Ask Slashdot: Do I Give IT a Login On Our Dept. Server?
jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"
.... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.
You bought a server, with your own money, and connected it to your corporate network. Now the corporate IT people want a login to it, and you think it's OK to say no? Yeah okay.
Secure the machine against privilege escalation attacks, and give IT an unprivileged SSH login. Why not?
They may want to remote-admin it with things like WSUS / AV and other tools.
But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"
It becomes a lot less clear in that formulation, huh?
Why does a server that is not owned or managed by the IT department exist inside the firewall?
In my workplace that's a sacking offence.
Yes, you are operating on their network and should supply a login so they can at least see what is going on. You may let them scan, but you could be hiding anything on that server. Also, they would simply not be providing due diligence if they let an independently managed server on their network that they cannot access.
Have you asked him why he wants a shell? If not, why the hell not? And if so, why haven't you told us?
Please tell us which hospital this is for.
I want to make sure I never go there.
You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?
Yes.
Essentially you are setting up a sandbox in someone else's backyard. When your users have a problem with your new setup, you better believe they will be calling IT at least occasionally. In this case it's just resource scheduling, so security is not really an issue here. Avoid the headache and oblige the request.
You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?
You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.
You want to put a server on the network, complete with special firewall rules to support it? Yes, it's reasonable for IT to want some access to it.
Tell them that the second they reimburse you for the server they can not only get a login, but they can become responsible for its maintenance and security and they had better be sure it has a solid uptime. That only seems reasonable. :-)
It's their job to manage security and the infrastructure. At a minimum, you gain a second set of eyes and hopefully expertise in hardening the server against the outside world. The last thing they want is your box to be a big gaping hole in their system.
If IT doesn't need root access, then he probably just wants it there to review the OS/changes to make sure that it won't break anything. Also, if it goes down, IT can help you get it back up or raise it when you're not available.
Really, I don't know why you *wouldn't* give IT a non-root account... but then again, you know what they say about doctors/academia and their egos.
If you're hit by a car tomorrow and die you want someone else to be able to pick up the work and go forward. Once upon a time I had a VP I worked for at an ISP put me and the other head of the IT department on a plane with him to LA. The three of us were the only ones with access to the entire company's systems. I mentioned to him, if the plane went down, the company would probably be dead within a week. He just laughed it off.
That said, your IT department are the best ones to handle this. I doubt the hospital is paying you to play tech nerd, I'm sure you have other work you should be doing. The IT guys are PAID to do this and are screened carefully (at least I hope so) by management to be trustworthy in doing it.
It sounds to me more like you're looking for job security by being the only one with keys to the castle.
Your IT department seems to be operating within the bounds of reason. At the company I work for it is against corporate policy to allow anything on the network that is not managed by corporate IT. If we're willing to provide a box with network access, or even more so if the box needs to actually be visible from the outside... We've got to be able to confirm patch status and compliant security policy, which requires the ability to login and check such things. I'm actually rather surprised that the demand was not for an admin account.
You probably have more pull than the IT goon anyway. As an EE (RF/Microwave) constantly battling the IT roadblocks, I have come to the conclusion it is not about service & support. They want power and control.
Making a change to the network infrastructure was not your job, rather, it sounds like it was the IT department's job, and you didn't step on his toes, you dropped a high-tonnage anvil on them. I'd say the tech is reacting very well to your intrusion and breach of work etiquette. Work with him if you want something productive to happen.
If you don't want IT to have access to your server, then don't come crying when something "doesn't work".
Let me tell you how this goes down in most corporations. If you don't, their security dept. simply won't give you what you want. They're likely to shut you out anyway. If you take it up the chain then you're calling attention to the fact that you have a non-hospital entity on the company network. This is/was a bad career move. You might get away with it and many do for some time. That you're running BSD is a plus, as you're not as likely to propagate a virus. Unfortunately for you, IT already knows. So if you choose not to give them a login you might find yourself without an IP address. Or worse, without a job.
Asking what port 8443 is for wasn't a stupid question - if it's not in /etc/services, it's not a standard port number. As for giving him an account, look up "chroot jail". Problem solved.
You are operating a server, behind the firewall, on their infrastructure, in their facility. You, (un)fortunately, don't make the rules. What you're doing sounds great and the lengths you've gone to make it happen are commendable. But I can't imagine any decent business being run while allowing any employee to run any server they want behind their firewalls without at least some oversight. You're going to have to follow their rules, sorry.
Yes. The simplest is to give the tech an account with limited privileges, let him log on and look around, and then when you have this server up and running, reduce the privileges on his account further so that he can't interfere with anything.
But here are bigger factors you should worry about: think longer term. There's a chance that your hacked together server will be in use for the next 10-20+ years. Just how things go. Make sure to make an image file of the final configuration of the server onto a DVD or something and tape it to the server, with a text file on the disk and hand written instructions how to restore from this image. Make sure to save the newegg receipt with the exact hardware configuration of the server. I hope you used a passively cooled CPU, a solid state disk, and a good quality power supply.
IT is responsible for network issues, including ones created by a server that was setup by someone not qualified to do so.
In our organization, you wouldn't even have been allowed to attach "personal" servers to the network, period.
Feel free to take this up the chain of command. Both you and IT probably have valid arguments, and you should have a chance to duke it out to higher-ups. But at the end of the day, both sides will need to abide by whatever decision. To do otherwise would risk firing. If you don't like the decision that comes down ("Yes, IT must be given login access if you have this server"), you can simply tell your clients (the docs and allied health staff you serve) that you can't provide the calendar feature they asked for, and tell them to take it up the chain if they don't like it.
In other words: be the advocate for yourself and your clients, but don't try to be the judge as well, because you're likely to get stomped on by those who are the judges, deserved or not.
You say he doesn't want root access, only an account. Maybe he has an iPhone and is also stymied by the IT department's lack of support for CalDAV.
As a person doing IT at one of the larger Universities in the US, the answer is most assuredly NO!
There is no valid reason whatsoever that a 'tech' managing the FW needs an account on your machine.
Play nice with them. Consider yourself lucky they didn't go ape-shit.
Give them a nice minimal account that doesn't have access to anything. That way you can show that your shit is tight. If they start demanding more then start playing hardball.
Bringing in your own resources from home, while a novel idea, creates a lot of headaches. From the Accounting department on down to the IT dept. What is your dept going to do if you leave? What is the refresh cycle on your little "server"? What happens when the PS dies and the box goes down? Who is going to back it up, and rotate the tapes? Who is the security point of contact for HIPAA? Is it within HIPAA scope? Sometimes, especially in the world of retarded litigation -- it is best to ask questions before apologizing...
Given HIPAA standards I'm surprised they are just asking for a user account. An unknown public server at a medical facility is a definite risk, and IT is probably very aware of HIPAA standards. Then again, they probably don't think twice when installing the latest version of whatever commercial software they use that makes outgoing TCP connections from "license compliance".
What you've done would cause any professional IT group to get out the hot tar, feathers, and rail. Or at least come into your office and ask you politely to remove the damn server from their facility. And never do this again. You must have missed all the security briefings, the issues with HIPAA, and whatnot when you were looking at systems. What you've done is to create a 'rogue system'.
Imagine one of your kids sets up a server in your house. You don't understand it, you don't know if it's happily sniffing network traffic to steal passwords so pizza can be ordered using your credit cards, serving up pr0n, or just running minecraft. Would you willy nilly allow the kids to open a port on your firewall without the ability to audit what they're doing ?
Of course not.
Personally I'm amazed that they only asked for an account on your little server. I would have gone over and watched while you removed it from the facility and put it in your car.
Does it sit on an IT managed network? Connected to IT managed switches? Does it use IT managed/owned internet access? Did you get approval from IT to connect a server to their managed network and deploy an unapproved service from them before plugging it into the IT managed network?
I'm willing to bet the answer to all of the above is "no". You should be prepared for the WWE type smackdown. You should also re-read the Acceptable Use Policy for your enterprise/organization and you should very politely offer them whatever access they desire to allow your unauthorized service on their managed network.
My .02.
Several issues here.
1.) You're storing organizational data on a non-organizationally owned IT device. For that reason alone, they should say "no". (What guarantee do they have that you won't take your machine with you when you quit/get fired, and the data with it?)
2.) Your machine is on their network. They are responsible for what happens on that machine. Your machine could potentially be used to escalate placement of an attacker to the rest of their network.
3.) Even if you leave your machine after you quit/get fired, do you really believe that someone left behind will know how to maintain a BSD machine running OpenLDAP? Or that they NEED to maintain the machine?
Be GLAD they aren't asking for the root password. It's their network, it's their neck, and it's fair for them to have access to check up on you every now and then.
(I'd concede some of the above points if your job role was explicitly systems administration, but it doesn't seem to be the case in your description.)
No, they will try and dominate it; you're better off running it on your own.
It's pretty dicey to say it's not owned by them. While technically it might belong to you, and you might be able to prove it after an expensive lawsuit, in general it's not a good idea to mix your own stuff with company's stuff. If you bought it for use by the company, being possessive of it will not help you much.
Do you trust your IT group? Did you ask them why they want a login on your box? Do you have any reason not to trust them? Because they do have a reason to not trust you, and that is, lots of employees do weird random things. It makes sense that they want to be able to check stuff out on the box. If it doesn't hurt you, then there's no reason to not allow it. BSD was designed with multi-user security in mind, after all.
If you are able to put a server on the hospital's network and have it working without IT approval (apparently), then I'd say the hospital has a bigger problem.
Never mind the fact that IT is unable or unwilling to support the tools that you and your team need to do their jobs.
Wait! jddorian?! Like JD, John Dorian, from the show Scrubs? I love that show!
They can also not provide it a network port. When the server gets pwned it will be the IT people who get the blame.
Haha!
I've been in this situation multiple times before, and it's quite simple: What constitutes a greater portion of the infrastructure? Your server, or their equipment? If you're not the majority owner, you don't get to make the decisions. If they don't get root, you don't get your server.
I'm surprised they aren't demanding that they have admin access. Having one-off servers that are not standardized to the rest of the infrastructure can cause real headaches. What happens if you leave, and someone else in your department must manage the server? Even if the setup is documented, that doesn't mean your replacement would be savvy enough to perform upgrades or customizations. I would hand the design over to them and make them manage it. This way you can concentrate your time on other things.
Can I plug my packet sniffer box onto your network?
Idiot.
It's a game. Get over it. Give him an account that has zero privileges. And set it up to log whatever he does. 99% chance that he only logs in once and does nothing more than peer around for a minute. 1% chance of interesting :-)
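Several replies in this thread (an unprivileged SSH login, a chroot, a zero-privilege account whose activity is logged) describe the same control. The following is an added example, not code from any poster here: a POSIX sh script that renders an OpenSSH `Match User` block for a key-only, forwarding-free auditor account with a logging ForceCommand wrapper, and checks that a given sshd_config actually carries those directives. The account name itaudit and the wrapper path /usr/local/bin/audit-shell are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: render and verify an
# OpenSSH "Match User" block for a least-privilege auditor account. Assumptions
# (placeholders): the account is named itaudit, belongs to no wheel/sudo group,
# and its ForceCommand wrapper lives at /usr/local/bin/audit-shell.

# Directives (key=value) every audit-account Match block must carry: key-only
# login, and no port, agent, X11 or tunnel forwarding through the box.
REQUIRED="PasswordAuthentication=no AllowTcpForwarding=no AllowAgentForwarding=no X11Forwarding=no PermitTunnel=no"

# Print the Match block for user $1 with ForceCommand $2.
render_match_block() {
    printf 'Match User %s\n' "$1"
    for kv in $REQUIRED; do
        printf '    %s %s\n' "${kv%%=*}" "${kv#*=}"
    done
    printf '    ForceCommand %s\n' "$2"
}

# Print the wrapper sshd runs for the account: log who connected, from where and
# what they asked for via logger(1), then hand them a plain shell (no sudo/doas).
render_audit_wrapper() {
    cat <<'EOF'
#!/bin/sh
logger -t audit-shell "user=$USER from=${SSH_CLIENT%% *} cmd=${SSH_ORIGINAL_COMMAND:-interactive}"
exec /bin/sh
EOF
}

# Print the Match block for user $2 found in sshd_config $1: from its
# "Match User <name>" line up to the next Match line or end of file.
# (Single-user Match lines only; comma-separated user lists are not handled.)
match_block_for() {
    awk -v u="$2" '
        /^[ \t]*[Mm]atch[ \t]/ {
            inblk = ($0 ~ ("^[ \t]*[Mm]atch[ \t]+[Uu]ser[ \t]+" u "([ \t]|$)"))
        }
        inblk { print }
    ' "$1"
}

# Return 0 when sshd_config $1 gives user $2 a Match block that carries every
# REQUIRED directive with the required value plus a ForceCommand; 1 otherwise.
check_audit_account() {
    blk=$(match_block_for "$1" "$2")
    [ -n "$blk" ] || return 1
    for kv in $REQUIRED; do
        printf '%s\n' "$blk" |
            grep -Eiq "^[[:space:]]*${kv%%=*}[[:space:]]+${kv#*=}[[:space:]]*$" || return 1
    done
    printf '%s\n' "$blk" | grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+[^[:space:]]' || return 1
}

# Command-line use: "render [user]" prints the block to append to sshd_config,
# "check [sshd_config] [user]" verifies an existing one.
case "${1:-}" in
    render) render_match_block "${2:-itaudit}" /usr/local/bin/audit-shell ;;
    check)  check_audit_account "${2:-/etc/ssh/sshd_config}" "${3:-itaudit}" && echo "ok: ${3:-itaudit} is restricted" ;;
esac
```

The check only inspects sshd_config; what the account can read once logged in is still decided by file permissions and group membership on the box.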
is if IT should even allow it on the network.
The server is on their network, so of course they may want access to it. Even if it's not managed or owned by them it uses their resources. Otherwise they have full right to ask you to disconnect it and unplug it.
If you are in the US then what you have there is a HIPAA violation. You could be fired, fined and have other nasty things happen to you in addition to that.
Why would they even let it inside the firewall? I suggest having your employer repay you for your mini server and then letting IT go to town. It's a huge issue if it's your property in their network/firewall. Speaking from an auditor's POV it's a huge no-no. Make them buy their own and junk it up as they may.
I think you need to consider what data might pass over this server and consider that it's not company owned. There are so many laws you broke right off the bat by sticking rogue hardware in, with respect to laws such as HIPAA... My thought: remove the hardware and beg for your job... and don't allow such things to happen again. Oh, take an IT security class centered around computer ethics and hospital background.
It doesn't matter that you bought the server with your own cash. It's located at your business and being used for a business purpose. It's a business server. Having you A) claim ownership of the machine and B) resist anyone else having access of any sort should make your business very, very nervous about you.
What would you try to do if you quit or were fired? Would you pull the plug and take it home? Would you donate it to them at that time, making sure to give IT the password? What if you are hit by a truck (and your colleagues can't save you)?
You need to do two things:
1) Start talking to IT. It's great that they will let you manage the server and even maintain exclusive root access, but you should develop a transition plan (either to move the service to an existing IT server, or to transition maintenance of your machine to IT in the event you leave).
2) Put in an expense report and be paid for the hardware you bought. That way the ownership of the physical hardware will be clearly established (as theirs) and you won't be sued or arrested when you try to walk out the door with it later.
Yes, it's just scheduling software (for now), but seriously, if you proceed down the path you've chosen, all I see in your future is Terry Childs.
It doesn't hurt to be nice.
Would you let a device that you couldn't administer onto a network you were responsible for?
Probably not. It's a reasonable request. Maybe you can trade with said IT guy and see if he's designed any surgical devices he'd like to see get some action :)
It is on the hospital network and the IT department is responsible for everything on that network. The act of you placing your own machine on that network makes them responsible for it. The fact that they didn't immediately shut it down when they found out about it shows that they may be a lot easier to work with than you might think. It could also show that they are not very good at what they do. Either way, they have every right to demand the password or cut you off from the network. It's not your job on the line if something happens regarding the machine, but theirs.
For people saying no, under the HIPAA, the IT department has to have access and make sure it's secure if it connects to their network.
This sounds stupid ... you understand you need to ask IT for permissions to open up a port, but you don't want to allow them access to your machine. Well, why should they allow you access to their network? The poster doesn't elaborate on why he feels IT shouldn't be able to access the machine -- especially since they accept they don't need root.
If you don't trust them with access to the information, you already have bigger problems in that your IT department can probably access all sorts of private information.
Just because you're head of a clinical division, why do you have any expectation of being able to put un-verified machines onto the hospital network? IT has a responsibility to the hospital as a whole, and not just your department. Certainly not if you're talking about punching holes through the firewall.
At a very minimum, they need to be sure that you're not opening up some great big hole in the overall security. Why should you be allowed to connect a machine to their network without some involvement from them?
People going around insisting on installing machines without oversight and adhering to the rules are generally people you need to be very leery of in any organization -- because they insist the rules don't apply to them, and they try very hard to circumvent policies which are in place for a damned good reason.
I see your choices as waiting until they provide you with a solution, or working with them to allow you to install your own solution. Insisting they open up the firewall and then insist they shouldn't be able to access the machine ... well, that's just rather short sighted.
As an IT manager myself, I'd have to say this is a very reasonable request. Firstly, most places wouldn't allow you to run your own server on the network, so I'd say your IT team is being quite generous. The responsibility for the network and its security is the IT department's; should a hacker break in and steal personal records, who would be blamed? In an environment like a hospital, which is subject to numerous government IT regulations (at least in the UK and US), having a non-secure system is a massive liability; it would immediately cause an audit to fail.
..."Should I give IT a login account on a server that is not owned or managed by them?"...
You mean not owned and managed by them right now. However, someday down the road, when you are gone, IT will have to manage the damn thing. The company I work for made a mistake many years ago by allowing every user to have Microsoft Access installed on their machines. A lot of power users went wild creating Access databases for their own purposes. Naturally, over time, two things happened: 1) The databases grew in size and complexity. 2) The company began to depend on them and link the information in them to each other. Very quickly, all these databases became IT's responsibility to manage, especially when the pinheads who designed them got promoted to their particular level of incompetence, or left the company. It has been very tedious getting the data away from these god-awful Access databases, and re-designed and normalized into proper SQL Server or DB2 databases.
Yes, IT should have access to your server. They'll have to manage it eventually anyway.
Is the IT department liable for any patient information that may be sent out to the iPhones? Possibly John Doe has a surgery scheduled on Tuesday...
That is what scares the hell out of most hospital IT staff (I know from being on the IT side).
I say give them access, or better yet, run it up the chain that they get Exchange to support mobile devices (I believe iPhone supports Exchange now...)
and then start the push to get tablets (Android or iPad) and run the Citrix client on them to connect to the Citrix network. You lose the iPad and no patient info is lost. That is awesome. No real security problem from lost devices.
IT needs access to the server to keep control of their network. This is not a matter of them being BOFH and trying to get access to your server, it's a mandatory requirement for them to be somewhat HIPAA compliant (true HIPAA compliance would require them to install the server in the first place and manage it).
They're trying to avoid getting fired, not to annoy you. Check out http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
We find that, by far, the most problems come from systems not managed by US. I don't mean problems of a trivial nature, I mean shit getting virused or hacked. Most non-sysadmin types are not as good at administering systems as they think they are. Now I don't blame them, not only is it complex but they have other things on their plate, but it does happen.
That your IT department is willing to entertain your request tells me they are probably a reasonably good IT department, the kind that works with users to provide what they need, not the "No, you can't have it" kind. In that case, you probably should give them what they want because they are looking to protect you from yourselves.
I know that you probably view yourself as really smart, and indeed you may be really smart, however you may well not be as good at this sort of thing as you think. Also even if you are, you may not give it the attention it needs. You set it up and then turn your attention back to your regular job duties, letting it languish.
Also you might want to work with IT lest you find that they simply say "no". In some environments, that is an option. They can just flat out deny your request to run your own stuff and that is that. If you work with them, maybe they work with you. If you don't maybe they use the nuclear option and just say "You can't have it, sorry."
This is the polite first step in absorbing a server into central management. First IT gets an unprivileged account, then they will ask to have a standard scanning tool be installed that requires root access, then a recommendation to move all privileged users to sudo root access and allow IT to do some basic tasks for you, then some process will be added to notify IT when you are making changes to the server and then slowly your authority and access to change your server will be diminished until you are a regular user of an IT server.
I'm not judging centralized IT vs local responsibility, just saying that these are the signposts to watch for as it happens.
If it were my network you would either provide IT with root access, or it would be physically removed from the network permanently.
If you were to do such again and firing you was not an option I would revoke your access to all network resources.
Rogue users in a hospital environment (where privacy regulations have teeth) are not to be tolerated.
I'd be reporting you "up the chain" for deploying a server on the hospital network without telling IT about it.
Is this a fake question? Give him a login and be glad you're not being sacked.
Why host it yourself? Just use a free service, such as this?
My current IT department, in addition to every IT department I've worked with in the last ten years, would be pretty damn pissed that you took it upon yourself to set up your own server and stick it on a network we're responsible for, to the point of our jobs being on the line. So yeah, give them the password. Then explain to the accounting department and purchasing department why you didn't go through the proper channels there, either.
If a machine is on the hospital's network, it should be managed by them. Who's going to audit it for HIPAA compliance? I'm surprised they even said yes (especially with the non-root account qualifier.)
You're asking for trouble. If the machine is hacked, and your patients' information gets exposed, then who's responsible? You? The hospital? And then if that machine is used as a staging area for the rest of the hospital, forget about it.
It's just a really bad idea, overall.
It sounds like one or both of the following are true:
1) Your IT department is not doing their job.
2) You are way out of line with what you are trying to do.
In reality, if you wanted a collaborative calendar, even though you may be technically capable of setting one up yourself, the appropriate course of action would be to submit a request to your IT department, and assuming your request was approved by management the IT department should set something up for you. Your IT folks are paid to do a job. Would you want IT to spec and purchase a centrifuge for you to do blood work? No, you wouldn't.
If one of the users where I work brought in their own tiny server and tried to hook it up to our network, there would be hell to pay to our CIO. In the end, we would set up what they needed, but users bringing their own home-brew IT solution into work is totally unacceptable.
"YES" give them limited access. (you can always remove the account after they have done the scan)
Otherwise you're opening yourself to a multimillion $ law suit if there is ANY breach of the system due to your server being on the network.
If you let them check it over then subsequently there's a breach, then it's the hospital's problem.
Look, you just introduced a foreign object onto their network and on top of that want an exception to the firewall. While you may be competent enough to run that server, how do they know that, and why should they take your word for it? You could be introducing a serious security breach in their systems, you could be violating HIPAA regulations that you don't even know about. Think of the other computer lackeys that you have worked with over the years and whether you would blindly trust them? You can't completely verify the security of a system by external scans, let alone compliance with any auditing requirements or other regulations.
Keeping the hospital network secure is IT's responsibility, and the least you can do is let them look at how you have configured your machine. Besides if you have permissions setup correctly then there should be no harm giving them non-privileged login account anyway, right? Stop being so damn possessive about something that isn't even in your legitimate realm of authority.
Definitely. I manage an airline's infrastructure and anything plugged in I should have access to. Computers and devices not controlled by the responsible IT is a violation of our network security... I would go further and have it shut down until it was "approved".... These things are a great way to encourage Trojans and malware.
In any sane working environment IT would simply take away your server and your boss would be asking why you were no longer happy working here. Since this hasn't happened I think you should thank your local IT guy and give them whatever the heck they want. They're treating you better than you deserve.
Your call. Their call whether you get your firewall hole.
Take it up the chain. Great way to get the whole thing framed as a 'rogue system' running on personal assets. If the IT staff takes enough offense at your belligerence they'll frame it as a HIPAA compliance problem and shut you down.
We're talking about a calendar tool here; why should such a system need to be isolated from IT? Not demanding root seems particularly reasonable.
(Policies and Procedures)
If your institution has them, you probably should get to know them before plunking down your hard earned money. I worked for a large company years ago where that kind of behavior got people fired, including some corporate execs who insisted on doing the very thing you are doing.
Chances are, if the IT department has any mandate from higher-ups to protect the network there, you're going to have to jump through whatever hoops they require. In that case, just be glad that they're allowing you to use something you bought with your own money rather than telling you to use it as an expensive doorstop. If they screw it up, then go have a long chat with the head of IT and whoever gives them their clout, financially and otherwise.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
WSUS / etc won't do much good for a Linux server...
Give him the username / password and give him root access..
If the server gets compromised and it brings down the whole network.. It's going to be his job on the line, not yours.. They're going to go after him for opening up the port and they're going to go after him for allowing rogue hardware on the network that he doesn't have access to or can control..
He's in IT, let him do his job.. Give him the username/password or get that server off his network immediately..
In reading over this, it seems harsh. It is not my intent to be harsh. I get to deal with this type of interaction fairly regularly where I work. I think it is an opportunity to talk openly about some of the struggles IT has with providing responsive, responsible support to our customers.
A couple of observations:
* You're right: The server is not owned or managed by them
* You bought something and put it in place without explicitly consulting IT
* The box is going to travel on a network that ~is~ owned by IT
* There are lots of other nodes on that network that may be affected by yours
* You're asking IT to support something they were unable to plan for
You're not an ordinary Joe if you're installing/connecting all those pieces of the puzzle. However, it's a bit presumptuous to think IT needs to conform to your personal requests without prior knowledge of your intent. As for running it up the chain, you may tread lightly. My current CIO would smack the request down pretty quickly and would probably demand that you remove your unauthorized IT device from ~his~ network.
Looking forward to reading some of the other responses.
...You're a doctor, not a network engineer.
You don't appear to understand why a hospital needs everything to be done by the book. To get to a HoD position you must have been in the business a while, so I can only wonder what other rules you've broken during that time. But it sounds like you just don't understand the basic principles and really shouldn't be working in a place like that. The decent thing would be to leave, now. Before your acts get discovered and before your actions cause serious problems.
1) Hospital ... hmm. Does HIPAA ring a bell? ... hmm. Do warranty, support, reliability ring a bell? ... hell, he is even polite. By the time I heard your request explaining that you put a rogue piece of hw on my network, you would be totally cut out of any form of network access, most probably your whole department, and an ugly note would be going "up the chain".
2) Your equipment
3) Tech asked for account
4) Should I take it up the chain? By all means yes, just remember the first 2 points. And even more importantly remember what the punishments are for breaching point 1.
So, you know enough to set up BSD and OpenLDAP, but you didn't think to ask your IT dept if they would allow such a service on the network. AND you just bought your own server and used software that may or may not be authorized by said IT Dept?
I totally understand that it's just for your small group, but if it's IT, and not secured against attacks within or without your network, you are liable, rather than the IT dept.
Granted I know it's 'only' for an electronic calendar, but couldn't you have saved some cash and time by finding an online alternative that would work across all phones your group would have? Maybe a web app of some kind?
-Josh
We'd be lobbying for you to be shot (well, j/k, but close). You probably are violating who knows how many regulatory issues, created a rogue server not under the control/review of the professionals whose job it is to KEEP YOUR NETWORK SECURE. Do you have any idea what might happen if your little server got hacked? What are the ramifications if your network data is exposed to the outside world - you're part of a hospital network! Your ass is hanging in the breeze and you've opened up your organization to all sorts of risk. If your patient records get exposed, welcome to lawsuit land. With you as a defendant, no doubt.
Job well done - you should be fired.
Dude you probably ALREADY violated several IT policies of the hospital doing this yourself. This is where you should have got with your IT department and asked them what you needed to do to get what you wanted. If that didn't get you far, then you go up the chain.
So what do you do now? Scrap it and take it home.
Gorkman
because university accounts DON'T use cash except PETTY CASH.
The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access').
From the point of view of the hospital IT department, they now have a rogue server inside their network from a guy that tried to get around their (possibly misguided) policy of only using approved software on hospital equipment. Then this jackass that went around their policy with unapproved equipment and software is now trying to get IT to do favors for him.
Basically, he needs to count himself lucky that this machine isn't unplugged right now.
jddorian - I'm going to bottom line this for you. It's really quite simple.
The request to have a non-root account on a box plugged into a network managed by IT could not be more reasonable. If you have problems with this request then you have bigger issues, my friend, than we could possibly deal with here on Slashdot. It might be interesting to know exactly why you are opposed to this request. If you can't live with it then take your box and go home with it.
If they are willing to run the server and the service for you, then "yes", otherwise "no". If it's your server then it's yours. Adding more users to it as "tourists" with shell access but without any responsibilities whatsoever for keeping the machine secure will definitely increase the probability of that server being compromised. This applies to sysadmins as well as to anyone else. If the sysadmins won't run the server for you, and won't open up the firewall for you, then you should consider locating the server somewhere outside the hospital's network. There are plenty of colocation and/or virtual hosting services out there. It's not expensive. That's my opinion anyway.
Sorry dude. IT departments would take it in the ass if that server violated HIPAA laws. You JUST don't DO this now. PERIOD.
Gorkman
This whole Ask Slashdot is bullshit flamebait. Anyone who reads /. knows this request is absurd. Someone that knows enough to install and configure the listed apps knows that requesting a rogue server to have open internet access and no management is NOT going to happen.
I realize different organizations have different rules and operating philosophies, but is it accepted practice for employees to set up their own systems in your hospital?
Is this a US hospital? Does HIPAA have anything to say about this practice? Are IT systems audited? Would the IT group be liable for any problems that are found on your system? What if someone cracks your system and uses it as a jumping off point to get patient data? What happens when you leave?
Self awareness - try it!
Coming from someone who might be criminally liable for HIPAA compliance issues based on your server, this was pretty damn polite.
I'd suggest you give it to them, and ask if they have any securing suggestions for you.
Let me get this straight... you've set up your own personal server inside a hospital network. I will assume that there's no monitoring in place, no regular update schedule...
And when it gets pwned and turns into a botnet node with access to all internal network servers, it will end up being IT's job to clean it up.
Rather than being offended, you should be thankful that they're even humoring you. A properly run IT department would move that server of yours into the nearest body of water (to maximize cooling performance...) using a catapult.
What hospital is this? I want to make sure my confidential medical records don't end up in a place that permits such an egregious security breach.
I would insist on the same if I were in that person's shoes. The network is managed by IT, and they need to know exactly what is running on it. It would be negligence to allow an unmonitored/uncontrolled server inside of the firewall. Also, anything related to IT stands a strong chance of being inherited by IT in the future. Someone sets up a system, and then they leave and IT is left to reverse-engineer the whole thing because they weren't involved.
Would this totalitarian attitude actually prevent someone from plugging in a sniffer, or would it just keep people from getting their work done?
Knock it off - use Google Calendar like everyone else who is doing an end-run around the IT department.
This keeps a separation of responsibilities.
Do you really want to be the one fired for causing a HIPAA failure/fault/fine?
What do they want it for?
It's not your network, even if it is your machine.
Read your IT security policy statement. Being in the medical field, information control is highly regulated. Even if they didn't care, they're legally obligated to ensure privacy policies and network security are followed and, more important for your field, that all access is properly audited.
Do you have something to hide from IT? Like unapproved software that may give a third party access to their network (ex. LogMeIn) or lack of a valid antivirus solution? In our corporate environment you would simply be prevented from connecting to the network by NAC.
The best you can do, if you do want to insist on not giving them access, is have the server moved outside the firewall and let them run periodic vulnerability scans on it (ex. Nessus, Nikto) to ensure that they don't have a vulnerable node in their net range.
Please read the BOFH where the IT guy plugs the pc's network connection into an AC wall outlet. Problem solved! There are no illegal devices on the net.
This sure is far more efficient than using a thumbtack and a cork bulletin board.
Having learned this lesson as a "rogue admin" at a hospital -- let me give you some advice:
1) Give them a shell account on the machine.
2) Make them log into the shell account in your presence.
3) Make them su to root.
4) Explain everything about the machine, including any startup scripts, user accounts, password policies, and anything else you might yourself need to know.
5) Give them the root password, in addition to the password to their shell account.
You may have donated the machine to the cause, but you are now responsible for a whole lot of compliance paperwork -- and the better and nicer you are, the better it will be if someone else's machine is compromised and you become a suspect.
Trust me. It hurts when the risk management people get involved. I was thirty seconds away from being escorted off property -- and they were going to bring me my stuff once they had me out of the building -- and it was just for a simple fileserver for creative files in a PR role.
If I'd set up a calendaring server for a bunch of doctors, they would have performed a lower gastro procedure on me...
Anon, of course, to protect my position.
If you want something to run on the corporate network, and ESPECIALLY if you want a firewall hole opened up, you sure as hell better be giving me access to your server. And I better be able to have full admin rights, even if I'm not going to do anything to it. This is an ABSOLUTE requirement; there are no exceptions here. You would be lucky to get permission to even plug a network cable into this since you didn't go to the IT department about this before you ever started. IT is for the IT people for a damn good reason. Things you haven't taken into account: security (ok, I'll give it that you have thought about this some), HIPAA, Sarbanes-Oxley, several other legal liabilities that fall back upon the IT dept if something gets hacked on that box. All of these have to be taken into account.
Use Google calendar. Whether they use an iPhone or not they can access it and you won't need to worry about Hospital Policy.
There's even a swafty little article discussing iPhone usage in tandem right here:
http://news.softpedia.com/news/How-To-Use-iPhone-With-Google-039-s-Products-59231.shtml
For all the people posting about what you can or can't do in their own particular corporate environ, who cares? My environment allows us all to bring in our laptops and anything else we want and hook it up to the network inside the firewall without anybody poking their nose in our business. Who cares? You and I don't work at his hospital, and mayhaps the people he works with aren't allowed to go ape shit over something like this.
As for all this blather about handing over an account that has virtually no rights, that'd be pointless. IT would need admin access just the same as they would on any other box. I'd be more inclined to say that the guy who said he didn't need but basic login access either
a) didn't know how to do his job right
or
b) intends to root your box anyways
I can tell you after working 14 years in IT that if ANYBODY did this they would find their network ports blocked and a notice from an executive on their desk in the morning. ESPECIALLY in the medical field with, as others mentioned, HIPAA compliance issues. If you really want to make enemies in IT then keep pushing it. Otherwise make a case to the director with your requirements and do it the right way.
For even setting that machine up on a hospital network. Do you even know what HIPAA is?
CAn'T CompreHend SARcaSm?
While I'm not familiar with DAViCal, when your admin opens up that port - he/she opens up a vulnerability in their (and your) network. Scanning for viruses alone helps protect this to some degree - but what if patches aren't applied in a timely manner? What if there's a hidden trojan in the application and your admin has a few tricks up their sleeves for determining this? Does the setup leave you potentially vulnerable? An admin having admin access has only themselves to blame if/when something malicious does happen when it could have been prevented.
Here's the deal - if a hacker gets a hold of any kind of access to that machine via DAViCal, that leaves your whole network vulnerable. If people are syncing their phones - then their phones as well. By introducing this machine *and* this software to the network, you've made the whole network vulnerable.
As others have stated - simply allowing this 'rogue' machine on the network is unusual - and in any corporate environment is dangerous to allow.
Your admin is doing what's responsible - by trying to secure your system, he/she is trying to protect the rest of the network.
Personally, in your position, I'd be handing off all of your machine's networking integration and securitization to your admin - this requires full access to the machine. It is, after all, their job, right?
Just because you and your department want a certain feature/service doesn't mean that you should have free rein in implementing and installing non-approved services in the hospital's infrastructure. You have to ask yourself why IT can't (or won't) provide this service to the community as a whole. More often than not it is a matter of money, time, risk, knowledge, business need and/or a combination of these and other factors. The IT department is there to deliver a bunch of services that ensure that the hospital's mission and objectives are achieved. Often, these objectives conflict with what individual users, or user groups, want. God, I wish my company would allow us to connect our devices (Androids, iPhones) directly into the Exchange server, allow us to have some sort of internal social media, wikis, etc. But we don't. And we don't because the company has chosen not to. Myopic? Yes. Justified? Absolutely. It is the company's business and assets they're protecting. So the short answer is yes. They're allowing you to play in their network? You need to give them access. What you need to do is go up to both IT and Hospital management and convince them that what you want to do is not only good for your group, but for the company as a whole. Hey, maybe you'll end up changing the way the company delivers services to your user community.
IT are Dogs! They are a bureaucracy that exist only to make real useful systems less effective. Throw them a pig ear and tell them you'll call them when the Exchange calendar is down again!
There are so many reasons why you should be happy they didn't simply confiscate it. They're responsible for making sure all computer hardware is following regulations; for example, all electronic equipment that plugs into the local power system needs to pass an inspection to make sure it won't cause a problem with any medical equipment (like shorting out circuits). Also, the hospital needs to be able to ensure HIPAA laws aren't being violated with patient data making its way straight out of the network into the wild open, as well as making sure your "little server" can't be a point for a security breach from the outside world with an open port.
I'm sure in your mind "YOUR" server has no problems but other people's asses are on the line for it.
If you're too stupid to be able to answer this question yourself then you're too stupid to be managing and securing your own server to a suitable standard.
If all he did was ask for a shell account, you should happily give him a shell, or even root and be thankful HE hasn't gone up the chain and had you run out the door for breaking how many security and privacy policies.
...like, doing scans or whatever, instead of playing makeshift IT guy. Seriously though, if IT is not providing a service that you believe is beneficial to your department, then approach them. You're probably going to need justification, and if they don't have the budget, they'll want some money to implement it, if it doesn't violate existing policy, procedures, etc.
BTW, would you please disclose where you work. I don't want any medical work done by someone not focusing on medical work.
All they want is a login and not even root access AND they allow you to run your own server? Wow.
I would give them an account and also ask them why they want it. Perhaps they just were thinking to put something like that up themselves.
Or they want it so they can verify where the problem is if somebody complains that it doesn't work and you are on a holiday.
So ask them why they need it. That way you could either deny it or give them MORE access, depending on their answer and not on guessing. If security is an issue, don't run anything over their network.
IT people often forget that the only reason any of us are employed is to make money. If you ask Slashdot (aka the mecca of IT people) if you should be allowed to implement something that your inept IT department could not handle because they were feeble, of course Slashdot will tell you that you are "violating policies" and "screwing up"... What you do is take it up the chain until you have a bunch of fired IT people and an IT department full of new knowledgeable people who can help you make your company money instead of running around with a God complex telling you what will and will not be done.
Just use Google Apps; iPhones, Androids, and web browsers can all connect just fine. It doesn't sound like you are putting up sensitive data that can't be used in the cloud for security reasons.
I have to agree with Gorkman. If I can't see what your box does from A to Z, then I am not going to put my neck on the block for the possible HIPAA violation, let alone trying to track a bug caused by incorrect configuration, extra services such as DNS, etc. This doesn't even take the yearly security audit into account, where I have to explain what your box does. 'I don't know' doesn't go very far with them.
Exactly. Unless you're willing to take full responsibility for any damages incurred on the organization as a result of your potentially insecure server providing a crack in the network (which could most likely be huge damages), you're out of your mind to suggest that IT shouldn't be allowed to manage the server. If it's so important to you, host it on an external network like you would host any other independently operated service.
The things people don't get fired for at schools. I can't believe you're still employed.
Hahahaha you must work in marketing. Ask Vanna if you can buy a clue.
Just get a cloud server up outside the corporate firewall if you can. -- IV
I think a lot of you aren't real keen on just how fragmented IT generally is at academic hospitals. I used to work in IT at one that was also a large cancer research center when we were trying (key word) to centralize functionality. The reality, however, is that the various departments often maintain, and hold on to, their own IT groups because of funding, and how that grant money comes in and must be accounted for. While it may be ideal to centralize as many functions as possible, more often than not dept A may be granted a specific amount of money for new-fangled-system-x and dept B might be using old-system-y.
Whether or not the "IT" department needs a logon to his system really depends on how much they have really been able to successfully demand centralization. If it's like a lot of institutions, they may not really have any more control than the network and telecom areas.
I work in the managed IT services space, and honestly, given this is a health organization and HIPAA applies, I think they're being rather nice. If you're able to build a box, connect it to the hospital network, and get a port opened to the outside world where you are potentially storing PHI (face it, you're going to end up with at least a peppering of health information in even just the subject entries, let alone the details for the calendar). . . that's pretty lax on their part. Does the hospital outsource their IT support? If yes, I'd jump on the opportunity to move forward with "just providing a login", because if this works its way up the chain you'll no doubt be taking that machine home with you soon :)
If the hospital manages their own IT, your chances are better since there's probably less worry of finger pointing in the event of a breach.
Give him the login, but tell him you will disable it once everything is running. Every time he wants to log in, tell him you'll gladly re-enable it. He'll be happy that he can check that things are ok anytime; you are happy that he doesn't have permanent access. He probably just wants to do a netstat, ps, and other stuff to make sure you're not running something nasty. Maybe offer to run an nrpe daemon (or equiv) so he can safely monitor it from a distance.
Do proper scoping and implement changes if approved. Until then yank it from the network and face disciplinary action...
IT is required to administer policies that protect the hospital from exposure on legal grounds. HIPAA requires securing personal healthcare information, and scheduling appointments or coverage for patients falls under this guideline. I am more than certain that you were required to sign off on policy documents explaining what you can and cannot do before being granted access to the network. In this case, I think IT is being very much on your side here by not immediately locking out the server from any network access and bringing the installation of a non-approved device to the security management's immediate attention.
Your heart's in the right place, working to make things better for your group and contributing your own resources to do so, but you are not thinking in terms of the network and resources that have to be managed for the entire organization, and the protections and monitoring that has to be in place to assure that the patient information is handled and protected appropriately. I would do everything in my power to cooperate with IT so they can help implement your solution while preventing you the potential problems that you did not consider in your approach to the issue as an isolated problem rather than a necessary addition to the system.
The fact you were able to plug a device into the lan of a hospital without anyone noticing and without any restrictions shows that your IT department are already incompetent.
See what happens.
You're the one that's out of line here. Even if you do know what you're doing in setting this up and getting it to work, you're intruding on IT's job. Would you be OK with it if out of the blue IT decided to setup their own X-Ray machine or MRI? Even if they told you that they "took all the necessary precautions"?
At the base level, this is not about your ability to run a server, competently or otherwise. It's about IT being responsible for the IT infrastructure. They don't know how competent you are, they don't know whether you'll keep it patched or up and running properly, but they know they'll damn sure get the blame if you do not. If your IT shop is incompetent or inflexible, this is an issue to "send up the chain", but don't expect to be treated with respect if you go rogue.
All of these comments here about your overall strategy, being “flawed” are correct. Unique, de-centrally managed hardware, with inbound traffic from the internet to the box under your desk is wrong, bad, short term thinking, etc.
Now, that we've got that out of the way...back to reality and your question.
Does IT need access to the data on the server? Do they need access to its resources? If not, then don't give them an account. Apparently it's OK where you work to just plug internet-accessible systems into the network. Don't give accounts to people that don't need access to the data to which that account has privileges.
And just to be clear, the process you are following, the policies you are complying with (assuming that you're not blatantly violating policy), the problems you are opening yourself up to, are all bad...and don't give them access.
Quit trying to do IT's job for them. If you want a server for an iPhone-compatible calendar tool, the IT department should be the ones building and administering the server.
I'm surprised they didn't disable the network port as soon as you told them you had an unauthorized server on the network.
Scrap your server and if IT isn't willing to deploy their own managed server that provides the services you need, take that request up the chain. This is the only right way to handle your situation.
Seriously? I'd confiscate your server and push for disciplinary action.
*You brought up a rogue server inside the company firewall with the intention of exfiltrating data (regardless of how harmless you think it is).*
For all intents and purposes, they own that machine and are within their rights to root it themselves. Them _asking_ you for an account seems more like a courtesy :P
Also, it sounds like you made the feeblest of attempts to see if your IT department would support your use case. Did it ever occur to you that, if they don't, they have a good reason?
The network in a company is a company asset, paid for by the company and legally, I.T. is responsible for ALL data on that network. In my workplace, installing any machine on our network without my director's approval will get you walked out the door as soon as it is found. Since it is my job to make sure that that doesn't happen, guaranteed that the server wouldn't be there more than five minutes before I found it. Wireshark is a wonderful tool.
Besides HIPAA, there are also various ISO regulations on any computer networks involved in medical devices, testing & the like. You'd have some major explaining to do when your ISO auditor can't get into one of the servers on your network.
You're doing work for the hospital on the system; therefore they need access to it.
Not only that, but there are all sorts of legal requirements around any data on the damn thing. Technically, your calendar, which includes appointment data and scheduling for when you worked on which patient's stuff probably falls under the domain of medical records....
There's a reason that bureaucracy isn't real compatible with you throwing up a server for whatever.. there are legal requirements that make it so every little thing needs to have enterprise-grade bs and management behind it. At least on paper anyway.
Not only that, but once you've used it for that, who's going to sanitize the data off it when you're done with it? I'm surprised the IT guys didn't show up with crowbars demanding admin accounts, followed shortly by dismantling the thing.
That said, I'm sure it's a sweet iphone calendar thingy or whatever.
If you brought your own server into my network, you would be taking that right back home with you. That is an absolute no, no with me.
I don't even allow people to bring their own monitors, memory or speakers. (I'm not so strict on mice and keyboards though)
Assets management can be an issue. Especially when people leave/get terminated and they have brought their own hardware/software. If you need/want something. Get it approved and we will buy it. Don't bring your own.
If I were the IT person there, I would take it up the chain and have your rogue server removed from the network.
Don't you have enough to do as "Head of the Division" that you want to install servers? You ought to be fired or have your pay docked for doing work well outside of that which you were hired to do.
Why is a Division Head fooling with computer hardware like this? Isn't that what IT is there for? That's why you are paid several times more than them...
In the hospital where I used to work this guy, head of a division or not, would be reprimanded (if not worse) for trying to pull this stunt.
If you want to take something up the chain, it's a request for a CalDAV server. Not a "hack" to allow your own little pet project to jeopardize security. I assume you want others to use this system as well? Who will train them? Who will maintain the service after you leave? Who will fix this server when you're on leave? Who will be held responsible when your server gets hacked? Did you actually think any of this through?
At the large company I worked for, hooking up personal computers to the network was a terminable offense. So no, you don't give them a login - you don't set this up at all.
The chief reason appeared to be fear of viruses and hackers, but there are many, many more. The hacker front can be a bit obscure: What if your CEO read the article about RSA getting hacked by an excel file with an embedded flash object, and the CIO assures the board that all computers will have flash removed and tasks IT with identifying and removing flash everywhere? How are they going to look having to explain 'well, we got everything, except for the personal computers that we don't have access to'?
Let's say people start relying on the service you are providing with a personal computer under your desk. What if it goes down? Helpdesk will get called, and need to know what to tell the caller so they don't appear incompetent, and need to be able to address the problem. What if IT is required to certify that all of their computers have X patch applied as part of a compliance audit for certification? What if a corporate policy goes out that no computer can run unencrypted ftp regardless of port # they run it on? What if your company is obligated to ensure that terminated employees can't log in to servers? What if a lawsuit is served and your company is required to provide copies of all records pertaining to meetings with client xyz, and your calendar server has meeting info on it but your IT department doesn't even know it exists? None of these things are unreasonable, but none of them can be done easily if you're allowed to set up whatever box you want doing whatever.
Sure, it makes your job harder if you have to go through official channels to get the things you need to get your job done. But your company needs to be able to get their job done too, and a bunch of random whatever-somebody-set-up-under-their-desk systems makes that really hard.
Is competition good, or is duplication of effort bad?
As several other posters have pointed out, in my work environment, your server would have been confiscated already. I doubt that you would have been able to purchase such a thing here at all. And any complaints about being unable to get the services you desired, or how it was a 'simple' task, or any other excuse would have been met with silence.
And you would have been on the carpet with at least three senior VPs, along with your own VP explaining how they permitted the attempt. Just the attempt.
Around here, you would have had to install it all on a desktop PC you snagged for some other purpose. It would have lasted a few hours until someone from network services came around with a cart and bolt cutters to snip off the cable lock. And a security guard.
Now, if it were MY network, and I were either the great high Administrator or director, I would have demanded immediate root access or disconnection, per pre-existing policy. It's kinda like paying for the insurance on my car, but having no say in who drives it. I'd like to at least know who crashed it was permitted to drive, and no, I would not let the local meth heads take it for a spin to Mexico. Either your IT department is in charge or they are not. And no, you can't have your own Internet gateway, even if you promise to never ever interconnect it. Do you not know what HIPAA is all about?
deleting the extra space after periods so i can stay relevant, yeah.
You are inside their firewall so it's their responsibility.
"If any question why we died, Tell them because our fathers lied."
Hi, my name is HIPAA and I see a problem with this rogue IT networked equipment.
You have an IT department for a reason...use it. If someone tried pulling this kind of crap at one of the sites I manage (and people have tried), you'd be packing the hardware in the trunk of your car and taking it home with you. It's in your best interest, as well as your peers and clients, to follow whatever policies are in place. Maybe if you tried collaborating with your IT department you could have made this whole thing easier on yourself. More than likely there would have been someone willing to take your requirements and run with it to get your desired service up and running while making it compliant with whatever polices are in place.
Insanity: doing the same thing over and over again and expecting different results.
If you plug something into IT's network, IT gets an account... period.
OK, if the point is to get work done, then jddorian (the original submitter) should meet with the IT department and explain to them what he needs and how he went about setting it up. That at least puts the onus on the IT department for providing the requested service or explaining why they can't do it.
The attitude of "default no" at least keeps organizations from making serious mistakes. IT drug deals and one offs are a recipe for disaster since issues such as security and support are usually ignored, until something goes terribly wrong that is.
In the land of the blind, the one-eyed man is usually crucified.
First of all, as has already been said, you may be violating a ton of policies as well as HIPAA by putting that machine on the network.
In most instances, IT has control of every piece of equipment that connects to the wire, even if they don't officially support the software or hardware. However, I know of plenty of exceptions to this rule. There are times when it is desirable to exclude IT from having access to a piece of equipment or server for a variety of reasons. Said equipment is generally supported by either a local department resource or an outside vendor directly. These arrangements are pretty much always in writing though. If you want to keep your server outside of IT control, you'll no doubt need to work that out with them.
and even less for a BSD server
Since it's a single-function server paid for out of the OP's OWN pocket, it belongs somewhere other than on the institution's network.
He should put it under his desk at home on his own cable modem, and use dyndns or some such.
If it's just work schedules and contains no HIPAA data, it can be anywhere.
Why set up your own machine, you can buy this service for dirt cheap.
On the other hand, if it truly only runs schedules, what's the problem with forking over an account for IT? The fact that there is resistance to doing so suggests there may be some internal gossip board or other motive for keeping everyone else out.
Sig Battery depleted. Reverting to safe mode.
You must consider if the overall structure of access falls in line with HIPAA requirements if you are in the US.
Having IT login access to your server would be a corporate design issue. If IT is the top tier support for your servers, then yes there is no problem with them having the access to your system.
If your system is managed by a third party, then the managing party should be the one to negotiate with IT on access rights.
Would need more details to give a specific answer.
Colbert Consulting Services, Stone Mountain, GA. (404) 941-8225, Sea Oats Designs, Lawrenceville, GA. (770) 605-7019
http://www.facebook.com/#!/pages/Colbert-Consulting-Services-c-1994-2011/149522228442631
While you're at it, why don't you have a new entrance built for only your use. Don't consult the maintenance department or anything, though.
1. install vmware server, configure a barebones virtual machine
2. configure local ssh to listen to an alternate port number.
3. configure port forwarding on your local machine to direct port 22 to the virtual machine.
4. give them access to the VM
Best of both worlds.
They think you've given them access, and you have...just not to the machine they think they're accessing.
If you decide to give them an account on the actual machine, configure an external location to backup your logfiles, even remote logging. When they attempt to do something bad on your machine (and they will) you'll have the proof you need to make someone regret their actions.
"Lame" - Galaxar
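The remote-logging suggestion above (keep an off-box copy of the logs so that local edits can be proven) is easy to check mechanically. The following is an added example, not code from the Slashdot thread: it compares what a remote loghost received against the server's local auth log and lists the entries that are missing locally. The log lines, the host name `calsrv` and the account `itops` are constructed for the example. Timestamps are ignored on purpose, because a relay may stamp a forwarded message with its own clock.

```python
"""Added example (not from the Slashdot thread): detect entries that were
removed from a server's local auth log by comparing it with the copy an
append-only remote syslog host received.  All sample data is constructed."""
import re
from collections import Counter

# Constructed sample: what the remote loghost received.
REMOTE_LOG = """\
Mar 12 02:14:01 calsrv sshd[4121]: Accepted publickey for itops from 10.20.0.15 port 51844 ssh2
Mar 12 02:14:09 calsrv sudo: itops : TTY=pts/0 ; PWD=/home/itops ; USER=root ; COMMAND=/bin/sh
Mar 12 02:15:40 calsrv sshd[4121]: Disconnected from user itops 10.20.0.15 port 51844
Mar 12 03:00:00 calsrv cron[4200]: (root) CMD (/usr/libexec/save-entropy)
"""

# Constructed sample: the local log on calsrv after the sudo line was removed.
LOCAL_LOG = """\
Mar 12 02:14:01 calsrv sshd[4121]: Accepted publickey for itops from 10.20.0.15 port 51844 ssh2
Mar 12 02:15:40 calsrv sshd[4121]: Disconnected from user itops 10.20.0.15 port 51844
Mar 12 03:00:00 calsrv cron[4200]: (root) CMD (/usr/libexec/save-entropy)
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Messages worth flagging first when they turn out to be missing locally.
PRIVILEGED_RE = re.compile(r"^(sudo|su)\b|\bUSER=root\b")


def normalize(text):
    """Parse syslog text into (host, msg) keys, dropping the timestamp so a
    relay that re-stamps forwarded messages does not cause false alarms."""
    keys = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            keys.append((m.group("host"), m.group("msg")))
    return keys


def missing_locally(remote_text, local_text):
    """Return the (host, msg) entries the loghost holds but the local log lacks.
    Counter subtraction keeps only positive differences, so repeated identical
    messages are handled correctly (three remote copies vs two local = one gap)."""
    remote = Counter(normalize(remote_text))
    local = Counter(normalize(local_text))
    return sorted((remote - local).elements())


def privileged_gaps(remote_text, local_text):
    """Subset of the gaps that record privilege use (sudo/su/root commands)."""
    return [entry for entry in missing_locally(remote_text, local_text)
            if PRIVILEGED_RE.search(entry[1])]


if __name__ == "__main__":
    for host, msg in missing_locally(REMOTE_LOG, LOCAL_LOG):
        print(f"missing locally on {host}: {msg}")
```

On the BSD box described in the post, the off-box copy comes from a `syslog.conf` line such as `auth.* @loghost` (syslogd's `@host` forwarding syntax); the loghost must be one the server's login users cannot write to, otherwise the comparison proves nothing.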
Academic IT departments are very different beasts. The bureaucracy to get things done can be much more complicated, the resources much scarcer, and the variety of tasks that people need to do/think they should have a right to do/assert that IT is born to do is vastly greater.
The more the IT people lock things down in an academic environment, the more rogue operations there are. If they go after the rogue operations, then the bureaucracy increases as the rogues fight to take the power away from centralized IT.
On the other side, if I want something done on an academic network, dealing with support in an IT department built to have work-study students explain to incompetent professors how to bring back a menu bar in Outlook (or Thunderbird, or whatever Macintoshes use, and, of course, professors will insist on the choice of which one) can be a nuisance. It'll waste a half-hour of my time (more in the phone queue), and a half-hour of their time. On the other hand, if I screw up the MAC cloning on the rogue device I'm jacking in, or if I put it into an unauthorized drop, the competent person calls me, and we can sort the issue out. Nobody wastes any time. Of course, they'll also call me if I run an IRC client, and tell me that my PC is botted.
So, yeah, if they want a login on the box, good for them. They won't have the interest or money in administrating it. Naturally, they could be just collecting the data they need to bring a complaint.
Or a BSD server, like in the OP...
Actio personalis moritur cum persona. (Dead men don't sue)
Subject says it all...
"I am head of a clinical division at an academic hospital" .....this screams of HIPAA violations. You should be fired.
Because when your machine gets compromised, it's going to be IT's ass anyway.
...so I bought (with my cash) a tiny server, installed BSD...
Sounds like the general theme here is we have a user who knows just enough to be dangerous trying to have things his own way and messing up IT infrastructure in the process. Of course, there is also the flipside -- an IT department that is unresponsive to user needs, perhaps because of layers of red tape instituted by management or perhaps out of overwork or even laziness, stifling potential improvements and forcing users to manage the best they can on their own. Without knowing more about the situation, either scenario is possible.
That explains a lot. Guess what, Head of the Division: just because you are smart, and well trained in YOUR field, does not make you a computer or network expert. As the head of a division at an academic hospital, you have a responsibility to not only follow HIPAA (or your country's equivalent) requirements yourself, but to set an example for the medical professionals training at your facility.
Do you simply not understand that plugging unauthorized and unaudited equipment into a hospital's network is not only a very bad idea, but against the law in most places? As the head of a division, you should understand that.
The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law. No one expects you to be a network expert, that is your hobby, not your profession.
In short, stop being a condescending ass and let the professionals do their job. If I knew an untrained "division head" was setting up unauthorized networking equipment, I would avoid that hospital like the plague, as I don't want hacked equipment broadcasting my medical history to the world, understand?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
This is why you should need a licence to own and operate computer equipment :-) If someone attached their own kit to my network I'd shutdown the interface on the switch. To suggest that *they* shouldn't have access is a joke - it is *their* network... Give them root access and be thankful you haven't been fired!
Geezus tap dancing Christ why would you think it was ok to put your own server on a business network?
My wife is a practitioner at a large hospital. What upper management says goes - and what IT says goes for the network, hardware, and software. Much of the software and other infrastructure is slow, cumbersome, and IT is about as responsive as the DMV.
They wouldn't allow what the OP did and they wouldn't do anything about iPhone calendar software. She'd be SOL.
The OP would have a much better chance having the hospital get them some sort of PDA/smartphone that's compatible with their infrastructure and paying the associated monthly bills.
Keep the iPhone for personal use.
Plug it in at home, problem solved.
However: Why buy a server at all? Get a hosted vm image somewhere, throw the software on there, and just have everyone in the department use it. Putting a machine on the IT department's network is what's causing the issue (legitimately for them, annoyingly for you); remove that part of the equation, and the problem is largely solved (the only issue left would be whether keeping the schedule outside is a privacy or policy violation).
We are agents of the free
Is it really that hard to load into your smartphone a few weeks schedule occasionally? Even if everyone in the department is a techie, there is no need to try and get fancy. Sometimes the old fashioned really is better.
If you were talking a department of 100+, I can see some benefit. For a dozen freaking people though, you're just creating needless drama.
Yes, give them the account.
Be grateful you're not already unemployed for a major security breach. *
Start begging them to provide a service matching what you've set up, now that they can log in to see what you've done.
Take your hardware home and run home automation stuff on it, or something.
*paraphrasing other posts. I ASSUME you got permission from someone before doing this.
More than that, who says you are a qualified systems admin? You say "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented)." And I take it that you installed BSD and OpenLDAP. My question is... so what? Who is to say what you really know? You are operating in a hospital. You have medical records. The IT staff there MUST make sure ALL systems there comply with HIPAA and industry security standards.
Hey, the IT guy watches Grey's Anatomy. Can he perform medical tests in your hospital? No? So what makes you think you are comparable to IT? They respect your job, how about you respect theirs.
I'm sorry, but there is no way in hell I would let you on such a network without root. Not an account, but root. And if I were a patient, I would be screaming bloody hell if I found out non-IT staff got to run their own servers on the hospital network. The fact that they let you run at all is mind boggling to me. Probably because they can't fire a department head or you have tenure or something similar.
But you are on the most sensitive type of network and balking at the most basic request. "Should I give IT a login account on a server that is not owned or managed by them?"
Should they allow you host a server on a network that is not owned or managed by you? Honestly, if you did this all without first passing it by my IT department, I'd do my best to have you fired. Don't wanna give access to your precious box... geez, you really think THAT is the big deal in all this. Unbelievable, foolish, and arrogant to say the least!
I8-D
You want to use their Network infrastructure you play by their rules - simple. If you don't like their rules, unplug your box from their network.
The reason IT is perceived at times to be slow at coming up with solutions is because of people like you. Because sometimes you will go up the chain and if you have a buddy upstairs that mandates IT to allow you to have a rogue device on the network then headaches abound. Are you following IT's update schedule? Are you following IT's best practices?
Because for all intents and purposes by asking to host a server on their network you are asking to join the IT department and be in charge of all server maintenance. It sounds like the tech was being a lot nicer than I would have to you. Not only was he willing to allow your rogue device on the network, he, it appears, wanted a login to do your job and update the server and keep it secure. Jaw dropping that you are pissed about this.
So now you get your device on the network and IT has to account for it in the Operating Procedures and add another layer of complexity. What happens to your peers when you roll out and take the server with you? Everyone is going to bitch at IT for taking it away.
You need to make these requests through your IT Department and follow the chain of command, douchebag.
Google Calendar
you are what you is -- FZ
IMO you really don't want to fight them on this, especially since they're not asking for root access. Even if you kick it up the chain of command and get a ruling in your favor (which is by no means a foregone conclusion), making enemies in the IT department is simply bad office politics.
If you cooperate with them on the little things, you increase your odds of being able to fly under the radar on the stuff that actually matters.
Where I work, the IT infrastructure is very MS-centric. We're a satellite R&D office, with no dedicated IT staff; the corporate IT people are 1000 miles away. I help the IT folks with the day-to-day stuff at our site (making sure the Windows server gets backed up, installing software, troubleshooting Outlook problems, etc.), and in return they leave the software group (which comprises about 20% of the people in this office) alone to manage our own Linux-based server and desktops. Everybody wins. (Well, other than the part about me having to troubleshoot other people's Outlook problems... but I digress!)
Assuming a network scan from your IT people means that the machine is secure and not infected says that you haven't quite got a full handle on security.
Yes, you bought your own machine with your own money. Did you ask IT before doing this? Do they support iPhones as devices on the network? If not, why are you connecting them to it?
The real solution is not to randomly go and install your own project without asking, it's to engage with IT first, and ask why they don't support particular devices and services. If there's a great hospital need that can be filled by this, then get a project started, with a bit of budget, and get the IT bods trained. Get the service installed such that when it (inevitably) goes bang, someone will be around shortly to get it fixed.
I'm wondering, as head of a clinical department, how much your time is worth, compared to your IT guys? If it's several times the cost (most likely) then you've just cost the hospital a shed load of money. You now have to support it (more money), and odds on, you'd not be as good as an IT specialist at doing so. So, several times the cost for a less reliable service.
When you're doing your clinical job, will you take the calls when it falls over (or will you even take the night calls when it fails for the staff on over night that use it)?
There are so many things wrong with just slapping a machine on the network, it's not even funny (I work in a hospital, in the IT side, and attaching a computer to the network that's not been vetted and supported by IT is a disciplinary offence; you could easily put a hole in the network security that puts patient confidentiality at risk). If your IT guy wanted to play by the book, the recommendation would be to shut the box down as a rogue, and get you to engage with IT properly. Do a risk analysis, and a security vetting on it to make sure it's not going to do anything nasty. Make sure it's supportable and the skills are in house to make sure that when it goes bang, someone whose job it is to fix that will be there while you're concentrating on fixing patients (which IT really can't do, but they really are pretty handy at fixing computers that break).
No, it won't be ready tomorrow. Or in a few weeks.. But as long as you put your money into it to make sure it's supportable, then all is good.
Have a good think, and imagine what would happen if all the departments decided to run their own little projects without engaging IT. What would happen with the standard fail rates of hardware and software, and the user support needed. What would happen to costs and department efficiencies?
The account on there is really such a trivial thing in the wrongness here that it's barely worth mentioning amongst the much bigger wrongs going on..
All IT want is to help you do your job more efficiently and provide you with what you need, balanced with what's safe for the hospital and the patients, and what can be safely resourced. If you use the IT department properly, everything gets slowly better. If you don't, you fragment the systems, and end up without support and with lots of expensive wasted time.
Perhaps before placing a system on the network that may violate any number of laws, not to mention HIPAA, you should formally request this service from your IT department. If it's a service that the hospital wants, they will pay for it to be done correctly. Otherwise you are simply introducing a nice gateway for the Internet to access patient information and subject the hospital to any number of lawsuits.
How did you even get your server on the network? I don't work in a hospital, just a run-of-the-mill business, but you wouldn't even get a rogue server on our corporate network without IT's permission first. If you found a way to get it on the network, then we'd track it down and confiscate it with management approval (management doesn't like to hear "HIPAA violation") and you might be facing sanctions for violating IT policy.
You wouldn't get that permission to host this server unless the server was sitting in our datacenter running our build of Windows or Linux, configured with our patch management system along with reviews of the configuration and especially any custom code. And yes, we'd have the root password and you would not. If you could guarantee that no HIPAA covered data would live on the server, you might get to have the server in your own DMZ, but IT would still need the root password so we can check it out or shut it down if it does anything suspicious (like become part of a botnet).
HIPAA certification is a long expensive process, and allowing self-managed departmental servers on the internal network is not HIPAA compliant. People think that IT just makes arbitrary rules that make it hard to get real work done, but often those seemingly arbitrary rules are due to the seemingly arbitrary regulations that we have to follow.
I don't think staffing calendars are HIPAA protected data (as long as no patient data is revealed like "Tuesday - Dr Joe performs Joe Doe's sex change operation"), so why not just rent an Amazon EC2 instance and host it outside of the hospital network entirely? Though the IT department may still not allow it unless they have a way to audit the hosted data to ensure it doesn't fall under HIPAA protections.
(A) you can buy your own hardware and take it to work and use it, but (B) it's their network and they can demand access to it to ensure it's secure.
But really, if they didn't need root access, it's going to make security checking approximately impossible to do confidently, so they're already demonstrating some ineptitude. Beware. It's quite possible the IT person you are working with is a "knows just enough to be dangerous" and they outsource the heavy lifting and he's just the eyes and hands on site for simple stuff. In which case stick a sucker in his mouth and be thankful you don't have to deal with hassle.
I've been known to take my own stuff to work - heck, I've always had my own laptop, and so far nobody's challenged me to get their hands on it. But then I generally know at least as much as they do, or more, so they leave me alone. Once they told me they needed to replace my computer with a "company machine" and asked for a written quote for replacement of everything in my laptop bag. I assume they got severe sticker shock, (I don't pack light) as they haven't brought it up since. First place I took my laptop to it was the only machine in the building that could work on the server's scsi drives, and the PHB didn't want me to bring it in until the day I had to and then he left me alone. (and refused to pay for one of their own)
If they were pushing me on the issue, and only wanted a shell on my machine and not root, I'd call that a fair compromise actually. (At least I'd be fairly confident they wouldn't do any damage.) No way I would give them root. If they want root they can supply their own machine. But I do accept that my denying them root would make it totally fair for them to deny me a mapped port. Or just plain forbid me from connecting to the LAN, period. I've seen companies and schools that are that way, the switches only routing traffic from approved MACs. Flash drives too. Had a manager in the past that forbade personal flash drives on premises. But he was an ex bank manager so that wasn't too surprising.
Really you've already opened a can of worms by not just bringing in your own machine, but turning it into a server, a business-reliant machine. If I take my laptop home, stuff doesn't stop working. I'd say you've gone too far and should make a presentation to the PHBs to replace your kit with some of their own. Tell them you brought it in to demonstrate NEED and that the test is done and the results are in, and you are now going to take your gear home and they need to decide whether or not to buy their own stuff. If they can't see the improvement by the numbers now, take your box home and that will make the numbers fall again. If they still don't see a justification, either it's not worth it (is it? be serious and answer that) If it's worth it and they don't see that, time to move.
I work for the Department of Redundancy Department.
So, this rouge server, does it make people blush, or what?
All kidding aside, I agree, it's their network, their rules - and besides, let them have the headaches/ability to fix it if some hardware dies on a weekend. That's a win/win scenario.
Of course you're going to get lambasted for bringing in your own resources. What you did was both cool and questionable, and I can see how you might want to bounce the idea off of a bunch of geeks.
I'm going to ask you an alternate question - can you set up a Google calendar for this? I know, I know - you went to a bunch of effort to roll your own, but if the department isn't too large, and you don't worry about giving everyone write access to the calendar (they're adults, right?), then a "community" style calendar might work without the need to get IT involved. I use it for two or three small organizations along with my family calendar, and it works seamlessly with the iPhone, iPad, (it better work with Android), and any box that has port 80 access without a block on Google apps.
Go grab a cold beer now - it'll help put out all the flames ;-)
Is it just my observation, or are there way too many stupid people in the world?
OP is very lucky to have such a friendly IT department that just doesn't outright ban the server from the network with no questions asked..
You want an iPhone calendar server? You go take THAT through the proper channels and we'll see how far it gets you.. If it gets approved, then fine, let IT install the services that's needed and you'll have your iPhone calendar server.. This is how 99.9% of companies work...
But instead of taking your iPhone calendar server up the channels you went and bought your own server, installed it yourself and dumped it onto IT's network which made it IT's responsibility without even letting them know beforehand (because as you said, they had to ask about the port)....
Then after that, you expect IT to open the port for you and you're apprehensive about giving IT root access... I don't think that's appropriate behavior, especially for software services that haven't gone through the proper channels..
Stop abusing your IT department, please... Give them root access to the server and next time you want something send it through the proper channels instead of going out and doing it yourself and you'll save everybody a whole lot of headaches.
One thing I'll never understand is why non IT people spend hours attempting to integrate/install/deploy technology on their own. The only possible legit scenario I could ever foresee this happening is if the IT folks were so overburdened or so horribly apathetic that you can't get anything done from a technical perspective. Even so you would think most people would work with their managers to request/deploy/implement new technologies for them.
My only conclusion is that people who do this are bored with their current job. Either that or the management structure has not emphasized just that, structure. I would think as head of a clinical division you have 500 other things to do that are clinical related and require your time and attention...yet you chose to deploy a calendaring system on your own? That makes no sense and honestly if you aren't cited for implementing your own technology which is hopefully against policy, you should be cited for taking on this kind of project in the first place if you don't work in IT and IT projects are not your core responsibility.
This is like IT people taking hours out of their day to go re-run payroll.
Have you met any IT people? The ones I know are not much more than computer literate. They know just enough to pass their MCSE cert. The last one I met didn't know the difference between a router and a switch with vlans....he thought they did the same thing! Before that, I spent a few hours explaining to an MCSE newhire what ping and traceroute did! I'm not saying that all MCSEs are that bad, but I haven't ever met one that was any good.
So, I got out of IT....associating with those guys will give you a bad name, and everyone will hate you.
This guy is trying to run open source software, his IT department is - no doubt - filled with Windows weenies.
I recently needed a server with internet access and had to configure the server myself....the IT department here doesn't "speak linux". They recently asked me if I was doing my own backups! The first thing I did was create offsite backups because I don't trust their ability to keep this VM running!
"Lame" - Galaxar
"The Hospital IT department doesn't offer... so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal."
Wow. Why not just push all the buttons on management to get the 'real' IT folks to support a calendaring package from this century, or at least a scheduled sync with a Google calendar that your devices can sync to?
What you just did was add a whole mess of unaccountable, unmaintainable, indispensable, and covert technology to the mix. If I was a manager in I.T., I would likely cut some of your department's support over something like this, and start inviting you to more meetings so there are no further 'misunderstandings'.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
I'd come and turn it off, and tell you to take it home, the minute you called asking to have a port opened up, and I'd disable the wall port you plugged into since I know you won't adhere to what I'm suggesting. Your personal equipment has no business being on a business network, let alone providing that type of functionality, without going through the proper channels first.
This is the reason companies create policies and start layering on the bureaucracy.
No, you shouldn't give them an account. You should use the proper method of acquiring the hardware and services you need to better serve your dept. Not go out to Best Buy and pick up some random crap and start plugging away. Where do you work? I'd like to know so I can point and laugh when I read the news story about your patient records being compromised.
Having been round the block, I understand the issue from all sides.
I understand your wish for a service of some kind. But I don't think it's your job to provision or supply it, and above all else, primarily, it's not your network, or system. As such, nominally you don't have a starting position other than to take forward your request for the services you might like in the first instance. And the fact they don't provision something may not be a lack of service, it may be legal or compliance based.
I also understand that sometimes in research and scientific areas, there is in some orgnaisation some leeway applied. But in all cases, IT really has to be involved, and you have to end all the ideas that this is your service, on your network. Its not. It is a service on their network, through their firewall, and all the threats and vectors land on their plate and not yours.
Its sometimes tedious because in the real world - you get a full spectrum of IT, from very bad to very good, and often beyond your control or influence. There is another side of course. IT really only exists to provide services and tools to people, and sometimes thats lost in the mix. It gets lost in the storm that is lack of money, compliance, legal garbage, and budgets, problems, support, and so on.
We're all equal
Yes, you should give IT a login and make him a member of the wheel group so that you don't have to give out your root password. However, I'm surprised that the IT department hasn't thrown off some alarms regarding a rogue server on their network. If I were in your position, I would work with IT and allow them to secure your system and bring it up to their SOPs and R&Rs regarding equipment on their network. You really should have consulted with the IT department before spending your own money and time when they could have just as easily taken care of this for you.
However, what's done is done. Of course, this falls under what a mentor of mine used to tell me: It's better to ask for forgiveness than it is to ask for permission.
Good luck!
For when that HIPAA audit occurs, or when something fails (while you are on vacation, etc) and no one ends up being on call for a weekend.
I work in an IT dept. for a large public hospital corp. and we use Sharepoint and Outlook for the same thing. You could just set something up in Sharepoint instead of bringing in a rogue server and putting it on the network and then asking IT to open the port on the firewall for you. What are you thinking? We terminate people for that. You can't just do what you want in a hospital environment, there are laws that have to be followed.
WSUS / etc won't do much good for a Linux server...
He did say "and other tools", and that's exactly the point - if they can't do patch management for your particular flavor of Linux, they can't easily ensure that it is up to date with security patches.
Very quickly, all these databases became IT's responsibility to manage, especially when the pinheads who designed them got promoted to their particular level of incompetence, or left the company.
This inevitably happens because IT organizations refuse to comprehend or work under the concept that they are not the reason for the existence of the business, but instead exist to help the business make money.
I'm one of those "pinheads". My VPs give me requirements to accomplish some task, gather some data, and build some reports in order to support the operation of the business. Such a task requires some kind of database to hold the data and some kind of reporting application to build the reports. So I go to IT and ask, spend weeks building BRDs and cases and they come back with the ridiculous response that it will take 2 years to build and cost half a million dollars.
I'm not allowed to hire any new employees to do this work manually and this is far from the only task I have to do each week, so what do I do? I spend a couple evenings and weekends hacking together a solution that "works".
Now I try to use the best practices I can, with normalized tables, primary keys, with the data all in SQL and linked to Access, etc. But I'm no expert. But why can't the IT organization come up with "quick solutions"? Are there no people in IT who know more than me who could make something "as good" as the POS I cobbled together in a week or two?
Well, the answer is that there apparently aren't. So pinheads like me, who have to get a job done "now" so the business can do what it does (making and selling widgets) do what we have to get the job done so we can sell widgets and earn the money that justifies our existence as a business (and pays for the IT budget and salaries).
I also know this makes a mess for the IT department when they have to inherit the POS I made. But just imagine how much easier things would be for the IT folks if they would provide people to help with these quick solutions so that they are designed reasonably well and are easier to support. Considering how much time and effort they have to spend on the back-end of it, dealing with crappy databases and data, it would probably actually require less time and effort if they availed themselves at the front-end when the business needed a quick solution.
If a pinhead like me can come up with a solution in a couple weeks (less time than all the project scoping meetings) that's still holding up pretty well after 5 years, then it's clearly not rocket-science. Why can't an IT person or two, who actually do this for a living, do the same or better?
Ah, the old IT conundrum: If I ask IT to do it, it'll take several months and tens of thousands of dollars in budget to implement. If I hack it together myself, it'll take a few hours, and a $1000 investment in hardware. But then comes maintenance, and repair, and so forth and so on.
In the end, you're going to need to hand over control of the system to IT, whether that means having them build a new box for you that does the same as the one you built, or handing them over root control of the system you built, if they're familiar with the components of the BSD/LDAP/CalDAV beast you've hacked together. Basically what you've built for them is a Proof of Concept system, or a Prototype, which they'll need to take over eventually, because you're not going to be in the business long term of supporting this tool.
Awesome. I had the same question the other day and looked it up.
He might be gone sooner than he thinks. He broadcast enough information to be identified, and he has publicly pointed out that his institution doesn't have policies in place that affect HIPAA compliance issues. Maybe the hospital is private and the OP is a doctor who has a large personal investment that funds the hospital (or some other situation that puts him into the "can't be fired" category). I hope so, for his sake.
IT is a service. I know, he probably should have tried putting in a formal request first, but the feeling I get is that would have been a waste of time. That he went ahead and did this shows initiative on his part, or possibly frustration with the (lack of) support from IT.
I've been on both sides, and I can understand his frustration. As the quote by Plato goes, being ruled by lesser men is a punishment. Maybe the IT people where he works are competent, and he should try to get to know them better, get on their good side, etc. But if he needs something, and the IT department isn't providing it, it's not his fault. Could be the IT department is underfunded or apathetic. I wouldn't want to give someone who's apathetic access to a machine I rely on. OTOH, the guys who run the network *need* to know WTH is going on it.
how do I know that you aren't running some warez or porn farm or hosting some video game server?
A better question is, how does the submitter know that his server has not been infected with bots or other nasties? I'm sure his intentions are good, but he could be creating a lot of unintentional problems.
The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law.
Now who's the doctor here?
You want him to play hardball with the guys that have to open a port for him, not to mention letting him on the network at all? Yeah, that works great, I'm sure!
Where I work you just don't plug in your own hardware. It would earn you a nice cardboard box to put your personal shit in, if you're not escorted out first.
This guy is beyond stupid.
I think your instincts are spot on here: not allowing IT to have a login seems like it might help protect your intellectual property. You put together a great solution where your department had a real need that wasn't being filled. You have invested in tangible assets here, too. The IT department has a very valid claim also; they really need a login for anything they may need to support or integrate. Compliance in hospitals is also a huge factor, as you know. The good news: You are on the brink of the solution! My recommendation, for what it's worth:
Step 1. Go way up the chain, to the Chief Compliance Officer, or whoever has authority in compliance, as well as the ability to make decisions to purchase software licenses, hardware, etc. Request a meeting to show him your prototype.
Step 2. Bring the prototype and demonstrate it.
Step 3. Then ask for what it is worth to you ($1000? $20,000? You decide). That number is to allow them to license your solution and to cover hardware costs. Offer the hospital a trial period of 30 days. Tell him about the dozen or so who are excited about the trial period. If your team will put that in a cheerful looking petition, even better. During the trial period, you will implement both the old system and your new solution. This will take a tiny little time more to perform the same tasks as before, but your solution will work, hopefully be implemented, and save a lot of time and improve efficiency in the long run. Tell him you have spoken to IT briefly about security and feasibility and they seem willing to work with you. Tell him the IT department will need a login and request permission from the Chief Compliance Officer to provide the IT department a login.
Step 4. Let the IT department know you have received permission from Compliance to provide a login and give them one.
Step 5. Whether or not your hospital implements your solution, I would recommend contacting several other hospitals' Chief Compliance Officers and making the same offer.
Step 6. Cash your hard earned check. I believe in you!
It sounds like you followed the old mantra of "It's easier to ask for forgiveness than it is to get permission". You had no permission to set up this server in the first place, but now that you've gone ahead and done it, you're asking for forgiveness (in the form of the opened firewall port).
That is not how IT works and that is not how any decently run organization works (IT or otherwise). So although it is "easier" to ask for forgiveness, it does not mean you are right in this case. Do the right thing, shut down your server, and go through the correct process of working *with* the IT folks to get something you need, not behind their backs up until the last step of the firewall port.
That said, he shouldn't be hooking up hardware to the network, especially in a hospital.
Better to have this as an "external example/proof of concept" that his management can use to demonstrate "this problem isn't that hard" and "the solution shouldn't cost $5mil".
By adding an unaudited computer to your network you more than likely are compromising the security of not just the server you're running CalDAV on, but the whole network itself. This insecure computer can and will allow outside access to your network once that computer is compromised, which is what the IT department is worried about (reasonably so). So to be honest, they will probably block that computer's access to anything, rendering it useless.
is why your IT guy is only asking for limited access. He should get fired straight up for that.
Even if you are not in the US and HIPAA does not apply, I am guessing your patients would not like this setup. At least not the ones who understood networks.
If the box is inside their perimeter, they're going to want at least some degree of control or at least monitoring for it.
If I understand correctly, you need this hole in the firewall because all your devices (e.g. iPhones) which access it, are coming from outside of the LAN (e.g. cellphone network).
These two things raise the question: why have the server in the LAN? If the server were elsewhere, would you care? Possible solution: consider hosting your server at one of these kind of places instead. Sorry you already bought a computer, but since it's yours, you can just take it home and find a new life for it.
Alternatively, maybe the box can somehow be physically in the hospital (i.e. take power from the hospital's wall sockets, have local staff show up with fire extinguishers when it smokes, and so on) but plugged into the network outside of the firewall, so that from IT's PoV it will be outside, just like the rest of the internet. Then they probably wouldn't care.
I'm surprised at all the tech people here who are so far behind the tech curve. Being able to use a computer is no longer a specialty. It is expected of any worker to be able to use and maintain a computer for job specific tasks. While I have met some admins that were very restrictive of their networks, they usually did so out of fear and ignorance. They didn't want anything they didn't issue because they didn't know what might happen. Most professionals realize that a computer not issued by them is not the bogeyman.
Really, this is what you think... that he should start selling IT services to the place he already works at??
These little POS solutions suddenly become the most critical production apps without anyone telling IT. This means you have to buy clustering, SAN storage and all other expensive and overpriced crap.
Or suddenly a restore of data is needed and it's IT's fault that it wasn't magically backed up.
A few years ago we started doing database snapshots because our SQL replication was kind of wacky at the time. It was simply for people to do simple data lookup. Next thing we hear, someone tried to use the snapshot copy for an executive demonstration to a client for new software right at the time that the snapshot was scheduled to go down for a refresh of data.
And Access is the worst of the crap I have to deal with. It's notorious for locking millions of rows of data to update one or two rows. And some people leave for the night with a linked table open, causing blocking that screws up the nightly maintenance.
Your IT guys must be extremely apathetic about their job or you are the supreme god of doom of the hospital... Your machine should be shut down and confiscated immediately; they should be in your server and examine every bit on the drive. For all they know, you could be serving up pr0n, bot nets, bittorrents... etc., or you could be gathering "their" patient information and selling it to other companies. Stop being the "wise" guy and work with your IT.
I'm surprised that the guy you asked hasn't chimed in on this thread already.
Are you here Mr Hospital IT Department Guy?
I can understand why an IT department would have a problem with a user bringing in their own server. Some rare places do allow employees to provide their own equipment, but probably not a hospital with HIPAA and all.
;-) Either way, you better hope your IT guy doesn't read Slashdot. Good luck on that!
BUT!
Why did it ever get to the point where he felt the need to bring in his own server? IT infrastructure exists to help people get their jobs done. IT departments exist to support that. Corporate IT culture these days is absurd! Remember, unless the business is a server farm it isn't the IT dept that produces wealth for the company. It's the workers. If something simple like installing an LDAP server helps the workers be productive then the IT department should be doing so long before it gets to a point that a user has to take it upon himself to fill the need. This was a failure of the IT department before the user even bought the box. Buying one's own server is a pretty extreme step, a real need must have existed.
I've worked for a large corporation with a lock it all down corporate IT culture. Daily I had to deal with irate customers with simple problems that were totally the company's fault and should have been fixable by a few simple clicks but IT had crippled our tools. Try telling a customer you have to send a ticket up to a higher level of support so they can get their email when the last 10 people they talked to said the same. Now I work in a place where often I am the one calling for better security. I can understand both sides.
Meanwhile... to the author. I'd probably give him the login. You are probably really lucky he is nice enough to let you have your server, let alone not get you in trouble. I only hesitate because not asking for root seems really weird to me. What is the IT guy really wanting to do with it that he doesn't need root? I'd be watching that account to make sure it doesn't become his personal MP3, Divx or P0rn store.
If you really are feeling rebellious about this then you could always give IT their own personal jailroot.
This seems like a pretty obvious choice. Either:
a) you give IT a login on your box that you installed at work without their knowledge or approval; or
b) you don't and take your box home and leave their job to them.
Don't get me wrong, I don't think providing a quick solution when your IT department can't or doesn't is bad. And that's doubly true when it helps your department do its job; after all, IT etc. is really just there to provide the infrastructure to allow the *actual* work to be performed.
But their request is more than fair. In fact, I'm surprised they're only asking for a login on the box.
TL;DR - you don't have to give IT a login on your private boxen, but a box you install at work is by definition not private.
I'd disconnect the server, let him watch me securely destroy any and all writeable media found in the machine, and only then could he put it in his car.
And that's on a good day, because if he raises so much as an eyebrow the whole server gets destroyed while he is escorted out of the building by security.
What a nutcase.
He put BSD on it. So it must be secure.
If I understand it correctly, that server ISN'T on the hospital network and the OP only wants to be able to access it from there. If that's the case, I see absolutely no reason why the IT dept would NEED an account on that machine.
Or am I overlooking something there?
OTOH I can imagine several reasons why that IT guy might WANT an account on that machine (mostly for personal uses), and when the OP wants to have something non-standard done, he (IT) might consider it fair compensation. Might be just miscommunication.
http://slashdot.org/comments.pl?sid=2087768&cid=35848972
Why even bother setting up a server with the numerous excellent online calendars? A little company called Google comes to mind. Many schools have already moved their users over to google apps for education.
Do you know anything about HIPAA? You can't just plug random systems into a hospital IT network. Despite what many people think, the HIPAA "Security Rule" covers all systems on the network, NOT simply ones that contain patient data.
If the system is on the network, IT is responsible for ensuring it is compliant with HIPAA, including auditing and storage of all security events on it.
Am I the only one who read the post and thinks that the server is off-site? Everyone is complaining about a rogue server on the network, but he didn't mention that. Rather, he said he needed IT to open a connection through the firewall, implying to me that this server is on the other side of the firewall; aka not on the network.
That said, HIPAA is a big deal, and this server is walking around it. What if a doctor made a calendar appointment for "Conference to discuss the nasty STD that Mr. Fancypants Celebrity has" and then your server gets hacked? That seems like a risk I wouldn't want to take.
As others have likely pointed out, this server, not owned by the company, is connected to the business network! As this is a medical business, there are likely countless government regulations with regard to information security. There may be reasons outside of IT's control for not being able to provide your operating group with a calendar server. Among them is resource restrictions/limitations, support requirements and, of course, "x group has calendar! I want calendar too!" which leads to more problems of resources and support.
Turn that server off now, take it home and run it there. If your ISP blocks ports, then buy business class service.
Hilarious. This story has polarized Slashdot into the "I actually work in IT in a systems administration capacity" camp and the "I tinker with computers as a hobby" camp. The tinkerers are actually taking offense that the "so called experts" won't immediately recognize their superior genius. The experts, for their part, seem used to this crap. Here's the deal, tinkerers: we will respect your mad skillz only after you have demonstrated them several times and jumped through all the proper hoops. Until then, you are just like any other Little User. No insult intended, but this is our job, and our butts on the line, not yours.
Un-frigging believable.
I wish there were hints at to which hospital this was. OP really needs to be led out by security *today* with his box of belongings -- after it's been carefully searched and any recording media erased and confiscated. The server needs to be confiscated and picked over by competent professionals to make sure it hasn't been doing god-knows-what on their network. (And the bill for this sent to OP, deducted from his last check.)
The tech that opened the port -- or was considering it -- doesn't really have a clue what kind of trouble he's tacitly authorizing. HIPAA violations are some serious shit, up to $1.5 million a year. Even if we weren't talking about a hospital: any reasonable management of an organization with IP or trade secrets would be having a fit about this.
Get off my lawn.
If you've tried getting an IT hosted solution and couldn't cut through the bureaucracy (sorry, it exists, and has the potential to be quite stifling to progress), you could consider just getting an off-site host that will not impede the overall security of the hospital (assuming the information is non-confidential).
But honestly, you should try really hard to work with IT and come to a beneficial agreement for both sides. Doing this work upfront will make it easier for other ambitious staff to work with IT if they want to try and improve working conditions in the future.
There's no way I'd open a port on a firewall from the public interface to the inside interface. That completely defeats the purpose of having a DMZ. You set something up in the DMZ to proxy the requests.
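As an added illustration of the DMZ arrangement this comment describes (not code from the thread, from DAViCal, or from the poster): an nginx reverse-proxy configuration for a DMZ host that terminates TLS on 8443 and forwards only CalDAV requests to the internal server. The hostnames, addresses and certificate paths are placeholders, and the assumption that DAViCal answers at /caldav.php is mine, not something the thread states.

```nginx
# DMZ reverse proxy for CalDAV (added example; every name, address and
# path below is a placeholder, not a value from the thread).
server {
    listen 8443 ssl;
    server_name caldav.example.org;            # placeholder public name

    ssl_certificate     /etc/ssl/caldav.example.org.crt;   # placeholder
    ssl_certificate_key /etc/ssl/caldav.example.org.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the CalDAV endpoint is forwarded; the internal host never sees
    # anything else that arrives on the public port.
    location /caldav.php {
        proxy_pass         https://10.0.1.20:8443;   # placeholder internal DAViCal host
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 30s;
    }

    # Every other path is dropped without a response.
    location / {
        return 444;
    }
}
```

The inside firewall then needs to admit 8443 only from the proxy's address, so the internal host is reachable from outside solely through the proxy and the requests it chooses to pass.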
It's still a hospital. It still needs to abide by whatever laws & rules that apply to hospitals.
Shame on the powers-that-be in the "academic environments" that eschew laws & policies that protect patients.
"so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal"
And at that same time you alienated your IT department and kissed your chances of a happy relationship with them good bye.
Your server would be rather useless.
It wouldn't be functional on my network, you may be able to plug it into a port, but you wouldn't move any data through those wires.
I'd know about it the instant you plugged it in, the switch port would throw you into NULL land, and that would be that, followed by someone showing up at that port promptly to ask wtf you thought you were doing.
It's unlikely, being that managing the network isn't your job, that you are fully aware of all the requirements and conditions that apply to data in your hospital. It's unlikely that you are as well versed at managing the server as they are.
Without rambling on about all the other reasons why you shouldn't be running your own server, to put it bluntly, the fact that you asked on Slashdot is proof enough that you shouldn't be running a server in that environment. Of course, to follow up, the fact that they simply want a login/admin access is a good indication that your IT department is substandard as well.
Nothing talks on my networks that I don't have complete control over. It's my job to make sure things are done right; that includes preventing people like yourself from having any possible way to break company and legal requirements, by which I'm sure you are bound as a hospital. My job is to make sure everyone else can do what they need to do and make sure no one else screws it up for them. Letting someone who isn't part of my management domain have control over something that isn't separated into its own private unreachable network isn't going to happen... opening a firewall port? I don't think so. That's just begging for problems.
Inside the hospital? Comply with IT rules. In fact, turn the whole thing over to them to manage. You're getting off easy only having to provide a non-root account. (By inside the hospital, I mean on the property or connected to the Intranet).
Outside the hospital? Then you are basically providing a service to your staff in much the same way that Google, Facebook, Twitter, etc. do. If department policy doesn't prohibit employees from using such services, then you are doing nothing different. If calendaring is not a function provided as a part of the work flow your IT people manage under published organization policy, use what you want. The fact that you are using paper tends to suggest that this is not an IT responsibility if by paper you mean scribbling things on your own desk calendar or day timer.
Why even bother setting up a server with all the excellent online calendar applications? For instance, many schools use Google apps for education or MS Live.
That aside, going rogue, not talking to IT, and making a custom solution just for your one area, is one of the things that makes working in IT so frustrating at times. Among the many, many problems that implementing your own solution can create, just think about one: what happens if you change jobs? I can personally attest to getting calls from random new department heads saying "Joe Smith (former department head) set up system xyz to do abc for us and now he's gone, I expect IT to now support system xyz".
This scenario is especially prevalent in academia. Academic freedom is important, but all too often it spills over into areas that it really doesn't belong.
Why even bother doing that when you could get a FREE Google Apps account that has up to 50 (used to be 100) users? Then you get great calendaring, anywhere. On iOS, Mac, PC, Android, etc.
Seems sorta like inventing the wheel again. Plus, what are you going to do if it crashes or the IT bozos mess it up?
First of all, to the OP, I am sorry you are having so much difficulty with your internal IT group that you (felt you) had to spend your own money. That's always no fun.
Secondly, why didn't you just use Google calendar? Free, works with iCal, etc. It sounded like you just need a shift calendar for the doctors, not something that would need HIPAA protection. Also, what calendar system is your IT department using that won't work with the iOS devices? I can't think of one off the top of my head that doesn't work with iOS anymore. Exchange works with the web services turned on at the server, so if that's it then you're dealing with an inflexible IT department and I'm sorry.
Finally, if the above two options aren't possible, hosting a secure calendar offsite (insert the name of web hosting company here) for less than $120 a year is also quite possible.
If the poster were part of my network, I'd have calmly sent one of my techs to his office, found the machine, turned it off, unplugged it, unhooked it, taken it to my office where it would stay. ...plug an unauthorized, unaudited, uncontrolled server in my network... the nerve, the arrogance...
YOU should not be placing a non-company-owned system in their network; the fact that they only want a login is letting you off easy. If it was my network I'd be turning the uplink to your network off until corporate security is able to go ensure the machine is removed. If it's just for schedules and benign information that's not medical info, HOST IT EXTERNALLY. As a network admin it's incredibly irritating when people think bringing their crap from home and plugging it in is an acceptable idea; it's not. Working in medical, I assume the information stored throughout the network is sensitive, and the IT people are the ones who are responsible for ensuring it stays safe; allowing your crap on the network introduces an unknown which they would have to be responsible for. "I'm happy to allow any scan, to ensure it has no security issues" - there is no rudimentary scan that they can do to ensure there is nothing malicious hidden on the machine; it's a tedious audit-like process that no IT staff wants to do. They have approved software/images etc. for a reason, so they don't have to spend hundreds of man hours inspecting every good idea an employee implemented.
I'd grab that machine and throw it in the dumpster. Then I would proceed to have you fired.
You're nothing more than a TechTV fan.
Tell IT to butt out of things they do not understand and go back to fixing viruses on the desktop computers.
Seriously, IT is the Geek Squad of the corporate world. Their interference with real back-end technologies implemented by system administrators and other highly technical people, by insisting that they control it all, is counter-productive and generates headaches for all those who actually know what they're doing.
Yes, if you're in IT, I mean you. You're low-level tech support, nothing more. Know your place. I'm tired of you overstepping your bounds.
In the United States, the hospital as a whole is legally responsible for maintaining the privacy of all patient records. You are asking to open a port that has a very high probability of transmitting patient records (for example patient names, appointment schedule time and exam type) to hand-held devices that are taken off hospital premises and frequently lost, stolen or casually discarded when upgraded. iPhones do not have passwords or encryption turned on by default. Calendars are frequently shared between multiple calendar services like Google and Yahoo.
I think it is completely inappropriate for you to provide this service outside of the enterprise environment in the first place. I believe that your IT group is being excessively lenient allowing you to do it at all.
Any more red meat like this in the submission queue?
the no
First of all, if it's a valid requirement then yes. If you're concerned that this person may be rogue or whatever, just leave his account disabled, and only enable it upon request with details on what will be performed, and disable it again. Simple as that.
Because, knowing hospital IT: they'd take 6 months, then offer ten to twenty times the cost of doing it yourself for a much worse service (probably some hack on their Outlook 2003 install). Then they would not support it, because they're seriously understaffed.
Fun times.
The OP is a troll.
The user ID "jddorian" is a fictional character on the US TV program Scrubs.
No head of department at any hospital or university I have been associated with would have had the time in their career to be more than passingly conversant on computer IT issues, forget know about ports. Heads of departments get to those positions only because they do nothing else with their lives.
A head of department would know better than to set up something themselves. They wouldn't also have the time to do something like that. They would be familiar with the idea that the hospital IT infrastructure is far more highly managed than normal corporate IT structures.
And, unless this is a seriously podunk hospital, they likely already run Microsoft Exchange for email, and so have electronic calendars.
Troll. It's a troll.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
I personally would say No.
I was an IT consultant at a major hospital, and it scared the hell out of me. I found that about 25% of doctors and Dept. heads are total self-righteous a-holes, who look down on everyone that doesn't have their title or better. They expect to do whatever they want and for everyone else to fall in line. An IT tech is so far down on this guy's list of people who are authorized to question his judgment, he is completely in awe at the audacity of the question.
Here is the real kicker...
The Hospital director is exactly the same way; his primary function is to keep the doctors happy, and he will, by authorizing this personally. If IT puts up a fight, then he will make them come up with a solution, no matter the cost, all to satiate this one prima donna's wishes.
I'm sure this isn't every hospital, but this is my experience with a hospital that, if I said the name, would be recognized globally.
You have a pretty nice IT guy. If you were at my place of business, a university, you wouldn't even get it on the network. If all your IT guy wants is basic access, not even root, give it to him because he's cutting you a break.
Where has reason in the world gone? Have we abandoned it in favor of power and politics?
I strongly suspect that there is a documented set of rules that is supposed to be followed for all servers/workstations on the network. You probably violated those rules the moment you put your server on the network. In some companies this would be grounds for termination. It sounds harsh, but this is one classic method for accidentally compromising security on the internal network. If there is a procedure for setting up a server, ask IT, they can probably get you the information you need.
If IT opened a port for you in the firewall and some malicious hacker used that port to hack into your server, they would then have access to everything that server had access to. After this happens, the IT department would have to explain why they allowed that port to be opened to a server they knew nothing about. If you were the person in IT who allowed that to happen without asking any questions, how would you explain your thought processes to senior management? You may think that your server is perfectly secure, but it's not. Nobody knows what security holes they have until they are later published. This is why IT needs to know what is on all of the servers so that when there is a published security weakness, they will know which servers are affected. When management asks if they are vulnerable, they will not be able to give an honest answer when there are servers they do not have access to.
If it is considered a security violation to install unapproved servers on the network, do you really want to go over IT's head so that you can publicize that you are violating security? Worse yet, you are trying to take it a step further by having that server accessible from outside the firewall?
There is a real need for the solution he developed, and management is probably already struggling to find that solution. I know a few hospital administrators in our city looking for a solution exactly like that. Several of the obstacles management would encounter in implementation, he has already overcome. And he is just the kind of guy who would know what and how to implement. He has so much going for him here, technical knowledge, an academic hospital environment, willing staff. I bet this really works well. So no, in response to your question, no I do not think he should sell IT services, he should give the IT department a login and let them handle the IT. But he could and maybe SHOULD sell a product he developed on his own time. I expect anyone with his level of intelligence knew enough to not develop this while on the clock, or using sensitive data.
I won't harp upon the obvious as it seems most posters already have. However, you seem like an intelligent guy, but lack a bit of common sense. Did you consult with IT and let them know of your needs first? I work for an SMB with iPhones, Blackberries, and Android phones. We run Exchange. I can't speak for the Lotus or Groupwise admins out there, but Exchange has a nifty thing called EWS... Exchange Web Services. Our iPhone users do fine utilizing Exchange calendars for such things as you mentioned (scheduling and meetings). From your description, it seems you work for a university hospital that I imagine has an email system that already exists. If it is Exchange, EWS would have suited your iPhone needs, it appears. Instead, you built a custom server that no one else may be able to manage and that will eventually fall into IT's hands after it is "mission critical" and no one knows how it works anymore (assuming historical experience dictates correctly). You should consider yourself lucky they only asked for an account. Now, they are thinking they are going to need to run a separate OpenLDAP instance and BSD server to run a single application in the future... even though better solutions may already exist in their organization.
Omg, bitch, bitch, bitch. Look at me: I'm a brilliant IT whiz kid and I'm going to tell you that what you're doing is WRONG. If I were your IT overlord, I'd beat you with your own electrical cords! Bwa ha ha! HIPPA's gonna crush ur ballz like an angry rhino!
Seriously though, play nice, give them an account in a chrooted jail and call it good. A lot of IT departments want non-root accounts so that automated inventory software can scan the machine for current OS, uptime, etc.
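One way to set up the kind of non-root, inventory-only account the comment above describes is an OpenSSH `Match User` block that pins the account to key-based login, disables password authentication, TTY allocation and forwarding, and forces a fixed read-only inventory command on every session. The script below is an added example, not code from the thread or from any commenter: it prints the weak form (IT login is just another shell user) beside the hardened form, and carries a small checker that tells them apart. The account name `itaudit` and the path of the inventory script are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): sshd_config for an
# unprivileged, inventory-only IT account, plus a checker.
# "itaudit" and the inventory script path are assumed placeholders.

AUDIT_USER="itaudit"
INVENTORY_CMD="/usr/local/sbin/inventory-report"   # hypothetical read-only script

# Weak form: the IT account is an ordinary interactive shell login.
weak_sshd_config() {
    cat <<EOF
PermitRootLogin no
PasswordAuthentication yes
AllowUsers $AUDIT_USER
EOF
}

# Hardened form: key-only login, no TTY, no forwarding, and every session
# runs the fixed inventory command no matter what the client requests.
hardened_sshd_config() {
    cat <<EOF
PermitRootLogin no
PasswordAuthentication no
AllowUsers $AUDIT_USER
Match User $AUDIT_USER
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand $INVENTORY_CMD
EOF
}

# check_audit_sshd_config FILE USER
# Prints OK (exit 0) when root login is off and the Match block for USER
# carries every required restriction; prints FAIL (exit 1) otherwise.
check_audit_sshd_config() {
    file=$1; user=$2
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$file" || { echo FAIL; return 1; }
    # Pull out the Match block for USER: from "Match User USER" up to the
    # next Match line or end of file.
    block=$(awk -v u="$user" '
        /^[[:space:]]*Match[[:space:]]/ { inblk = ($2 == "User" && $3 == u); next }
        inblk { print }' "$file")
    for directive in "PasswordAuthentication no" "AllowTcpForwarding no" \
                     "PermitTTY no" "ForceCommand "; do
        printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$directive" \
            || { echo FAIL; return 1; }
    done
    echo OK
}

# Demo: run as `sh this_script.sh --demo` to see both verdicts.
demo() {
    tmp=$(mktemp)
    hardened_sshd_config > "$tmp"
    check_audit_sshd_config "$tmp" "$AUDIT_USER"   # OK
    weak_sshd_config > "$tmp"
    check_audit_sshd_config "$tmp" "$AUDIT_USER"   # FAIL
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The checker only looks at the directives in the `Match` block, so it is a configuration lint, not a substitute for actually testing the account: after deploying the hardened block, log in as the audit user and confirm that a request for a shell still yields only the inventory report. The `ForceCommand` script itself should be owned by root and not writable by the audit user, otherwise the restriction is trivially undone.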
I see absolutely no problem with IT letting you do whatever you want on their network as long as you allow them practice medicine in your division if they feel like doing so.
..or have them set up a similar service.
Less headache for you.
Would you let one of your IT bods wander into your operating theatre and start assisting during an operation? Thought not.
"Do you like being employed?" is a valid question for the poster. I would be shocked if any reputable corporation allowed employees to connect their own devices to the corporate network.
If you don't want IT to have access to a machine on their network, perhaps you should find another network.
The server should be removed from the network immediately. Aside from the fact that you work in a hospital environment where the penalties for security breaches can be astronomical, you have absolutely no business putting your own server on their network! If you want to work in IT then get a job in IT. Otherwise you make do with the tools and services provided to you by your IT dept. The fact that they are even considering allowing this to happen indicates that your IT dept. isn't very good. Anyone who knows anything about how to run an IT dept. (especially one in a clinical setting) should and will tell you to shut down and remove this server at once! Go ahead and send it up the chain; if the folks above you in the chain are smart they will fire you on the spot for introducing a potentially harmful system to the environment!
I think the question is academic. Should you give the IT department access to a server that they should disconnect from the network?
It just doesn't matter.
Besides, does the "envisaged" server and apps (CalDAV, BSD, and OpenLDAP) comply with HIPAA or any other rules/laws/IT policies at this hospital? Are the iPhones' device security policies persistent? What else aren't you telling the IT people?
First I'd stalk you on all systems in the hospital that I had available to me. I would start fucking with the traffic on your little LDAP server that could be used to cache/query/steal LDAP passwords. I'd refuse to support you as your little calendar mysteriously functions part time. I'd let you start dick swinging and "go up the line".
When you've gone about as far "up the line" as you can go, I'd report you to the medical review board for anything nasty I found about your behaviour at the hospital. Even if you were completely clean, I would serve hospital administration and medical review boards with notice of your recent HIPAA violation. I would possibly call the police and tell them you'd deployed a server which was quite possibly being used to harvest credentials for nefarious activity.
Then I would find your little POS bsd/ldap liveinstall server, unplug the shit out of it, pour kerosene on the thing and burn it in front of your car as you were escorted out the building. Long story short - I hope your server dies in a fire and you lose your license to practice.
In a hospital environment? All they want is an interactive login? I would say that's pretty hot that they didn't come to your door with torches and pitchforks. You do sound like you know what you're doing, but how often people come to IT and say, "Don't worry about it, I know what I'm doing." I myself work internal IT at a technology company. "IP Engineers" for our production network saw no problem in plugging in "a hub" to our corporate network. They actually had plugged in a home router. They managed to loop the network, flood it with rogue DHCP traffic and open up an unencrypted wireless network. This from people that are paid (a lot more than me) to run a customer facing network. Long story short, it's IT's job to trust no one because most of the time, they're right.
You mean they actually trust Doctors with computing?
The purpose of existence is to make money.
I agree. You should be reprimanded or fired. If your IT staff allows it, shame on them; they should be fired too. I also agree that if no HIPAA data is on the calendar, use Google Apps; if you MUST have your own server, host it at home (marginal) or in the cloud (better). Opening up holes in the firewall for a server that doesn't need to be inside the firewall is just dumb. If it has HIPAA data or is syncing with something internally you best beg IT to set it up. Though after your actions, good luck.
Dear Slashdot,
I'm a friend of the original poster of this article. While my wife and I were visiting the OP recently, she wanted to switch from AT&T's 3G to a local wireless connection. She has an iPhone, so I envisaged an open wireless access point. The OP doesn't offer any open wireless access points, so I bought (with my cash) a tiny wireless access point and configured it. After I tested it out, I emailed the OP to ask to allow port 21267 through his home firewall to this wireless access point. The OP (not knowing what port 21267 was for), said he would unblock the port after I provide him with a login account on the wireless access point (though 'I don't need the admin account'). I was taken aback, and after considering it, I am still leaning toward opposing his request. I'm happy to allow any scan, but I'd rather not let anyone else have a login account.
What do the readers of Slashdot think? Should I give the OP a login account on an open wireless access point that is not owned or managed by them?
I work in Network Services in a region of health care. This means I service the network and inter-connectivity between corporate, clinical, hospitals, and anything related or in between.
I'm rather taken aback myself that ALL the tech you spoke with asked for was login credentials. Typically IT, NetOps included, frown severely upon non-standard devices being connected to their network. I'm taken aback that it worked at all, to be honest. Most large health authorities at a minimum have port security enabled.
Sounds to me like yours is far more open minded than ours. At a minimum you're looking at proposing a case study to IT management for approval. Should be no prob after that.
And yes, give IT credentials. They said they don't need root, so they're pretty accommodating. Good luck!
And look at all the comments generated by this question, especially the accusations and just all-around negativity. This is precisely why IT is not respected and consulted when new "projects" like this go in. If you keep jumping down people's throats and quoting this and that, is it any wonder why the profession is generally ignored by the workplace as a whole?
The snarky part of me wants to suggest that the author attempt to go over the IT guy's head and take it up with management so that he gets the kick in/up his ass that he deserves. The article author is wielding an overdeveloped sense of pride like an amphetamine hyped scalpel. He clearly assumes that his knowledge and intelligence rival that of the silly IT staff that don't understand his needs yet doesn't understand enough of the basic principles of IT that he is offended when IT asks him for admin privileges to the machine that he connected to the network.
If you think you have a bright idea for IT, bring the idea through the proper channels...
Evolution: love it or leave it
Just use Google Calendar... amazing.
The fact that your IT department will allow non-sanctioned servers in their environment and on their network means you've already won a very big battle. Don't get greedy: if you escalate up the chain you won't be in a better spot, because somebody higher in the IT chain will put their foot down for territorial reasons and you'll end up selling your server on eBay. At that point you'll also find the advocate who was willing to open the port for credentials will be forbidden to do anything for you.
Also, I'm not clear on how you expect somebody to evaluate your server's security without being able to log in... If this was my network I'd shut off whatever network port this device was plugged into, and ban its MAC address from all my switches until I either had a login I could use for auditing, or until you gave up.
Who did what now?
First, for those people saying this is a sacking offense, the OP is not a peon, and not a drudge. He's a doctor, and a department head to boot. As others have noted, he damn well has the clout to do this. Hospitals are not like the corporate hell holes most of us work in where kowtowing to authority is the order of the day. Surprisingly enough, when your core services are provided by people who mostly operate their own 6 or 7 figure practices at least part of the time, they can damn well expect to operate their own equipment for their departments. I imagine this case is somewhat similar to university professors operating their own lab equipment. How many folks here went to grad school, and had their professors operating their own private source control systems for their assistants? Pretty common, and you can damn well bet that neither department nor university IT had logins.
Second, for those bitching about HIPAA, stop. As long as appointments with patients aren't on the calendar, it's perfectly compliant. And if it is password protected, it's safe. HIPAA compliant systems are cryptographic fortresses. And it sounds like the schedule here is the shift schedule, which certainly does not fall under HIPAA.
Third, the IT guy wants an account but not root access? Bullshit. What are we going to do with ordinary access? Jack shit is what. If we wanted root access, then ok, he could make a case for needing that. But regular access, take a hike. IT isn't going to provide iCal for the entire hospital; that's where they've drawn the line on service. But again, hospitals aren't the corporate hellhole most of us work in. Departments can and do have the power to run the things they need without IT hand holding; and they should reasonably expect IT to facilitate self service once IT has decided not to support a certain operation.
Is this mostly about dick waving? Sure it is. But guess what. Doctor dept. head absolutely wins this round. End of story.
jddorian? Scrubs? Anyone?
And even though it was another part of my body that was the problem, the doctor had the audacity to ask that I open my oral port for examination! Something about "checking for the possibility of infectious diseases brought into the hospital that might affect other patients" and that I wouldn't be admitted until the examination was complete. The nerve! Well, I told them that while I would submit to any kind of external examination that might be necessary, an internal examination was out of the question. I took my body out of there and decided to use homeopathy in the safety of my own home instead to cure my ailment.
I get your point, but there is one important difference - it's not illegal to 'practice IT' without a license - there's no licensing regime for IT.
As a medical organization, your IT director has to make a legal certification that all systems within the organization are HIPPA compliant. If they do so and you set up a rogue server and someone places patient medical information on it and it becomes compromised, your IT director could go to jail. Or possibly you; you'd need to consult a lawyer to find out.
I love all the people claiming to know about HIPAA but can't even type in the acronym right. It's HIPAA not HIPPA.
I work in a computer science group in a hospital; we constantly have run-ins like this with the IT group and we would deal with an issue like this by saying a straight out no. We manage our own servers; if IT screw them up then our systems are up the creek and we get shouted at. It is worth pointing out that we try to keep as upfront as possible with IT about ongoing projects that will directly influence their infrastructure, i.e. firewall etc.
Putting the server out there makes YOU entirely responsible for it, and removes any connection with IT or the hospital. So if someone decides to sue for disclosing Sally's appointment at a cancer ward, they will sue you, and not the hospital. This is also helpful from the IT dept. perspective because by making it external, they will use their web scanners to look at the traffic in-bound and outbound, virus scan it, etc...
Mind you, IT will likely still have their shorts in a knot because you by-passed them and got an external service, which is likely not HIPAA certified, etc... but they would have a harder time and a lot less leverage.
More than likely the Hospital in question does not allow iPhones etc., due to an internal policy and security controls. Not to mention HIPPA is a big nasty word and the fines alone if something were to get compromised are in the millions of dollars per incident. Now more often than not senior IT staff are listening to the needs of their physicians and attempting to honor their requests, but I agree with everyone else: this "server" creates a huge problem for the entire organization.
Again as the post above this one states, for an on-call schedule, you could have used Google Calendar. Your institution may already have a Google Apps for Education contract.
As for what you should do, read the applicable policies for your institution, college and department. Put yourself in compliance with those. And then open a dialogue with the folks in your IT unit. At my institution, as it turns out, servers administered by faculty are the number one source of breaches, mostly because they are never patched.
You want to have an honest, friendly relationship with your technical bureaucracy. Much of that revolves around making their job easier.
Sounds like you and the other IT need to talk more about the users' needs. Setting up a rogue server, especially in a hospital, is a bad idea. If your IT guys are so bad to the point where you need to go behind their backs to get a service in place, then it sounds like management needs to step up and get things back in line.
"Lameness filter encountered. Post aborted!
Filter error: You can type more than that for your comment"
I could, but that would be superfluous.
Here in the IT department, we are amused every time some genius 1) Assumes IT can't provide something without bothering to ask, 2) slaps together part of a solution, 3) discovers they need IT's help in some critical way, 4) is appalled when IT thinks they have the right to do their jobs, and 5) never, under any circumstances, manages to realize what's wrong with their sloppy little 2nd grade crafts project of an IT service. You work for a hospital, you say???
Two guys with black golf shirts should be waiting for you in your office tomorrow morning, to collect your employee ID, your rogue hardware, your personal belongings, and your silly ass for violating pretty much every rule in the book. If you worked where I worked, what you just did would get you an all expense paid vacation in the Federal pen at Ft. Leavenworth, Kansas. Be thankful IT doesn't terminate all your network access for this silly stunt.
Taken from wiki. This is a breach on at least 3 HIPAA technical safeguards.
Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be.
Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.
Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
If so, there is someone in the IT department who has to swear under penalty of perjury that the entire network, and every device connected to it, is PCI compliant. And he's on the hook for any mistakes he allows. And he cannot possibly know your server is PCI compliant if he has no access to it. You are literally expecting him to break the law, and putting your employer at risk for considerable liability (if they say they're PCI compliant, and there's a breach, and it turns out they're not - and the presence of your server on the network that the IT people can't access at all is, itself, non-compliance). In fact, if they're non-compliant, they are liable without limit for all costs related to the investigation, and all damages resulting from the breach. And the average breach adds up to six figures in costs. This can put a company out of business.
Were you employed at the company I work for (and I run the IT department), you probably wouldn't be any more. If I were feeling generous, you might be given exactly one chance to remove the server until such time as I, personally, could verify that it is compliant (and the requirements are pretty strict if it's visible to the internet, as they should be). If you made much of a stink about it, you'd be at risk of criminal prosecution. If any actual damage resulted, I would certainly push for criminal charges.
It's not your network. It is the property of the company, and they have designated someone else to be in charge of it.
Look at this from the other side--should they allow a server on the network that is not owned or managed by them?
I'd never let you install such a thing on our network without root access and then restricting your own access. But for the purpose it's supposed to fill, why do you need to host it at the hospital on their firewall?
In summary: quite frankly, just piss off. You are literally the weakest link. Bad enough now but god help us if your toy system takes off. Scalable? Manageable? By whom?
The only reason you want it inside their network is because of LDAP and you want to log in with the same credentials. Unfortunately that's a challenge with their IT trying to be compliant with federal regulations.
Your choices are:
1) Drop LDAP, host this yourself somewhere, let the users create their own passwords.
2) Talk IT into buying and supporting your server. Just take the hands off approach.
3) Have IT firewall your machine to only allow LDAP (port 389) connectivity inside their network and only outgoing/receiving on that port you requested. Hopefully that's all the access you'll want to get it to work.
4) Give IT admin login. If you don't trust them, then back up your setup and also run a backup on your calendar program. Worst case is that IT ruins your system/setup, and you just restore. It's probably some tiny app that writes to mysql or sqlite or whatever.
Honestly for a small scheduling app like that, LDAP is nice but totally unnecessary. IT is supposed to help people do their jobs, not hinder it. Bring it up in a staff meeting or some such, go through the proper channels and make them support you.
Why not run the server externally - co-location, or some other hosting service - and then IT won't be involved at all?
Sounds more like you were bounced out of IT. If you work in a secure environment I wouldn't be surprised if you were bounced out the door for keeping your own "offsite backups".
There is probably a reason why they don't "speak linux". If something goes wrong with your server there is nobody to sue or indemnify the company if the server doesn't perform the way it is supposed to.
As for being "windows weenies", our SA covers us if we need deep help with windows on our servers or desktops. Try getting kernel level debugging with the copy of Debian or Ubuntu that you downloaded from the internet.
Was going to suggest this, but I would try asking the appropriate people before doing this.
Gorkman
IT should have shut down the network port and had security escort you from the building long ago. HIPAA, Corporate Policy, Common Sense, you've ignored a bunch of regulations.
Testing 1,2,3,4, Testing
I'm surprised that your organization hasn't come back hard on you for going rogue. It is people like you that cause major problems for organizations and IT departments. Imagine every user thought like you and set up a server to do what they want to do?!? Don't be surprised if you made a few enemies also for bucking the political chains.
It goes against the law of least privilege... If there is not a business need, there should be no access granted. You are not asking for his support on that machine - he is just holding you hostage to his request...
It would be like me deciding to purchase a small X-Ray machine and perform radiological exams (since I happen to have some knowledge in this area) even though I'm not certified to be a Radiologist. But, that's okay because it makes things more convenient for the patients who normally have to wait by going through normal channels.
I know you are not in Radiology, but this is to illustrate a point. You are not only potentially violating HIPPA regulations by adding a rogue server to your hospital's network; in some companies, you risk losing your job as well. Even though you think you know more than your IT department staff, they understand the security and network requirements and are the department responsible for all IT matters. You need to either go through them or maybe even consider a career change since you obviously seem to like IT more than what you're doing now.
In all the organizations I've worked in, IT is usually, but not always, the lowest common denominator, i.e., low pay and low training. This is especially true in academia. Your opinion of IT is a lot higher than my experience has been.
And BTW, where is the HIPPA-violative privacy information in employee work schedules?
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Who gets mad when IT doesn't jump at his request.. Just maybe your IT department has other priorities? I see it on a daily basis... For whatever reason some people think the IT department is just playing solitaire waiting for their phone call. Just like you, we have priorities dictated to us from management. Follow the proper process and put a request in for a new calendaring application. If you have a sound business case, then it will get approved, prioritized, etc.. For all they know, your app is only used by you and your buddy to schedule poker nights.
Who is going to support this application? You? Or are you going to expect IT to do it? Who's going to support it while you're on vacation/sick? Who's going to maintain the server, apply security patch updates, upgrading, backup and recovery, etc.? Is the server in a proper location or is it under your desk? Does the cleaning lady unplug it so she can vacuum? (Seen this one happen, don't laugh..)
You know, setting up and configuring an application, especially if there are no customizations, is the easy part. The expensive part, which no one talks about, is the lights-on maintenance. It's funny how everyone thinks they are an IT expert cause they have a computer at home. I wonder what would happen if I spent an evening reading a Teach Yourself Radiology in 24hrs book and took a stroll over to that department.
"Thanks to the remote control I have the attention span of a gerbil."
This was a dumb move; going and buying a server and installing it in your department without notifying your IT department first is a big mistake.. If you really need a calendar, just choose a calendar that is compatible with your IT infrastructure, or use another app.. It's ridiculous using a special server just because some people are using an iPhone; make the iPhone work with the infrastructure that is around, not the other way round... If I was the IT department I would already have taken the server down and reprimanded you...
Is there an Android equivalent of DAViCal?
This sounds like a classic case of "IT is incompetent, therefore I'll do my own thing because I know better". That's all fine and good until something breaks and you have to get those "idiots" to fix it for you. Or if you need a port opened in the firewall. That's like asking building security to issue an extra badge with access to sensitive areas for your unemployed friend you've brought in to help out with things, out of the blue. And then balking when they demand to know who this person is. Just let them do their jobs, what's the downside? Worst case scenario (won't happen), they crash your server and you get to cry foul. Best case scenario, they take the burden of administration out of your hands and let you focus on what you do best.
As the security guy at work, I would have you tarred and feathered at this point. My only question is how you were able to get this far without them noticing. If they were doing any decent amount of network monitoring they would have found this a lot sooner. Where I used to work they had a similar situation at work with someone bringing in a laptop from home. The laptop was confiscated and then wiped. The contractor was then asked to not show up for a few days. It was in the user agreement that we should have been harsher.
Absolutely. It is not your network, nor your butt in the sling if there is a compromise. I am surprised they let you put this box on the network. Give them the login. I wouldn't open that port unless there was a real business need for it, which in your case I would say no, it is not a true need. A calendar is not reason enough for this port to get opened.
In the words of Donald Trump: "You're Fired!" My ass would be out of a job even before I asked IT for a port to be opened. Especially at a hospital, didn't you take HIPAA training? I had to do that when I volunteered at the info desk.
It's nonsense like this that makes Slashdot less relevant every day. Whether or not the incident in the story is real, it's so blindly obvious and stupid that it ought not to have warranted consideration for posting. And yet, here it is, and brought to us by CmdrTaco, Mr. Slashdot himself. Between the product-placement ads & book reviews, the old news dredged up from digg, reddit, and fark, and "ask slashdot" ridiculousness like this, what are the editors doing with their time that they aren't filtering out this crap any better?
I've worked at 4 colleges, and the IT departments were invariably mouth breathing morons at all of them. The CS faculty knew 100 times more about networking and security. You see, classified employees are contract employees (also tenured), and they tend to be much less educated than the faculty, and quite jealous of the salaries. In one school, these IT boneheads required a ONE YEAR application process to install software (great for when I got a 3 month notice to teach a software training class! I installed the software myself in a single weekend day on every computer in the place, and saved the day.). Not because of some elaborate review and testing process, but because they were lazy, incompetent shits.
Am I missing something? Wouldn't a shared Google Calendar have worked just fine . . . for free, and without all the IT requirements?
IT should have access to the server and you should not be plugging anything into a production network without their ok.
Why would you plug a server into a network that you are not responsible for?
You may have the technical know-how to implement the solution, but, after it is stood up, who is going to patch it? Who will document the location? What issues would this introduce for HIPAA?
I imagine that you signed an agreement through the hiring process that states you would follow IT policy and procedure. Even if their policies are 1/2 assed I imagine that it states that you can't add systems to the wire w/o any kind of change control or approval.
It's possible, if (and only if) your IT dept. is sufficiently enlightened, they may take your idea and deploy it elsewhere. A non-root account is a great demonstrator. Also, if the IT guy finds a hole as non-root, better you find out from him/her instead of J. Random Bad-Guy.
As most others here are, I'm somewhat stunned that your IT staff would allow a user managed server inside the firewall, even with them having a login. If they actually do open the port, I'd seriously question their competence. But the solution here is relatively simple - return the server you bought and go pay for a year of cheap calendar hosting somewhere. Or better yet, just tell everyone in your department to set up a free Gmail account and use that for calendaring. I find it kind of hard to believe that IT doesn't have any iPhone-compatible calendaring software. Most organizations are using Exchange, Notes, or Google Apps, all of which are compatible with iPhones.
If your IT department is so understaffed they can't provide basic support for a service they set up, you have a funding problem that doesn't originate in your IT department. You don't fix the funding problem by inviting multi-million dollar lawsuits. And yes, I realize that your hypothetical involves a bad solution with a high cost, but maybe that's the route they have to go because they don't have the manpower to implement a good solution?
If your IT department works like you've described, the smart money is on the problem coming from someplace above them, even if you see a significant number of poor sysadmins at the bottom. They are probably there because somebody didn't want to spend the money on a more qualified candidate.
You should escalate. Go over his head so you can show the bosses what an arrogant idiot you are; how you are willing to risk the hospital's money and reputation so that you and your team can conveniently get your calendar on your iPhone.
While you do that, I recommend you polish up your resume. You'll need it.
"Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup."
Two years ago, some go getter at Social Security Admin, loaded his work up on his laptop, to work from home. Then lost the laptop and the records. Fool he.
There may actually be a good reason IT is not allowing you to hook up to the hospital network. The previous comment is just one. A work around IT (the guys that guard the doors) GREAT! Just what everyone should be doing!
And if the IT guys are smart, they look over your VM hardware, realize it's a fraud, then come knock on your door with a hammer.
Pull your equipment out of the hospital today, before someone fires you.
It's a place of business, not a pissing contest.
Yeah - but since he's already doing an end-run, I figured he had his reasons for not going through channels...
The short: Give them an account. For a hospital IT department they're unusually permissive about this. If you're giving them an account with suitably circumscribed permissions, there's zero harm they can do to the machine. Likely the most they'd need to do is shut it down in the event that there's some sort of information leak via the system.
The long: Your IT department requires access to the machine because they need to be able to show HIPAA compliance. This is federal law in the US and breaking it can lead to expensive fines, civil lawsuits, and if severe enough, could do SERIOUS damage to the hospital's ability to continue functioning.
As I mentioned, your IT department is being unusually permissive about this. Prepare for them to want to dissect the setup vigorously as part of their risk management and get ready for additional demands to be placed on you as the price for them allowing this system onto the network. Again, they're not being dicks just to be dicks about it. They're doing this because it's part of their job, and keeps the hospital from getting sued and fined into oblivion.
Grant them an account. And ask them what sort of permissions they need on the box. It may be that they want to add the system to their backup routine, or as a node being watched by the network monitoring system. It could be as simple as needing to be able to cleanly shut the machine down (rather than breaking into your office and pulling the plug) if there is an issue where sensitive data is being released by the system. Go out of your way to be accommodating and IT should, barring issues beyond your control, respond in kind.
Chas - The one, the only.
THANK GOD!!!
I can't tell you how much, as a systems admin, I HATE users like this! This guy went out and bought equipment (not his job) with his own money (giving your employer money is pretty stupid since it's supposed to be the other way around), and now is mad at IT because he can't have the toy he wants without sharing it.
This user also seems to forget where he works. In a building subject to HIPAA compliance, you can't just plug in a server that sends data outside the network! I'll almost guarantee there's a change management procedure this user knows nothing about that he has just taken a dump on.
It sounds like their sysadmin is pretty nice, since I would have called security and had him remove the hardware from the building post haste under threat of force (or just dropped it off the top of the building myself). Asking for a login account to his server in exchange for a forwarded port is not only reasonable...given the sysadmin's other options, it's downright charitable!
Given the possibility of needing to comply with healthcare regulations you might as well give him a limited login (it is HIS network, not yours, dept head or not), but they should be able to configure it in the DMZ or some other fashion so as to isolate it from confidential information as well as to keep it from affecting anything if it gets compromised.
...... blah blah blah ....
The real can of worms is that YOU brought it into the building, so if it blows up (so to speak) it's your fault. I'm surprised the IT guy even is allowing this, period, login or not. I can hear it now...
You attached WHAT to my network and want to do WHAT with WHAT? Why, I never, this flies in the face of
Flappinbooger isn't my real name
The whole point of a central IT department is to remove the need for rogue servers from the various departments. If IT is not able to manage all aspects of its environment, including your server, it doesn't have control. If you need a service, IT should fulfill that request provided it is given the resources to do so. I'm sure any CIO / CTO will agree. Rogue servers are bad, central IT management is good. IT is a service partner to all other departments in the organization. It enables them to function.
In an academic environment, e.g. somewhere where people do tech research, I wouldn't expect that every electronic thing hooked up needs to be run by IT. That's a very inflexible solution, that might work if network security and stability is valued higher than innovation and experimentation, e.g. if you're in a production environment, and not doing research... You can't do research if you're not allowed to act on your own initiative...
(In fact I wouldn't want to work anywhere I'm not required to act on my own initiative).
I don't futz with the IT guys' systems. They have their process, I have my home network if I want to tinker. Amusingly enough though, they caught wind of my IT background and had my office located across from their cube-pod. So they can keep an eye on "the guy who thinks he knows computers." Ironically, many of the systems here are so old that I do know how they work inside and out, even after 7 years out of the business... but, I've got my home network if I want to tinker. :D
No matter who purchased the server, there's probably a security policy related to this access...
In my environment, denying said access could easily turn into a Human Resources opportunity... ;)
Obviously he meant "Threat Level Rouge", the one above "Condition Fuchsia" and second only to "Alerte Noire"
Sure, Give IT the access they want to the server. Then after things calm down after 2 weeks or so disable that account. IT has bigger fish to fry.
As a network admin for the past 10 years, it is simple. You bought the box and set it up, yes. The minute that machine touched the network at work it became IT's, no matter what. The request that they have asked for is not unheard of; in fact, my friend, you got off pretty light if you ask me. I have to fight this kind of thing every day and it takes up a lot of time. If you had an idea you should have run it by them; then you might have gotten a much different response than what you have gotten. The biggest reason that they want the information is to make sure everything is secured. You are asking for a tunnel to be created from an outside IP address to an internal machine that is on their network. This opens up the internal network to all aspects of attacks. Do yourself a favor: give them the non-root password and you might find them more open to helping you and possibly keeping the system backed up for you.
Well, all these IT problems come from IT always saying "no" to the "business users" or coming up with ridiculous proposals for a solution.
Believe me, the "business users" aren't just sitting out there trying to come up with ways to make IT work harder. They're trying to run a business and make money. When IT consistently says "no" or comes back with ridiculous proposals, the business users have no choice but to go find some other way to do it; and that usually means hacking something together with the limited tools and knowledge available... typically excel with some vba and/or Access. They don't have a choice... they have to get the job done because it's how the company makes money. And eventually you get tired of all the countless hours of bureaucratic meetings trying to get IT involved and you just give up.
In a recent example, we have a relatively simple problem... there are 3 simple Excel sheets that have some 100 elements of data that need to be handled each month and put into a database to hold the history. Then an Excel file needs to be generated based on that history. We've been in countless hours of scoping meetings, with a consultant writing the BRDs and Business Cases over the last 4 months. All the while, the business users are handling this process by hand in Excel (how accurate and error-free do you think they are that way?). Finally a solution was proposed... they can do it in 6 months and will charge the business $200k.
Really? For that money, we could just hire a new analyst and just have them keep doing this by hand. But that's not allowed by HR. So I'll be hacking this together over the next couple of weekends. And then IT will get to support it when I won't. They better hope I do it well. I'll do the best I can, but like I always say, "I'm not a database person".
Now wouldn't it have been better to not have all those hours and hours of meetings and just have a database person and a report-writing person sit down with me and spend a week building this "lightweight" application in a way that IT will prefer to support?
We're not talking enterprise-class software that has to have 24x7 availability with multiple redundancy. We just want a database to hold a trivial amount of data, import data from a standard format each month, and generate a standard report. If I can hack together over a weekend or two a solution that works, how is it that nobody in IT (who should know how to do this) can spend even quadruple that time and deliver something that works but is also built in a way IT would like to support?
It's inevitable that the business users will need lightweight applications. And as you know, it's inevitable that IT will have to end up supporting it. Wouldn't it make more sense to get out ahead of it then, and offer lightweight solutions in a reasonable manner, and not force the business users to hack their own crap together?
What most people here don't get is that academia is very different than business. I have no experience with academic hospitals, but if it's primarily a research hospital, I wouldn't be surprised if it's similar to most places in academia. I'm currently a PhD student, and neither my current university nor my previous one had any restrictions on servers so long as you didn't generate too much traffic. Most departments (in fact, most large groups) in universities have their own IT person who runs their own servers, and the main IT department is only responsible for managing campus-wide services (i.e. non-departmental services). Hardware owned by each department is subject to the policies of that department - some will enforce much more control than others. But I've never seen the situation where you couldn't bring in your own laptop and use it to work.
Again, this may or may not apply to academic hospitals, but the notion of a port being closed in a university is absurd.
Every businessman should be a programmer and sysadmin.
Exactly.
Attention, all you "professionals" who advocate the tar and feathers: Both you and the "luser" are equally wrong in this scenario. If you dread rogue servers, you'd better be prepared to ask why the users are setting them up and how you're not meeting their needs rather than crushing their initiative. The dept. head in this example is the type you should actually talk to to find out how you can (mirabile dictu!) make your services better.
No, this doesn't excuse the user. But have some fucking sense, people. This fire-the-bastard attitude (seen in several posts here) is exactly the kind of thing that makes people think outsourcing I.T. is a good idea.
Given your desire to have a calendar server to arrange call schedules and the difficulty with the hospital IT and/or Federal regulations, just move the server. Get a fixed IP at home and set up the server in your basement. Give all your colleagues appropriate logins. Neither IT nor the Feds will care.
Problem solved.
duke out
Hugely successful troll is hugely successful.
The health privacy act, or HIPAA (http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html), is very clear about this. This is untrusted HW running on a network dealing with medical records and other private data. There may indeed be h*ll to pay.
I'm actually surprised you managed to get the device networked without IT involvement. Network best-practice requires the network to not admit untrusted hardware so that an infiltrator can't find a quiet spot and hack the servers from within the "trusted" private network.
They should explain to you the responsibilities which come along with running 'your' machine on the network and ask you if you are willing to do the necessary patches and updates all along!
If they are Stasi-like, they send security to confiscate your hardware and might put you before the disciplinary commission.
In my workplace IT is Stasi-like (US-gov influenced).
If your IT department has (any) policy it would not be allowed in the first place. If you really need it, it should be in the computer room anyway. They should have the root password, and you should have an elevated user account. Ask yourself, what if that little server of yours gets hacked, do you really want that blood/liability on your hands?
You need to host this server externally (ie from home, on your own domain name, using something like dyndns). You've got no business having personal equipment inside the corporate firewall.
How much do you want to be culpable if something happens to the computer network? I don't care if it happens to your box or not, just if it happens anywhere on the network. Because an attacker could use your box as a place to launch attacks to other areas of the network. So, if the hospital discovers an information leak which is going to cost them money and they want to be able to share the cost of the settlement, they may well come after your box which was added to the network in violation of policy. You may have to prove that your box wasn't used as a launching point. Do you have insurance to cover this? You can argue that your box couldn't have been used in such a way, but can you prove it in court? - to a judge/jury who may not be technologically savvy? Can you afford to pay for someone who can?
How much money do you want to lose? How comfortable are you with risking said loss?
really this thread is 'over in 1', as I totally agree with the initial comment. Ad-hoc servers on the net, you're lucky they don't give it and you the boot.
I'd have a personalized plate on my car, but "toxic bachelor" won't fit into 7 letters.
Pretty fluffy clouds...
I wouldn't have even considered allowing that port to be open. I'm a sysadmin, and if I discovered someone setting up an internal resource like that, I wouldn't have a problem with it as long as it had 0 interaction with other resources, but I also wouldn't let it out to the rest of the world either.
@OT You can't fight IT, you have to work with them. Obviously it sounds like there's a need for some kind of connectivity. If response #1 was we don't have that, you need to engage with them and try to figure out what it would take to have that. Money, time and permission are always the answers. Do what you can to massage a few of those along. In IT, there's very rarely such a thing as "can't do". Nearly anything is possible if the resources are available and the policies allow.
In any medical field/facility they're going to have to pay special attention to how data is moved around. You can't get a "no we don't do that" response from IT and then just try to build something yourself. You're not responsible for data security, they are.
If you were on my network you would have to.
Do you have logging for the application?
Does the security group need access too?
How does this affect HR since it's a calendar object?
This is production; is there a back-up server?
If you go away, what happens to this server?
I hate off-the-cuff applications that somehow land in our lap after whatever event happens.
It sounds like it does not have to be physically located in the hospital, just for scheduling. Get a home static IP address and run it, or host it somewhere. This avoids hospital IT, HIPAA and it sounds like the OP is willing to pay a little for the convenience.
Well, it's too bad you didn't share the clinic and/or hospital because I'd be emailing a HIPAA violation instead of this comment. You do understand that IT allows you to surf the web during all that downtime you probably have. You don't bite the hand that feeds you. /facepalm
You have good intentions and you want to work more efficiently, but the execution was bad. You should have involved the IT staff and got them on board, because then you wouldn't be at risk of possibly losing your job.
My advice is, take your initiative to another workplace that will appreciate it, with infrastructure in place that suits your working desires. Docs are cheap and they would rather pocket the money for a server than allow you and your co-workers to be productive. They will also go as far as telling the accountant to not fund the 401k with employer contributions because they'd rather have a bonus for that quarter and the funds can be done later (which was a lie but... whatever).
Sometimes, the answer is to just destroy it all.
I'd tree out the argument on a purely economic basis, something a department head should clearly understand:
Was the "rogue" hardware paid for with Hospital funds?
If it was, it belongs to them, and thus belongs under the control of the department with responsibility for management of hospital computing resources: the IT department.
If it was not, it is a personal item, belonging to the purchaser, and should be prohibited from use for storage, retrieval, or manipulation of any facility data. Connecting personal computing devices to facility networks should be prohibited, on privacy, security, and accountability grounds.
Simple enough?
They are worried about their information escaping, and their network being compromised. If you put the server somewhere else (or use a google calendar or similar), you would not need the network security hole, and you can access it from anywhere (iPhone, hospital computer, etc.) You just have to make sure no proprietary or confidential information ends up in that calendar.
Nope, never been bounced out of anywhere. And by offsite, I mean not on the local machine, and not within the server farms geographic location - but still within the secured private network of the organization.
as for being "windows weenies" our SA covers us if we need deep help...
Is that supposed to make it ok to be a windows weenie?
I haven't called tech for support since before Y2K, but since I spent a number of years taking level 3 support escalations, I don't hold it against anyone for calling tech support. Some people are just incapable.
"Lame" - Galaxar
No, you don't need to give IT a password on your server. That is, as long as you don't plug it into IT's network.
If someone were to do that where I work, well ... nothing would happen because you'd be put on the guest network VLAN. But if you could, and did, it would be very poorly looked upon.
I see a lot of responses here from people who seem to have very narrow experience in system administration. Allow me to offer a slightly broader perspective.
It depends.
We don't know the administrative or security policies of this hospital. We don't know its regulatory environment or even what country it's in. We know that it's an "academic hospital", and those of us with experience in academic computing environments know that these tend to be very open both philosophically and in practice.
So, it depends. If there is an established practice of allowing groups within the organization to manage their own facilities, then it's completely appropriate to have done so here. And it's completely inappropriate for staff in the IT department to request access to those facilities, especially after the fact. It's either strictly not their business, or only their business within a mutually agreed SLA. As a senior system administrator, I'd regard that as an attempt by staff to undermine security within the organization. Unfortunately we often deal with junior staff who don't know any better but think they do. That's why I think it's appropriate to take up this issue at a more senior level.
Maybe you'll get your knuckles rapped when you do. It depends on whether there is an established policy that defines how such facilities are to be managed, and whether this particular facility is being managed in line with that policy. On the other hand, if there is no policy, then it's the CIO whose knuckles should be rapped.
One thing I can say for sure is that these scenarios come up all the time. Senior IT people have to anticipate this in formulating policy, and they have to build their networks and train their staff toward the goal of making the organization productive and secure. That's why we all get paycheques. It means obvious things like ensuring that patient treatment and administrative facilities are on their own subnets, behind their own firewalls, with DHCP administered very tightly and switch ports locked down. It may mean the same for individual research labs and other groups, depending on their legitimate needs and budgets. It means having a service catalogue. It means having SLAs. That way, if someone comes along and plugs in a laptop or whatever, it's not the end of the world.
Parity: What to do when the weekend comes.
Lucky not to be fired for violating all kinds of security especially in a HIPAA environment.
You also need to think about and have a plan for one of your coworkers losing their iPhone with company data on it. What's your plan for disabling the phone? What if the employee leaves abruptly, can IT erase the company info on his personal phone? How does HIPAA view this risk?
As many have said before me, there are a lot of procedures, testing, approvals to work through before you can implement something like this; it's much more than just purchasing a server and plugging it into a port.
IT needs that password because if they allow this (which I never would unless I set it up myself on my network) they are the ones who are going to be held responsible if someone hacks in through your server. And the thought of some random on my network setting up and running his own server scares me to death. DEATH I TELL YOU!!
Maybe he could convince them to put the server on a firewalled DMZ. Isolate it from the rest of the network as if malicious; enable the port that he needs. I don't see any reason a compromise couldn't be worked out.
Hospital security, though, must not be compromised. He's already made one critical mistake. He's unknowingly poked IT in the eye by bringing in outside computer hardware. That's a big no-no anywhere data security is important (and can lead to big lawsuits).
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
The OP never said if it was on the hospital network, just said he needed firewall ports opened. Maybe the server is sitting at his house and he just needs 8443 outbound to get to it from inside the hospital?
Your homepage links to an astrology page. All of the astrologers I've met have been crackpots.
It's just a server at work. It's not your bank account.
Go out of your way to let IT do their jobs as easily as possible.
Give them the account and even go to lunch with them later that week.
IT being your friends is the smart way to go.
Cheers!
I'm replying here because this is the first post I found mentioning the name of the OP. This story screams: "TROLL TROLL TROLL!" to me. The alleged original poster Dr. John Michael Dorian is a fictional character from a tv series.
Avantslash: low-bandwidth mobile slashdot.
I can see another side to all of this. You tell the IT guys that you need a calendar that the iPhone can connect to. They don't comply. Your choices are to not have one or do it yourself. I have chose do it yourself a lot. I guess what I am saying is that maybe if IT were more receptive / accommodating to requests from their users then they would have less of a problem with people bringing in their own servers.
...with nologin set as the shell. :)
How many millions of pages does your website have? Mine is pushing 135 million (unique) pages.
Reading the About Us page, is an explanation that the site is an experiment to monitor search engine response to large numbers of pages.
Upon the next rewrite, the pagecount will be around 500 million pages. The reaction from Google should be interesting when presented with 135 million 301 redirects, and 370 million new pages.
So, a doctor dies and goes to heaven. He's waiting in line at the Pearly Gates, but he figures, "I'm a doctor, I shouldn't have to wait in line like normal people." He goes up to ask St. Peter, who tells him everyone has to wait their turn. Then he sees another doctor walk right up to the Pearly Gates, wave to St. Peter, and walk right in. "Hey, how come THAT doctor got to cut in front," he asks. "Oh," says St. Peter, "That's not a doctor. That's God. He just likes to play doctor sometimes."
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I saw someone recommend using a web based service like google apps... good idea.
If that doesn't work for you, why don't you run the server from your home? I assume you have internet access and can afford the $9.99/year for an optional domain name?
Seriously... My first thought - what the hell were you thinking?
You bought a server with your own money. Plugged it into the hospital's network. And you think that's going to be OK?
Does anybody else know how to run the thing? If you get hit by a bus tomorrow, what're they going to do with the machine?
You bought it with your money. If you get fired tomorrow, are you planning on taking it with you? Is it legally documented anywhere that you or the hospital own this thing? Is its value being tracked like every other asset in the hospital? If the auditors show up while you're out of the office, and ask what that box is and how much it cost and which department owns it, can anybody answer them?
Is the thing safe for use in a hospital environment? Every single piece of equipment in my server room (I work in a hospital) has a little tag on it indicating the last time it was tested to make sure it is safe to plug in to an electrical outlet. We don't do the testing ourselves - another company comes in once a year or so and audits absolutely everything in the building that plugs in to an electrical outlet.
Is the thing going to pass HIPAA regulations? You said it's a calendar server... Any chance you'll be putting any PHI on there? What safeguards are in place to make sure that any PHI on there will be protected? Or what kind of safeguards are in place to make sure PHI doesn't show up on there?
And you find it worrying that IT wants to know what you're planning on using port 8443 for? 8443 isn't a standard port number. I've seen it used for a number of different things - not all of which I'd want running on a random box on my network. And it doesn't sound like you asked for any kind of clearance ahead of time... Do you even know if they run public-facing servers on the same network you've got the thing plugged in to? Do you know if they've got a DMZ somewhere that this thing should be plugged in to? Do you know if they're already using 8443 for something? Do you know if they've got a public IP address available for your use? Hell, were you even given a private static IP to use, or did you just grab something that didn't respond to ping?
And you're thinking it's unreasonable for IT to have a login on the machine?
If the thing starts misbehaving in the middle of the night, are they supposed to page you in to fix the issue? If some segment of the network develops issues and they need to move your machine elsewhere, are they supposed to call you in to do it? If it becomes compromised and starts spitting out garbage, do they call you to clean it up? Are you going to become an honorary member of the IT department, solely tasked with maintaining this single machine? And are you going to personally train a replacement when you leave the company? Or when you go on vacation? Or when you get sick?
Never, ever waste your own money on buying servers or computers for work. Especially if you work for a large company that can afford it. You won't be thanked, at best the company will keep it and at worst you will be punished for it.
You were trying to do something nice for your coworkers, but you should have pushed it through the proper channels.
All of the comments talking about breaching the network, HIPAA and, yes, your administrative qualifications raise good points. However, the first problem I see is that nothing in your post indicates that you attempted to find a solution through the proper channels before setting up this private server. I work for a state agency as a system engineer and I think this would have probably gotten someone fired for breaking policy. In addition, I'd like to put forward that a better system may be possible if you work with IT, especially if IT provides a mail system that uses IMAP or Exchange.
I think your largest problem is HIPAA, I seriously doubt that you have the resources to comply properly without working with the IT department and non-compliance could get the hospital in trouble. (For example, HIPAA requires that incremental backups be taken every day with a full backup on Friday. These backups must be stored off site. In addition, medical records must be retained for at least thirty years.) It is critical that you get policy sorted out but the safest move for you is to take the server down and try to obtain a scheduling system through the proper channels. Whatever your decision, DO NOT put patient information of any kind (even appointment times) into your system. If the hospital finds out, you will almost definitely get in to serious trouble. In addition, it could make you liable for criminal penalty under HIPAA but I don't have specifics.
If you were one of the companies I supported, you would be considered "going rogue" by purchasing and implementing any computers/servers outside of the normal IT workflow. There would be phone calls and meetings with the head of your department and potentially the owner of the company (for some of the companies I support, not all.)
The correct way to get this done from the get-go is to work with your IT department to have your requirements fulfilled, not to work around them.
Wow, I never knew that most of Slashdot were admins. IT is a service; they _should_ provide the tools necessary for the employees to do their jobs because, let's face it, it's these employees who make the money for the company. Asking any IT department, at least those I've worked with in small to medium size companies, is like voluntarily walking into the dentist for a root canal. If the IT department did its job and provided the staff with the technology required by them, he would not have had to do this himself. Unfortunately, IT departments seem to think of themselves as the heart of the company and try to dictate what gets used. Pony up, and get this guy his god-damned server.
there would be a network tech and 2-3 security guards on the floor asking questions about 20 minutes after I plugged a rogue server in. I've seen it happen twice in the last five years. Both times it was company owned equipment that was being used as a sandbox during development, but no one let the network group in on it before they plugged it in.
Our rule is if IT doesn't have ~full~ access, we don't allow access to it at all.
We find an unauthorized server we remove it from the network.
who actually let this topic get to the front page? dude, stick the server in your basement and be done with it...
You are lucky that IT department didn't send someone to your office to collect the hard drive from the server along with any other persistent data storage on the box, then have you take the rest of it to your car (with hospital security lurking in the hallway, and escorting you to your car). After which you would have a long meeting with your superiors.
I work in a similar environment, and I understand both the user of technology and the IT sides of things.
What it basically boils down to is this.
I want to use technology A, so I contact IT and ask if it is possible; they say sure, anything is possible, but it will cost you X dollars. At which point jaw hits floor. Looking outside of the IT structure I see I can have it built for Y dollars, which is a mere fraction of X.
Though I understand on the IT side of things as well. Who is going to maintain A, particularly after you up and leave and it is not a critical system? Not to mention all their security policies they must adhere to etc...
Anyway for this particular example I would say, no IT shouldn't have a login to your private server, however you also shouldn't have access to their network. If you want to develop external to the system, then it should be external to the system, don't expect to be able to connect to it.
It has been very tedious getting the data away from these god-awful Access databases, and re-designed and normalized into proper SQL Server or DB2 databases.
... but then again, putting anything from a dynamic SQL environment into a DB2 database, and actually expecting it to be remotely usable afterwards, is pretty far fetched to begin with ... ;-) ... (since the only DB2 engine that really accommodates dynamic SQL is the "Universal Database" edition which has a completely different codebase from the "true" DB2, and a ton of stability and performance issues) ...
Copy your machine out to an Amazon EC2 instance and run the services there, then IT won't bother you. IT needing a hand in every computing device is silly. They don't have logins for the X-ray machines or bed-side monitors, and those are just as much computers as your server.
This guy sounds like a Doctor, and I fixed their little wagon by configuring 802.1x and registering every mac address I manage. No more rogue equipment problems.
But consider the unexpected. The machine in question is behind the primary firewall and can expose the rest of the network to risk.
What if your box is not patched properly and catches a worm? The IT department probably receives memos and straight away that morning runs a script to login to all machines on the network and execute some check for versions of something, followed by a request to you to patch it up. With no login, they can't do this.
What if your box is the weak point of the network and becomes a haven for some hacker. With a login the IT department can check to see if there are attacks on that server. In essence, remember that the IT department is called "IT services". With the login they provide babysitting services for your server. Evidently you weren't able to get resources paid for by your organization to make this happen, but since you have provided the hardware, and they're willing to service it for free, might as well. This will take more time for your actual job, which is... I missed that but somehow related to actually serving patients. So, that's good. Personally I would provide them with both root and a standard login, with the expectation that they will safeguard this info appropriately. At any rate, this entire situation seems to me to stem from a lack of communication, and poor communication skills. IT folks are known for this. Give them a break. Their usual human interactions is limited to phrases such as:
What should have happened is your IT guy (or girl?) says "Oh. Servers on our network need regular security audits. Could you set up a login for us to facilitate that? It will take X days and then we can open the ports you need."
Sales skills are required in every human interaction in which you wish to get your way without question. Simply provide some information, a benefit, then request what you need, and if possible follow up with more information involving a benefit.
I would hope that the owner of this indy office server can submit receipts and get the server paid for and ownership transferred in the future, after all the red tape gets dealt with.
Every hospital I've worked at required that all patient information live in the datacentre. Are people not going to "ever" have anything personally identifiable to a patient? No medical record numbers, no names, disease descriptions etc? How about confidential information like budgets and problems?
IT needs to be able to shut down anything that could expose information promptly if it is compromised. Plus any information that must be around for operations needs to be properly backed up and maintained. I'd go with Google Apps or the like. A calendar can be shared with CalDAV from there, I'm pretty sure. It is free and doesn't need to cross the firewall to get to the iPhones.
Another question will be: does everyone have access to CalDAV? It doesn't make much sense to have a calendar for iPhones and then a half dozen people with BlackBerry access to their corporate Outlook account who will never look at the CalDAV calendar. You'll end up with information split amongst the two or more systems and often conflicting with each other.
As a retired IT manager with a duty to provide a secure network, I would not require an account on your system.
As soon as I discovered your action, I would call for your immediate dismissal, get security to escort you from the site (sans box) and then I would assign a tech to wipe your drives with extreme prejudice before shipping it to you at your cost.
This may seem harsh, but I have seen the cost of similar acts in real life, and users need to be aware of the penalties.
Incidentally, I would charge my time and that of the tech to your line manager, and include the cost of a thorough security audit of all systems in their department. Hopefully all involved would emerge sadder but wiser.
This scenario is especially prevalent in academia. Academic freedom is important, but all too often it spills over into areas that it really doesn't belong.
Actually, the real problem is corporate attitudes spilling over into academia. Maybe an insurance company or a sprocket manufacturer can lock down its network to run only the handful of services that an obedient little cubicle-dweller needs, but part of the point of academia is to experiment and investigate, so that system is really not fit for purpose.
The only sensible way of treating a large academic (medical or otherwise) network is like a giant DMZ with all the commercially sensitive stuff (patient/student/employee records, financials etc.) safely tucked behind a secondary firewall, with VPN access only given to those who need it. Many just won't, and with computers now costing negligible money (c.f. the cost of human resources wasted by bureaucracy - but, of course, accounting systems are set up to hide that) you can always hand out locked down thin clients in addition to general purpose PCs to those who need both.
Ever looked inside a large university or hospital? Dozens of buildings, thousands of employees plus All Human Life (not to mention students) wandering in and out for conferences and yoga classes, often with no front desk security (if you started challenging strangers mooching up and down the corridor you'd have a full-time job). Meanwhile, quite a few of the academics will have a genuine need to install random shit, access YouTube/FaceBook/whatever or set up their own blogs because they've got a funded (so don't mock) project on "The Use of Social Networking in Urso-Sylvan Scatology" or "The Effect of Minecraft on Adolescent Motor Skills" (I don't think I even made the last one up!).
Want physical access to the network? Forget Mission Impossible masks and high wire acts; even the old "carry a clipboard and look purposeful" trick is overkill. Some bright staff member acting in good faith adding a (pretty bloody secure out-of-the-box) BSD or Linux server is the least of your worries.
To think that you can keep that all secure by printing "Acceptable Use Policies" and occasionally slapping the wrists of the few offenders you catch is rather optimistic. An academic network is best treated like a tributary of the internet.
...and yes, ad-hoc systems may work for a while and then have to be junked when the guy that lashed them together leaves, but, hang on, who did I hear offering to set up, document a "professional" alternative, and maintain it for perpetuity, on the available budget of (let's see, zero plus zero, carry the zero...) nothing?
I am head of an IT department at an academic hospital. My fellow faculty (a dozen or so) want to switch from a caffeine to amphetamines (night and weekend on-call schedule). Most have an hypodermic or similar, so I envisaged a ephedra lacing. The Hospital Doctor doesn't offer any ephedra laced amphetamines, so I bought (with my cash) a chemistry set, combined methamphetamines and ephedra for kick, and buffered it with saline. After I tested it out on a neighbor's cat, I emailed the doctor to ask to allow extra hypodermics for this dosing. The doctor (after asking what the sodium hydroxide was for), said he would allow the dosage after I provide him with a record of clinical trials. I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any local trial, to ensure it has no major issues, but I'd rather not let anyone else have the secret formula. What do the readers of Slashdot think? Should I give doctor the clinical trials of a formula that is not owned or managed by him?
So go ahead, inject caffeine into your veins all you want.
Create a Google Calendar and share it with everyone. Have everyone use this URL instead of what you were going to use for your server.
https://www.google.com/calendar/dav/YOUREMAIL@DOMAIN.COM/user
This turned into a "let's flame the OP" comment section. Obviously he doesn't know any better. Cut him some slack. (coming from an experienced sysadmin)
Long story short, they shouldn't even allow your box on the network, but asking for a user account certainly isn't unreasonable.
Cmdr, please stop taking the trolls out for a walk in the park. Admittedly, the trolls do enjoy it, and there seems to be a lot of public interaction, but really, it's a bit of a nuisance. Please, the next time they ask, just say no....
jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented).
I don't watch "Scrubs", but Wikipedia says that J.D. Dorian is a "residency director" on the show's teaching hospital.
I don't let random employees set up machines on the network and then allow outside access to them. I would want root access and a full rundown on what you were running on the system and who would have access.
They are being completely reasonable by requesting a non-root account.
Setup a dummy computer that does nothing. Put in all sorts of interesting looking things.
Then let him have access to it.
When you take your car to the mechanic, do you give him the keys?
So great you bought your own server to serve your department's needs but what happens when the server has hardware problems. What happens when there is a software issue? I'll bet you go running to the IT department to fix the issue. It happens all the time where I work. Do you think that is right to just dump this new server on them claiming that it is 'your' server. You have good intentions but the effort is short sighted. If every department purchased their own servers, then you'd have to hire more IT admins which costs more money. You can't expect your IT admins to support all IT related hardware/software. That's impossible.
Once you plug a server into someone else's network, it's their server. IT has all kinds of accountability for anything plugged into their network. You plug your server into their network without their knowledge or consent, and you are basically operating a black box that they cannot control or audit for compliance.
So....I vote YES...give IT whatever they ask for.
If a simple non-root account is all they're asking for, consider yourself lucky that they are still granting you the privilege of operating a server on their network.
My question is how did this work in the first place? The second he plugged his personal server into the hospital network port security should have shut him down. Also I wouldn't be happy just knowing what is on port 8443, just because that is what you have running on that port when they inspect your server doesn't mean that is what will be running on it 5 minutes later.
If your IT department was anything like ours, they'd shut down the port your rogue server is on as soon as it was detected. Then you would make the dejected call to your helpdesk demanding that the port be re-enabled. The helpdesk would log the call, and most likely refer it to their manager. IT would probably then refer the matter to your manager for disciplinary action.
Just... stop! IT departments hate users like this who think they are above established policies simply because they know more about computers than the average bear. Chances are that they will be less likely to accommodate future requests after this incident.
It isn't an approved machine on the corporate network. IT not only has the right, but the duty to have it shut down immediately.
You wanna run your calendar from off site? That's fine. But inside the corporate network?
Naughty user. Bad user. Stop. Stop.
The simple answer to this is use Google Calendar!
I'm of two minds on this one.
On one hand, my experience with corporate IT has been very poor. Usually, they're the ones preventing you from having the tools you need to do your job, or making poor use of resources, or sneaking in and doing something to break a previously working situation. One good example: my department is responsible for maintaining a number of industrial PCs and servers, and not only are we blocked from the Microsoft download site (so we have to download patches on our own time at home), but there have been times in the past where IT has sneaked in and made changes to working machines that make them non-working machines. These machines control and monitor life or death situations, so we're working on getting IT off our machines and out of our systems.
On the other hand, It *is* their network right up to your server. You have to understand that their mandate is to operate and protect that network.
iPhone compatible calendar tool
Your hospital must be big enough to have Active Directory and Exchange. Exchange is iPhone compatible! If your IT refuses to set up Exchange for iPhone, tell your boss to hire a new CIO. This is not how your IT department should be working. P.S. I am the head of IT of radonc; I feel your pain.
Your eloquent response didn't answer the question. Would this prevent someone from running a packet sniffer?
Too often have I had to listen to people saying: Oh but its (Open)BSD, so it's 'secure' (whatever that means). Ok the base install might have very few holes in it, but whatever software running on it can be just as vulnerable as on any other platform. Crappy PHP code for example will be just as crappy on OBSD. I'll prefer a well managed Windows or Linux box in my network over one running OpenBSD administered by an amateur.
9 years ago I faced the same problem, not in a hospital but in a high school. I set up a server at home, not on the high school's network. It has run since then, and there is no calendar software on the high school network; the calendar is used by almost all students, and the IT people do not have any account.
I think you should take your server from the hospital and have it run at another site; no problem if it is only a calendar.
1. register MyDepartmentOnCall.com (don't name the hospital for various reasons)
2. sign up for google apps
3. set everyone up with accounts on there
4. pray no one puts patient info there, and only "I'm working/I'm not working/I'm on call" info, because you'll be the one sued.
Did Slashdot take up trolling?
I love how this submission brought out all the IT pricks who get their noses bent out of shape whenever someone does something that they can't control. Oh noes! I am the god of IT and thou shall not do anything without my permission! IT pricks are even worse than union pricks.
...IT is a service industry. Hospitals exist to support the work of doctors (healing). If doctors find it convenient to run their own calendar servers to make their lives easier and the exercise of their work more convenient, who the f*** cares what their IT departments think?? Sorry, but I'm fairly appalled at the arrogance of a number of the responses from (presumably) sysadmins here.
Lots of hate-ons from the sysadmin crowd here, probably understandable though. Why don't you try a scheduling company like DocRoster, or use Google Calendar. Google Calendar works seamlessly with Android smartphones and is the favoured tool for scheduling classes for students at my university.
Just kidding.
Seriously the only real answer is to get that server out of the building and far away from the network and setup a calendar server correctly with monitoring and backups.
Your question is summarized as "Should I give IT a login account on a server that is not owned or managed by them?" Turn it around. "Should IT give your server access to the network (opening specific ports) which is not owned or managed by you?" I'm amazed that you're allowed to do this. As many others have said, this server would have been immediately cut off and confiscated in my work environment. And I work in academia, where we don't have a whole lot of rules (at least compared to the corporate world). You've gotten away with a severe bending of the rules by even having this server. Now you want to bend/break the rules even more by not giving IT a login account? Then take it home, where it belongs. It's users like you that make those of us in IT support bang our heads on the desk, and drink half our salary in beer, on a regular basis.
Come on.
IT is there to support the organization; they are not the organization. Why didn't IT set up a server? The server could be separated by a firewall from any critical or sensitive servers.
I haven't read all the 987 comments but..
Where did he say that the server is INSIDE the hospital's network??
It's not clear but he could have set up the DAViCal server outside and is simply asking to give access FROM INSIDE.
Cuz when I find it (and I will find it) I'm going to confiscate it... it will be fun to destroy this guys hard drive, you know, for security purposes. I'm sure you signed a waiver when you filled out the HR paperwork when you got hired. It ain't my fault you didn't read it moron.
Heya jddorian, A lot of slashdotters have jumped straight onto the defensive bandwagon, and given that most of us are IT professionals it's understandable. I'm suspecting that if you have to go to the effort of building your own servers, there’s a distinct lack of IT support from your IT support. I've seen both sides of these types of arguments; I hope you can resolve it! There's no harm in asking IT and Networking why they want access to the machine. Good Luck!
I guess I shouldn't be surprised that so many comments are from the "IT" point of view. However, I feel that IT departments should be there to provide the services that are needed, not to dictate policy or limit what you can do or what hardware is supported. Should you give them access? Well, that depends on if you feel they can be trusted. If the answer is yes, then sit down and try to have a conversation as to what the IT department expects and what you expect of them in return. If the person you speak to is only capable of communicating properly with computers, not with fellow humans, then by all means go up the chain. I have no patience whatsoever for the type of self-important arrogant attitude many IT "professionals" display. I reiterate: as the doctor, the IT department is supposed to be there to help you accomplish your goals. Any attitude other than that is unacceptable. Your goals may not be realistic, the way you went about it might not be ideal, but in the end your IT department should be polite, professional and helpful, and should work with you (not against you) in finding a solution for your needs.
Seek professional assistance.
As an info-sec pro for a hospital, the best guidance I can provide you is to seek help from an IT person you trust that has knowledge of HIPAA and HITECH act. You are entering an area governed by law not just the whims of your IT folks.
Your institution is required to maintain strict control of what is attached to and available on its network, and what access is allowed to it must be audited and reviewed. They must maintain records and be able to make them available on request to prove who has accessed what, when. The main question to be able to answer is: will there be any electronic patient information (the 18 elements uniquely protected by HIPAA) in the scheduling program or in data that server sends or receives? Much of where things go from here hinges on that one detail.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual which includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic protected health information" (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing. But the HITECH Act may. http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Right on! Mordac, the Preventer of Information Services, (not "the goat with a thousand young", more like "the ass with a thousand cracks") seems to have posted along with all of his/its clones in this thread. If they won't do what is requested, they must be bypassed or fired. They don't seem to understand that they aren't meant to have any power to delay or prevent use of computers and networks for whatever the real producers say they want to do. Advise, fine. Try to get broad support for more integrated solutions, fine. But if they don't provide requested services immediately, if they carve out fiefdoms and try to throw their weight around, pretending to be "administrators" and "owners" they need to be replaced. Their value somewhere between janitor and mechanic, they should not put on airs.
Study the OWASP top-ten & you might get an inkling *why* IT would want this. It's to plug into automated scanning tools that, among other things, try documented hacks for privilege escalation. The best way to accomplish that is to start with a normal user account.
I think some people are missing some of the medico-legal aspects here, although electronic calendar functionality isn't likely to be much of a problem in that respect, I suppose, but any hospital records pose problems for IT people. Of course, working in a medical field, I'm sure they have policy and experience with this.
Also, it will probably come down to whatever the existing policy is for things like this, but in the absence of that information I think it's fair to deny the IT dept. access, as long as you accept you're making yourself responsible for it and are willing and able to take a 3 am call from them if it leads to problems they aren't able to fix because of that decision.
Is this port 8443 going out of the facility or into it?
In both cases I think that the IT department would be negligent if they didn't at least occasionally monitor what was going on at that port, so requesting only a regular account for IT is actually a very lenient policy. You wouldn't have to add them to any of the groups that can access real data, so it's just the means to examine if the application you claim to be running is actually the one that is really there.
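The kind of read-only check the comment above (and the "run a script to login to all machines" comment earlier) has in mind, written here as an added example that is not from the thread: from an unprivileged account it confirms what is bound to port 8443, who owns that process, and whether the service really advertises CalDAV. The `sockstat -4l` listing and the `OPTIONS` response headers are constructed samples; the expected-port set and the DAViCal-style paths are assumptions.

```python
"""Read-only audit checks an unprivileged IT account could run on the CalDAV host.

Added example, not code from the thread or from DAViCal. Inputs are what an
unprivileged user can obtain without root: `sockstat -4l` on the BSD host and
the headers of `curl -sk -X OPTIONS https://host:8443/caldav.php/ -D -`.
"""

# Assumption: only SSH (admin) and the CalDAV listener should face the network.
EXPECTED_PUBLIC_PORTS = {22, 8443}

# Constructed sample of `sockstat -4l` output on the FreeBSD box.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      812   4  tcp4   *:8443                *:*
root     sshd       540   3  tcp4   *:22                  *:*
ldap     slapd      601   7  tcp4   127.0.0.1:389         *:*
"""

# Constructed sample of the OPTIONS response headers from the CalDAV listener.
OPTIONS_SAMPLE = """\
HTTP/1.1 200 OK
Server: Apache
DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
Allow: OPTIONS, PROPFIND, REPORT, GET, PUT, DELETE, MKCALENDAR
Content-Length: 0
"""


def listeners(sockstat_text):
    """Parse sockstat output into (user, command, local_addr, port) tuples for TCP listeners."""
    rows = []
    for line in sockstat_text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 6 or not parts[4].startswith("tcp"):
            continue
        addr, port = parts[5].rsplit(":", 1)
        rows.append((parts[0], parts[1], addr, int(port)))
    return rows


def dav_capabilities(headers_text):
    """Return the tokens of the DAV: response header; empty set if absent."""
    for line in headers_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "dav":
            return {tok.strip() for tok in value.split(",") if tok.strip()}
    return set()


def audit(sockstat_text, headers_text, port=8443):
    """Return a list of findings; an empty list means the host matches what was claimed."""
    findings = []
    rows = listeners(sockstat_text)

    bound = [r for r in rows if r[3] == port]
    if not bound:
        findings.append(f"nothing is listening on port {port}")
    for user, cmd, _addr, _p in bound:
        if user == "root":
            findings.append(f"{cmd} on port {port} runs as root")

    # The DAV header is how a CalDAV server declares itself (RFC 4791 calendar-access).
    caps = dav_capabilities(headers_text)
    if "calendar-access" not in caps:
        findings.append(f"port {port} does not advertise CalDAV (DAV: {sorted(caps)})")

    # Anything else reachable from the network is unexpected exposure; loopback is fine.
    for user, cmd, addr, p in rows:
        if addr not in ("127.0.0.1", "localhost") and p not in EXPECTED_PUBLIC_PORTS:
            findings.append(f"unexpected network listener {cmd} ({user}) on {addr}:{p}")
    return findings


if __name__ == "__main__":
    for finding in audit(SOCKSTAT_SAMPLE, OPTIONS_SAMPLE) or ["no findings"]:
        print(finding)
```

Pointing the same logic at the live host means substituting real `sockstat` and `curl` output; nothing here needs membership in any group that can read calendar data.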
If it were up to me, my answer to the request of any staff member to run unaudited software on unsupervised systems anywhere would be very simple: NO, NO, NO.
I have about 25 years as a sysadmin, and a manager of sysadmin departments. Sometimes my department was corporate admin, and sometimes I was hired as a local admin for a development group within the organization.
What I've observed, from both sides, actually, is that if corporate admin does not meet the needs of its users, little IT departments will (not may, will) spring up all over the company. Many of them will be manned by wannabees who don't know what they're doing and/or don't understand security issues. The trivial example is the department that's tired of requesting that the corporate wifi gets extended into their building, and puts up their own unsecured wifi in order to get their work done. Yes, they had a point. No, they shouldn't have done that.
Some departments will hire a professional and start loading a wiring closet up with servers.
The way to prevent this is not to forbid it. Life finds a way. Instead, take the hint and try to understand what they're trying to do and why, and how this incorporates into the existing infrastructure. Sometimes the answer really is "no", but you will be able to articulate why, and offer alternatives.
If you insist on battling your users over control of your infrastructure, you will lose, because there are more of them than you.
The original poster could be a troll, or they could be someone trying to get advice without revealing who they are. In some academic environments, IT is stretched very thin and it lacks authority to enforce what should be standard operating procedure. If someone wants something done, they refer to their local, unofficial IT staff and jury-rig it.
Eventually IT inherits the kludge and has to figure out how to make it work. If IT is lucky, it comes before a disaster occurs. If IT is unlucky, it happens because of a disaster.
Our corporate firewall allows very few social sites through. One notable exception is Slashdot, and the consequences will be harsh if jddorian is traced back to one of the company hospitals. Due to the size of our company, the probability of this one being one of ours is high.
I am the CIO/CTO of a major medical organization. Had you plugged that server in on my network without authorization from IT, without a security audit performed, and without any compliance auditing performed - you'd be looking for a new job. That being said, I completely understand the desire for tinkering and providing a good solution to your colleagues and peers. But, to do that without consulting the IT department is very inconsiderate. They are working their asses off to make sure that everything is working as it should, while managing user complaints, hardware failures, asset tracking, data retention policies, and a myriad of other odds and ends. By plugging in that server, you've just undermined everything that they are doing. You're putting an untested application onto a network that you're not familiar with and hoping it doesn't break anything - without any consideration of the port mapping schema, or IP addressing schema that is in place. The next time you're feeling technically savvy, my recommendation would be to consult your IT department beforehand. At the very least, you should be severely reprimanded for your actions. You are jeopardizing the reliability and security of hospital systems with your little project.
And this is why I made sure our whole office(s) networks use port authentication. In this situation he could have plugged in his little device on our office network and nothing would happen without talking to the IT department.
If this were my dept I'd block the port, initiate an audit of all your machines, and have already reported this to my superiors.
Before you even get into liability or fines just the mandated actions that have to be taken after a HIPAA breach can cost your institute a small fortune.
You might not have personal health information on that machine, but what happens if somebody compromises it and uses it to launch attacks on the internal network against machines that do?
I'm amazed your IT dept even allowed your new machine on the network (our switches won't even talk to a system before it goes through IT).
Actually I'm guessing they do have a policy and either you don't know it or are ignoring it.
If you're the head of the dept you owe it to your institute to make sure this is done right - else you deserve to be fired.
Is your system HIPAA compliant? If it's not vetted for HIPAA compliance, then you potentially place the hospital as a whole at legal risk.
It's been my experience that Hospital IT are guys who want to empower the end user who have legitimate reasons, but can be constrained by their own budgets to give "cutting edge" technology to the end user. However, it's always easier to catch flies with honey than vinegar. I would tend to agree that you need to be pretty transparent to the IT group. They certainly can help you do what you want, and perhaps even make what you're doing more efficient and maybe even more broadly available.
If you have patient information on the schedules, or potentially could have patient names or other details, you really need IT to help you be HIPAA compliant.
(And, if you're not in the US, then whatever version of HIPAA compliance your country has in place.) :-)
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
I have never seen such a unanimous opinion in Slashdot comments.
No, in a properly run network you don't have random open ports to plug in to. If there isn't a device currently plugged in that is authorized, the port is OFF. Leaving open hardware ports "laying around" is a huge risk.
Now, that doesn't mean that you couldn't cheat and try putting a switch of your own on that one live port in your cube, but there are solutions to prevent that from being effective too.
This is the user perspective and every IT person is up in arms! It's simply easier to do it myself than deal with the IT department. For good reason!
We laugh at the stereotypes of IT people often because they're somewhat true. We're not always easy to deal with, we sometimes talk over non-IT folk, we sometimes act as the King of our domains (more than sometimes!). Aside from the fact that this guy is breaking all sorts of rules, I'm curious what has led up to this point. What I see in the question is ignorance of policies related to IT (often the fault of IT for not proactively educating the user base) and a little frustration with IT's lack of offering for what is now a very common phone ("the IT department doesn't offer ... "). I also see hubris that "experts" in their fields typically have. You'll get what you want or complain loudly. IT people do the same.
In any event, the IT people are being protective of the network and ensuring the security of its systems. You are not in compliance. Flying it up the chain would make you nothing short of a dick. The IT department will likely help you meet your goals if you ask. If they don't, they're dicks. No need to get in a cockfight.
Hi, I work as a doctor in the NHS in the UK and over here we can't do what you propose. The main problem here would be connecting your server to the NHS network. I know of a senior consultant (the equivalent of the US attending physician) who was disciplined for connecting his own computer to the NHS network. Another problem would be that IT would not be able to control your iPhones or whatever remotely, so if you lose one with confidential data, they would not be able to delete the data remotely. In my hospital we wanted email/calendar/dictation on the go, we asked the nice IT people and they set this up with Blackberries. This works well. The way we organised this was through the hospital's IT/IG group. When something does not work, when the dictation client needs to be reinstalled, when we don't know what we are doing we ask them and they do know and are very helpful. We look after the patients, they look after the computers. They backup everything. Say your hospital agreed to let you have your little server. Would you be doing the backups and help people get their data back when something goes wrong? Are you going to give your colleagues your mobile number so they can ring you whenever they have a problem? Would this interfere with whatever it is that you normally do at work? Don't bother. It is going to be a major headache even if your hospital agrees to let you do this. Regards
OP, you sound somewhat security conscious, so I would ask you the question: Would you let the IT guy plug a small server into your home network? Would you let the IT guy plug the server into your home network if he gives you a regular user account on the machine? Would you let the IT guy plug the server into your home network if he gives you a root account on the machine? If you are actually security conscious, I assume that you would answer no to all 3 questions. A better solution would be: why not plug your little server into your home network and punch open the hole in your own firewall? You would have full control, and would never have to give the IT guy an account. In the meantime you can keep pushing them to set up the service on an official hospital machine.
Yep, I was thinking about Access as an example too. I think I'll do a two day surgery course and start operating on patients in the corridor...
Consider it to be a CYA type thing. It is a computer. It is on the network. While you may have set it up, IT ultimately has to answer for things that are on the network. If your machine ends up being a security hole, they will get the blame at first because some part of the network was hacked. If they can't sign in to your machine to verify that everything is up to date, they can only assume that your machine is the cause and they can't fix it.
Note that the lab servers are probably locked down so they won't do much damage if they are hacked. They may even be managed by IT, even if the content comes from the labs.
Remind yourself: You may be technical but you don't work in IT. Your job responsibility is not IT.
Fuck NO ABSOLUTELY NOT.
Working 10 years so far in IT healthcare, I can say this: every time there is any hint of data possibly being compromised, whether it be incoming or outgoing (this isn't even touching on HIPAA and the incredible pain in the ass it is), the hospital IT department ultimately has to answer to the CEO why server X is on the network and why it is doing XYZ. I can tell you that in every facility I have worked in, as soon as this came to light the switch port would be shut down and there would be a nice little team from IT in the dept asking a lot of questions as to why there is a piece of equipment on the network that the hospital didn't purchase. My advice: take your server home and go through IT channels for your scheduling.
The world called out for a hero and all it got was me...
If you bought the server with your own cash, why not simply run it from home? Then there's no issue with the local IT people. You may still have HIPAA compliance issues, though, depending on the data that's stored on it.
Better option: gift it to IT and wash your hands of it.
What makes you think that will stop them from trying ... then reimaging the server when it doesn't respond?
So you want to hang out in a city of a million ungoverned men? I hope your Uzi-wielding and ultimate fighting skills are up to snuff, not to mention your ability to gather a protective gang around you through a combination of intimidation and loot-sharing.
Where are we going and why are we in a handbasket?
about half of the power users capable of doing that in access were ALSO capable of doing it properly in a real sql db/server setup. IT likely laughed or never gave them that option, so they went with what they had. Can't blame the "pinheads" who automated their own workload and increased efficiency, now can we? Blame the company for not giving them a proper avenue to do that with. And then blame the company more for dumping those systems on IT :P They should have shelled out the money to hire a maintainer, if the VBA was truly that important.
I've seen this happen with MS Access and other pieces of software. Operations needs to use their data in certain ways, but IS thinks it is a waste of time. Operations then invests in tech solutions without buy-in from IS. Operations then improves their operations (and yes, usually it is an improvement in the short term, even if they use technologies that make us cringe). Eventually, these systems become so important to Operations that letting them die becomes infeasible. Some time after they become critical, something happens (the employee that made it quit/was fired/was hit by a bus, upgraded desktops are no longer compatible, scale changes, etc.), and Operations needs IS support to help them fix this critical system. This is when the system starts costing more than the solution IS would have implemented initially.
IS/IT likes to blame Operations, but it is their (our) fault. If we had been on the ball to start with, and supported Operations needs, they wouldn't have needed to go outside IS/IT for their needs. I've seen it happen far too often. Focus on assisting Operations, not just minimizing your work. Leads to less work and more results in the long run.
"these little POS solutions suddenly become the most critical production apps without anyone telling IT" .. You mean, other than the time when the manager asked IT if they could create a solution from scratch, and instead got an excuse designed to make the manager want to give up on the solution that is urgently needed.
You guys should learn to ignore the trolls
I'd LOVE to see a follow up article on how this all nets out. Maybe insight from the IT person requesting access. Was he willing to let the box stay on the network or did he just want to go fishing to find out what was going on?
they DID ask IT.
IT said: its too hard.
Why do you want the server hosted inside your hospitals firewall?
What if your server gets hacked, and some journals leak or something else? I would never dare to do anything like this, and I think you should consider your judgement.
The number of aggressive, obscenity laced postings from supposedly "professional" IT practitioners exemplifies the deep problems in that field today.
Over the last 30 or so years, I've had the privilege of working with many truly talented and effective IT people.
The best of them, like the best people in all fields, were modest, flexible and had a keen understanding of how they could best contribute to the wider enterprise.
Over the past decade, or so, I've seen a cultural change in IT. There are still a lot of awesome people in the field, and I respect the profession highly.
But I've noticed an upswing in practitioners who seem to be poorly skilled and highly aggressive (perhaps to compensate for any self-perceived inferiority).
Strangely, these people are often not promoted and so they are increasingly in the front line of IT.
So when a person talks to IT, they are often confronted by appallingly poor skills and overblown aggression. Over time, this taints all IT people.
Have you wondered why supposedly smart people do "end runs" around IT? Have you ever experienced people diverting funds that should go to IT into other groups? Do you complain that people never come and talk to IT about their projects anymore?
Conversely, do you find yourself simply saying NO to people rather than trying to solve their problem? Do you find yourself getting angry when people challenge your "authority"? Do you regard IT processes as superior to your organization's goals?
====
So I say give IT a login, but of course make sure they reset the pw on first login. And you should make sure their account is set up for a secure password - requiring mixed upper, lower, alpha, numeric, and at least 16 characters long with two punctuation characters (you can't tell them all the requirements at once though, each time they try to create a new password, you must tell them only one error).
And it's a restricted account of course, so IT can only log in and out to read their own messages, of which there will likely only be messages reminding them that their password is about to expire. Speaking of their password -- for security's sake, make sure that it must be reset no more than every 7 days (and don't forget -- after 3 bad login attempts, they must use the phone to call in for a reset!!)
====
At our local hospital, where I have done some consulting work, most of the doctors are not employees of the hospital but do their work there because the hospital has services that the doctors, individually, would find difficult to duplicate. The hospital IT staff is understandably concerned about internal security in light of HIPAA regulations and the inherent insecurity of the Windows platform. In addition, many patients and visitors want WiFi access to the Internet. I can certainly understand that IT might be somewhat concerned at a server on their network which they do not have any control over. The IT guy was pretty reasonable, I think, in asking for an account - not a root account mind you - to let him get a handle on what the server is doing and how well it is secured.
My question is: Why not provide a separate Internet link to this server and let the doctors worry about their own security? We did that at a local hospital when the doctors wanted a server. We simply wired up the doctor's lounge with their own ISP account which was not connected to the hospital's network in any way. The docs had their own router and their own workstations and paid their own ISP bill.
This was no problem until the docs wanted WiFi access and the hospital IT staff were worried about "interference". I haven't heard the latest on that part.
A simple request to IT should have been your start. If I was your IT manager, I'd shut down your server. Are you prepared to be responsible for security risks, etc from putting this server in place? Will you accept responsibility when someone accesses your server and then places a trojan or other malware onto your network? This is exactly why you should go to your IT dept.
How much do you want to be involved in the on-going maintenance/patching/upkeep/user support of this machine? What happens when you go on a 3 week vacation with your family and the server breaks? Would you prefer the IT person to load up a disk, reset the root password, and hack and slash through your system to get things working, or would you prefer that a trusted IT person have an account on the box so they can monitor things if you're too busy?
The more reliant people become on a service, the louder the cries when it breaks. And if people are being provided an IT service, they'll likely go to the IT guy first for troubleshooting (as it should be).
As an IT administrator for a number of years now, the more you can put in the hands of your resident IT people, and have a good relationship with them, the better off things will usually go. Especially since they likely have the setup to take things from a user box you setup to the next level (like backups, feature additions/advising, etc).
If it is on the network, it will own it
I'm going to play Devil's Advocate and go against the IT-sympathizing majority and say that it depends. I can see it being entirely possible that inside a place like a hospital, in a department that is as high tech as the OP is claiming, a Department Head may be in charge of organizing the setup and maintenance of medical equipment that is outside of IT's direct (or at least day-to-day) control. A territorial Department Head, especially a knowledgeable one, may want to keep IT's involvement as minimal as possible, if only to avoid red tape.
I work as the head of IT for a library which, admittedly, is not nearly as regulated as a hospital, but we've had some similar issues. The library system we are a member of will, for a fee, manage our network, but we choose to run our network and servers internally. Every once in a while, we'll make a change to our internal network, such as a superscope addition, and they'll scream bloody murder, and say we can't do that, that they need access to everything to keep it all from blowing up or something. Without telling us why. So, without knowing the full scope of IT's role at the hospital, I can potentially see a situation where the Department Head may not be completely unjustified in asking why IT wants access.
An awful lot of the comments here are jumping down the OP's throat because he had the audacity to plug a computer into a network without bowing down to the IT gods, and I think this demonstrates a fundamental misunderstanding of the differences between the corporate IT environment and the healthcare IT environment -- especially the academic healthcare IT environment. Academic healthcare operates, for better or worse, much more like a university than a hospital. Imagine an academic computer science department or an engineering department having to go through their university's central IT department any time they wanted to do anything that might involve a computer, including research.
The IT in very large hospitals, particularly academic hospitals, is fairly fragmented. In the academic hospital I work at, every major department -- radiology, cardiology, pediatrics, medicine, etc. -- maintains its own IT apart from the official hospital IT department. On top of that, half the staff are managed by the hospital and the other half are managed by the affiliated university, meaning they are under the jurisdiction of different central IT departments. People are constantly creating their own systems and projects to meet their own specific needs because the central IT group does not have the time or resources to accommodate everyone. This fragmentation is a tremendous pain in the butt, tends to hinder more than it helps, and I really wish it wasn't this way...but it is. One would hope that the OP's hospital has a central calendaring system like Exchange, but it wouldn't surprise me if they didn't. It also wouldn't surprise me if central IT required departments to pay for it, which means not everyone uses it, which means it isn't universal (that is, looking someone up in the directory is pointless because there's a good chance they won't be in it, even if they work there, for example). With regard to the OP's original problem, I haven't run into too many hospitals that have iPhone resources -- they're almost all BlackBerry -- so asking central IT to set up a service like this probably wouldn't go anywhere. Whether IT should actually consider an iPhone service over the more secure BlackBerry service is a different issue.
It's possible the OP is the head of research within his dept, or his dept does a lot of research that involves significant computer use, which is where his knowledge comes from. Depts like radiology, pathology and genetics may even have cluster computing systems for their basic science researchers to work with. These are the groups that usually pioneer new IT systems, not central IT; central IT's job is mostly to keep mission critical stuff going. Sometimes people will get the bright idea to set up their own mail servers or web servers -- things that should probably be more properly done by central IT -- but it certainly doesn't mean they don't know what they're doing. The OP's department wanted to set up their own iphone-compatible calendaring system and the hospital didn't offer them any solutions, so they learned how to set it up themselves. You'll note that central IT didn't tell him that what he was doing was against policy and he needed to shut the system down -- they only wanted access to it. This indicates to me that these types of things are allowed by central IT but that perhaps there are rules that must be followed. I'm running several servers in my dept (we are more on the academic side of the hospital than most), and I'd be pretty irritated if someone from central IT wanted an account to go poking around with, particularly since I've dealt with our helpdesk and I don't have confidence in their technical skill.
Finally, *if* the OP's server does not store any patient data and it does not have a direct connection to a system that does, then it does *not* violate HIPAA. HIPAA only applies to patient info that is considered "protected health information" (PHI), and the doctors' on-call schedule doesn't count. If the system *does* contain PHI, then they would be subject to HIPAA.
If I am reading this correctly, something does not really make sense. Going with the part about "...installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out,..."
If you tested it out and it worked, then I assume you were able to update your iPhone calendar with your setup. That being the case, you are using OpenLDAP for the accounts, your iPhone is working, and it sounds like you don't need the LAN access you are looking for if you take issue with issuing accounts to the people whose LAN you want access to. You are not using the company directory (if you are using OpenLDAP), you have a working setup, so what am I missing?
They didn't buy it, they don't maintain it, they don't use it. Let them scan it and check everything over, but don't give them login credentials.
Unfortunately it's just another IT department with a God complex.
I think not. If you want to put something on my network, I need to approve it *before* you connect it to my LAN. We get root/Administrator/whatever and you get user access to the application only -- certainly not console access. If you don't want us to have access, then don't put it on our network. That's not a god complex -- We're *responsible* when something goes wrong, not you. We're expected to make it go when it breaks, not you. When bad things happen it's our fault, not yours. As such, users *will* keep their greasy little paws off of *my* servers. Period.
If the OP's IT staff has a problem (e.g., they're morons or provide crappy service to their customers) then they should fix the problem, not start their own IT infrastructure.
The IT folks at the OP's site should implement NAC. That'd fix his wagon but good.
No device (mobile devices and laptops on my guest wireless network don't count) gets on my network without the explicit knowledge and approval of IT *first*. That's how it's supposed to be. Not because we like to annoy users, but because if we know about it, we can (gasp!) monitor and support it. We can also make sure it's not going to interfere with other network traffic or cause problems for other applications.
I've seen way too many rogue implementations over the years and, for the most part, they were far more problematic than any systems we knew about. Invariably it was IT's fault, of course. "So what if I didn't tell you that we hired consultants to install this Sun cluster and a half-dozen workstations eight months ago. Those consultants were costing way too much money so I fired them. But now it's broken! Fix it! How should I know what the root password is? You're IT! Figure it out!"
I'm sure the above paragraph will sound painfully familiar to many.
No, no, you're not thinking; you're just being logical. --Niels Bohr
Clearly the OP's question is a silly one,
but it is also clearly silly that these 'IT departments' control all systems in the first place.
Can you imagine the DESK PAPER department checking on what is on your desk?
Same thing for computers. It is a tool. If you know how to use it, you should be able to
You guys are REAL assholes. IT is meant to facilitate the needs of the users not to dictate the use of computers. You people give us real IT guys the bad name. Stop whining about users actually using the equipment and help them out. For crying out loud, he just needs a damn port open. It's only for a web calendar, which IT doesn't provide. The red tape involved to get these user-hating desk maggots to actually help out is probably monumental. Stop being a fucking barrier to progress and actually support the user.
As to the IT, why the hell do you want a login. You are better off not being involved with their system. They will support it, they will maintain it. It won't harm your precious network. Run a penetration scan against it.
IT is nothing more than janitors and mechanics. We keep things running. We support the business and drive it. We don't put a stranglehold on things to maintain some power. That is the quickest way to get yourself outsourced. Become a barrier to management and you will find out just how much you are needed.
I've been where you are now, and I've been the other side of it.
The problem is that IT have a bunch of standards that they have to obey. Those standards are there for good reasons, and ultimately stop the company infrastructure from degenerating into a mess.
What you (and the OP) have done is circumvent all those standards and create a mess. I know it works now, and it 'gets the job done'. But in 3-5 years you'll leave, and it'll stop working, and your VPs will ask/demand/scream at IT to come fix it, and some poor bastard will have to unpick all your work and migrate it to a stable state on stable platforms that actually allow it to work properly. That effort is going to cost a lot more than the 2 years and half a million dollars that it would take to do it properly from the start.
Basically, what your VPs have asked you to do will take 2 years and half a million dollars to do, at the cheapest. They either pay that now, or pay much more later fixing the mess you've just created.
You think you're doing good and helping the company make money. Trust me, you're not. Stop now and go back to the VPs and tell them IT stopped you from fulfilling their request and they need to go through IT to get it done.
Remember the Maker's Triangle: Quick, Cheap, Good...Pick 2. Ultimately, someone has to take your Quick & Cheap and make it Good, and that will be Slow and Expensive.
Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond
Just create a Google Calendar, share it among coworkers, sync with all your phones and be done with it? It's a fucking calendar for fuck's sake, why try to make it complicated? http://www.google.com/support/calendar/bin/answer.py?answer=37082
How exactly did you get approval to even plug in your server? My wife is a hospital pharmacist. She and the other pharmacists are kind of annoyed that they have to manually shake vials to reconstitute drugs when making chemo. This hospital doesn't allow techs to make chemo, so they are paying pharmacists $50/hr to shake vials. My wife finally convinced her boss to get a shaker. Anything that gets plugged in has to get a sticker from Materials Management indicating that the device has been tested and is safe to use. After sitting in Materials Management for 18 months they denied the shaker because they deemed that the location was too small because it didn't provide for the 6 inches of clearance all around as the owners manual had recommended. Never mind that the 6 inches of clearance was only on full power, well beyond a setting they would ever use. Also, there was adequate clearance on the back and sides, but the shaker would have been too close to the edge of the table by about 2 inches. Back to my original question, if something that is actually useful and would improve the productivity of the pharmacists, save the hospital money, and get drugs to patients faster can get denied for stupid reasons, how in the hell did this moron get permission to install his server just so he can have access to a calendar on his iPhone?
As I saw another poster mention, there is one simple reason why IT should never allow access to a machine that it does not control - HIPAA. Violating HIPAA is a serious infraction that will result in termination at any hospital. Being a hospital pharmacist my wife has to go into patient's records as part of her job. If she goes into some patient's chart, even mine, for any reason other than providing patient care, it would be a fireable offense. Hospitals lose a lot of stupid nurses because they look into charts of their friends, relatives, or neighbors. The computer system flags any time my wife accesses a chart for a person with the same last name because it could be a potential relative. (The closest relatives live 4 hours away.) So, every month she has to fill out paper work indicating the person was not a relative and that she was accessing the chart during the course of doing her job.
Whoever posed this question to Slashdot is a moron and needs to be fired ASAP.
There is another variation of this problem that's worth mentioning that involves hosted services. Individuals in the company may be tempted to create unauthorized individual accounts on cloud services and put company information there. Like the OP could have created a bunch of calendar accounts for his coworkers on some popular service. This has the potential to be even messier than the rogue in-house server case as the data is likely already non-compliant by being on some other organization's servers.
Another more minor issue is if the company decides to use such a service and create logins linked to the domain name. In that case there may be account clashes whereby the users must jump through some hoops to access their rogue account as well as the official one, since they may use the same email account to access both services.
Your eloquent response didn't answer the question. Would this prevent someone from running a packet sniffer?
That depends. On my network, unless your MAC address is configured to access the production network, you get kicked to the guest network with all the access to the Internet you like -- but no access to my production network. As such, you could absolutely connect a sniffer and, if it suited you, you could capture all the broadcast and multicast traffic you wanted *on the guest network*.
However, the network policies where I work aren't nearly as paranoid as I'd like them to be. If I had my druthers, any unapproved device plugged in to the network would get no access at all, in which case a sniffer would be completely useless.
Then again, if (and it seems that it is at OP's place of business) you're not using some form of NAC, then yes you could plug a sniffer into the production network. However, in a switched network (assuming the switch port in question isn't trunked), all you would see is broadcast and multicast traffic, plus any unicast traffic directed at you.
N.B., this applies only to a sniffer such as Wireshark. Using other tools in conjunction with the sniffer, coupled with knowledge of the network you're hacking could net you much, much more.
No, no, you're not thinking; you're just being logical. --Niels Bohr
I could say the same thing about Excel
I've seen spreadsheets with 20 sheets and 1000+ rows and of course nothing that can be normalised
With cause.
If you do not give them a login account they will use it to shut you down!
Grant the login account request and for security reasons you should require the following
password aging on the account. Password will need to be changed daily
password must be 18 characters none may repeat.
password must have at least one upper case character
password must have at least two non alpha characters
password may not contain blank spaces
password history kept forever, used passwords may not be re-used
login is jailed to user's home directory
login has a 15kbyte quota on the home directory
set no execute user stack variable in kernel
Make it so they don't want to log in. Security can be used to deter any unwanted access and is a non-arguable point.
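Taken at face value, the rules in the list above are mechanical checks, and the practical problem with them is not enforcing them but that nobody can use the resulting account. The following validator is an added example, not code from the poster or from any real PAM module: it encodes the stated rules (exact 18-character length with no repeated character, at least one upper-case and two non-alphabetic characters, no whitespace, daily expiry, and a permanent no-reuse history) so the effect of such a policy can be seen on concrete candidates. The history keeps only salted PBKDF2 digests rather than plaintext; the fixed salt and the rule names are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PasswordPolicy:
    """Assumed policy object holding the rules from the post plus a reuse history."""
    length: int = 18          # exactly 18 characters, none may repeat
    min_upper: int = 1        # at least one upper-case character
    min_non_alpha: int = 2    # at least two non-alphabetic characters
    max_age_days: int = 1     # "changed daily"
    history: set = field(default_factory=set)  # digests of every password ever set (kept forever)


def _digest(password: str, salt: bytes = b"constructed-demo-salt") -> str:
    # PBKDF2 so the reuse history never stores plaintext. A real deployment
    # would use a random per-user salt; the fixed salt here is a demo assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_password(policy: PasswordPolicy, candidate: str) -> list:
    """Return the names of the violated rules; an empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) != policy.length:
        problems.append("length")
    if len(set(candidate)) != len(candidate):          # any repeated character
        problems.append("repeat")
    if sum(c.isupper() for c in candidate) < policy.min_upper:
        problems.append("upper")
    if sum(not c.isalpha() for c in candidate) < policy.min_non_alpha:
        problems.append("non_alpha")
    if any(c.isspace() for c in candidate):
        problems.append("space")
    if _digest(candidate) in policy.history:           # used passwords may never come back
        problems.append("reused")
    return problems


def set_password(policy: PasswordPolicy, candidate: str) -> list:
    """Apply the checks and, if they pass, record the digest so the password can never be reused."""
    problems = check_password(policy, candidate)
    if not problems:
        policy.history.add(_digest(candidate))
    return problems


def is_expired(policy: PasswordPolicy, last_changed_iso: str, today_iso: str) -> bool:
    """Password aging: with max_age_days=1 the password must be replaced every calendar day."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed candidates: one that satisfies every rule, and a few that fail.
    for pw in ["Abc1!Def2@Ghi3#Jk4", "aaaaaaaaaaaaaaaaaa", "Abc1 Def2@Ghi3#Jk4", "short"]:
        print(repr(pw), set_password(policy, pw) or "accepted")
    print("reuse:", check_password(policy, "Abc1!Def2@Ghi3#Jk4"))
    print("expired next day:", is_expired(policy, "2024-01-01", "2024-01-02"))
```

The rule names returned by `check_password` are deliberately machine-readable so the same function can feed a login prompt, an audit log or a unit test.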
I work in the IT department for a level 1 trauma hospital and can say unequivocally you are completely off base with this one. There are rules we all must follow, but apparently you have trouble following the rules set forth by your IT department - which are there for specific reasons. Your "cowboy" approach could cause irreversible and catastrophic damage to all of IT and thereby potentially cause personal injury - or death - to patients. You should be ashamed of yourself.
If the IT person wants access to the system, it's to make sure that nothing is going to cause any harm to the network or infrastructure. Man up and give him access.
It's your equipment you have the right to decide who accesses it. It's their network, they have the right to determine who may access it. If you want to play with their toys you follow their rules... or buy the company and make your own rules.
But why can't the IT organization come up with "quick solutions"? Are there no people in IT who know more than me who could make something "as good" as the POS I cobbled together in a week or two?
Because you asked the IT staff for a solution that everyone in the business can use. So they were trying to make one that would be able to handle the load, and the stress, and the security requirements.
YOU, on the other hand, cobbled together a piece-of-shit implementation that will cause nothing but headaches over time, will crash when it hits the Windows filesize limitations, and that can't be used by anyone but you.
I also know this makes a mess for the IT department when they have to inherit the POS I made. But just imagine how much easier things would be for the IT folks if they would provide people to help with these quick solutions so that they are designed reasonably well and are easier to support. Considering how much time and effort they have to spend on the back-end of it, dealing with crappy databases and data, it would probably actually require less time and effort if they availed themselves at the front-end when the business needed a quick solution.
See above, you fucking incompetent nitwit. They offered you the solution that would WORK FOR THE ENTIRE COMPANY. You wanted everything now and for zero cost.
Fast, Cheap, or Correct. Pick ONE.
You've failed.
I used to sell outsourced IT. When we ran into an inflexible IT department that would not support new stuff (which at the time were PDAs and old-school Blackberries), it was almost a guaranteed sale. Why? When people hate something, they are willing to commit ritual suicide to get rid of it. Companies with IT departments that constantly veto business plans, treat users with contempt and basically are hated by everyone will give up a great deal of control to get rid of pain.
The way you beat outsourcers is to destroy their value proposition which is: "same thing you got, cheaper" or "same thing you got, without the pain in the ass"
Here's how you beat it: understand business reality and deliver a net positive. That's the part where revenues are down, and the company has to shrink/adapt/change/deal with new challenges. When a board is seeing IT as an outsource play, it means one of two things: either they can get the same thing, or they are sick of IT standing in the way. In either case, it means IT IS TIME FOR A SURVIVAL DEPENDENT CHANGE IN HOW IT DOES BUSINESS.
BTW - when you start seeing lots of SAAS invading your company... you are being outsourced.
-- $G
Are you a noob? If you have to ask then you have no business in IT.
Simple answer is your machine is a potential security threat to the entire intranet they have there. And you probably know that a network is as secure as the weakest node. BUT, there are other middle ground solutions to this and whether they can be implemented or not depends on how the IT has proactively designed their infrastructure for this. If they did not take into account the possibility that someone can add their own server inside their network you may ask them to do a LOT of work now. My advice would be to collaborate with them on this issue. You may be amazed how smart and inventive those IT guys are when you give them the opportunity to help you.
Val
I'm a Network and Security Engineering engineer for a large Health care organization.
Are you plugging your equipment into network equipment they own/operate? If so, they have every right to require the information they are asking for. Especially now that HIPAA fines are a reality. How can the organization know that you are patching and protecting the data on there? They can't, and anything going through their equipment is their problem.
I do understand you had a business need, but that's the tough part, balancing security and letting the business operate.
If you spent the money for this server and setup everything that is needed... why in the world would you ever consider bringing it into the office? I would just run the server from home. Tell the IT guy to F*&k off and just move forward.
Most of the comments above are 100% right on about how bringing your own devices into the office place and hooking them up to the network... It's a HUGE mistake.
Ehh. so make your life easier and host off site!
MAC addresses are configurable.
My point is, you have to be careful who you hire and then give them the resources to get their work done. In corporate IT, users are the customers, not the adversaries.
Godaddy is a scam and a ripoff.
See above, you fucking incompetent nitwit. They offered you the solution that would WORK FOR THE ENTIRE COMPANY. You wanted everything now and for zero cost.
Actually, we have about 500 users using the application in 30 countries, and the application is actually quite stable. In five years, we've only had a couple hours of unplanned downtime, and half of that was a Citrix server problem (out of my control). Most of our planned downtime has typically been for upgrading servers (moving from SQL2000 to SQL2008 servers, or from a single Citrix box to a farm of Citrix servers for the application) and happens on holidays.
When I started, we supported this process for 8 countries and it took over 3 weeks every month to do (we were doing it by hand, in multiply-linked excel sheets, checking things in and out of an "e-room"). Now we support 30 countries and complete the process in 5 business days (with about 10 times the amount of data and detail). We have daily backups and have never lost a piece of data that couldn't be restored within a day.
Every year or so, we keep going back to IT asking them to propose a replacement solution. We're not even asking them to "take over" what I've done, but to come up with their own way of solving the problem with whatever tools they want to use (Teradata/Cognos, in-house job?). After about 40 hours of meetings, they come back and say they can't do it (for any price). And unlike the first effort with them, we now have a working prototype that actually captures all the business requirements and business rules. We're now in a position to more clearly explain exactly what we need and they still can't or won't do it.
So, exists and doing its job, or doing it by hand waiting for a solution that will never come. Pick one.
Note, I'm not struggling with the entire IT organization. The people in IT who provide servers: SQL servers, shared-drives, and Citrix platforms, etc. are fantastic. I ask for what I need and they work with me to clarify what's actually needed then cheerfully provide it. I couldn't keep this going without them.
I have 2 words for you... hipaa and DMZ
The fact that you felt you needed to create this server in the first place means that you and your IT department are not working together. If there is a need for something from the clinical side, whether that is scheduling or medical records, then your IT department should be working with you to get what you need. If you don't have that kind of relation with your IT department then you need to build it. If it's your fear that's the problem then you need to suck it up and deal with what IT's policy is. If your IT group is being difficult and not working with the clinical side then you need to help find ways to create a better IT group.
Don't forget that the IT department is a service group; if they are not servicing your needs then they aren't doing their jobs. As distasteful as that might be to admins like myself, that's the truth. That doesn't however give the right to mistreat them, just a reminder that they are there to facilitate the organization as a whole.
Cutting off the IT group is no solution, just the same as the IT group cutting out the clinical side is no solution. Work together and if you feel strongly enough about IT then step up and become a liaison between the IT group and clinicians.
C. Particle
Yes, HIPAA applies heavily... but there's the other question: does IT have any *Nix expertise, or are they all Windows (and maybe Mac)? If no *Nix, then the issue is that they have no idea of what to look for, and will a) want to misapply Windows criteria to a *Nix system, and b) want to take it over and make it M$.
mark
Yes, you should give IT a login on your rogue server. A root login. And you should beg their pardon for setting up a server on their network without their permission. How are they supposed to run their network and keep it secure with people like you popping up servers in every nook and cranny? (Rest assured you're not the only one.)
Stop with the anarchy. If I were running IT there, I'd give you 3 minutes to turn that box over to the people who run boxes like that for a living or get your whole department removed from the network.
but you will lose the war. either continue building a kingdom or start looking for a new job.
This whole conversation has gone way off base. The unasked core question should be "How do I get a working scheduling solution without the assholes in IT saying NO?" I think we can all agree that in most organizations the IT department is a huge roadblock to progress. This occurs for many reasons but the simple truth is that it is not usually in the best career interests of most IT managers to be flexible. IT is rarely rewarded for a problem free IT department; in fact most IT departments that run flawlessly probably suffer cutbacks. But IT is punished for any problems. New things cause problems thus new things are bad. Thus in order to make the original poster happy he would need to get the top management reinvent the entire incentive program for the IT department.
Most IT heads would rather roadblock some low level employee instead of having to explain to the CEO that payroll will be a few days late because the experimental add on to the accounting system blew up.
I had a similar problem with ports years ago. A company that I worked for had a new huge project involving ship to shore communications. This required opening up a few ports to match the client set up. IT would have none of this. So my team rented the office next door and got a simple commercial account with an ISP and a dlink router. The sales people marveled at how stunningly fast our connection was (T1 as compared to the dual ISDN shared by 50 people) and 3 moved to our space next door in the first week and cut themselves off from the company net. Our IT guy was desperate to take over our net which he clearly stated would involve cutting off our "rogue" port use. By the end of the project we ended up hiring a full time administrator who bought some better routers and whatnot. About 15 staff were working out of our space to get the better speed with the old IT screaming about security risks the entire time.
Long battle cut short our IT guy replaced the old IT guy and our network entirely replaced the company network with all the old servers being sold. (good riddance Novell)
When we tossed the ISDN lines the telephone company guy said we had been almost the last users of ISDN in the city. The old IT guy never had any money issues and I never understood why he refused so vigorously to keep up with reality. But the moral of the story was that he thought it was best for the company to dump a 23 million dollar project to keep a few ports closed.
PS the old IT guy did know how to manage a network; just wouldn't.
You have to look at the reasons why IT Fiefdoms develop.
On the one hand it's because information is power, so it's no wonder every department head wants their own info server and databases.
On the other hand it may be because "Official IT" is too slow-moving and conservative. Ever had the meeting with Dr. No? Incredibly frustrating.
So what if IT services had a few 007 types (special agents) whose job was to "GET THINGS DONE AS WANTED, FAST" for the departmental stakeholders, while the special agents themselves were totally expert at and immersed in the safe practices of IT. I'm not talking about fixes of broken things here. I'm talking about rapid (but security compliant) implementation of new small info systems that departments need.
I'm talking agile.
Now wouldn't that be refreshing.
Where are we going and why are we in a handbasket?
I also know this makes a mess for the IT department when they have to inherit the POS I made. But just imagine how much easier things would be for the IT folks if they would provide people to help with these quick solutions so that they are designed reasonably well and are easier to support. ...
Actually, we have about 500 users using the application in 30 countries, and the application is actually quite stable. In five years, we've only had a couple hours of unplanned downtime, and half of that was a Citrix server problem (out of my control). Most of our planned downtime has typically been for upgrading servers (moving from SQL2000 to SQL2008 servers, or from a single Citrix box to a farm of Citrix servers for the application) and happens on holidays. ...
Note, I'm not struggling with the entire IT organization. The people in IT who provide servers: SQL servers, shared-drives, and Citrix platforms, etc. are fantastic. I ask for what I need and they work with me to clarify what's actually needed then cheerfully provide it. I couldn't keep this going without them.
Something you are saying here does not compute.
Seems you're getting a TON of support from IT with servers, from what should be a server-side application. Especially since you admit it already ties in to their existing databases.
Seems also, your little app requires a significant amount of money (in either parts or time monitoring) to support it.
Seems also, you admit that you gave incomplete design specs in your initial proposal and may still be doing so each time you propose it.
Seems also, we are still missing information from you. You say it's not the "entire IT organization." What are you doing, submitting this to the rejected Indian monkeys running your frontend helpdesk whose primary job is to handle people who are having "trouble" opening their email?
Have you submitted this to the head of IT? Or to the head of the server support desk? Or if not, where HAVE you been submitting it to?
I don't think it's IT's fault you are having this trouble. I think you're either holding information back from them deliberately, or you're so bad at communication that they can't make heads or tails of your proposals, or you're talking to the wrong damn people who are already under-budgeted and overloaded with crap from every OTHER person at your company that operates in this fashion.
MAC addresses are configurable. My point is, you have to be careful who you hire and then give them the resources to get their work done. In corporate IT, users are the customers, not the adversaries.
Yes, I am aware that MAC addresses are configurable. In fact, I use LAA (Locally Administered Addresses) for a number of purposes. Most of my users wouldn't know a MAC address if it came up and bit them.
Then again, I don't (at least not right now) work for a technology vendor. I have done so in the past and it adds additional dimensions to the IT management environment. In those circumstances, technical people will be given wide latitude to manage and implement on their own workstations and on development/engineering networks. I've been on both sides of that and, as a rule, that arrangement works well. On a production network however, I stand by my original statement: "Users *will* keep their greasy little paws off of *my* servers."
It is very important to hire trustworthy people. However, even scrupulously honest and reasonable people can do non-optimal things because they don't understand the implications of their actions. Anyone (other than appropriate IT staff) installing a sniffer has moved out of the realm of "non-optimal" to "potentially criminal."
I work for a large law firm and lawyers are notorious for thinking they know better than everyone else. At the same time, they need to generate billable hours, which limits their interest in running IT for themselves. That certainly doesn't stop them from making "helpful" suggestions. The solution here, just like any professional services environment, is for IT to get the bullshit out of the billable resource's way to give them more time to do their job -- generating revenue.
If you wanted to make a point about end-users being customers, then you should have said so in the first place. That is, of course, quite correct. I treat my customers with respect and do everything I can to exceed their expectations. Most of the time, I succeed. However, that has to be a two way street. Sometimes users do stupid things (as do IT people). I've had users forwarding confidential emails to personal email accounts, abusing the network and all manner of dumb stuff. The appropriate way to handle this is to discuss the issue calmly with said customer, gather their requirements and determine an appropriate solution.
That said, when a user tries to do an end run around IT, it's usually because they're doing something they know is inappropriate, has a huge ego, and/or isn't getting the appropriate support from IT. None of these are good reasons for circumventing the IT process for all the reasons detailed by me and other folks on this thread.
My language was colorful and certainly doesn't reflect how I would address my customers. However, you (and the OP for that matter) aren't my customers. The ire expressed by many on this thread is understandable, mostly because the few bad apples who go outside the IT process are the first ones to blame IT for the failure of the rogue implementation that the user spent significant time trying to hide from IT.
All in all, a well management environment and a responsive IT staff can head off these issues 95-99% of the time.
No, no, you're not thinking; you're just being logical. --Niels Bohr
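Two technical points in this thread lend themselves to a concrete check: the earlier observation that a passive sniffer on an ordinary switched access port sees only broadcast, multicast and unicast frames addressed to it, and the remark above about Locally Administered Addresses. The script below is an added example, not code from either poster: it classifies Ethernet destination addresses by the I/G bit of the first octet, reports which of a constructed set of frames a given listener would observe, and flags source addresses with the U/L bit set, which a NAC operator may want to review because they are set by software rather than burned into the card. The frames, MAC addresses and function names are constructed for the example; unknown-unicast flooding by the switch is deliberately left out, as the post describes the steady-state case.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_mac(text: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting anything malformed."""
    parts = text.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def classify_destination(mac: str) -> str:
    """Broadcast is all-ones; multicast has the I/G bit (0x01) set in the first octet."""
    octets = parse_mac(mac)
    if octets == b"\xff" * 6:
        return "broadcast"
    if octets[0] & 0x01:
        return "multicast"
    return "unicast"


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02) set means the address was assigned by software, not the vendor OUI."""
    return bool(parse_mac(mac)[0] & 0x02)


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    proto: str  # label only, for readability of the output


def visible_to_listener(frames, listener_mac: str) -> list:
    """Frames a passive sniffer on a non-trunk, non-mirrored access port would see:
    every broadcast and multicast frame, plus unicast frames addressed to the listener."""
    listener_mac = listener_mac.lower()
    return [
        f for f in frames
        if classify_destination(f.dst) != "unicast" or f.dst.lower() == listener_mac
    ]


def locally_administered_sources(frames) -> list:
    """Distinct source MACs with the U/L bit set, in order of first appearance.
    A heuristic only: virtual machines and deliberate LAA schemes also set this bit."""
    seen = []
    for f in frames:
        if is_locally_administered(f.src) and f.src.lower() not in seen:
            seen.append(f.src.lower())
    return seen


# Constructed sample capture: the listener uses a locally administered address.
LISTENER_MAC = "02:00:00:aa:bb:cc"
SAMPLE_FRAMES = [
    Frame(BROADCAST,           "02:00:00:aa:bb:cc", "ARP"),    # broadcast, sent by the listener
    Frame("01:00:5e:00:00:fb", "00:1a:2b:3c:4d:5e", "mDNS"),   # IPv4 multicast
    Frame("02:00:00:aa:bb:cc", "00:1a:2b:3c:4d:60", "HTTPS"),  # unicast to the listener
    Frame("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60", "SMB"),    # unicast between two other hosts
    Frame("00:1a:2b:3c:4d:61", "00:1a:2b:3c:4d:5e", "DNS"),    # unicast to a third host
]

if __name__ == "__main__":
    for f in visible_to_listener(SAMPLE_FRAMES, LISTENER_MAC):
        print(f"{f.proto:6} {f.src} -> {f.dst} ({classify_destination(f.dst)})")
    print("locally administered sources:", locally_administered_sources(SAMPLE_FRAMES))
```

Running it lists only the ARP, mDNS and HTTPS frames for this listener and flags the single software-assigned source address; the SMB and DNS traffic between other hosts never reaches the port.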
if they don't need root access, what could they possibly need ANY access for? Make an SSH honeypot and give them an account there... that's what I would do. Betting it will be months, if ever, they figure it out.
You come off as a bit of an asshole (Indians are people, not monkeys), but I'll answer your questions anyway.
So at my company (a Fortune 500), if you want/need things like shared-drives, generic email accounts, Citrix platform for an application, a sql server database, you submit a request and it gets made. I think of this as the "operational infrastructure" of our IT organization.
Now, it's up to you, as the user, to build that database, populate it with tables, views, stored procedures, etc. They won't help you with that. Just like if you ask for a shared drive, they won't make the files that you want to store in it - that's up to you. However, they do handle day-to-day backups of that database and will do restores as needed. And yes, there are costs for these services - and our department is billed for those. I never said we wanted anything for free.
We also have another part of our IT organization who take care of the data and reporting part of the business ("Business Intelligence", I suppose). They manage all the various systems that capture data out of our transactional systems (e.g. SAP) and make reports based on that data. This is the part of the organization that should be providing a tool or system that does what our "home-built" system does.
So this application is essentially a "balanced scorecard" tool. In a nutshell, it's standalone (not attached to other databases) and allows for data to be keyed in or loaded via excel and produces PowerPoint decks and Excel reports. There are also some trivial administrative forms that allow for things like users checking boxes to indicate the data from their country is ready for reporting. The key requirement is that it has to be flexible. If the primary VP for this reporting wants to see a new report or changes to existing reports, we need to be able to turn that around in a week or two, not several months. The other key challenge is that it has to handle data that isn't provisioned through the certified data paths. Some data that needs to be reported simply does not exist in any current systems and is the result of offline analysis or it may be in systems that are otherwise not connected (not even all the "sanctioned" systems inter-operate). We have to report based on that data, so it gets loaded via a manual process of some kind. And there's no way to avoid that.
We've engaged several times with the BI team (the appropriate part of the IT organization for this kind of proposal... and yes the VP of IT is aware of the situation) to see how they can try to support our needs. Again, I'm not asking them to take over the application we've built, but instead come up with their own proposal based on approved systems and tools.
Each time, we provide a detailed list of requirements (must haves, really should haves, and like-to-haves) along with use cases, example reports, lists of source-systems for data, etc), with lots and lots of meetings to clarify what we're asking for. And then we ask them to propose an "approved" solution (approved meaning one they will support and manage). And that's where it hangs up.
But here's the challenge. From my end, regardless of the tools and methods available, I'm required to collect data from global systems and from 30 countries and then prepare decks of reports (up to 20 pages each) for each of those, usually by the 10th of the month. I can do that manually with linked excel sheets, vba macros, and checking files in and out of e-rooms (like sharepoint)... and if that was the only way to do it, I'd still be expected to do it (though I don't think it would be possible to do now - with all we have to do). On top of all that, we have to provide ad-hoc analysis based on our data, because management may want to explore specific details of potential problems.
Now, I've seen the threads here about how bad it is for businesses to "store" data in excel sheets and I agree. A database is the right place to store data. So we asked for a database and "report building" solution. We were told it couldn't be done (or could only be done for an impossible amount of money and in a very long time), so we did it ourselves... because we had to or we'd have to do it all by hand.
So, what would you do (aside from quitting)?
I am part of the IT staff in a hospital. Once I needed a MR-Scan urgently, but the machine is always occupied and so I had to wait 3 weeks to get an appointment. I decided to buy a MR by myself and took pictures from myself and some other patients of the hospital, but after comparing the pictures with ones from google images to find suitable medication, the hospital staff said, I am not qualified to prescribe medication....should I ignore them and order meds online?!?! My fellow slashdotter, this (satirical) story is only to convince you, that by setting up a server by yourself, you will end up in a big pile of poo-poo, if something goes wrong. Especially in health care, where data is highly sensitive, NOBODY should be able to bypass security policies....and this is what you do, by setting up your own server (without putting it into the DMZ and ignoring other security principles as well) If I would be working in your IT dept. I would sure find a suitable LART which could be applied, so give your dept. root access, and I am sure they find a way to get rid of your server.
You come off as a bit of an asshole (Indians are people, not monkeys), but I'll answer your questions anyway.
I refer to the morons who get my order wrong consistently at the drive-thru as monkeys, too. As in, "trained monkeys could do this job and probably are." ...
We've engaged several times with the BI team (the appropriate part of the IT organization for this kind of proposal... and yes the VP of IT is aware of the situation) to see how they can try to support our needs. Again, I'm not asking them to take over the application we've built, but instead come up with their own proposal based on approved systems and tools.
Each time, we provide a detailed list of requirements (must haves, really should haves, and like-to-haves) along with use cases, example reports, lists of source-systems for data, etc), with lots and lots of meetings to clarify what we're asking for. And then we ask them to propose an "approved" solution (approved meaning one they will support and manage). And that's where it hangs up.
If I am reading your previous statements correctly (and I am pretty sure I am), what actually happened is that BI responded to your request with a proposal of a certain scope - probably including the cost of hiring someone to maintain it and purchasing hardware on which it would run. Their quote may even have included a quote cost from OI for server purchases, personnel that OI wants, etc.
Then, you told them it would take too long and be too costly, and you opted to use your own salaried hours from your own department to create an alternate front-end (which you then tied into the existing database setup available from the other side of IT) that consists of a semi-rogue install. Is that somewhere near the neighborhood of an accurate guess? For that matter, what sort of cost comparison have you made between the server-maintenance costs from OI and hours used on maintenance by your own group for your own solution, as opposed to what you were quoted by BI?
But here's the challenge. From my end, regardless of the tools and methods available, I'm required to collect data from global systems and from 30 countries and then prepare decks of reports (up to 20 pages each) for each of those, usually by the 10th of the month. I can do that manually with linked excel sheets, vba macros, and checking files in and out of e-rooms (like sharepoint)... and if that was the only way to do it, I'd still be expected to do it (though I don't think it would be possible to do now - with all we have to do). On top of all that, we have to provide ad-hoc analysis based on our data, because management may want to explore specific details of potential problems.
(paste from earlier in same)So this application is essentially a "balanced scorecard" tool. In a nutshell, it's standalone (not attached to other databases) and allows for data to be keyed in or loaded via excel and produces PowerPoint decks and Excel reports. There are also some trivial administrative forms that allow for things like users checking boxes to indicate the data from their country is ready for reporting. The key requirement is that it has to be flexible. If the primary VP for this reporting wants to see a new report or changes to existing reports, we need to be able to turn that around in a week or two, not several months. The other key challenge is that it has to handle data that isn't provisioned through the certified data paths. Some data that needs to be reported simply does not exist in any current systems and is the result of offline analysis or it may be in systems that are otherwise not connected (not even all the "sanctioned" systems inter-operate). We have to report based on that data, so it gets loaded via a manual process of some kind. And there's no way to avoid that.
If your proposals are as accurate as you claim (and I'm getting a better idea of what you are looking at here), it sounds like the problem is still that you aren't talking to them in
As others surely have mentioned already, the IT-department shouldn't have asked for a login-account on your private computer.
They should have told you to take your privately owned computer off the hospital network.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
I've been working in IT for 10 years and the past 4 as an IT manager in a Health Care organization.
If you wish to keep your job you should drop this immediately I'd even recommend taking the server off the network.
You have a rather large HIPAA violation brewing here. Under no circumstance are you allowed to store company data on personal equipment. This is a huge violation. If you push this any further someone farther up the chain is going to find out and there's a VERY good chance you WILL BE FIRED over this. At the very least you should expect an encounter with your compliance department in the next few days.
This should go into dailywtf. And should get the first prize. And the OP fired. The sooner the better.
I'm in a small office in the legal field and have run into similar situations. In my case, I installed the software on a spare machine with IT's blessing. He (the department of one) was happy to have one fewer server to set up and appreciated the respect I showed by keeping him in the loop.
Being in the legal field, the last thing I wanted was to have my ass on the line for a rogue machine on the network. Get IT on your side now and CYA for later.
It's probably also AGAINST THE LAW. Christ. Submitter is an unmitigated moron. People are going to jail for HIPAA violations and you want to dump any old crap on the hospital network for a CALENDAR? Just use an external web based thing ya moron. Try Google Apps.
Did you read your comment before posting?
Do you really think that using Google Apps to maintain appointments (which might be medical related such as "do 'x' surgery on patient 'y'") is acceptable under HIPAA?
You must be one of those people who use their personal laptop on the company LAN and use GMail for 'saving' company documents...