Slashdot Mirror
Why Should I Trust My Network Administrator?
Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"
Does the original question asked check their employee's bags every night for confidential documents? Mandate no USB drives?
I worked for a small business that started doing crap like that. The lead programmer brought in his own laptop to work on, instead of the crappy machines the boss had laying around. Then *I* brought in my own laptop to work on (which, while orders of magnitude crappier than the lead programmer's laptop, was orders of magnitude better than the crappy desktop the boss had allocated for me). My productivity immediately doubled (larger screen, faster processor, and more RAM help immensely when you spend your day mangling delimited data files).
Fast forward to several months later. Of the six employees in the company (including the boss), three of us were bringing in our own laptops. The boss, the lead programmer, and myself. Out of nowhere, we get an e-mail from the boss saying: "Due to a client's security concerns, employees are no longer allowed to bring in personal laptops. Except [the lead programmer], because he needs it." (He also banned iPods, a policy which only affected the other peon employee.) Never mind that we were still allowed to connect remotely from home with full access to the entire network.
That's fine and all, if a client really did request it... but I asked the lead programmer about it, because he was in the meeting during which this policy was supposedly decided upon. He claimed it was never discussed, and he had no idea where it had come from.
I sent an e-mail to the boss about it, telling him that because switching to my personal laptop had increased my productivity dramatically, prohibiting me from using it would result in a corresponding decrease in productivity that would be quite beyond my control. He didn't seem to care. I never did figure out why he enacted that policy.
Seriously? You're saying: "I'm quite happy with whatever you decide" on something core to the business?! So whoever they hire (and let's not forget the idea is to get this as cheaply as possible) is perfectly "OK"?
I worry about this nonsense. I'd want to meet the person, get to know them, make sure they were treated fairly. Before anyone thinks this is a race issue, it isn't - I'm don't care about the colour of their skin, their gender or what what they believe in. I just want someone who seems trustworthy, and someone I know can talk to me if they have a problem. So yes, I want them to come into my office. I want them to be happy. No I don't want to stand behind them watching their every move - I want to trust them.
I wouldn't worry about it. I have this and I work for IBM :)
For example, a recent server we bought internally went up the chain for approval, fell at the last hurdle, back down a different chain to someone else, back across to our team, then back up the approval chain again.
When we got the hardware, no-one had factored in software licenses, so we went through the whole process again while the hardware gathered dust.
We now have an 8 core, 32GB RAM machine simply doling out compile jobs, rather than the original task it was intended for.
Gotta love IBM.
Knife crimes are reported sensationally in England but it's false that knife crimes are increasing dramatically -- see here for example. Knife crime has remained relatively stable over the past decade, most recently actually dropping by 15.7%. Maybe you're confusing knives with umbrellas?
The reason that I don't steal from my employer is not that I could be punished.
It's because I don't steal. Or, rather, because theft is dishonest and wrong.
He enacted that policy because it probably dawned on him that he had no way to enforce whatever the company has in its Acceptable Use Policy (assuming there was one) because they don't own it.
I'm dealing with this issue where I work: Some of our engineers have decided that they can't live without their Macs, so they use the ones they own at work, bootlegging copies of Windows XP, Office, etc. to run under Parallels. Their managers turn a blind eye to it, because it "saves the company money", but it creates a potential liability for the company: We can't enforce the company's AUP, which states in part that we do not condone copyright infringement in the workplace, because it's not our hardware.
I had one remote engineer complain to me about his laptop crashing... and then he mentioned that he'd wiped the hard drive and installed Windows 7 RC. WTF?!? Who uses a beta OS for production use? Fucking idiot.
I don't care anymore - everyone shits on MIS, especially the technical employees, who all secretly (or sometimes not so secretly) think that they can do it better... except that they're too busy, of course. And these same people are the ones that act as though the company's Internet access exists for their personal entertainment, and whose computers end up infected with all the latest malware because they absolutely *have* to be local Administrator equivalent full-time on "their" laptop (something that none of us in MIS here do anymore, by the way, and haven't for years), and disable or uninstall the corporate antivirus software... and a few of them have asked for Domain Administrator rights... no fucking way. And they won't backup even their work data, despite the fact that they've been given the means to do so easily, and if they want, we'll issue them an external USB hard drive so that they can do it at their convenience.
One lawyer decided that he didn't want to wait for the automatic data sync that takes place for laptop users after logging in when connected at the office, and unbeknownst to us, took it upon himself to move his documents folder... hard drive died, and the backups on the network were over 6 months old. The backups of all of his current work documents relating to pending litigation, etc., which represents literally millions of dollars to the company? All more than 6 months old, and useless. Why, the backup must have stopped working, he said... Bullshit - that's why God made logs, and why we keep them. I cheerfully pulled them for the past 6 months, and proved that the backup was working, but that no current documents were getting backed up because there were none to back up... and after we got the USB hard drive with his recovered data back from the data recovery company (and almost $3K later)? There was his data folder, right where he'd made it, off the root of the drive - imagine that. Vindicated, I gathered up all of the evidence, emailed it to my boss, and let him handle it.
And I guess the end of this little rant is this: You know, you might well be smarter than me, better than me, etc., etc., ad nauseum. Good for you! But, I'm damned good at my job, and take pride in doing it to the best of my ability, even after 20+ years, and knowing that so many of you think that I'm incompetent, stupid, ignorant or all three, and believe that you're special and don't have to abide by the company's rules.
And if that sounds more than a little bitter and antagonistic - well, it is: At my company we run MIS as a service to the users and the company, and do our best to keep everything working well and available to everyone, working long, unpaid hours sometimes to do so, responding to pages 24/7, because we know how important the network is to everyone, and that it's our job to keep it running and available. We keep "hot spare" computers, at least one for each model in use, so that we can minimize downtime if someone's breaks, handling the repair after getting them back up
Outsourcing isn't always in India. The true and proper term for that is generally off-shoring. Outsourcing simply means outside the company and I am guessing that this outsourcing isn't the kind that goes to India, based on the scale of the outsourcing and the way it was presented in the summary.
-----
I think that outsourcing should be fine because even if you hire your own people they can probably steal the information just as easily and then you don't even have a company to sue, only a person(with far less ability to pay any judgment). Also, I doubt that a network engineer in a firm offering these services has the time to look through all of your shit, find important stuff to steal and find a willing buyer.
If you have some sort of secret formula that can be copied and pasted and is then instantly useful then I would change my statements. Generally its hard to steal something and start a directly competing business unless your business if founded on some sort of extremely simple proprietary knowledge.