Slashdot Mirror


Why Should I Trust My Network Administrator?

Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"

21 of 730 comments

  1. Worried about the results of your actions? by HunkyDory · · Score: 5, Insightful

    If it was really a worry, why outsource it in the first place?

    1. Re:Worried about the results of your actions? by egcagrac0 · · Score: 5, Insightful

      Mod parent up.

      Either you trust your outsourcing company to do what they do how they do it, or you hire an admin to be on site.

      Disclosure: I'm an on-site admin, because the company I work for doesn't trust outsiders.

    2. Re:Worried about the results of your actions? by Moryath · · Score: 5, Insightful

      Basic advice: Make sure your CONTRACT specifies what they can and can't do.

      If they break the contract, they (and anyone they did it on behalf of, including if they sell the info to some competitor later) are in for a world of legal hurt.

      You agreed to outsource this rather than hire someone to do it in-house. Either cough up the money on lawyers to make sure your butt is protected legally, or hire someone yourself who works just for you and is directly accountable to you.

    3. Re:Worried about the results of your actions? by Tubal-Cain · · Score: 5, Insightful

      This is a startup. The law may be on their side if the contract is broken, but they may not be able to afford pursuing the issue in court. After all, they can't even afford an in-house admin.

    4. Re:Worried about the results of your actions? by Maxo-Texas · · Score: 5, Informative

      Outsourcing to IBM has led to a 30 to 60 day lead time.

      No BS.

      To make a change to the software, they need to allocate resources away from all the other companies we are sharing the resources with.

      To get new hardware requires 60 days after they get an approved PR. And the cost of setting up that hardware is incredible. $14,000 for a server for example-- more than the cost of the hardware.

      Main reasons we do it... Sarbanes Oxley (sp?) and Disaster Recovery. If our corporate office is wiped out, we keep going. If IBM site 1 is knocked down, we keep going. If IBM Site 2 is knocked down- we keep going. Sites 1 & 2 are in very stable, very safe areas of the country.

      But our productivity has gone to hell and our costs have skyrocketed.

      And YET--- it's cast as a "savings" in the annual reports. Really laughable.

      When executives set the rules, they *ALWAYS* make their goals.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  2. This is what being bonded is for by Dr_Harm · · Score: 5, Informative

    If you're concerned, ask them to carry a performance and fidelity (aka surety) bond.

  3. You get what you pay for... by jasenmh · · Score: 5, Insightful

    That's the service they are offering. If you want someone to be on property so you can look over shoulders, hire an IT staff.

    1. Re:You get what you pay for... by Anonymous Coward · · Score: 5, Interesting

      I never did figure out why he enacted that policy.

      He enacted that policy because it probably dawned on him that he had no way to enforce whatever the company has in its Acceptable Use Policy (assuming there was one) because they don't own it.

      I'm dealing with this issue where I work: Some of our engineers have decided that they can't live without their Macs, so they use the ones they own at work, bootlegging copies of Windows XP, Office, etc. to run under Parallels. Their managers turn a blind eye to it, because it "saves the company money", but it creates a potential liability for the company: We can't enforce the company's AUP, which states in part that we do not condone copyright infringement in the workplace, because it's not our hardware.

      I had one remote engineer complain to me about his laptop crashing... and then he mentioned that he'd wiped the hard drive and installed Windows 7 RC. WTF?!? Who uses a beta OS for production use? Fucking idiot.

      I don't care anymore - everyone shits on MIS, especially the technical employees, who all secretly (or sometimes not so secretly) think that they can do it better... except that they're too busy, of course. And these same people are the ones that act as though the company's Internet access exists for their personal entertainment, and whose computers end up infected with all the latest malware because they absolutely *have* to be local Administrator equivalent full-time on "their" laptop (something that none of us in MIS here do anymore, by the way, and haven't for years), and disable or uninstall the corporate antivirus software... and a few of them have asked for Domain Administrator rights... no fucking way. And they won't back up even their work data, despite the fact that they've been given the means to do so easily, and if they want, we'll issue them an external USB hard drive so that they can do it at their convenience.

      One lawyer decided that he didn't want to wait for the automatic data sync that takes place for laptop users after logging in when connected at the office, and unbeknownst to us, took it upon himself to move his documents folder... hard drive died, and the backups on the network were over 6 months old. The backups of all of his current work documents relating to pending litigation, etc., which represents literally millions of dollars to the company? All more than 6 months old, and useless. Why, the backup must have stopped working, he said... Bullshit - that's why God made logs, and why we keep them. I cheerfully pulled them for the past 6 months, and proved that the backup was working, but that no current documents were getting backed up because there were none to back up... and after we got the USB hard drive with his recovered data back from the data recovery company (and almost $3K later)? There was his data folder, right where he'd made it, off the root of the drive - imagine that. Vindicated, I gathered up all of the evidence, emailed it to my boss, and let him handle it.

      And I guess the end of this little rant is this: You know, you might well be smarter than me, better than me, etc., etc., ad nauseam. Good for you! But, I'm damned good at my job, and take pride in doing it to the best of my ability, even after 20+ years, and knowing that so many of you think that I'm incompetent, stupid, ignorant or all three, and believe that you're special and don't have to abide by the company's rules.

      And if that sounds more than a little bitter and antagonistic - well, it is: At my company we run MIS as a service to the users and the company, and do our best to keep everything working well and available to everyone, working long, unpaid hours sometimes to do so, responding to pages 24/7, because we know how important the network is to everyone, and that it's our job to keep it running and available. We keep "hot spare" computers, at least one for each model in use, so that we can minimize downtime if someone's breaks, handling the repair after getting them back up

  4. You should trust them by Anonymous Coward · · Score: 5, Insightful

    For the same reason you trust your accountant.
    Tell me, do you trust your sales people with your customer database? In my experience, they're the ones to watch.

    1. Re:You should trust them by SatanicPuppy · · Score: 5, Insightful

      Absolutely. The sales people have an existing relationship with your customer; they know the guy by name, know about his kids, his dog, his business needs. They will turn that around on you in a fricking heartbeat.

      Sales is a mercenary business. Your competitor offers more money, they'll take it.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:You should trust them by DerekLyons · · Score: 5, Insightful

      Except that my accountant has her CPA - a real life honest to god certification. (Not the take-a-class-and-take-a-test mickey mouse 'certifications' of the IT industry.)
       
      She also has a code of ethics, belongs to a serious professional organization, and has a body of law that restricts what she may or may not do and an oversight organization over the top of all of that.
       
      Pretty much none of which IT 'professionals' have.

  5. That is an incredibly dumb question. by tlambert · · Score: 5, Funny

    That is an incredibly dumb question.

    You should trust him because, as the manager of the startup, it is within your area of responsibility to ensure a priori that the people you hire to do this are trustworthy, or you are simply not doing your job and you should be fired and replaced with someone who can. Since your company is already on a path for doing outsourcing, I am sure your job could be outsourced to someone more competent in Bangalore.

    -- Terry

    1. Re:That is an incredibly dumb question. by thomasinx · · Score: 5, Insightful

      There are no dumb questions.

      He's here asking for advice, so give it to him. Even though most of the people who read/post this board are heavily involved with IT, and it might be a common sense answer, the fact is that to this person it isn't as simple a solution.

      In many cases, people have sensitive information that they are handling on their servers, and whether or not to trust the IT staff is a valid question. (not all geeks are trustworthy). Also, in many cases, (especially with startups) they don't have the resources to hire on-site IT staff, so they have to outsource it. It introduces a dilemma that many will have to deal with.

      -T

  6. If you can't trust your admins you're screwed... by Narcocide · · Score: 5, Informative

    Seriously? You're thinking about this now AFTER they've put the whole network up with all remote access enabled?

    What the hell makes you think they can't steal all your crap in person? Even if you assigned someone to watch every move they make it would be difficult for novices to even be able to recognize data theft happening as they watched if it happened through a command-line interface.

  7. Re:Worried about the cost of your actions? by rtfa-troll · · Score: 5, Insightful

    I would guess that it costs less to outsource this sort of work

    That's true. It's mostly a tax and shareholder benefit (you don't have assets and depreciation (CAPEX) instead you have costs and service charges (OPEX)) but it's also true that since the outsourcing company probably works for several other companies they can share costs and normally come in cheaper.

    This means that it's a simple calculation in theory. If the extra cost of doing on site administration properly, or at least better than the external company, is more than the value of the information (asset) that might be lost times the chance of it being lost (risk) then forget about it. There's a slight chance you might save your company money, but you guarantee to lose it some money.

    Simply put; in business, especially start ups; there's always risk. If you have a fire in your office your company is probably dead. Probably there's a key person in your team who, if he leaves, will stop the company working. List all the risks you can think of and handle those risks where you can get the best benefit for the least money. Do that in the cheapest way possible (maybe a contract change will reduce the risk of your administrator to a reasonable level). It is possible that there's some special data where that risk is the system administrator in which case it might be worth adding extra protection. For the rest just accept the risk and move forward.

    In the end; you seem to be the responsible manager. You have to calculate the above things to your satisfaction and spend your money to make things work best taking into account all possibilities and not just this one. Since we don't have enough information about the information we can't really help you.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  8. Re:Worried about the cost of your actions? by multisync · · Score: 5, Insightful

    If you keep it in house, you still need to trust the people you hire.
    Hell, you need to trust your non-IT staff to not steal whatever IP (or physical equipment) they have access to.

    Good point.

    Do you trust your accountant to not embezzle from you? Do you trust the rest of your staff to not slack off every time you turn your back?

    Do you trust the kitchen staff in the restaurant you ate lunch at to not hork a booger-laden loogie in your lunch?

    Do you trust your wife to not fuck around on you? Or your kids to not steal money out of your wallet?

    Honestly, if you are so distrustful of those who do work for you that you feel you need to stand behind the administrator and watch what he types, you should really be examining the root cause of your distrust. Asking a contractor what safeguards they have in place to ensure the confidentiality of their clients' information is one thing; feeling the need to stand over somebody's shoulder while they type is just insane.

    --
    I don't care why you're posting AC
  9. Re:Worried about the cost of your actions? by Grishnakh · · Score: 5, Insightful

    You're missing something important: if your staff/employees do things that are illegal, they can be prosecuted and imprisoned for it. This is why more accountants don't embezzle from their clients. Kitchen staff has been prosecuted for contaminating food (it's rare, but it does happen).

    The same goes for an IT admin who's an employee. If he steals your data, not only can you fire him on the spot, you can have him prosecuted. Going to jail is usually a pretty big disincentive for people in this country who contemplate illegal acts.

    But if you outsource your IT work to India (or to someone who subcontracts it to India), you have no such recourse. What are you going to do if they steal it? Sue them? Have them jailed? Good luck with that.

  10. I do this for a living. by JRHelgeson · · Score: 5, Insightful

    I am a remote administrator for dozens of companies. I have been doing this for many, many years. My business success is directly dependent upon your business success. I have a vested interest in every single one of my customers growing and flourishing in business. As such, I only recommend solutions that are justifiable in direct, easy to understand terms.

    You have proprietary information? So what. So does every other company and government agency I do work for - all of which is done remotely. Only on rare occasion do I visit on site.

    If you cannot place your trust in the people holding your admin password, then administer it yourself. Otherwise be prepared to pay 2-3 times more for simple administrative tasks.

    I'm sure I have access to tons of proprietary information, sensitive information, etc. but so what - I'm an honest guy. If I see the stuff, my first reaction is do we have this properly protected? I know the first reaction in a criminal mind is "What can I do with this?". Criminals don't usually want to work for a living.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  11. Re:trusting the in-house admin? by Anonymous Coward · · Score: 5, Insightful

    There is some data that a sysad, whether internal or external, should not be trusted with.

    Basic system administration should be required for business and management degrees, enough to maintain the disconnected key server and the separated subnet that handles all the most sensitive data.

    Small networks are not that hard.

    This has got to be the worst idea ever.

    Let's take the ABSOLUTELY CRITICAL DATA and have someone whose core abilities are not system administration maintain it. This is more than a bad idea, it's incompetence.

    Trust your admin, or replace them.

  12. Re:spoken like a true sys-ad by mysidia · · Score: 5, Insightful

    This suggestion above is equivalent to proposing that managers have to learn electrician skills to wire the most important room in the building, for fear the paid electricians might sabotage it, or they have to learn locksmith skills to key the locks on the most sensitive file room, because they can't trust locksmiths not to share a copy of the key or sneak in one night.

    The simple fact is the management of key systems should be entrusted to skilled IT professionals whose primary responsibility is maintaining consistent, operational, available systems.

    That doesn't just mean setting up systems and forgetting it, it also means implementing secure backups, monitoring audit trails, managing the complex access controls, monitoring system logs, and correcting problems.

  13. Something important to do: by lorenlal · · Score: 5, Insightful

    Make sure that you have a document to describe how to take back the network in case you decide to fire the IT staff. I used to work in this area, and I provided this to my clients even if they didn't ask for it. If I were looking to outsource, I'd certainly make sure that I had the ability to rip it back. Even if I trust the outsourcing company completely, which is requirement #0 in my book, I want to make sure that my company stays my company.