IT support partner
- affirm creation of run-book with support partner and verify that it is valid and up to date with regularly scheduled DR/maintenance tasks
- have an on-site "intern" learn the tasks and serve as your in-house backup IT resource. Presumably, this person can also do double duty, if they happen to be a coder/content developer/PM with prior admin experience, etc. That person is your plan "B". This makes the runbook that much more important.
- NDA(s) and the legal expertise on retainer will help a lot in terms of enforcement and collection on damages, but it will not prevent theft.
- Know what your company's plan "B" is in case of theft. Should you be segregating your information? Should you be encrypting your communication? Is the fact that some of your coders are bringing in USB flash devices and bringing work home a problem in your mind in relation to remote IT support?
There are plenty of issues and potential areas for IP theft/leak/sabotage to occur.
Legal agreements will help you when dealing with another company entity, but those legal agreements will do precious little if the theft/release of your IP causes your business to go down the drain.
Winged Power Photography
I can tell you right now, an administrator is going to tell you right where you can tar it if you stand over his shoulder while he's trying to work. I've been an admin for a long time and I've dealt with people like you and it always comes down to the same thing:
Either you will trust me to do the job you hired me to do or you can find someone else to do it. Being administrator inherently means I will have access to all your base. The fact that I'm a professional doing a job I was hired to do means all your base are not belong to me. Irritate me by hovering over my shoulder all day and that will change.
It is a mistake to think you can solve any problem with just potatoes.
Either hire an in-house IT person or pick a reputable outsourced IT vendor and trust him.
You're apparently a software company (or at least a company concerned enough about their source code to fear corporate espionage), and you outsource your system administration? If you were a dog I'd slap you on the nose.
My response is one of many just like it, but bottom line is you HAVE to trust your network admin. Whether he's on site or off, he has access to your stuff. And frankly, I don't care if anyone walks in and sees what I'm doing randomly, but outside of a performance evaluation, the day anybody steps into my office and starts watching what I'm doing is the day I quit.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
You used the past tense. Therefore I see that you've already made the decision to do this and have executed on that decision. The agreements are signed and the admins are working on managing your systems as I write this. A lot follows from this having already gone down. In other words, this detail is important to clear up before proceeding because there is a large difference between something you have not yet done and something you have already done and now have to live with.
Of course they all do. Look at this from their perspective: many organizations hire them to do what you hired them to do. None of these IT admin firms have the staff to do things in-person (as you later contemplate threatening upon the firm you hired) where people expect explanations and instruction while they do what you hired them to do (which, by the way, makes everything take at least twice as long). If you wanted teachers to train your staff, you should have hired said teachers. If you wanted something different, you should have considered this before you contracted with them. Be here now. Best to focus on where you are now and proceed from that point realistically.
Your so-called intellectual property isn't the issue here, you've crossed that bridge. Your issue is you have post-commitment jitters about something you apparently didn't think through. Since you've already inked the deal, it's time to trust your new partners and understand that you don't have the power to "lock them out" in any way that wouldn't constitute a breach of contract or at least erecting circumstances that make them want to get rid of you as clients. You don't have the power to "make them administer the network in person so we can stand behind and watch them" nor would they likely want you to do that. You need to think ahead this time and consider the ramifications of being watched; I'm almost sure you wouldn't want to work that way because hardly anyone wants to work that way. Why would you think they'd want to work that way? You've described nothing unprofessional or bad on their part, so you have no cause to treat them as you describe.
Chalk it up to a lesson about thinking through the details before commitment.
Digital Citizen
How can someone who can't manage data and networks manage people?
Of course, the managers would hire IT specialists to actually do most of the work, but if managers are able to maintain a small, secure network for the sensitive data, they can set it up as a sub-net, and keep the sensitive stuff off the main network.
And, of course, management trained in IT would be better able to evaluate the costs/benefits/risks in hiring vs. outsourcing for their situation.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
I am a remote administrator for dozens of companies. I have been doing this for many, many years. My business success is directly dependent upon your business success. I have a vested interest in every single one of my customers growing and flourishing in business. As such, I only recommend solutions that are justifiable in direct, easy to understand terms.
You have proprietary information? So what. So does every other company and government agency I do work for - all of which is done remotely. Only on rare occasion do I visit on site.
If you cannot place your trust in the people holding your admin password, then administer it yourself. Otherwise be prepared to pay 2-3 times more for simple administrative tasks.
I'm sure I have access to tons of proprietary information, sensitive information, etc. but so what - I'm an honest guy. If I see the stuff, my first reaction is do we have this properly protected? I know the first reaction in a criminal mind is "What can I do with this?". Criminals don't usually want to work for a living.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Whether on-site or off-site, network administrators can screw you.
1. Make sure you have an excellent employee screening process.
2. Know what security measures are in place where your data is being processed and stored.
3. Get the non-disclosure and other legal documentation in order.
4. From time to time, have an independent entity validate that all these things are in place and being managed appropriately.
You cannot ensure that no administrator will go bad.
You can mitigate the risks significantly and make the little SOB suffer if he screws your business.
The main difference here is the significant amount of damage that they can inflict, so make sure you are covered. There's insurance for this as well.
To the OP, if you outsource any part of your company, including cleaning services, you are putting your company in the hands of outsiders. After in-house theft from employees the source of theft is almost always going to be the contractors, cleaning staff, or even delivery guys. We had a pizza guy steal a Blackberry with 3 blinking security cameras pointed at him. He was a convicted felon, but we did not know that because we did not hire him, and yet with him having access to our site for a few minutes, we almost lost a Blackberry. If your IP is that important to not trust outsiders then don't. IT will always have the keys to the kingdom and if they are not on your side they can clean you out in minutes. Think encryption or passwords will help you? They will just install keyboard loggers or do man in the middle attacks (when applicable) using your own network.
BTW, what kind of startup can't afford IT or do it themselves? It does not take a rocket scientist anymore to handle a few servers, some switches/routers/firewalls and a dozen or so workstations. Anything beyond that and yeah it makes sense to go with an in-house IT person but seriously what kind of company has no one that can do this and is posting on Slashdot? If you can't manage to set up and run an OpenBSD box for a firewall, an Apache boxen for slinging HTTP, a cheapo 300-400 dollar gigabit router and less than a dozen workstations then this is really not the site for you and you pry don't have what it takes to run a startup. Startups are hard work and require people to be jacks of all trades till they can hire on specialists. Why not try Business Week or some place that can help you with your problems because I just don't see them.
An Education is the Font of All Liberty
No, I wouldn't trust them. If you have important and personal data I wouldn't trust that information with anyone, since someone at that company can use that data for ill use or hold your data for ransom. I read about too many people and companies who, when their relations turn sour, use that important data and information for ransom or personal gain.
How is someone more trustworthy just by virtue of keeping your office furniture warm? How you manage risk is entirely up to you, and your personal tolerance for it will dictate your need for insurance. If you're paranoid about the level of access admins will have to your data, run background checks on anyone authorized with that access. If you're still not satisfied, buy some insurance. I'm sure Lloyd's will insure you against even brain mice for the right premium.
Welcome to the world of outsourcing!
I'm sorry, that answer isn't very helpful. The real answer is, you don't. There's no way of knowing. Let me find my Galactic Overlord hat... here it is. Gotta get that visor fixed. Ok ok, if I were the Ultimate Evil, and I wanted to fleece a bunch of companies, I'd set myself up as a network outsourcing service, build up a solid reputation (even if it took years), a large clientele of important companies, and quietly scoop anything valuable. And then, one day, I'd simply disappear, with a suitcase full of hard drives (on a cart, 'cause those things are heavy), exploit the data, buy a third world country, and set myself up as President for Life. Um, of course, if I were unredeemably evil, which I'm not, so I'd never do any of those things.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
If you are a large startup you may require an internal Network Admin. Eventually companies get large enough where they do need an internal IT staff that can take care of day-to-day activities and then use an outside consulting company for projects and even extra hands.
I work for an IT consulting firm that actually specializes as both staff augmentation and full time IT support. Most of our clients are small to medium businesses. Some with as little as 10 employees. They don't have enough for a full time person to work on so they use us once a month. We also have an oncall/helpdesk department to handle things when the primary engineer is not on-site. But we also don't automatically give ourselves remote access without the permission of the client. We have some clients that only remote us in when there is a problem. Others trust us fully to be their full time IT support. It really depends on what your product is. I've signed confidentiality agreements with clients in order for them to allow me to work on their systems.
In this day and age IT is a major part of many businesses. You really can't take it for granted. Also you can't go around being paranoid of every IT person. Of course they are going to have full access to your systems and data, but if they are good they will not jeopardize their reputation by stealing data. You get what you pay for also. Look for the companies who have been doing this for a while. Look at their partnerships (Microsoft Gold Partner etc..) Many vendors require that their partners meet certain criteria so not every consulting company can be a Gold Partner just because they know about the product. They need to have a certain amount of certificates among their engineers.
As far as the remote monitoring, well that is a cost savings to you. It costs much less to have someone remote into the systems to look at it than to have someone travel to your office and look at something that may only take a few minutes to fix.
Dewser - all around techy "In the immortal words of Socrates - 'I drank what?'"
If you're a Windows shop then ObserveIt is designed to help with this situation. http://www.observeit-sys.com/
with them that states they shouldn't be looking at source code and data, and should only administer the server.
One of the dangers of outsourcing or even offshoring is that people are working for you out of the office at a remote location and you don't know what they are doing as you cannot see them or even monitor remotely what they are doing.
In some cases offshored and/or outsourced work did lead to IP being stolen, especially if it was being done in a third world country.
If you have such trust issues, maybe you should hire a network administrator to work at your office or do it yourself.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Here's a thought: If you hire an admin, you have ONE person who might potentially steal your data. If you outsource to a company that has 500 people who have the ability to remotely connect to your systems, you now have 500 people who might potentially steal your data. The chance of having one bad egg in 500 is much higher than having one bad egg out of 1.
The larger the company the more resources you have to share the cost of IT Support, so for a start up, unless you have a large pot of money, outsourcing will be the way to go. Using outsourced IT should be fine, you get a team of people with different skills, you don't have to worry about them leaving, being sick or taking holidays. Look for a local IT provider that can provide boots on the ground. It will work out a lot better in the long run. The sad trend in IT support is managed services that allow support companies to sit around and run reports and do things remotely, but they hate coming out to see their customers, because they can't bill 2 customers at the same time. The commoditisation of IT support is creating this downward spiral in services offered.
For slightly larger companies that can afford more than one IT person, there is sometimes the added benefit that person B and person A can to some extent negate each other if only one is doing something inappropriate.
Of course if they both decide to drain the company bank account, steal your IP, and move to the Caymans together, you're still screwed.
You have to trust someone, if you are not able to manage a network and all of its components then you have to hire someone to do so (whether it's outsourced or insourced.) If they are a reputable company then they won't usually give a rat's arse about your "important data" other than to protect it as much as they can do so within the contract you specified. If you want someone you can baby sit then you need to hire a network administrator but be prepared to have a pissed net admin if you constantly look over their shoulder and second guess them. Sure it's an employers market but net admins tend to like to consider themselves adults. They don't need a mommy to make sure they are playing nicely. If you feel you cannot get by without baby sitting, then learn to manage the network yourself. If you trust your data to a sales drone, an accountant drone, you are going to have to trust it to someone with a clue about how a network works.
Either you trust your sysadmins or you don't give them the access they need. Administrators require access to all of your files, your network traffic, your email, your financial data. Not all of the admin staff needs it, but at least one of them does need some access.
The problem with outsourcing is you are treating sysadmins like janitors, a necessary evil farmed out to the lowest bidder. Where the reality is the function is a critical professional appointment which requires vetting, just as you would your accountant and lawyer.
POKE 36879,8
Knife crimes are reported sensationally in England but it's false that knife crimes are increasing dramatically -- see here for example. Knife crime has remained relatively stable over the past decade, most recently actually dropping by 15.7%. Maybe you're confusing knives with umbrellas?
I'm not too sure what your startup does, but it sounds like you're working with some things that you're very worried about losing, and are easy to steal. My guess is unpatented formulas or inventions, or maybe a complex bit of code...am I right?
The only problem with this is that you gave up control of your network to save money. If you force the admins to come on site for everything, you will probably be charged a higher rate because of the travel involved, etc.
On the other hand, a full time employee is just as likely to be tempted to steal your intellectual property, and probably have an easier time of it since they're insiders. The real solution is to hire people, insiders or outsiders, who you are comfortable trusting. I've seen a lot of local small businesses basically outsource their IT to "mini Geek Squad" rinky-dink little IT shops just because they're the cheapest around. That's fine if the most complex thing the company uses is e-mail and their web site. If you actually use your network for sensitive information-handling, it may not be the smartest idea in the world to have the $10/hr PC techs straight out of A+ school managing your devices.
The truth is, with exceptions, system administrators are a trustworthy lot...at least the ones I work with. Since we really don't have a formal "profession" yet, our self-made reputations are important to uphold. This goes triple in small industries, where you need specific skills to do related IT work--I regularly bump into people I worked with several jobs ago. Trust me, in my industry you'd never get another IT job if you were caught stealing customer data, credit cards, safety-sensitive info, etc. Everyone knows you and the work you do, or can easily find out.
I'd say my advice would be to pay your outsourcer a fair rate and really get to know who's doing work for you. Do you trust your own employees? If you can't say that about your service provider, go get another one.
The only problem might be the travel expenses for the flight from Europe.
But ever thought about File Encryption? Not typical on a file server but it works.
And if you do not trust your Administrator you possibly should look for a new one. Even if he could not read your data, he could bring your system down for quite a while or nag you with other things.
In theory one could also keep tabs on the local guy. You probably know some readily identifiable information on him, whereas ShadyCo may overall be a decent company, but overall you wouldn't know their staff overly well. A good manager is often in touch with his department, so you might catch on if "Bob Smith" from IT has a bad drug/gambling/etc habit and talk to him about it (and keep tabs on him) in order to catch any fishy business. Stan Doe from ShadyCo you don't know... so everything at that point is dependent on how strong your contract is with ShadyCo if he borks your servers or does something unethical... as well as their ability to pay VS declaring sudden bankruptcy and starting a new entity.
A disgruntled sysadmin could in theory plant all sorts of nasty backdoors in places that would be well nigh impossible to remove without complete reinstall/reconfiguration, which is why knowing your employees (and/or treating them well) may very well be the most important part of having them on-hand. My former co-worker and I used to make a game out of breaking into each other's desktops, with success being shown by a few amusingly tweaked settings (desktop wallpaper, internet start page, language settings, hot-pink window manager theme, etc). It made me really appreciate how deeply a system could be penetrated in a truly serious situation.
You don't outsource to a random idiot -- that's step one. Welcome to referrals. Ask a friend, or a competitor, whom they've used. At least that way, if the IT guy screws you over, he loses more than just you.
Second, hopefully you have NDAs with your clients. Those NDAs undoubtedly say that you have to have an equivalent NDA with your contractors. So make your IT guy sign an NDA.
Third, "stand behind and watch him"? Are you nuts? Not only are you not going to actually do that, but if you did, are you going to read every command? Are you going to understand them? You can watch a magician, or other sleight-of-hand artist as much as you want -- most of them depend on your trying to pay attention.
Wouldn't it be possible to set up encryption in such a way that all machines and all data requires something like an RSA token to access?
Have the company owner order the tokens and have them sent to him. That way there won't be a way for the administrators to surreptitiously keep one for themselves bla bla bla.
Granted, you'd still have to trust them to set the software up properly, but shouldn't this reduce the likelihood of data theft? Or at least what the thieves can get access to?
Bear in mind that there's nothing to stop an angry local administrator stealing/selling data, and being more intimately involved with the company's business activities, he probably knows better where to look.
But, I'd suggest not outsourcing if possible for a different reason. It normally doesn't work. The lack of local site knowledge is hugely detrimental to knowing wtf is going on. I was with a large aussie mining company that tried it - after 18 months they couldn't get away from the outsourcer fast enough. Main problems are that there is usually no continuity in who deals with a problem, no sense of personal responsibility, no problem ownership, and any admin who gets a clue at the outsourcer leaves and gets a real job as soon as they can.
You'll end up dealing with muppets who either don't care, have no clue, or both.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
While I won't argue with the idea that you should replace the system admin if you can't trust him/her, there is a fundamental problem when we separate managing data from managing people.
No, our current managers should not be trusted with their own networks, at least not most of them.
But management schools that don't teach enough applied systems management and enough information technology that someone graduating with a management degree could be expected to safely manage disconnected keyservers and a small, highly secure subnet for critical data, well, such schools are not teaching management.
They're only teaching how to either party or crack the whip or both.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Understanding process is the most important thing for you, a responsible customer. If there is not a process in place for change control or the vendor has nothing (system or software) that records changes, you might not want to use them if you are paranoid. That doesn't mean they aren't worth their salt, but it's definitely a consideration if you require HIPAA, SOX, or gov guidelines and compliance.
I've had similar discussions with customers in the past, but typically over installing software on multiple machines from a single source (pre-XP).
Customer: But I already own (Windows 2K/Office/whatever)
Me: Yes, but it's licensed for, and already installed upon, a single machine.
Customer: So?
Me: So I'm not installing it on any additional machines, nor will I touch any machines that have the software installed in violation of that license. If you don't want to pay the licensing fees, I could install Linux for you...
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
i'm an internal systems engineer and i don't trust the boss to not be doing suspicious stuff on the network. when i started, he was already a domain admin and there's not much i can do to remove those rights. he likes to login to switches, servers, routers, etc and just change settings that he thinks he needs changed, then when shit crashes, i have to go fix it. at one point, he installed some worm on his laptop and our intrusion detection system went crazy. i've also watched our exchange server as he constantly checks everyone's email.............the email checking is for personal gain of covering his own ass. i'm just sitting and waiting for him to make some huge mistake so i can justify removing his domain admin rights. 8)
stephen
Now that you've felt superior about someone else with your little word-salad of insults, you can go back to your wife and continue to fail to please her. In a few years, she will meet a kind, thoughtful man from Bangalore whom she will divorce you for.
Devastated by your loss, you will start to insult people in your personal life, not just people on the Internet who can't fight back. You will lose your job, and stumble into a series of manual labor tasks for which you will be ill suited, because instead of doing work you will spend your time insulting the shovels you should be using and the boxes you should be moving.
You will end your life standing on a street corner holding a sign that reads, "WILL INSULT YOU FOR FOOD." When you fail at this business opportunity (you will call it Panhandling 2.0, but that terminology will never catch on), your frozen corpse will be found by police, who will bury you in the city's Potter's Field. Your headstone will be carved by someone who doesn't speak English very well (he's a recent immigrant from Bangalore), so your name will be misspelled as an insult.
in most places I worked for, the network admin staff had a great time peeking into emails and private files (and, of course, "repurposing" quite a bit of our bandwidth and storage space). I imagine outsourcing does not alleviate the problem.
I'd look for a way to outsource network management, but keep all files encrypted, and unreadable by the network admin. The network admin doesn't really need to read the files to do his/her job.
The Cloud - because you don't care if your apps and data are up in the air.
Use the best of both worlds approach. I typically have offered remote administration but through a webex or live meeting session. That way you can watch what they are doing without getting in the way but also maintain control if you feel they are up to no good. I took over for a shop where they had allowed complete access to an outside support company and I cut them off immediately. Not necessarily because I didn't trust them but because I didn't want any changes being made that I was not aware of. Nothing more frustrating than having to troubleshoot something without all of the information.
Uhm, no. Gangs are not a non-problem here.
I live in a middle-class neighborhood, and the cops regularly patrol the roads from the station out to try to discourage purse-snatchings and the like. (We have one knife-wielding wild man in the neighborhood, but so far he hasn't stabbed anyone.)
Organized crime comes in all stripes here, although most gun use is between competing organizations.
(The pachinko parlors are generally implicitly understood to have connection to organized crime.)
There is a lot of stress here, so your experiment with hand guns would not be wise. Nor would a similar experiment with knives be wise. (Stress, not the weapon, being the issue.)
It's still relatively safe, but that will probably change with the new generation, who are being mostly raised without religion, but really aren't being provided with any good philosophical basis for moral or ethical behavior to replace it.
Make sure that you have a document to describe how to take back the network in case you decide to fire the IT staff. I used to work in this area, and I provided this to my clients even if they didn't ask for it. If I were looking to outsource, I'd certainly make sure that I had the ability to rip it back. Even if I trust the outsourcing company completely, which is requirement #0 in my book, I want to make sure that my company stays my company.
I happen to provide outsourced IT services and administer servers remotely.
My clients place the utmost trust in me. I provide the services all myself.
I guess it would be different if there were a large company involved.
Placing your trust in a company with remote administration is sometimes a good idea and usually a bad idea.
If it's really that important, give your outsourced admin an office in your building. Make him work from your site.
If you find you can't justify the costs of keeping him on-site, you should probably hire your own IT director who can either do it all.
They're using their grammar skills there.
PRC already has all your data . . .
systems administration is a job of many roles, sometimes even including managerial tasks. Are you really proposing that because someone doesn't have a degree in management they can't be trusted with management? sure sounds like it anyway. Not to mention, what about technical managers? I'm really curious what "data" you're referring to in your original post and how useful/less that data really is. Whether you can trust someone or not has nothing to do with what their job title is, that's for sure, and unless you plan on running an entire company all by yourself in paranoid dream land, you're gonna have to trust someone.
You've had a lot of good advice, that boils down to "you get what you pay for"... ... but consider: most likely, all your intellectual property worth having would fit on the MicroSD card in my phone with a huge lot of room left over.
The biggest issue with remote administration isn't the administrator, precisely, it's that there's a path intentionally maintained to permit remote access. That's the vector that needs to be secured.
I'd be more concerned about the remote admin's competency than his honesty (though I must agree with many upthread -- if you can't trust 'em, you shouldn't have hired 'em!).
All big outsourcers - especially those who have large offshore operations - make their offshore staff sign all sorts of confidentiality and privacy contracts. A sysadmin in India is as likely to wind up in jail as a sysadmin here. A worker in a Chinese factory committed suicide just because an Apple prototype got stolen from him.
That is sometimes true and sometimes it ain't. Managers have been known to get the bright idea to outsource to places (I won't name any names but you all know which countries we are talking about) where the outcome of a court case depends on who makes the judge the best offer rather than the merits of the case. Another thing with overseas outsourcing and outsourcing in general is to make sure not to become so dependent on the contractor that you wake up one day and discover you have become so dependent on the contractor/outsourcee he can start to dictate terms to you. There is nothing wrong with using contractors/outsourcing extensively but be prepared to keep a close eye on them... Stasi style... constantly.
No, No, Yes!
640YB ought to be enough for anybody.
You could encrypt the data. That however would require some technical knowledge on the part of the office staff and would potentially be something that would need support in itself.
You could always use "the cloud" and move to cloud based storage where your data would likely not be as interesting as the other data stored there as well. Although you might want to ask the guys at Twitter about the risks of that.
Face it. The best way to secure your data is to have physical control over it. The government uses "chain of custody" to secure most of its data. Outsourcing by definition reduces the amount of control you have over your data. Walking down the street has risks as well although the risks of being hit by a bus tend to be lower if you use the sidewalk.
It's kinda funny, I joked about this very same idea, that the $2.00/hour outsourcers might be intentionally raping our servers for profit. Then the next day one of my support clients had that exact thing happen to him... one of his developers in India decided to create a bunch of email accounts and spam off of them. I have to admit, it makes perfect sense: he probably made more money selling spam runs for a few days, than a week of regular salary, plus he's not going to get into any immediate trouble... I'm not going to fly over there and beat the tan out of him, he just lost one smallish contract - big whoop.
It's not about "you get what you pay for", and certainly not a racially charged disconnect (at least not in my case), it's just the risk vs reward balance that's tipped against us. Globalization is a double-edged sword. White collar crime is just as big a problem in western societies, but we do it bigger and badder. As an American, if someone offered you $100 a day to sacrifice one of your clients, you'd probably tell him to blow you. In India, $100 might be equivalent to $1000 to us, maybe more. I don't know about you, but in my neighborhood if you want to make $1000 a day you either have to sell your ass, or sell gobs of crack and blow. The incentives vs risks aren't on the same scale at all.
I'm not saying we should treat all outsourcers as hostile crooks, we have plenty of those right here at home, on the payroll even. We just need to approach it sanely. If you underpay someone, they are more likely to fuck you over - that much should be common wisdom in the business world. It's the dirty side-effect of living in an entitlement culture.
-Billco, Fnarg.com
you must encrypt
1. Trust is overrated. You should be looking at the processes that your outsourcer uses rather than the people who perform them. Look for an annual SAS70 or SYSTRUST audit/certification and shop elsewhere if you don't get it and you are paranoid.
2. Competence - The idea that that sysadmin should have access to the contents of the filesystem is quaint. Encryption solves the problem on one side, while a secure log host that the outsourcer *doesn't* administer will help you enforce accountability. AlertLogic do an appliance based log archiving system that would be ideal.
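An added example, not part of the original thread and not any vendor's product: one way a log host that the outsourcer does not administer can make admin activity records tamper-evident. The key, event fields and function names are hypothetical, and the sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value for the first record

# Assumption: this key lives only on the customer-controlled log host.
KEY = b"constructed-demo-key-held-by-the-customer"

# Constructed sample of admin activity forwarded to the log host.
SAMPLE_EVENTS = [
    {"who": "vendor-admin", "action": "login", "target": "fileserver"},
    {"who": "vendor-admin", "action": "copy", "target": "/srv/source"},
    {"who": "vendor-admin", "action": "add-user", "target": "domain"},
    {"who": "vendor-admin", "action": "logout", "target": "fileserver"},
]


def _mac(key, prev, seq, event):
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(chain, key, event):
    """Append an event, binding it to the MAC of the record before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    mac = _mac(key, prev, seq, event)
    chain.append({"seq": seq, "prev": prev, "event": event, "mac": mac})
    return mac  # the new head; keep a copy somewhere the admin cannot reach


def build(events, key):
    chain = []
    for event in events:
        append(chain, key, event)
    return chain


def verify(chain, key, expected_head=None):
    """Return a list of problems; an empty list means the log is intact."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            problems.append(f"record {i}: sequence gap or reorder (seq={rec['seq']})")
        if rec["prev"] != prev:
            problems.append(f"record {i}: broken link to previous record")
        expected = _mac(key, rec["prev"], rec["seq"], rec["event"])
        if not hmac.compare_digest(expected, rec["mac"]):
            problems.append(f"record {i}: content does not match its MAC")
        prev = rec["mac"]
    # Dropping records from the end leaves a valid shorter chain, so the
    # last known head has to be compared as well.
    if expected_head is not None and prev != expected_head:
        problems.append("head mismatch: log was truncated or replaced")
    return problems


if __name__ == "__main__":
    log = build(SAMPLE_EVENTS, KEY)
    head = log[-1]["mac"]
    print("intact:", verify(log, KEY, head))
    # Someone with write access to a copy of the log removes the "copy" record.
    print("record removed:", verify(log[:1] + log[2:], KEY, head))
    # Someone drops the most recent record instead.
    print("truncated:", verify(log[:3], KEY, head))
```

The check only means something if the key and the last head value stay out of the administrator's reach, which is the point of running the log host separately.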
It's normal for companies to remotely manage servers. It costs time and money to leave the office for a client's site.
If the information is critical then you need to stipulate that only employees at outsourcer are:
1. Americans
2. Have credit score of 650 or better
3. Have no criminal background
4. Outsourcer agrees to pay costs of lawsuits from stolen property.
#4 is a big one and many might just refuse such a contract. I am waiting for an interview from an outsourcer who wants a thorough credit check and criminal background. The client is a mortgage firm and I would be working at the site and in the office of outsourcer but it's what the mortgage company requires.
http://saveie6.com/
Andrew, your question is not dumb and I hope this reply helps you in some way. I am currently also a manager for a company that has a dev dept. that maintains proprietary code. I have been here long enough as well to grow the I.T. Dept. from when they were small and had little controls in place, grew my staff and hired security types to do gap and risk analysis to help establish proper controls, and also back down the hill with little to no staff again and having to vendor everything out.
My advice to you would be that it doesn't really matter whether you vendor out or hire internally, that's a cost based decision that should be made based on your company's need. (i.e. are you growing with many projects or downsizing and have a freeze on all projects) Usually during the expansion phase and stabilized phases of a business you will hire as it typically is cheaper and more beneficial because in-house developers and engineers (usually) take pride in their work and if you are a good manager, they will always go the extra mile and do the little things that really help make a network run its best. You'll have to do cost comparisons and analysis to see what fits your needs.
What does matter it appears from your post is your IP, source code, and customers. That is just information and any infrastructure engineer does not need access to that info to properly manage and maintain your network and systems. So concentrate (if those items are deemed super secret ;) ) on what controls you can and feel you may want to put in place to allow only those who need to know to work with that data.
Your IP info can be encrypted to those who only need to know the info and still be managed by an engineer. Some examples might be going down the road of AxCrypt, Truecrypt, or some kind of PGP based type of setup. Your source code can be maintained in a source code manager like subversion, vss, or CVS. And the same with your customer information, you should be able to manage it in such a way that your engineer does not have access, or can see the information, but access to manage it and let them do their job. Again, you'll have to do cost benefits and risk analysis that dollars spent provide true value and not a feel good value. Either you or a consultant can do a Quantitative or Qualitative Risk Analysis to help give a clearer picture of your risks.
As also pointed out, most engineers that I have worked with, really don't care about data and just want to do their jobs. But in the end you're the one responsible for ensuring you point out all the risks to the business and let them decide what to do from a dollar standpoint. Cause in the end, if there is an incident and you failed to identify it to the business, that could be your job.
G/L !
Seriously - if you're really concerned about the integrity of one company, hire a second as an auditor. They could both share access to the system, keep their own logs/records, etc, and you can be sure they'll look for bad things the other guys have done. Or you could give them complementary responsibilities: let one run the servers, another runs the network (with logging functions.) Checks and balances.
Am I being facetious? Partly. Obviously this is greater expense and reduced efficiency. But if you need to hire someone outside to begin with, what makes you think you can audit someone based on internal talent? And if you cost out this solution and show it to people, they will quickly and quantitatively understand the cost of distrust, and will be able to make a quick decision.
Sounds like the poster has inflated notions about the importance of his data. Most of us couldn't care less about what is in the company network, and if we looked, we would probably be mentally soiled. Maybe at Microsoft where you could copy down all the latest Windows releases (woo-hoo what a thrill). On the other hand, I worked for an outfit that had us read an employee's email to see if he was talking to other employers (he was) and we were assured that snooping on employees' email was legally acceptable. Can't trust anyone, huh.
If I wanted to, and I usually don't but then again I usually don't have someone standing behind me and watching everything I do, I could do a whole lot of damage to somebody's network and data even while he was watching me. And when I was done it would be hard to prove that I had done anything at all.
The only way to prevent that kind of thing would be to have someone watching me who knows exactly what I'm doing and understands that, say, creating an at job to echo the number zero five times into a text file will cause that file to be picked up by another scheduled task which would overwrite a source address in another file which would then be included in a firewall configuration later that weekend, and leave a giant back door open on the Internet where I and my friends could gain free access to your entire network. And if you have someone who understands all that but who still has time to just stand around watching me, then why wouldn't they be doing the job themselves?
Let's face it, even if you have the guy on site you aren't going to be standing behind him making sure he doesn't steal the entire time he is there. If the person who does your work is unscrupulous and your IP is interesting enough that they want to steal it, I would say they are going to steal it if they work remotely or on site.
I probably would try to insist upon meeting any techs that will work on your stuff face to face on a few occasions. Not that you'll definitely be able to spot a thief but you will get to see if the individual is someone that you feel comfortable with.
Keep in mind that just as you are saving money, the place you are outsourcing to is doing the same. There are so many benefits to them to not have to send someone out. They save money in gas. They don't lose an hour or so per incident to travel time. The tech that would have come out might be able to work on something else while he is patching your servers. The tech who comes on site benefits from being able to bounce ideas off others sitting in his vicinity rather than trying to call someone if he gets in trouble. There are a myriad of reasons why they may want to work remotely that are not remotely connected to ripping you off.
Another thing to consider...let us say that you hired me to come on site and be your Admin. I see a potential gold mine in ripping off your information and selling it so I go ahead and do it. You end up catching me. You sue me and are awarded all of the $8,000 in my bank account. I go to jail. That hardly makes up for the damages I caused you. A consulting firm is going to be able to compensate you more fully if one of their employees turned out to be a schmuck.
If you still would rather have them on site, see if you could work out a deal for slightly higher hourly wages to offset the "Hard" and "Soft" costs associated with sending someone on-site. If you can make it worth their while I would think they would be willing to accommodate you.
Get your own in-house guy. Someone who looks you in the eye daily, and sits at the same lunch table as the rest of your team.
If not a fully fledged network admin, then at least a support person who knows enough to know when things with the outsourcing firm get shady.
I do IT consulting for small businesses. There are costs and benefits to both. Basically you need to weigh them as they apply to your business.
IT On Site:
Benefits -
Closer supervision/peace of mind
Able to fix some things that require a physical presence
Costs -
Higher charge for on-site visits
Lost time for anyone who is watching the admin. You are paying double or more, and losing productivity.
Aggravated admin. Nobody likes someone watching over their shoulder.
Fire fighting support depends on unscheduled availability. If you call and the company has no free technicians for 8-12 hours you experience downtime.
Misplaced increased belief that your data is safe
Other issues -
Even if you watch everything done would you recognize malevolent behavior?
Off site:
Benefits -
Lower charge for remote support. Often much lower due to minimum charges for on-site visits.
Quicker response to emergencies
24/7 monitoring. The remote monitoring will notify you and the support company that the server/application is down.
Costs -
Personal supervision/peace of mind lower
Some issues are nearly impossible to fix off-site
I am sure this list can be greatly expanded, as well as customized to your environment. I think the question is a valid question, but I'm pretty sure the answer isn't what the poster hoped for.
Here's the thing. If I own a company, I trust my accountant not to embezzle from me and the rest of my staff not to slack off every time I turn my back because I sign their paycheck. I'm paying them good money to act in my company's best interest. Does it work 100% of the time? Obviously, no, because sometimes accountants do embezzle from companies.
However, if I outsource such functions, suddenly, I'm trusting someone who is ethically and financially beholden to someone else with the keys to my kingdom. Ideally, my company's interest and my outsource partner's interest are aligned, and everyone is happy. Many times, this is the case. However, if there ever is a conflict in interest, it is altogether reasonable to expect the employee to not act in your interest, but the person's who signs his paycheck. That's what I would expect from my own employees, and it's what I expect of outsourced employees.
Here's a concrete example. My company has already outsourced all of its first-level and second-level support to a help desk service provider. It worked well enough that now, it is considering outsourcing all of our third-level server support (i.e. the guys with the root passwords to all of the systems) and possibly even our architecture and engineering teams. Personally, I think that this is asking for trouble.
Why? Because with us on my company's payroll, it is in our employer's best interest to have the environment in peak working order. We respond to issues as quickly as possible, and we do extra work to make sure everything is in tip-top shape. If we get outsourced, however, suddenly the equation changes. Now, it is in our employer's (the outsource company's) best interest to have the environment working only just well enough to not lose the contract. If we have all problems solved within, say, 50% of our contractual service level agreement, that's a pretty good clue that our staff can be cut by 50% and still meet our service level agreements. It's in our best interest to solve every problem right at the last second. If the company we're working at doesn't like it, well, they'll have to negotiate faster service level agreements, and of course, that's something my employer can charge a lot of extra money for.
Extra work to make sure everything is working great? Hah! If anything, we should be working to make sure everything isn't working so great, but again, just barely come under our contractual agreement. The worse the company we're supporting is hurting (while we're still meeting our legal obligations), the more they'll have to spend on additional services and support.
Laughably, our server environment is a mixed-vendor environment, and the company they're probably going to outsource to is one of the two main hardware vendors we use. Of course, they're negotiating supporting both hardware platforms. Now let's say that the service level agreement to have a down server is four hours. If it's hardware vendor A's server (and I'm working for hardware vendor A as a contractor), I'll jump right on it. If it's hardware vendor B's server, even if it's just a minor little configuration tweak, I'm going to wait until three hours and fifty-nine minutes to get it back up and running. Six months later, when the higher-ups are talking to each other, hardware vendor A (who I'm working for) goes in and tells my former employer how much better vendor A's servers are to support than vendor B's, and how my former employer needs to dump vendor B's server and use vendor A as their exclusive hardware provider, even though in reality, it's entirely possible that vendor B clearly has the better hardware.
I could go on, but hopefully I've made my point. I honestly think our management either hasn't thought of these types of issues, or they just don't care, and they're hoping to
I run a small consulting firm in the midwest and we've been on the other side of this issue for as long as we've been in business. What it comes down to is integrity. While we would NEVER consider stealing from our clients or any of the other things you have mentioned, we know what our competition is and we have an idea of what they are capable of. Some of our clients are even competitors with each other and while it can be tricky at times to deal with both sides, I'm fortunate to say we handle each instance with professionalism and integrity. I know it sounds pretty pious of us to say we are above such things mentioned in your post, but we have a business to run (even more so in this economy). Our clients and their business operations have always come first and will continue to come first. Shady business practices will bite you in the long-run for sure, if not immediately in the short-run. We are fortunate to obtain all of our new clients through referrals. So Client A recommends us to Client B. Now that means Client A has really already vouched for us and our services. So as soon as we step in the door for Client B, trust on some level is already there. This is a tremendous benefit for us and one that not everyone can claim they have. So the long and short of it is, get a referral if you can. That way you can verify from someone you already trust if the out-sourcing company is a good fit for you. As for the remote administration, a lot can be said of the IT consultant who shows up when you have a problem and has a physical presence. It sets clients at ease and even though it's more work in some cases, I think it continues to pay off. There is a happy medium to be found in remote admin and on-site service. Any company that tries to rely on just one will find themselves unable to compete due to unmanageable costs (heavy on-site) or unhappy clients going elsewhere (heavy remote admin).
It doesn't matter if you hire someone on-site or off-site. You can't watch the person 24/7. If he/she is going to steal from you, it's going to happen. In fact, off-site makes it harder to steal expensive computers or personal stuff that the other employees might bring in.
If your system is engineered correctly (proper checks and balances, levels of security) -- they wouldn't be able to get to 'sensitive' material electronically even if they were on site, unless they steal the hard drive, backups or just any design documents lying around your office.
Best way to protect your IP would be to patent/copyright it -- that way, even if they steal the design docs, they can't sell it.
Why should you trust your network administrator? Why because you are a competent manager who fully vetted the organization who will be responsible for such sensitive data right? If you hired some Joe Shmoe sight unseen with no references and qualifications that cannot be verified then I would be worried. If you put the time and effort in to find the right outsourcing organization or single contractor who is fully qualified and respected in the local industry you have nothing to worry about. I am not saying there aren't immoral contractors out there but the likelihood that a well respected organization or a well respected contractor would steal data or maliciously destroy something would be remote. They would not want to risk ruining their good name which would take food off of their table. It comes down to building relationships. You have to know and trust this company/individual.
Outsourcing critical business infrastructure is simply insane. It guarantees your most important work will be done by the lowest possible bidder -- whatever YOU paid -- by people who don't give a damn, can't be held to account and are barely competent, if you're lucky.
Offhand, the NDAs forbid me from naming a huge insurance company, two hospitals and large municipal area that burned down to the ground just this past year from doing exactly this. I was on the teams that got called in to sift through the rubble and rebuild. In each case, the disasters could have been avoided by having even one competent seasoned admin on staff with the authority to say "I don't think so" and make it stick.
Personally though, I hope the large outsourcing groups keep right on going. I get to charge mugging rates to desperate men for cleaning up their messes.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
If you understood IT people, you would understand that they really don't care about your intellectual property or who your customers are. It's just data to them. They care about the systems on which that data resides. Most IT people are geeks who love tech, at least that's why they got into it in the first place. If they were entrepreneurs looking to start a business, they probably wouldn't be working IT.
This is further evidenced by the fact that they insist on administering everything remotely. They're lazy, motivated solely by their need to continue to pay the bills and fueled entirely by mountain dew. These are not the types of people looking to screw other people out of some cash for themselves. We leave that to upper management and lawyers.
That being said, if you're so worried about it, do what everyone else does. Require that they sign non-disclosure agreements and then sue them for more money than your business would lose in the event they steal any profits.
Little background: I work for an engineering firm that contracts with defense industry firms. I split my time between working remotely and working in-house. Even in-house, no one looks over my shoulder (hell, I hold the *only* key to the server room, aside from the master building key). I wouldn't trust you (and likely would refuse the contract) if you made such demands. Makes me wonder what you're hiding. Ultra-paranoid bosses are not conducive to an effective working environment.
The reality is, there's not a lot of incentive for me to steal your IP, unless you have something your competitors would pay me enough for to retire for life (ie, 7 figures minimum). The business world is small, if I get caught doing something stupid, I've screwed myself for decades and completely ruined my chances of working anywhere in the same industry. Well, unless I'm a CEO, in which case I'd get 30 job offers within a week of getting out of jail =)
Truth is, even with you looking over my shoulder, I could *still* do nefarious things. I'm a command line guy, and most servers can be managed from a console, so unless you've memorized all the cryptic switches for all the servers you run, I can do almost anything and you wouldn't even know anything is amiss.
Unless you can monitor my activities 24/7 by someone who knows what I'm doing, I can design a script at home and execute it right in front of your eyes with a carefully written shell command. You'd see me do it, and wouldn't even know it until I was long gone.
In Summary, yes, you are being paranoid. If you're a company with *very* valuable IP, you can't trust *anyone*. But then, if you were one of those companies, you wouldn't be outsourcing your IT in the first place.
I believe that the IRS states you cannot manage a contractor in the manner you wish.
As well. If you do not know what the sysadmin is doing, how would you know if they stole your data anyway?
Even an employee is likely to steal your data and in fact has more access and time than you might think.
The risks are the same with internal people. At least with external suppliers you should have a contract with penalties for any data loss.
That doesn't mean you shouldn't watch all suppliers and force them to only perform work while you are watching, if you like. Cut their VPN access and only provide access when you are available. However, you'll get tired of watching them and you'll get lazy.
With internal people, you will have a difficult time recovering anything after a breach. My company has been brought in after-the-fact a few times to help bring companies back after internal IT people with too much power (they didn't tell anyone their email or computer logins) either completely screwed the data OR stole the key equipment.
With external vendors, you can sue them out of existence.
Don't trust anyone.
A) If this was something you were good at, you would be doing it yourself.
B) They have root.
Implies
C) Your standing behind them and watching is irrelevant to the question of whether they can steal from you.
If you cannot trust them, it's not going to make a whit of difference either way. If you can, it will also not make a whit of difference either way.
So you need to make a decision - either hire someone you *can* trust, even if you have to train them up yourself, or hire someone already trained, even if the 'trust' half of the relationship has to develop over time. This is a situation where the 'golden mean' between those extremes seems worse than either of the other options. Decide your priority and go with it.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
We have multiple clients that have intellectual property that could be stolen or used for immoral gain.
We also do 85-95% of our work remotely, and only are on-site for projects or major hardware failure situations.
Our customers trust us because we have instilled confidence in them. They trust us with all of their data, be it quickbooks company files or large access databases full of proprietary information (shutup.. I know), because we have made a point of instilling that trust and confidence through our relationship with them.
Do you feel you can trust your remote administrator like that? If not, investigate why not and A) remedy it or B) find another company you can trust.
I worked at one time for a small (3-person: owner, accountant/receptionist/wife, and field tech--me) IT support company. We did contracted support for companies, and ad-hoc support for residential customers. Most of our corporate customers were clients my boss has known for years (maybe decades by then) and supported them from AS/400s or IBM minicomputers up through Novell and Windows 2003 Active Directory networks. We were the outsourced-to company, and we were trusted with access both on-site and remotely with the most sensitive data these companies had--accounting, contracts, customer lists, everything.
Establishing a relationship with a local outsourcing vendor can lead to a good, long-lasting support situation where you know the person servicing your systems whether they come on site or work remotely, and if they are willing and able to come on-site when necessary (Your router crapped out? someone will be there within the hour. Your file server is smoking? turn it off, and I'll be there in 30 minutes.) This was the kind of support that was provided, and we did everything from routers and servers to desktop and ip phones. All with only two technical people (myself and my boss, the owner). Several of our customers would never even consider outsourcing to someone they could not call on, especially if the people who supported them on the phone weren't the same people that would come to their office when needed.
There are two arguments for outsourcing, think of it as Theory X, and Theory Y, but with respect to keeping your job. Bernie Madoff used the same logic, and reaped Millions, his Outsourced Accountant won't face any criminal charges in the U.S. for the outright Embezzlement of Billions. But in my heart, I know that if Bernie's Accountant came to America, some people would love to treat that person like a King! however short 'lived' it would be. :-D
I have a few system support contracts for some small businesses in town - in person, but a lot of small stuff is done remotely, often after hours.
Honestly, I'm surprised at the amount of trust people have in me, or any other outsourced provider. Basically, I live and die on my reputation... it's funny, I never would have predicted that 10 years ago.
Anyway, if the shoe was on the other foot, I would do the following (this is also my fallback offer if someone objects to my working remotely):
- Do not leave the remote access on 24/7. Have someone in-house turn on the remote access software (or enable the firewall rule) on an as-needed basis.
- Use remote access software that you can watch. E.g. VNC for Windows works this way by default. RDP can be used this way. Or, GoToMeeting type meetings.
- Then monitor the screen out of the corner of your eye. Or just give the impression that you do.
Many, many other posters already made the point: you have to trust the entity you hire, or rather, delegate to. Simply, you cannot have your cake and eat it. Once you give your cleaner keys to the house/premises, it becomes pretty difficult to prevent access to the interior. Who cares if the contract is social/relative-for-favor, employee, contract (person) or contract(corp) - it's services rendered, moneys paid. If you were concerned about (civil) recourse, you would normalize contract language accordingly, but it's all about recourse - after the fact.
If, on the other hand, you wish to prevent disaster, then a) define your asset/threat b) implement appropriate security controls c) audit/enforce. Physical access with you standing over someone's shoulder *might* be the appropriate and cost-effective solution, but the odds are low. More likely, the few super-secret files are in a safe to which the general population does not have the key.
Whatever the asset, whatever the sensitivity, exactly how do you expect someone to handle it without ultimately having access?
I have lots of clients like this, worrying about the wrong thing, at the wrong time. We might be asked to manage thousands of desktops, in a completely open LAN/WAN - we might even manage the LAN/WAN itself - where malware/worm/virus would spread like wild-fire. Whatever weak security links the client has, we cannot undo. Yet, by psychological transference and amplification / "dwama", the focus is with my side's security when the worst we could do is expose a client login screen to the wrong staff member. That's nothing compared to the impact of plugging something into the client LAN.
Do your homework on the company. Get a list of their current and former clients and call at least 10 of them (at least two of them that joined in the past 6 months).
Don't hire an individual. Make sure when you contract with an outsourced IT company that you have the following in place:
1. They must notify you prior to outsourcing any of their work to another party (subcontract the work to someone you may or may not approve of).
2. They provide background checks on their employees.
3. They have privacy and other policies which they follow that comply with GLBA, HIPAA, or Sarbanes-Oxley (if necessary for your industry)
4. They will provide you with audited financial statements on at least an annual basis (you don't want to trust your goodies to someone that is going under and may be "pushed" towards unscrupulous behavior when the going gets tough).
5. There is no "automatic" renewal of the contract. (you should review their service at least annually to ensure they are doing the right thing)
6. They provide you with a copy of their support practices. (how many privileges does each employee have? Do they each have separate logins so you can tell who was doing what, etc.)
7. What State (if in the USA) laws is the contract governed by. Make sure it's not a State which is highly favorable to the outsourcing company.
8. The company is to maintain an insurance/bond policy against its employees' negligent or malicious actions that harm your company. The amount of the insurance or bond should be sufficient to cover your assets and your liabilities if data stolen from you led to a lawsuit against you or your company.
There is a lot more you can/should do. I would also have an attorney well-versed in contract law examine the contract to ensure it completely spells out the outsourcing company's responsibility and yours without favoring one party over the other.
Good luck!
If you are a dev shop you should probably see computer operations as a core competency. Do it inhouse and protect your assets. Anything else looks bad.
Fixer of things broken by people who really ought to know better
A vendor who has a roster of satisfied clients and the clear intention to continue doing business in your industry/area is not likely to ruin all of that by stealing from you.
Our firm tries hard to screen our staff and make sure they're trustworthy before allowing them anywhere near our clients and their data.
-B-
Answer: Do Not!
Trust is not and never "Assumed."
Trust is Earned, 24/7 and can be taken away in one second.
Okay, this sounds like a joke: A paranoid manager comes to Slashdot to complain about mistrusting outsourced IT labourers. Is this a troll?
only allows trusted identities to gain access to sensitive information. Problem is almost no networks are properly administrated, and current OS's and apps are woefully insecure. For every layer of security added, another layer of risk is also added. Security is largely an illusion and trust is pointless in a fully corrupt society. I think the best way to handle intellectual property is to make it available to everybody. If your information is top secret/classified, then follow the protocols for handling the information, but understand that secrets are made to be revealed. If you don't trust the outsourced firm, then fire them. It sounds like the responsibility is yours and you don't feel like you are in control or comfortable with the situation.
we don't think badly of you, because most of us are like you.
...and still stole billions from those who trusted him.
Put audit rules on database access. System Admins aren't necessarily DBAs. Outsource a DBA and lock down your data so that transactions are audited, including the DBA's transactions. Audit access to backup files and off-site back-ups. It won't be easy, but you CAN audit and/or prevent Sys Admin from getting to your data.
If you didn't outsource, were you seriously planning on standing behind your internal sysadmin the whole time? Why is an internal sysadmin more reliable than an outsourced one?
A man does not look behind the door unless he has stood there himself. - Du Bois
Ask yourself what YOU'RE holding back, what's your secret, what are you taking that's not yours, what's your agenda. Trust shouldn't be that hard unless you're also untrustworthy.
No you may not stand behind me and watch. You can hire me as an outside contractor to take care of your system remotely with site visits when warranted. You can pay more to have me sit on your site as your employee and twiddle my thumbs while everything is working and fix stuff when it isn't. But you SURE AS HELL CAN NOT STAND BEHIND ME WATCHING. Am I alone or do other people here have a problem with being watched while working? I bloody well hate it. Having to account for what you have done and/or explain it, fine. But some gobshite sitting watching your every move? No way.
Are you looking hard enough for a solution to the problem? I encounter businesses all the time who want their IT firm to work on site. They also have problems trusting anyone with remote access to the data, especially when confidential medical or financial records are involved. There are competent IT support firms that will do on site administration for you. In some cases, they can even be more affordable than the remote support types. You just have to look around! If you're in the Phoenix, Arizona area, my PC Techs is one example. They will provide an expert who will come to your business every time you need, and will work on site as long as you need them: http://www.mypctechs.com/
LeoPolus Web Design: http://www.leopolus.com
You trust your administrators because you have to, because they either have knowledge or time that you lack.
You want to have them onsite so you can stand behind them? If you've got enough knowledge to know when they are scamming you, and enough time to stand behind them and watch, then you should just do your own administration.
You can certainly break up the privileges, encrypt your data etc. but it has a lot of downsides when your administrators can't do things they need to do.
The fact is that you trust a large number of remote parties that gain that trust based on necessity or by staking their reputation on it.
You trust microsoft, adobe, mozilla, intel, nvidia, AMD, the guy who makes you sushi etc.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
The company jewels should be encrypted and kept in secure locations only. Just because someone sets up your network doesn't mean they have to have the decryption keys to everything on it.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
You are more likely to lose money from them over-billing you than from them stealing your source code. Stated another way, try offering to pay your outsourcing company with a copy of your source code and see how agreeable they are. Regardless, it is always good to evaluate your risk as long as your effort is proportionate to the value of your IP. Better communication and virtualization are making telecommuting more commonplace so I wouldn't focus your concern too much on their location. An NDA as mentioned by another reader is always a good idea. If your company is reasonably small, then get a little time alone and just write down your concerns, then address those concerns in the form of brief high level policies. Don't try to address the technical aspects of implementing your policies until you have written them. Example: I don't know who has access to, or is accessing critical files or source code. Resulting policy: All critical files must never be copied from ServerX without proper authorization. A weekly audit of Active Directory accounts/ Memberships and ACLs must be performed weekly and as requested by ... Even this may be more specific than you need to begin with.
After you have developed your policies, then begin addressing how to implement them in the form of processes/procedures. You might even engage your service provider to help you implement them. Don't waste too much time on wording your docs just right as they will be living documents that will change as your business requirements change.
Try to maintain a good balance of governance and efficiency. Over time, you will realize some tangential benefits for your effort and will have developed the crucial part of what will become your IT Governance strategy as your business grows and will even add value if selling the company is your exit strategy. Stated another way, If you are buying a software company with a unique application, would you perceive more value if they have policies and processes in place to protect their assets and can demonstrate that they follow them.
Good luck
Having been the victim of outsourcing I feel precious little sympathy. When you made your decision, you looked at it in very black and white terms when the world is quite grey and multidimensional. Had you considered the downsides to outsourcing and not just looked at it from a cost/benefit analysis, you would have made a better decision.
Do you stand behind all of your other staff watching them too ?
Must suck working for you!
"So according to you you should trust the guy because before the fact you should trust the guy or because you are doing your job?"
No AC, that's not it.
He's the manager. He is a party to a contract in which he trades use of his ability to manage for the company's money. Part of that ability to manage is supposed to include the ability to judge the character of the people he hires to do work on behalf of the company. If he doesn't have this ability, he is in breach of that contract, and at best irresponsible for having entered into the contract in the first place, or at worst, himself untrustworthy.
So he's come to AskSlashdot, either to troll us ("Let's ask IT people how you can trust an IT person, and watch the hilarity ensue!"), or because he's not competent to be in the position he holds. Now there is a small possibility that it is the latter, and that he is clueless enough to not realize that he's unqualified for the position he holds, but it's more likely that he's either trolling, or he simply doesn't care that he's unqualified, and he's cheated the company by accepting the responsibility without being able to deliver.
So yeah, there's a minuscule probability that I should have called the question "naive" instead of "dumb". But if I had to bet money on the reality, I know which side the probability is going to come down on.
-- Terry
"He's here asking for advice, so give it to him."
Fine.
You know that you can trust them exactly the same way the people who hired you knew that they could trust you to be able to make the decision on who to hire.
-- Terry
Don't trust outsiders. I have always worked at small companies and they all started with a developer being a part-time sysadmin. I once saw the transition between inside sysadmin to out-sourced. If I ever manage a company, I will not do it. Because it is another company, they will make you pay more than it is worth, and you will end up with a quality that is what a sysadmin gives to a client, not to his boss.
Security is not that hard to make right. Have one developer who can do part-time sysadmin and when the company grows too much, hire a good full-time sysadmin (that maybe can be a part-time developer as well)
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
How valuable is your data? If it's so valuable that you don't want it remotely administered, then can you justify the extra cost for on-site administration?
No, I will not work for your startup
Have beautiful young women administer on-site naked so you know they aren't stealing anything.
When I was young, I had to rub sticks together to compute.
This is a really good question I think.
I work for two companies in the same buildings. I am the sysadmin and have configured every server, every service, know all their codes, all the alarm systems, run the backups. /. :) I love my job. It's the easiest cash I've ever made. Yet I'm one of the most important people here.
But I'm a rogue. I read documents, sneak on documents to see what's going on. Pretty much, I know.
I wouldn't trust myself at all. The thing is, I have no reason to be doing them any harm either, why would I? They are paying me BIG BUCKS to do this. I just made 2000USD in 1 week doing this.
But If they would simply use their heads and ENCRYPT their data, I would leave it alone. But the temptation is far too big, not to sneak into those documents. I have learnt a lot of pitfalls of business in doing this.
I know it's illegal, but NO ONE will know. Not a soul. Except for
Encrypt your data. Either using Truecrypt file-containers (you don't need plausible deniability) or use some sort of other security measure of the stuff that's really important. Truecrypt runs on any platform and is free. But you knew that.
But really, what is it that you might end up losing? Most businesses are revolved around GETTING CUSTOMERS. And a sysadmin can't steal your customers. If they do anything to your customers, sue them,
By the way. Why do you need a sysadmin like that at all? If you have a disaster on-site, there's nothing they can do from the outside anyways. And if you have properly configured systems, why do you need to pay someone to log in and tinker?
IT-staff NEVER ends their tinkering. I know. It's how I make my living. I wouldn't hire myself.
And developers are not engineers.
Deleted
Make sure your CONTRACT specifies what they can and can't do.
I know an ex-financial manager who thought like that. "If there are any consequences of my lazy, negligent technical decisions, I'll know who I can sue."
They found out a couple of things the hard way.
1. Once your authentication server has been compromised, the damage is done and permanent before you ever realize there's a problem. Once the money is gone, it's gone. On most of the planet, US law means exactly squat.
2. The companies with deep enough pockets to make you whole long ago acquired enough legal staff and connections to tie you up in court for decades, making them effectively immune to lawsuits.
3. Even if you could win in court and get a judgement against them, your bosses will be so angry at the situation in general that they'll hang you from the nearest tree for the sheer satisfaction.
This person had been a thorn in my team's side for some time, and we silently cheered the Blackhats on while we went through the motions of doing our jobs. Unknowingly, I'm sure, but the Blackhats were doing God's work that day, punishing the guilty, forging eternal parables in living flesh. On paper, we did everything possible, but let's just say it wasn't exactly a pitched battle, more like "...help... ...police...we tawt we taw a putty-tat..." We did our jobs, sure, but we weren't the Angry Avenging Angels that day.
The Law is the wrong tool to use to fix poor network security. It's too slow and unwieldy, taking years to remedy situations that can go wrong in literally milliseconds.
Hire competent, experienced network admins and sleep the sleep of the Just at night.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
It should trust no one:
http://www.efluxmedia.com/news_Disgruntled_System_Admin_Holds_San_Francisco_Network_Hostage_20523.html
IANAL but write like a drunk one.
http://www.efluxmedia.com/news_Disgruntled_System_Admin_Holds_San_Francisco_Network_Hostage_20523.html
The only solution is proper segregation of privileges at the OS level.
IANAL but write like a drunk one.
http://www.efluxmedia.com/news_Disgruntled_System_Admin_Holds_San_Francisco_Network_Hostage_20523.html
There are many ways to segregate access to data and resources.
The "you have to trust somebody" is just an excuse from people that don't have enough technical know how to secure their data and systems properly.
IANAL but write like a drunk one.
http://www.efluxmedia.com/news_Disgruntled_System_Admin_Holds_San_Francisco_Network_Hostage_20523.html
The naivety around here is astounding.
IANAL but write like a drunk one.
"Trust your Systems Administrator" is the mantra. This is so pathetic that the only thing missing is the violin music.
You should trust no one, it is that simple.
Yes, it is harsh, it is difficult to implement, but it is the only sane approach to handling your and your client's data.
You can have a person administering services (DNS, DHCP, LDAP, whatever) that actually has no root password to the machines where the services run (if you ask me how, then you are out of your depth regarding security).
There are tools out there that ensure that when somebody needs administrative privileges (root password) the access is logged and reported and the password is reset after the work is completed.
You can segregate functions so the person that needs to administer a database or run backups is not the same person that administers user accounts, and tell your systems about this so it is not a matter of trust, but of security policies and software configuration (sorry, forgot to say this is all doable in decent OSes, if it is not doable on yours then that should give you pause for thought).
Any company that actually trusts people just because they are internally hired, are fooling themselves, the business world is littered with histories of people that betrayed that trust, it is simply irresponsible to keep this stupid mentality going.
I can almost see the answers coming: "but it is a PITA!". Well, yes, it is. So what is your point? That is why you get paid more than the average person: because you are providing solutions to problems that are difficult to address. Just advising blind trust is a complete dereliction of duty.
IANAL but write like a drunk one.
If you are worried, make sure one of the schemes for transparent (for users) strong encryption is enabled for the data you wish to conceal.
Just the way you work with SSL over the network - and do not think about it twice. Even backups, heavy and processing-intensive, are now routinely done with SSL.
In the same way, enable the storage of data itself in encrypted format. The current approach is to use (slow) public key cryptography for key exchanges, then (fast) symmetric key cryptography for actual encryption.
And that is the simple solution. Period.
You check the integrity of your data with cryptographic hashes, also a routine operation.
You do this only to the critical files if you are worried about the CPU load on your machines.
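The hash check described in the comment above, as an added example that is not part of the original post. It goes one step beyond the comment by sealing the hash list with an HMAC: the assumption is that the key is held by the data owner off the administered server, so someone with root can change a file but cannot produce a matching manifest. File names, contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 64 * 1024


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries, key):
    # Canonical JSON so the same entries always produce the same tag.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, critical, key):
    """Hash only the listed critical files (paths relative to root)."""
    entries = {rel: file_digest(os.path.join(root, rel)) for rel in critical}
    return {"files": entries, "hmac": _seal(entries, key)}


def verify_manifest(root, manifest, key):
    """Return {} when clean, otherwise a dict of path -> finding."""
    expected = _seal(manifest["files"], key)
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The hash list itself was rewritten without the key.
        return {"manifest": "TAMPERED"}
    findings = {}
    for rel, digest in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings[rel] = "MISSING"
        elif file_digest(path) != digest:
            findings[rel] = "MODIFIED"
    return findings


def demo():
    key = b"constructed-demo-key-kept-off-the-server"  # assumption: stored elsewhere
    files = {  # constructed sample data
        "src/main.c": b"int main(void){return 0;}\n",
        "customers.csv": b"id,name\n1,Example Ltd\n",
        "notes.txt": b"not critical\n",
    }
    critical = ["src/main.c", "customers.csv"]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        manifest = build_manifest(root, critical, key)
        clean = verify_manifest(root, manifest, key)

        # Later: one critical file edited, one removed, one non-critical edit.
        with open(os.path.join(root, "customers.csv"), "ab") as f:
            f.write(b"2,Injected Row\n")
        os.remove(os.path.join(root, "src/main.c"))
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"ignored\n")
        changed = verify_manifest(root, manifest, key)

        # Someone with root re-hashes the edited file to hide the change,
        # but cannot recompute the HMAC without the key.
        forged = {
            "files": {"customers.csv": file_digest(os.path.join(root, "customers.csv"))},
            "hmac": manifest["hmac"],
        }
        forged_result = verify_manifest(root, forged, key)
    return clean, changed, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "changed", "forged"), demo()):
        print(label, result)
```

A plain list of hashes stored next to the data only detects accidental change; the keyed tag is what makes it useful against someone who can write to the manifest.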
Then is cost the main sticking point? I mean if you are worried about outside contractors stealing your IP what about your staff? Not just from a perspective that your staff may steal your IP but what about the numpty who has his password set the same as his user ID or blank, who reads every email the spam filters don't catch and opens every attachment because my bet is his PC is already owned and your IP is easily viewable to various forms of MAFIA. Sorry if I'm going a little over the top but if you are worried about trusting an outsourcer get them to sign an NDA.
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
you meant to post this in the forum of Dr. Ruth... this is /.
You seem to have a problem with remote work. Why would giving your network admins physical access to systems make them less likely to abuse the system, leak data, etc than working remotely? In fact, they'll have MORE tools to do so then. If you don't trust your network admins, maybe you shouldn't have hired them in the first place.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Provided you take the decision to administer remotely you have to be prepared to delegate and trust, otherwise you are not going to sleep well tonight... nevertheless you should heavily encrypt your data, one thing is paranoia, another very different is being incompetent... but I imagine you already have a proper encryption approach to all your sensitive work and IP.
Teach everyone management skills and get rid of the management specialization. Great idea.
I'd go for that, too.
But information technology is so fundamental to communication, freedom, management, and just basically living, that we should not be turning it all over to specialists.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
you found an IT firm that will come to your office for every problem, will you have time to look over their shoulders when they are there. As a manager, if you do have the time maybe you are in the wrong position. An IT firm gets no benefit from stealing from you. We wouldn't be in business very long if we did.
"Am I being overly paranoid and resistant to change?" You're not being "overly" paranoid, but your paranoia is poorly focused. The remote access issue doesn't increase your exposure to unethical sysadmins. If the admins are going to steal your data, all they have to do is make a "bad" backup tape and walk out of the building with it. The remote access increases your exposure to hackers and other Slashdot readers due to the open port on the internet. If you already have a remote access feature for your own employees, letting the outsourcing company use that gateway isn't really adding to your risk.
"Should we just trust our administrator because they have a reputation to uphold?" No, you should trust your system administrator because your contract specifies stringent penalties they will be required to pay if they violate your trust. You should trust them because they are contractually obligated to provide on demand network access logs for all of their personnel showing the systems, directories, files, databases and tables that were accessed. You trust them because you vet their remote employees accessing your systems with the same security scrutiny you would perform on their employees with physical access to your site. You trust them because your firewall rules can restrict access to your most critical systems to specific addresses on the contractor's space. You trust them because your contract manager has the technical chops or the technical staff to know when you're being bullshitted.
In other words, don't just trust them. Treat them like any other "arms length" business partner.
"Or should we lock them out and make them administer the network in person so we can stand behind and watch them?" If you go this way, your cost savings pretty much disappear. Cost will be comparable to leasing your computer HW and having your own IT staff. The lease option may be better for your peace of mind.
We are the 198 proof..
Why not just encrypt your data?
Or make an encrypted file image that you could mount with a password or key file.
on a mac it's trivial but i don't see why it should be hard on any platform. that way the network admins cannot read your documents
Make absolutely sure you count the time it'll take guaranteed to have the network admin professional on site from the second you place the call, otherwise you end up with:
"Hello, network support? Yes, our network's down and doesn't work. What do you mean, they'll connect up remotely? The NETWORK is down. What do you mean you'll send a technician who fixes PCs? The whole network is dead. You don't have a roaming Network Admin spare? Next week?".
When your network dies, everyone stops any work based on servers, or relying on the internet.. Or anything else that needs communication. For all that time, you're still paying wages, and not producing what your company needs, so you sum up the money lost in salary over the time, and get an estimate of the loss of productivity in your company (as that time should be at a profit to the company). If you end up with a figure that you don't like, then you can't afford to outsource your net admin. This applies to servers too when their remote services go awry (nothing beats console login for reliability of link).
When you have someone on site, they jump the second something goes wrong, and start fixing. Knowing the systems well, they have a good chance of fixing it quickly. From an outsource, you usually have "4 hour response", which is essentially "We'll send round a junior technician to see if they can diagnose, then we'll escalate that to the people who know a little more, and hope. Otherwise it'll be a few days of escalation before we pull out the big guns to take a look".
Check the figures. It's not the corners you can cut (unless the company is dead in the water without it), it's what you can't afford not to have. If you run a network, I always advise having a local network admin, not necessarily for all the reasons you can think of, but for the ones you can't if you're not an expert.
As we always say at our IT firm;
If you don't trust your Network Admin, you need to get a new Network Admin.
For any company that rates intellectual property theft as a risk to their business they should, as a matter of course, have procedures in place where all employees (both inhouse and outsourced) and any contractors who have access to the information are required to sign non-disclosure/confidentiality agreements. Make sure that these agreements emphasise what information is of a proprietary and confidential nature and outline what actions you will take if they breach the agreements.
While this won't stop all instances of intellectual property theft it does give the business a solid legal foundation to pursue any damages if you have to take it to court.
Insurance is one option although intellectual property is a very difficult risk to insure as it is virtually impossible to place a monetary value on the ideas/source code/manuscripts etc. It is probably worth exploring though, from my experience in the insurance industry, the cost is likely to make it uneconomical for all but the biggest companies. Though that's a business decision for you to make.
My customers are so messed up, I don't even understand what their data is!!! I never think to do something like steal data, or look through files. The closest I like to come to my customers' business is an employee list, so I can make the user accounts.
Even with onsite, you won't be able to sit there and watch them. As a small biz manager you are too busy. So the remote being more trustworthy than remote is a marginal difference at best.
I am an IT consultant and do this for a living.
I wouldn't trust either, I have seen a CCIE steal data, so it could be anyone. However, onsite vs. remote won't make a difference.
Get references, not just on the company, but any engineer who will be working on your stuff. Have a specific account set up for them, not the admin account, and then turn it off when they are not in your system. This way they need approval prior to access.
And for extra security, have their account locked out of your sensitive data, they won't need it to admin your system.
Non-disclosure forms are what you need them to sign, then make sure the form states exactly what you are afraid of, and puts a humongous penalty for it. Secondly, you need to trust them more, they will be doing clean ups, and all sorts of mix mashem' during weekend periods to keep the network working efficiently and without disturbing the daily usage. Some people would think there is some downloading or trojan going on, but technically IT WOULD BE THEM, AND IF IT IS NOT, IT IS NO LONGER YOUR CONCERN, THEY ARE RESPONSIBLE FOR ANY INTRUSIONS.
Also, if security is a concern, nothing stops you from using TrueCrypt for any such things you might need to keep private, they are only there to keep the network going efficiently, not to review your materials, so if you encrypt your stuff, even if they were to say have access to the file, it is encrypted, no?
I am a sysadmin for a small business, been here over 3 years and have a great boss and have helped grow the company tremendously which I consider part of my job. Everyone has their issues and after 3 years you really start to learn a lot about a person, so don't take the above as if everyone I work with is straight out of Care Bears or something.
There is a lot of talk in above posts about having your outsourcer sign all kinds of contracts, agreements, liability waivers and what not. Here are a few issues with that:
1) A contract is ONLY good if you have the capital to win in court - for a small business this can destroy them financially and in reputation (no one wants to deal with a company with legal troubles)
2) You are assuming a US contract will hold up in whatever court system the outsourcer is in, they may, they may not, depending on the laws and other factors there. Also how do you expect to get to that country to show up for court proceedings (this all takes lots of $$$)
3) Contracts with on site employees have a similar drawback of court costs but you have MUCH more opportunity to mitigate the risk by watching (not stalking) the employee's behavior for warning signs of them being unsatisfied, disgruntled or financially stressed (all of which will largely increase the likelihood of incidents). It is also much harder for most people to fu*k someone over when they know them and have met them face to face, you can't watch how pissed a foreign worker is at their boss and on the verge of taking out the entire outsourcing company.
Those are just a few notes on contracts - there is LOTS more to onsite/offsite staff to consider.
A piece of advice, if you decide to bring on a local admin, give him some space and respect. He will have to earn your trust and you will have to earn his, remember this is a two way street. If you watch everything he types and hover over him at all showing just how much you don't trust him, well that makes people do some crazy stuff. If someone thinks they are not trusted they are more likely to act out in such a manner.
And they thank me for it when they get the bill because we don't charge an on-site hourly minimum and we bill in 15-minute increments. As for security, a guy on-site could just as easily be pushing your data to some remote host just as easily as he could pull it while connected remotely, off-site, and chances are, you'd have no idea either way.
Have him sign an NDA, encrypt your important data with EFS (built-in) and get on with running your startup.
body massage!
No, you're not being paranoid at all. I worked for a small fly by night company that specialized in Cisco hardware. They told all of their engineers to remote in to the clients they deal with just to "check things over" whether they were asked to or not. Of course that "check things over" time was billed. It's a small step from that to making things break so you'll call for support.
Then hire a LOPSA member and make them sign the code of ethics that their org publishes.
I do this pro-actively for my employers, and I post the code of ethics on my wall. Oddly enough, rather than me being the one doing shady things, there have been about six or seven times over the years where a manager would come in and ask me to anal probe someone's -home- email while they were at lunch. I'd sit there silently and point at the code of ethics on the wall until they get the idea.
Surprisingly, I've never been fired for this.
trust no one, only paranoid survive
Nice try.
Or are you assuming the person who posted this question is HR?
If you are saddened that someone is questioning the validity of your authority as a member of the IT priesthood, I am saddened that you would resort to misdirection in your pathetic attempt to misdirect the debate.
Or not. Who knows whether you did that consciously?
The reason I got modded up today is probably timing as much as anything. But more and more IT people are recognizing that we simply have too much dependence on specialty in our modern society.
What is really sad is that the current state of IT is such that it requires specialists to manage. We've overbuilt.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
That's an illusion.
What money buys is just enough that you have to buy more.
But, yeah, what I have in mind is to somehow drag the current crop of managers through some sort of schooling that they can't fake their way through with essays justifying demands for turnkey solutions.
I know. I'm a dreamer.
Just remember this... when you hire a contractor, who do they work for? When something goes wrong, someone on your payroll has to worry about losing his job. A contractor, however, only has to worry about losing a client. Also, someone on your payroll is (usually) paid a salary to be around to fix things when they go wrong. They get paid no matter how long it takes to fix problems. Depending on your contract, outsourced IT is likely to get paid by the hour. The longer it takes to fix something, the more they get paid.
If you're concerned about your IP getting stolen, back it up offline. If anything ever happens and you need to go after that IT company, take your backed up data (back it up again somewhere else) to a lawyer and sue them for your losses, plus some. If you're realllllly paranoid, save the money on the outsourced IT and spend it on training someone you do trust to do the job, and still keep offline backups.
Either I am or the world is.
Either way, our current data systems are way too complicated. If the ordinary user's workstation is too complicated for the ordinary user to secure, it is not secure.
Same goes for small networks and key servers.
You stoopid assed managers. "ohhhh lets outsource and save the buck".
you made your bed, now you get to lay in the crap you spread on top of it.
Maybe if you weren't so cheap, you would have people on your payroll that you could trust because they have the same interest as you THEIR PAYCHECK!!!
moron.
that want I hired gun, but have seconds thoughts...
It has happened, to me, many times. All my contacts are from business people that recommend me to a new business that has a need for my services. At the time that I'm told about ethics, I realize that I'm not what they are looking for. I'm too good for them. So, with a smile, I inform them that I shall send them a contact that includes an NDA (that my customers get any way) and they never hear from me. I am a sysmg/ sysop/ sysadm whatever you wanna call it and I was sent to these new guys by people they trust, and that's the job I do for a living for over 20 years. There are plenty of customers out there. I got enough contracts. Too tired to prove to just anybody that my life's work needs justification when I provide them my prof. credentials. Hire the guy next door or your nephew and let professionals live.
Seriously. If you feel you need to play babysitter that badly and have that little trust in the Terms and Conditions and Non-Disclosure Agreement that you required your outsourced administrator to sign (you read the T&Cs and you made them sign an NDA, RIGHT???!!!) and you have account level encryption for your application data, WHY are you outsourcing? Hire an admin that you can put in a cube next to yours. Then you still won't know what he is doing but at least you can see him in a desk every day. Cheap. Fast. Good. Pick two. If cheap was one of them, they will either be remote or they probably aren't worth what you've gotten them to accept. If he is any good, he probably isn't going to stay very long with a clueless management type wanting to look over his shoulder. My .02.
Armaments, 2-9-21 And Saint Attila raised the hand grenade up on high, saying, 'O Lord, bless this Thy hand grenade' N
There are plenty of ways you can allow them to remotely administrate your system without them sneaking in the back door. Remote tools such as GoTo Assist (or GoTo Meeting) as well as TeamViewer allow you to choose when to give them access to the system...they can't get in without you initiating the session. It also lets you see everything they're doing on the screen so there's no question about them copying things in the background.
The question is: Do you trust yourself enough to be educated enough about what happens on your network to know whether or not they're doing something shady if you saw it?
Simply put:
SysAdmins and NetAdmins (as contractors) primarily rely on reputation: you screw one customer over, the rest of your clients will hear about it (because it usually becomes a legal issue, with your name plastered all over the world for all to see). And your 100K+ a year income becomes the 14K you make flipping burgers at the Mickey D's around the corner.
You have little to worry about. Besides, the best encryption can always be circumvented one way or another. If s\he wants to get into anything even remotely attached to your PC at work, they'll do it, and they will make it look effortless. Worry about something that you have control over, like turning a profit. You make money, they make money, everyone stays happy.
And if you haven't had them sign an NDA and/or a Non-Compete with your company, you probably should.
You could still monitor what they do by not having a permanent VPN to their office, but have them do the remote with some sort of web meeting program that you can use to give them control. I work for a company that has several support plans with software vendors and we allow them to do their stuff while someone is watching. This does two things, first it stops your systems from being directly connected to their network so if someone breaks into their systems, you are still safe, second it stops them from doing anything that is not what you want. You can stop them from downloading content from your servers and other things like that. In our case, we started this after a software vendor updated their software without our knowledge and stopped several dozen people from doing their job the next day. Also, make sure they have had audits done of their process and systems, we are a public company and require all of our contractors and support groups to have a SAS-70 done by an external group that we can see to assure us that they do not let their cleaning people access our system or passwords.
Offshoring to companies that provide guys with huge lists of (bought? fictional) certifications on their CVs and signatures and no actual knowledge whatsoever. It may be cheap but the servers and network are being run by some guy off the street who can't spell "Windows," "TCP/IP," or "UNIX."
The frustration with trying to get these "admins" to do simple tasks is mind boggling.
You got me into this! You were the ideologue! I'm only a poor assassin! - Twenty evocations, Bruce Sterling
The question isn't really about whether you should make them come on site to do work, because a skilled admin could open everything up for him to access at another location with you watching over his shoulder and you wouldn't know the difference.
As in most cases it comes down to a decision of security versus convenience and money. If you want your data totally secure (if such a thing exists) then you need to hire your own IT staff to maintain your systems to give you better control over them, however you still run the risk of those employees stealing the data.
When you outsource any function of your company you enter into a trust relationship with that company. People and companies live and die by their reputation and you should definitely investigate any company before entering into any contract with them.
This comes from an article at MS's site:
http://technet.microsoft.com/en-us/library/cc722487.aspx
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
I used to work at an outsourcing company like that. I don't think you're being paranoid at all. I wouldn't give anyone outside my company top level access to anything. Any data you have, they have. When they come in and build your network and set up remote access, it's more than just that one guy who ultimately gets that access. When he gets back to the office, he'll allow whoever needs to perform maintenance on your system. In the end, if you choose to keep costs down by outsourcing, you might consider having your lawyers draw up a network access agreement so that if something were to ever happen where your data was compromised, you have that safety net to fall back on.
Having said that, when I was doing this work, myself and my colleagues could care less about what was in the accounting records or the file shares....for what it's worth.
I'm an IT administrator, users often flinch about giving me passwords or getting onto their laptop, trouble is...
I really couldn't care about fixing the problem, I just have to do it, so why would I care to spend my own free time messing with their data? We have much more important things to do.
As someone who runs a company that primarily supports small business with outsourcing, I wouldn't work for you if you stood over my shoulder. I don't stand over yours when my invoice gets there to watch you cut it, do I? There has to be mutual trust that he's going to do what you want and nothing else and that you're going to treat him fairly and correctly.
Also, having remote access doesn't mean that we do all of our work that way. But if you need a password reset or an account setup or permissions changed, having remote access is the difference between $20 on your monthly bill or $75 for me showing up and frankly wasting my time with something I could do from anywhere.
As to this:
"But, I'd suggest not outsourcing if possible for a different reason. It normally doesn't work. The lack of local site knowledge is hugely detrimental to knowing wtf is going on"
You're a moron. I know WAY more about the sites that I manage than anyone who actually works there, and more than most of the sysadmins who used to work there full time. Good people know how things work or can figure them out, clueless ones don't no matter what experience they have there.
Honestly, did your company perform any "due diligence" on the outsourcing company before engaging them in that contract? Any security audits, risk assessments, business impact studies? Did you perform any sort of checks on them, or did you simply engage them on cost alone?
I know startups don't always have the resources to perform the required "due diligence" before handing over the keys, but if you didn't perform these checks, you would be primarily responsible if you've opened up this level of risk and something wrong would occur. I'm sure this is not what you wanted to hear, but CYA (cover your ass) is especially important if you hand over the keys to an outsider and it could involve a significant loss to the company.
If you don't have enough confidence in your decision on behalf of the company, why should the company have confidence in you making decisions for them?
Require an audit log maintained on a separate computer of all administrative changes. I'm not sure whether there's an out-of-box solution for this... Lots of options for what you do with the log, but just having it could be worthwhile if disputes arise.
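A sketch of the separate-host audit log suggested above, combined with the earlier advice in this thread to enable the vendor account only for approved sessions. This is an added example, not part of the original comment; the account names, record fields, timestamps and approval window are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # fixed starting value for the hash chain


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus this record, canonically serialised."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, record):
    """Run on the separate log host: chain each new record to the one before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def first_broken_entry(log):
    """Return the index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def outside_approved_windows(log, account, windows):
    """Return this account's records whose timestamp is in no approved (start, end) window."""
    flagged = []
    for entry in log:
        rec = entry["record"]
        if rec["account"] != account:
            continue
        when = datetime.fromisoformat(rec["time"])
        if not any(start <= when <= end for start, end in windows):
            flagged.append(rec)
    return flagged


def build_sample_log():
    """Constructed sample records; not taken from any real system."""
    log = []
    for rec in [
        {"time": "2024-03-04T10:05:00", "account": "vendor-admin", "action": "reset password for user jdoe"},
        {"time": "2024-03-04T10:20:00", "account": "vendor-admin", "action": "add printer to file server"},
        {"time": "2024-03-05T09:00:00", "account": "office-manager", "action": "disable account vendor-admin"},
        {"time": "2024-03-09T02:40:00", "account": "vendor-admin", "action": "change ACL on share source-code"},
    ]:
        append_entry(log, rec)
    return log


# Constructed approval: the vendor account was enabled for one maintenance window.
APPROVED = [(datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 0))]

if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", first_broken_entry(log) is None)
    for rec in outside_approved_windows(log, "vendor-admin", APPROVED):
        print("unapproved:", rec["time"], rec["action"])
```

The chain catches edits and deletions in the middle of the log, but not removal of the most recent entries, so the latest hash should also be kept somewhere the administrator being audited cannot write.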
You're the ones writing the checks so I am sure you can have them sit in your office if you paid them enough.
If you want to be sure your outsourced IT company isn't doing something wrong, hire a third party to routinely audit your systems. The best option would be on-going monitoring with live response, but at least a periodic audit would tell you if something was wrong. Inform your IT company you are auditing them, and the likelihood of them doing anything bad will drop. If they don't like it, find someone else. There is no reason to object to auditing in this type of situation.
...and whenever anyone says something like that to me I pretty much tell them, I hate to bruise your ego, but I have a lot of clients and your data just isn't that interesting that I would want to go through it. I just want to get into your machine, fix what needs fixing, and move on.
Why hire someone you cannot trust? There are initial trust patterns that must be held in certain IT positions. Not blind trust, but still, you have to go with some things. I present it to clients in this way... If I do something unethical with your data, the fallout from that could ruin my business for years if not finish it off altogether. Your data is not worth that price to me. So far, I have not seen any client data worth that price even at the CEO level. Trust, but verify.
We do that "outsourced admin" work for clients. Yes, we have a reputation to uphold, and all of our processes are auditable (ISO 9000). We take secrecy seriously. But...
If you want, we can supply an admin to be onsite. After all, you ARE the customer. It will cost you, though. It will cost you MORE than hiring your own admin. It has to, because our company wants a cut too.
Why would you want to pay more? And, having the admin work "part-time" doesn't really save you much. Simply because travel (the drive over if local, or the flight) is YOUR expense, and the "opportunity cost" is also your expense.
If you don't trust the admin, you are going to have to do something like "shoulder cruising". I have worked in environments where I wasn't allowed to actually touch the keyboard! Just remember, it'll end up costing you money.
Just another "Cubible(sic) Joe" 2 17 3061
My opinion is that trust is earned. This is true whether you are talking about onsite full-time employees or third-party providers.
I don't think looking over one's shoulder will provide anything other than a false sense of security.
The best thing may be to use a remote control tool that requires a trusted user to 'log in' the outside resource each time they need access. (not 24X7 on demand access) You can record the sessions and review them later, but file transfers and other activities may not stand out in the recording.
The comment about locking out the third-party and forcing them to be onsite is interesting. I am certain that you can find third-party companies that will come onsite, possibly causing their services to be more expensive. The level of service may be lower due to travel time. Remote administration is likely saving you much time and money, realize the benefits of this before you lock them out. Locking them out is a business decision based on risk assessment and comfort level with the third-party. (showing a lack of trust on your part)
You need to protect yourself by ensuring that you can recover any password and lockout any user account used by a vendor. If you do decide to change vendors, the new vendor will need access and the old vendor's accounts need to be disabled.
From my experience in the IT industry, you are much more likely to be a victim of excessive billing hours or 'milking' a project than any type of malicious activity. (think about it from their point of view)
If the administrators should not have access to critical information, don't give it to them. (example: if they are not your database admin, don't give them database access) Try to develop a relationship with your vendor and protect yourself at the same time. Doing business involves risk, assess the risks and realize that they exist. Make them come onsite and pay for their travel if that is a priority. Meeting them at least once may help you to trust them remotely. Know your passwords just in case you need to change vendors.
Someone will need to be able to administer your network. Who do you trust, that is the question.
If security is a priority, involve a security professional or two. This leads to the question, do you trust the security professional. We have no choice in life but to trust other humans. Do you trust your doctor or your airline pilots?
The harder it is for the person who is actually doing the work to do the work, the more problems you'll have. If you get a contractor to run your stuff and you don't give them access, what are they supposed to do?
That's why I'm a fan of an organization running their own stuff... they don't run into this problem. My philosophy is that if you can't do it yourself, then you either need to learn or get replaced by someone who can. I can't stand "Managers of IT" and "Directors of Technology" and their subordinates who don't know the technologies they are supposed to be managing.
1- You should ask for proof of Liability/Corporate Insurances.
2- You should put down in writing what they are authorized to do and what they are forbidden to do...obviously you should both sign that piece of paper.
Tough fucking noogies.
You get what you pay for. If you can’t pony-up the cash for hiring a competent administrator, well, you have to bear having remote administration done to your rig.
First read all the good comments above on audits, backups, chains of command, etc, etc, etc; then read this comment, as it focuses on one small piece of the puzzle.
I work for one of the top computer companies worldwide as a Wintel Server Admin L4, and am contracted as such to a Fortune 100 company. I have full access to many important files, such as Human Resources, Bankruptcy documents, Engineering designs for future products, and even HIPAA Medical data.
I really couldn't care less what's in your files. My only concern is the SLAs, up time, security, and accessibility of them to their authorized users. And if I do have some free time, I have much more interesting things to do than dig through a customer's data. As for supplementing my income selling said data to outside companies, why bother? I am not into servers and technology for the money, I'm in it for the love of computers. I'm the guy who, during LAN gaming weekends, would be spending more time building computers for people to play on than playing games myself. I'd be tweaking my Windows auto install and testing it out, or troubleshooting the network and crimping new cables. I'm lucky enough to be doing what I love, and I would not give it up for anything.
The only thing I've ever seen that I would actually have been interested in looking at? Hundreds and hundreds of paper files sitting on bookcases in one of the largest insurance underwriter's offices, all labeled "Three Mile Island". I was alone in that office for days and nights at a time, working on upgrades. Did I even touch them? No.
I'd be more worried about your laid off local IT workers hacking you. I love how companies cut corners like this and then whine about not having the best of all worlds. If they screw you over you deserve it imo.
Andrew, you should trust us, I mean them. They have a reputation to uphold and I am positive that they mean you no harm. Oh and you accidentally deleted an important email from your wife that said, "Don't forget to pick up the kids on your way home!"
"Be wary of the man who urges an action in which he himself incurs no risk."
~Joaquin Setanti
Hire an in-house sysadmin to monitor external people from the inside or another third party to monitor the other third party and then another third party to monitor the first third party admins.
The role Systems Administrators and Network Administrators play is a difficult one. For example, corporate resources are to be used only for conducting business and certainly not for illegal activity. So many companies use monitoring and blocking techniques to try to keep the incidences down. Usually, the idea that you are being "spied" on is enough to deter the inappropriate use. But not always.
I remember seeing a manager one time hitting a whole mess load of porn sites from his office one time. Sure... I could have turned him in and it would have resulted in immediate termination, instead, I just would casually walk by his office, knock and have a short friendly conversation with him. I think eventually he figured out I didn't show up except when he was needing his porn fix. Message received... and nobody got hurt.
In another case, a person made a system change to our mail system which resulted in a complicated failure (that cost the company some serious money). I was tasked with figuring out exactly what happened. I did. The accident was caused by something that a close admin friend had done. I did not turn him in, but instead told him that he needed to tell them that he was the root cause. Unfortunately, he chose to not handle the situation well, and he ended up losing his job (sigh).
So... it is hard. I think that employees need to understand the risks of violating their corporate policies, be it network or system admin wise. If you think you might get fired if someone finds out... use your head and STOP. Good rule to live by.
But yes, your Network Admin and Sys Admin have a LOT of access to your data and what you are doing.... and if they strictly play by the rules, it could be disastrous. So... the easiest thing is FOR YOU to play by the rules. Then you won't have to live in fear. Rules are different at different places. Your own personal web surfing from home is different than using your corporation's Internet. Be nice to your admins, you might get some unexpected mercy when you need it... but realize that doesn't HAVE to happen. If you follow your company's policies, you won't have to worry so much. Net/Sys Admin are NOT off the hook, obviously, they have to adhere to an even more stringent set of rules (well, at least a heavier temptation to violate rules) since they have access to things that a normal person might not have access to.
As an admin I can say that I don't give a rat's ass about the data that's on the systems I maintain. I have access to just about everything in my company and I don't spend any time reading emails or trying to find valuable information. I just don't care what the data contains. My job is to make sure it's available and protected. Unless you're in porno the admins will most likely never even look at your data.
What you are looking for is controls that keep your sysadmin from doing anything bad to your company, data, network, etc. One control is to have them onsite. But how many employees have caused the harm you describe while onsite? You need to look at different types of controls than proximity. What does your contract with the outsourcer say? Are their employees subject to your company policies? Do you have company policies? Has the sys admin read them and signed something saying that he agrees to abide by them? Have you run a background check on your sysadmin? These are all things you should have thought of a long time ago.
Hire another IT company to audit them and make sure that you have all the permissions to lock out the IT admin from the intellectual property.
That's why you specify clauses for lost data, breach of confidentiality, ensure non-disclosure agreements with any staff who have access, etc, etc in the contract you take out. That way your support company has to ensure that breaches in your security are minimised (nothing is 100% secure ever and this has to pass the test of reason...). To be honest, when you ask for a contract covering those liabilities and cannot get it - you need to pull the plug. They will either be able to handle these eventualities or they aren't worth trusting.
I work IT for a small company that provides outsourced IT services to other business/individuals. While your worries are understandable, there are a myriad of reasons (already given) as to how founded your fears are. I can tell you from personal experience though that you should likely consider a few things -
1 - remote management is cheaper than having to roll someone onsite every time someone needs a printer added or an email issue resolved. If you're paying the same amount for onsite support as remote support, there's something wrong there & you should renegotiate your contract.
2 - I don't know your skill level but most people in management could be standing behind the sysadmin watching everything he's doing on screen and still not understand what they're seeing. A talented thief could steal data while you watch him /and/ he's 'explaining' what it is he's doing. That's just the way it is unfortunately and it gives all IT people a bad name when it happens.
3 - Something my dad told me a long time ago is that a lock only serves to keep an honest man honest. If someone truly wants to get into your building and get your sensitive data out of there, then they will...The minute you build an idiotproof system, the world produces a better idiot.
4 - While I know this doesn't apply to all people working in IT everywhere, I can tell you from my own experience and talking with others in the field - most IT folks in an outsourcing business don't really care /what/ data you have - as long as it's not illegal...most of us are just too busy to care what your data is, we only worry that the job we do helps protect your investment so that you'll keep paying us. The better service we do for you, the more likely you are to continue to pay us. Hell you might even refer us to other business associates. Which means more work for us.
There's always going to be some asshat out there that wants to profit illegally...IT people are no more likely to be that person than someone in Accounting...or Management. It's just that there's a certain mysticism to what we do that people don't understand. If you don't trust the people you've hired, get rid of them and find someone you do trust, but eventually you have to stop watching the watchmen.
I can't believe what a bunch of nerds we are. We're looking up "money laundering" in the dictionary.
"decided recently to outsource"
Well there's your problem: you're a cheapskate.
This suggestion above is equivalent to proposing that managers have to learn electrician skills to wire the most important room in the building, for fear the paid electricians might sabotage it, or they have to learn locksmith skills to key the locks on the most sensitive file room, because they can't trust locksmiths not to share a copy of the key or sneak in one night.
There is no such thing as an IT professional.
So the suggestion that one must learn to do these things for oneself is perfectly valid - there is no professional body to define what competence is, so therefore everyone is an amateur. (except for the software engineers, of course)
With all the other professions, not behaving as a professional gets you kicked out of the "club". At which point it becomes illegal to continue practicing that profession.
Without this mechanism, there is nothing to prevent cultural corruption of the "profession".
Check your definitions - a "profession" requires that there be a professional body legally recognized to govern it. Historically, the first true profession was medicine. The professional body was used to criminalize hedge-witches and the like who had no scientific basis for the treatments they prescribed. This worked. Those who didn't support it got their treatments with the non-medicos and died.
If doing something in particular is how you make your money - that doesn't mean you are a professional. You are simply not one until you belong to a recognized professional body willing to claim you.
It'd be great if such a body existed for programmers. The work of anyone thus registered would have a higher market value than the amateurs. To get into the club, a programmer would be required to do what any other professional body demands - write a paper, presenting their work such that it can be judged. Alternatively, they could simply be the maintainer of any successful OSS project. Either way - one could be sure that a registered programmer knows what he's doing. Pretty soon business customers will demand that their software be written by only registered programmers.
This would be better than the current system - whereby smart companies use expensive software engineers - who are as difficult and as expensive to train as most other engineers.
Consequently, the cost of engineered software development is enormous.
Professional IT should fill the same role as nurses with respect to medical doctors.
Or mechanics to mechanical engineers.
Need I go on?
We (the shareholders) trust the management to run the company. However we want to make sure everything is fine, so we hire auditors to verify the statements management is making. And find things that management may be unaware of like a rogue trader. Seems to work most of the time. Why not do the same for IT security and ability to take back control at the flip of a switch? The thing that would make it effective is if the two parties (outsourcing and auditing) are independent and competent.
There is an entire engineering specialty devoted to independent infrastructure for data centers, hospitals, command centers and the like. If it's important that the lights stay the hell on, there are entire engineering firms who spend all their time doing nothing but that.
When lives or capital-L Large amounts of money are at stake, no one in their right minds trusts the city grid alone.
But hey, by all means, don't listen to me. I make a very good living sifting through the rubble that this kind of clueless business-school so-completely-brain-dead-only-an-MBA-could-have-thought-of-it thinking creates. I certainly don't want you listening to me for free now when I can bill the hell out of you for listening to me later.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
"there are entire engineering firms who spend all their time doing nothing but that."
Yes. And do you know why there are "entire firms" doing and maintaining high resilience electrical systems? Might it be because other companies that see electricity as a really critical asset OUTSOURCE THE DAMN THING TO THEM?
"I make a very good living sifting through the rubble [...] I certainly don't want you listening to me for free now when I can bill the hell out of you for listening to me later."
May that happen by me OUTSOURCING IT TO YOU?
'Or should we lock them out and make them administer the network in person so we can stand behind and watch them?' - EXCERPT FROM THE ARTICLE INTRO ABOVE
That would assume that "those watching" even BEGIN to understand what said network admin is up to, in the 1st place... because, IF they did? What would they really NEED a "network admin" for, in the 1st place??
(Sure - there's "exceptions to every rule"/"an outlier in every sampleset", etc et al... & yes, SOME employers MIGHT have some inkling of how to use a personal computer to SOME extent, but to expect them to have the skills & knowledge necessary to be a network administrator (let alone programmer, which imo, IS THE "ULTIMATE EVOLUTION" of a 'geek/techie' really) or even a network tech? THAT might very well be QUITE beyond them...)
I.E./E.G.-> The "bottom-line" here, is this & it's quite simple - When You cannot understand what it is you are seeing, then... WHAT GOOD IS TRYING TO WATCH THEM?
(Might as well ask ME to understand reading Russian Cyrillic (which I do not, admittedly))...
APK
P.S.=> The problem is, what everyone here has stated: IF YOU DON'T KNOW HOW TO DO THE JOB YOURSELF (or, use the old b.s. line of "I don't have time for it", well MAKE TIME THEN, or spend & trust others, simple)? You'll have to trust SOMEONE, sooner or later... & that, IS THAT! apk
You get the cake, eat it and then put it back into the fridge.
1) No one cares about your source code. At least not the remote admins.
2) Either you have a real person under your direct control or you outsource.
3) If you want people to come on site, expect to pay for it.
4) If you want a real person or heavy contractual terms, expect to pay for it.
5) Seriously, no one cares about your source code. At least not the remote admins.
I own an IT company that does this sort of work. When setting up a system of this sort, we prefer to administer remotely for two reasons: firstly it's easier on us, and secondly it's easier on the customer.
It's easier on us to just be able to do the work without having someone breathing down our neck. It's easier on the customer to not have to constantly worry about breathing down someone's neck. It's a trust issue.
Honestly, if you don't trust them, why would you let them set it up in the first place? Also do you know enough to police them either way?
Seriously, if you don't know how to maintain your server yourself, you won't know whether that command he just added to your log-on scripts is going to add a new network share for each user, or download a remote kill switch to every computer in the network. You have to trust them, or you have to do it yourself.
Our company spends a good bit of time with a customer, going over everything, documenting our every move so that the customer knows what's going on. They eventually start to trust us and then they just want us to fix issues instead of explaining them. Building that trust is important.
If your company is not willing to build that trust with you then I would be nervous about them, but remote administering is not the problem.
Your network and system administrators need to be under your control. It's that simple. You need to be able to fire them and to prosecute them as individuals in the event of wrongdoing. Outsourcing reduces your control over the people doing the work. In the cases of network and system administration, it gives you far too little control over the individual people who are acting. Bite the bullet and accept the fact that it's worth paying to keep these vital services in house and under full local control.
"You're a manager...." Look, Mr. Manager. Don't think. The admins that you hire whether outsourced or not can decimate you on a whim. You are a stupid peon in the IT world. Your credentials speak to what you know (or don't know). You = manage. IT = other people. Therefore "You manage other people". Don't worry about their ethics. That's what laws are for.
Goddamn I get so sick of managers thinking. You are all just "C" or "D" students trying to leech off the genius of the real smart people. Did it ever occur to the "D" student that maybe that's how business is done now? I guess you still question doing business over the phone too because maybe the phone repair guy can listen in on your conversation.
Fucking managers. Just go sit in your office and collect a paycheck you useless wart. Leave the thinking to people who actually can.
You are too stupid to exist.