Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Businesses Networking Privacy IT

Why Should I Trust My Network Administrator? 730

Posted by timothy
from the hire-two-and-aim-them-at-each-other dept.
Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"
This discussion has been archived. No new comments can be posted.

Why Should I Trust My Network Administrator?

Comments Filter:
  • by HunkyDory (806866) on Thursday August 13, 2009 @04:51PM (#29058375)
    If it was really a worry, why outsource it in the first place?
    • by betterunixthanunix (980855) on Thursday August 13, 2009 @04:57PM (#29058483)
      I would guess that it costs less to outsource this sort of work than to try to keep your own full time IT staff employed. I might be wrong though.
      • by rtfa-troll (1340807) on Thursday August 13, 2009 @05:32PM (#29059013)

        I would guess that it costs less to outsource this sort of work

        That's true. It's mostly a tax and shareholder benefit (you don't have assets and depreciation (CAPEX) instead you have costs and service charges (OPEX)) but it's also true that since the outsourcing company probably works for several other companies they can share costs and normally come in cheaper.

        This means that it's a simple calculation in theory. If the extra cost of doing on site administration properly, or at least better than the external company, is more than the value of the information (asset) that might be lost times the chance of it being lost (risk) then forget about it. There's a slight chance might save your company money, but you guarantee to lose it some money.

        Simply put; in business, especially start ups; there's always risk. If you have a fire in your office your company is probably dead. Probably there's a key person in your team who, if he leaves, will stop the company working. List all the risks you can think of and handle those risks where you can get the best benefit for the least money. Do that in the cheapest way possible (maybe a contract change will reduce the risk of your administrator to a reasonable level). It is possible that there's some special data where that risk is the system administrator in which case you might be worth adding extra protection. For the rest just accept the risk and move forward.

        In the end; you seem to be the responsible manager. You have to calculate the above things to your satisfaction and spend your money to make things work best taking into account all possibilities and not just this one. Since we don't have enough information about the information we can't really help you.

        • by Nefarious Wheel (628136) on Thursday August 13, 2009 @05:47PM (#29059213) Journal

          In the end; you seem to be the responsible manager. You have to calculate the above things to your satisfaction and spend your money to make things work best taking into account all possibilities and not just this one.

          Absolutely correct, it' all about risk management.

          You can't outsource responsibility to your shareholders, though, and that has to be added to any risk equation.

          One of the risks that has been rearing its head lately about outsourcing critical data is that data security walls seem to be thinner the further afield you go. It's especially bad where bribery is an entrenched part of the economy. Bottom line: if you don't have good reason to trust your outsourcer then don't trust them with your data. It's the keys to the till and should be as carefully controlled.

      • by Opportunist (166417) on Thursday August 13, 2009 @06:00PM (#29059393)

        Does it cost less than the loss of the IP, in case the outsourced staff is crooked?

        Another case of ignoring "risk" when assessing cost.

        • Re: (Score:3, Insightful)

          by pclminion (145572)
          "IP loss" does not exist. At least not loss of copyright, patent, or trademark rights. If somebody infringes your IP, you sue them. I don't really see what the problem is, unless all of your IP is kept as a trade secret such that third party disclosure completely fucks you. Copyright your software, patent what's patentable, and stop being so damn paranoid. Do you think some company could actually start up, using your software and patented methods, and steal your customers, and you won't NOTICE? Are you jus
          • by mcrbids (148650) on Friday August 14, 2009 @12:29AM (#29062277) Journal

            "IP loss" does not exist. At least not loss of copyright, patent, or trademark rights. If somebody infringes your IP, you sue them. I don't really see what the problem is, unless all of your IP is kept as a trade secret such that third party disclosure completely fucks you. Copyright your software, patent what's patentable, and stop being so damn paranoid. Do you think some company could actually start up, using your software and patented methods, and steal your customers, and you won't NOTICE? Are you just completely oblivious to your own market sector or something?

            Spoken like somebody who's never owned any significantly important, private information.

            Information leaks can devestate a business, and I'm not just talking credit cards. Let's say that you have AIDS, and somehow, that very private information leaks. Let's say that you are a private school, and you are teaching Nicholas Cage's kids, but under assumed names. What if one of the kids has some kind of mental problem, or is a hermaphrodite? You think that keeping this information free from the prying eyes of the Papparazzi isn't a very, very high priority?

            You can build a very nice, successful business simply by making discretion your focus point, adhering to industry & security best practices, and promoting the h*** out of it! If you combine that with a premium technical service, like *nix system administration or mainframe maintenance, you're pretty much free to fill the blank checks they'll give you.

            But if you do, don't ever, ever, ever let your security be compromised! I've said this many times: "My basic plan is to get into positions of trust, and then never, ever, ever, violate that trust".

          • Re: (Score:3, Interesting)

            by Opportunist (166417)

            You're a pharma startup. $big_global_pharma_corp steals your research.

            Good luck suing. By the time you might get close to getting a positive verdict, your company has been in chapter 7 for long enough that it doesn't exist anymore.

    • by egcagrac0 (1410377) on Thursday August 13, 2009 @04:58PM (#29058509)

      Mod parent up.

      Either you trust your outsourcing company to do what they do how they do it, or you hire an admin to be on site.

      Disclosure: I'm an on-site admin, because the company I work for doesn't trust outsiders.

      • by JimMarch(equalccw) (710249) on Thursday August 13, 2009 @06:32PM (#29059747)

        Whether it's an "insider" who works for your agency or an outside contractor, it doesn't matter: either way you have to trust somebody.

        The only solution that makes sense is an audit trail that records file transfers and can't itself be modified - which is a real bitchkitty to implement. Does anybody know of any decent products that cover both servers and workstations?

    • Re: (Score:2, Insightful)

      by Z00L00K (682162)

      Exactly - Don't outsource if you are wary about your data.

      There will not be any personal responsibility and the consultants working with your IT system will change over time and responsibilities will never stick.

      You can end up in a long period of disagreement about what's not in the written agreement while the systems grinds to a halt. And the "paperwork" for getting things done can be horrible. An emergency fix can take ten days and be executed by someone in a different country that has a hard time underst

    • by Moryath (553296) on Thursday August 13, 2009 @04:59PM (#29058525)

      Basic advice: Make sure your CONTRACT specifies what they can and can't do.

      If they break the contract, they (and anyone they did it on behalf of, including if they sell the info to some competitor later) are in for a world of legal hurt.

      You agreed to outsource this rather than hire someone to do it in-house. Either cough up the money on lawyers to make sure your butt is protected legally, or hire someone yourself who works just for you and is directly accountable to you.

  • by kperrier (115199) on Thursday August 13, 2009 @04:51PM (#29058379)

    You could mandate on-site support only, but you will get charged out the yang for it.

  • by Dr_Harm (529148) <(moc.oohay) (ta) (mrahdm)> on Thursday August 13, 2009 @04:51PM (#29058385) Homepage
    If you're concerned, ask them to carry a performance and fidelity (aka surety) bond.
  • by jasenmh (125829) on Thursday August 13, 2009 @04:52PM (#29058395)

    That's the service they are offering. If you want someone to be on property so you can look over shoulders, hire an IT staff.

  • Facepalm. (Score:5, Insightful)

    by SatanicPuppy (611928) * <Satanicpuppy@@@gmail...com> on Thursday August 13, 2009 @04:52PM (#29058401) Journal

    Either that, or learn to do it your damn self.

    Obviously you want to find someone reputable, and bonded, but you're never going to get to a point where you can have a network infrastructure that is secure from the people who do your network infrastructure.

    I've had enough experience with paranoid managers who hysterically insist that I'm reading their email, or their online banking passwords and crap like that. You think that some schmuck who is working fixing problems remotely really gives a crap about the plans for your Facebook-killer? Think that they care about your boring ass emails? You think they care about your customers??!? Are you kidding? You obviously don't sell networking, so what would be in it for them? Selling a customer list is like selling a used phone book.

    No outsourced company is going to send a person to your building every time there is an issue, and frankly, you don't want them to because they'll charge you out the ass for that sort of service. Even if you did decide to pay the price for in-person service, anyone who is out to screw you will be able to screw you while you're watching them over your shoulder, because you won't know what to look for.

    If it's really that important to you, bring it in house. And, word of advice, if you do bring it in house, don't treat the guy like a criminal or he's going to start reading your email.

    • Re:Facepalm. (Score:4, Insightful)

      by nine-times (778537) <nine.times@gmail.com> on Thursday August 13, 2009 @05:49PM (#29059239) Homepage

      Either that, or learn to do it your damn self.

      Right, and it's not just an issue of outsourcing. The reason you should trust your network administrator is that you *have to* trust your network administrator. Whether it's in house or outsourced, you have to trust someone to do the work. The only alternative is to do it yourself-- like literally you, personally.

      If I'm your network administrator and I come into your office and work for you directly, I could still read your emails, steal your IP, etc. You could ask me to set up the security so that I can't do that, but you still have to trust me to do that well and not leave a back-door for myself. Also, you should understand that it might inhibit my ability to do some things. For example, if I encrypt your disk so that I can't even access it myself, and then you lose the password, I won't be able to recover anything on your hard drive. Sorry.

      So that's the deal. You can try to institute some checks and balances, but there's a certain amount of trust inherent in the job. If you're concerned about security, then make the effort to find people that you can trust, and recognize that you might have to pay extra for better employees. It's an issue of what your priority is when you hire someone (or hire an outsourcing company). Which is most important, getting the person you trust most? Getting the person with the best resume? Getting the cheapest solution available?

      Those might be 3 different people. Under most circumstances, I'd pick the person I trust.

  • by Anonymous Coward on Thursday August 13, 2009 @04:53PM (#29058411)

    At some point, you're going to have to trust SOMEONE
    Can you trust your Significant Other not to get all stabby when you are in bed sleeping?
    Can you trust the drivers on your commute route not to suddenly get out their guns and start shooting at you?

    It's all risk management. If you have super-important data, then don't farm out the management to someone you don't trust. If you have regular data, then farm it out to basically anyone.
    SH*T happens... but if you are paralyzed with fear that bad things are going to happen because nobody is as trustworthy as yourself, you aren't going to be leaving your house.

  • by Anonymous Coward on Thursday August 13, 2009 @04:54PM (#29058419)
    For the same reason you trust your accountant.
    Tell me, do you trust your sales people with your customer database? In my experience, they're the ones to watch.
  • by tlambert (566799) on Thursday August 13, 2009 @04:54PM (#29058423)

    That is an incredibly dumb question.

    You should trust him because, as the manager of the startup, it is within your area of responsibility to ensure apriori that the people you hire to do this are trustworthy, or you are simply not doing your job and you should be fired and replaced with someone who can. Since your company is already on a path for doing outsourcing, I am sure your job could be outsourced to someone more competent in Bangalore.

    -- Terry

    • by thomasinx (643997) on Thursday August 13, 2009 @05:03PM (#29058595)
      There are no dumb questions.

      He's here asking for advice, so give it to him. Even though most of the people who read/post this board are heavily involved with IT, and it might be a common sense answer, the fact is that to this person it isn't as simple a solution.

      In many cases, people have sensitive information that they are handling on their servers, and whether or not to trust the IT staff is a valid question. (not all geeks are trustworthy). Also, in many cases, (especially with startups) they dont have the resources to hire on-site IT staff, so they have to outsource it. It introduces a dilemma that many will have to deal with.

      -T
      • Re: (Score:3, Funny)

        by owlstead (636356)

        "There are no dumb questions."

        Oh, yes there are. I remember in college that we all had a laugh when each and every professor told us this. Problem was this guy who was really good at learning things but had zero capability for performing logic thought. And this being a computer science study, we sure had a lot of fun when the professors subsequently tried to explain things to him after his "not dumb question".

  • by Blackneto (516458) on Thursday August 13, 2009 @04:54PM (#29058429) Journal

    I do a lot of remote support for my customers.
    I also make sure I get face time with them.
    Learning the work-flow of a company is very important when it comes to administering their network.
    If the company you are hiring doesn't schedule regular visits than i wouldnt trust them to work in your best interests.
    I'll add this as well. audit them periodically. Hire another company to check up on them.
    My customers do this and I've received good feedback from the customer and the auditor.

  • by Narcocide (102829) on Thursday August 13, 2009 @04:55PM (#29058447) Homepage

    Seriously? You're thinking about this now AFTER they've put the whole network up with all remote access enabled?

    What the hell makes you think they can't steal all your crap in person? Even if you assigned someone to watch every move they make it would be difficult for novices to even be able to recognize data theft happening as they watched if it happened through a command-line interface.

  • Hold them accountable. Track everything they do, and audit that it was in fact necessary and honest. Get a contract that holds them liable for damage they cause.

    Outside of these terms, I'd suggest that you are absolutely right. The IT company that I cut my teeth under would have had no oversight of this kind of access whatsoever. Their employees would have been accessing your files from home, for kicks, in-between rounds of Unreal Tournament.

    On a side note, aren't you legally obligated to monitor this a

  • And this is different from hiring an employee to keep your IT support in-house? If anything, an external provider is less likely to be a nutcase [news.idg.no] or otherwise disgruntled enough to take punitive action against you. What about your cleaning staff? Your office security firm? Your hookers?

    Security is important, but there can be a tendency for entrepreneurs and startups to over-vector. Pick a respectable vendor. Trust them, and keep an eye on their work.
  • by IgnacioB (687913) <matt_c_watkins@yahoo.com> on Thursday August 13, 2009 @04:57PM (#29058493) Homepage
    If you think watching over their shoulder of a person that you aren't sure you trust will make a difference...it probably won't. If they're bent on stealing stuff they just put in a back door in the 4 seconds you're not watching them like a hawk and probably wouldn't catch anyway. You should probably back and decide how much of a risk it is to outsource the admin gig to begin with. If your files are that valuable maybe your business model should afford somebody you can trust and see on the payroll with stock options. Perhaps you need two admins. One the outsource company that obviously would have technical abilities you don't have, but maybe another one that you do trust that at least has minimal abilities to at least monitor for anything unusual?
  • Who do you trust? (Score:4, Insightful)

    by Spazmania (174582) on Thursday August 13, 2009 @04:58PM (#29058499) Homepage

    Do you trust your bank with your money? Even though they don't keep it at your business and you can't stand behind them and watch what they do with it? Your fortune is at stake. Why do you trust them?

    Do you trust your grocer to give you clean, fresh meats? Even though you can't go in the back,
    see how they're stored and watch them being cut? Your health is at stake. Why do you trust them?

    Do you trust your pharmacy to give you the correct medication? Even though you dropped the prescription off, will pick it up later and don't know the look of one pill from another? Your life is at stake. Why do you trust them?

    I trust I've answered your question.

    • by dkleinsc (563838) on Thursday August 13, 2009 @06:12PM (#29059541) Homepage

      No, you haven't. The answer to the first question is FDIC. The answer to your second and third questions is the FDA. There's no such regulatory agency for IT.

    • Re: (Score:3, Insightful)

      by demonlapin (527802)
      All three of those are audited and subject to civil and criminal penalties for failure to do their jobs. Is that what you meant?

      Incidentally, my butcher has a visible thermometer in the case (and based on the feel of the meat, it's right) and cuts it right in front of me. And it's actually pretty easy to use pill markings to look up what it is.
    • Re: (Score:3, Interesting)

      by seifried (12921)

      Do you trust your bank with your money? Even though they don't keep it at your business and you can't stand behind them and watch what they do with it? Your fortune is at stake. Why do you trust them?

      Do you trust your pharmacy to give you the correct medication? Even though you dropped the prescription off, will pick it up later and don't know the look of one pill from another? Your life is at stake. Why do you trust them?

      Yes, because they are regulated industries and professions, they are well understood (we've been doing banks and pharmacies for many decades), we've worked most of the kinks out. IT/computers/etc. on the other hand is still in it's infancy (and may always remain so due to the rate of change). We're making it up as we go.

  • What does your legal agreement with this firm say?

  • by consumer_whore (652448) on Thursday August 13, 2009 @04:59PM (#29058521)
    They're stealing your IP while you're goofing off on slashdot.
  • Look, it's really simple: If they give you the creeps, don't hire them. Go with someone who is not insistent on administering your network remotely, or who you are otherwise comfortable working with.

  • by Reapman (740286) on Thursday August 13, 2009 @05:00PM (#29058547)

    You seem to be conflicted. You don't want to have inhouse IT, but you want them there and available anytime you need them onsite. I think you first need to determine which is important: reduced costs of outsourcing (And all the issues that goes with it) or the improved service of inhouse (and all the issues that go with that)

    Even if they're onsite, are you going to have someone paid to stand over their shoulder and watch? if so pay that person to do the damn work for ya.

    To be honest your probably safer with an outsourcing company since no sane company would risk their reputation by stealing your "zomg important" secrets.

  • Once upon a time there was a kid in charge of watching a flock to protect it from wolves. He got bored and cried 'wolf'. Everyone came running, but there was no wolf and the kid laughed at the gullible townspeople. He did this three times. Then one day there really was a wolf. He cried 'wolf' again, but this time nobody responded. Half a dozen sheep - and the boy - were killed.

    What's the moral of the story (the real moral, not the 'story for kids' moral)? Don't put someone in charge of your stuff if you d
  • Remote access is secure - SSH, RDP, decent VPNs are fine for remote administration.

    If you don't trust the admin if you don't have them in your direct line of sight, why would you trust them if you're out of the room temporarily?

    If you don't trust them when you're not looking over their shoulders, why do you trust them at all?

    Either you trust them - and where they are sitting is irrelevant to that question - or you don't. If you don't trust them, fire them and get someone else you trust. If you don't trust

  • You shouldnt... (Score:3, Insightful)

    by alexborges (313924) on Thursday August 13, 2009 @05:03PM (#29058585)

    Nobody should trust their BOFH.

    Sadly, it just happens to be the case that we can't live without them, but trustable as a group, they are not.

    Trust people, not jobs.

  • by dave562 (969951) on Thursday August 13, 2009 @05:03PM (#29058591) Journal
    If you are so worried about it then have them sign a contract that stipulates they won't do what you're worried about them doing. I've done consulting for the SMB market. We did the majority of our support remotely. We were constantly busy taking care of clients and didn't have the time or the inclination to try to steal from our clients. Look at it this way, if your consultant leaks your super duper secrets to your competitor, and you go out of business, where does that leave them?
  • Curious (Score:4, Insightful)

    by Dunbal (464142) on Thursday August 13, 2009 @05:09PM (#29058685)

    And you come to slashdot to ask that question?

    Start by hiring someone with real business talent to run it for you because you sound like your own worst enemy.

    IF YOU CAN'T TRUST THE PEOPLE YOU HIRED THEN WHY DID YOU HIRE THEM?

  • by pak9rabid (1011935) on Thursday August 13, 2009 @05:11PM (#29058701)
    ...just hiring a real network administrator? Honestly, it's an employers market right now. There's lot of people who have been recently laid off who would kill for a job right now...probably even for a below-average salary.
  • by fuzzyfuzzyfungus (1223518) on Thursday August 13, 2009 @05:11PM (#29058715) Journal
    It is certainly harder to trust an offsite guy, for monkey reasons(can't see the look on their face, body language, that sort of thing) if nothing else; but I'd be curious to know if you have any reasonable grounds to believe that you could detect malfeasance in person.

    An atttacker, even a modestly skilled one, given the level of access an admin would need, could do all sorts of terribly serious things in the blink of an eye, whether or not you are watching him. When I'm wearing the admin hat, I routinely run executables on numerous client PCs, manipulate server settings, write and run scripts that gather all sorts of data, make backups, and so forth. Are you really going to be able to see the difference between me tarring the contents of your OMG_Sourcecode directory for backup and me tarring for backup && sneaking a second copy somewhere? And, if you are that good, why are you hiring me to sit there while you watch me, when you could just do it yourself?

    If you are paranoid enough, you can use some sort of intrusion detection/exfiltration detection setup, with shell logging, and firewalls, and disabling usb mass storage devices, and uniquely barcoded hard drives, and cavity searches, and so forth; but somebody you trust will have to build that as well.

    Obviously, going to Shady Bob & Pradep's House 'o Discount Outsourcing is a bad plan; but so is hiring Shady Bob to work onsite. I'm less sure, though, that there is a significant security difference between offsite and onsite people of otherwise similar levels of cheapness and shadiness.
  • by onyxruby (118189) <.onyxruby. .at. .comcast.net.> on Thursday August 13, 2009 @05:15PM (#29058775)

    You really need to ask yourself if you want a professional or a peon? You write your question as if you want someone you can piss on, that tells me you want a peon. Heck, you'll save money on the peon, you can get one from any local technical college, they might even know what they're doing.

    If you want a professional and don't want to pay for one, your outsourcing some part time work. You get a portion of a professionals time, that makes you a part time customer, a small fry for the outsourcing company. They are essentially offering a courtesy to you at all to work on your network in the off chance your company grows as this will leave them in a good position.

    The bottom line is that professionals that live in your country need to be trusted, they have to much to lose. Most professionals will undergo a background check one to every two years. No professional is going to destroy their livelihood by leaking something like your customer list. No professional is going to risk going to prison or getting sued for crossing the line as long as they live in the same country as you. They will lose their ability for references. Outsource to India and the like and all bets are off, there's no reputation to maintain.

    Really, the question is why would your customers trust your company, and is a professional service really any different?

    The biggest problem is that the vendors you are talking to are being honest and setting your expectations and you don't like what your hearing. Your about to discover how every extra service has an additional charge and you'll quickly bury yourself in extra fees in the event your company does grow. If you want to position yourself for growth and don't want to be sunk under a slew of fees you should hire a professional in house and then trust them to do their job.

  • by wowbagger (69688) on Thursday August 13, 2009 @05:15PM (#29058795) Homepage Journal

    You say "Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"

    Given that you aren't administering your own network, I'd guess that you don't have the skills to do so. Would you know trouble if you saw it?

    Would you know enough to see them setting up a remote service that they could get back into? Would you know enough to catch them copying sensitive files from where-ever they live to some staging directory, then later copying that directory off to a flash drive, or to some external server? Would you be able to catch them downloading a root kit and installing it?

    In short, given that you don't have the experience to admin your own gear, do you REALLY think "standing behind them and watching them" is going to do anything but waste your time?

    And IF you have the skills to admin your own machine, but want to outsource that due to some idea of "I have better things to do than this" - you have the time to stand behind them and watch them do the work, does that not imply you have the time to do the work?

    Like others have said: If you are concerned, make them put up a bond.

  • From the Admin side (Score:3, Informative)

    by jht (5006) on Thursday August 13, 2009 @05:21PM (#29058871) Homepage Journal

    I own a company that does outsourced IT support. Were it us, I wouldn't insist on being able to do remote support - but you'd pay so much for on-demand on-site support you'd be better off hiring someone in-house to do the job instead. The reality is that (were it us) we'd be coming in to your office periodically (depending on your size, from maybe once a month to as much as a couple of times a week. And most of the routine requests you will make we'd take care of by logging in remotely to deal with them for you. In most cases, we can log in and handle it a lot faster than we can free up enough time in someone's day to get them over to your office.

    That's the reality of outsourced IT. You can get very good coverage that way, and any good company will give you face time with whomever is handling your account. I've got a lot of clients that trust my employees (and me) with their keys, passwords, and all the lot. I've got professional liability insurance, and a reputation that's even more important to me. If we were the company doing your support, I'd gladly sign an appropriate document guaranteeing we'd keep your data private.

    I'm not pimping for my company (you're probably nowhere near where I work - else I would likely have been contacted as one of the firms bidding) but most companies like mine work that way. That's how we can do good work and still be affordable. But the reality a lot of these posters have pointed out stands: if you can't trust an IT company to handle things for you, then hire an admin in-house.

  • by Custard (45810) on Thursday August 13, 2009 @05:41PM (#29059131)

    I'm unclear as to why you think having them work onsite is more secure. The statement "administer the network in person so we can stand behind and watch them" implies that you have network skills at least as great as they have. In which case the watchers can do the work themselves.

    Would you really notice if I ran a batch file that planted a trojaned your computer and uploaded your SAM file(s)? I doubt it. Your IT guy knows everything; that is just a fact of life. Hire a professional and it won't matter. Or you can hire Geek Squad level. Just plan on those "private" pictures of your wife to be added to his personal collection.

    I also suspect that you might be hobbling yourself in other ways. (Unless your are geographically isolated or have a non Mac/Windows environment) there is a large number of consultants who will do on-site work. I know; I'm one of them. You will pay more, but there are some situations that require hands-on support. It is very hard to replace a power supply over a VPN connection.

    Good luck, and I'm glad you're not my client.

  • Are they bonded? (Score:3, Informative)

    by Animats (122034) on Thursday August 13, 2009 @05:42PM (#29059141) Homepage

    Such a service should be bonded, by an outside bonding company. It's the surety bonding company's responsibility to run background checks on the contractor's employees, and to pay up if they steal. (They'll try to get the money back from the contractor or the employee.) Banks carry surety bonds for their employees.

    Here's a contract for network administration services with a bonding clause. [carrollcountyga.com]

  • by hendersj (720767) on Thursday August 13, 2009 @05:46PM (#29059197)

    I worked in IT for about 15 years, and always held that if a company doesn't trust its network administrators for a justifiable reason, then those people shouldn't be the network admins.

    Remote/local doesn't matter. If they are not trustworthy and you can document why, then don't make them your admins. If they are, then don't worry about it until they do something to violate that trust. And if they do violate that trust, then go after them guns a-blazing (figuratively, not literally, OBVIOUSLY).

    Most network admins want to be trusted - and need to be. Being untrustworthy is the kiss of death in that entire career path.

    As others have said, local or remote doesn't matter. In-house or outsourced doesn't really matter. You need to accurately assess their trustworthiness and then deal with it in an appropriate manner.

  • by oh (68589) on Thursday August 13, 2009 @05:47PM (#29059225) Journal

    There seems to be an assumption that you can "keep an eye" on an on-site network administrator, and that's why you can trust them.

    How would you tell if they were up to no good? Will you be looking over their shoulder constantly?
    I have worked in medium size IT shops (appro 100 people), and have seen the system admin team all stand around a computer as they go through their manager's CV (they had left it on there home drive). This was practically outside the manager's office, but you can't be everywhere at once.

    Maybe you assume that you will only hire trustworthy people, but how can you tell if you can trust someone just by working with them?

    Personally, I think the bigger risk to your operation will be if you hire a bad sysadmin.

            Owen.

  • CYA. (Score:3, Informative)

    by digital photo (635872) on Thursday August 13, 2009 @06:33PM (#29059751) Homepage Journal

    It's interesting that the realization comes after the ink has started to dry on the proverbial paperwork.

    As others have already pointed out, you have to choose what you are willing to put up with. No solution has zero issues or problems, just different ones.

    In all cases, your risk of data/ip theft? Greater than zero. It will never be zero, short of you getting all copies and all peoples who have had contact with it and lock them in an underground room for all eternity.

    * Presumably, you have some form of agreement(written contract) with the outsourced IT group. If you don't, you should _address_ that issue.
    * You should have insurance for your company, so that in the event of fraud, theft, etc... and your business goes belly up, you have the means to cover your debts.
    * You should be just as equally concerned about data loss as you are about data theft. Ie, make sure you have enough copies of your data/IP.

    Regardless of whether you have in-house staff or outsourced staff, you should have some means of auditing your environment to address and reduce the risks involved. If nothing else, it will give you visibility into the types of areas of knowledge that someone other than your IT admin would know and be able to pick up the pieces should one of the problem scenarios appear.

    Assuming you decide you are happy with your current support situation, get them to produce a human readable run-book for you, so that should they go out of business, bail, or otherwise default on the agreement, you will be able to bring someone in to take over. Schedule time for someone other than the primary support person to use the runbook to perform downtime/maintenance tasks/etc with the runbook. If there are any issues or problems, have the outsourcing company update it. Make it part of the understood and written agreement. You want to be able to rebuild, in the case of any failures.

    Quick summary:
    - validate/verify terms of agreement with existing IT support partner
    - affirm creation of run-book with support partner and verify that it is valid and up to date with regularly scheduled DR/maintenance tasks
    - have an on-site "intern" learn the tasks and serve as your in-house backup IT resource. Presumably, this person can also do double duty, if they happen to be a coder/content developer/PM with prior admin experience, etc. That person is your plan "B". This makes the runbook that much more important.
    - NDA(s) and the legal expertise on retainer will help alot in terms of enforcement and collection on damages, but it will not prevent theft.
    - Know what your company's plan "B" is in case of theft. Should you be segregating your information? Should you be encrypting your communication? Is the fact that some of your coders are bringing in USB flash devices and bringing work home a problem in your mind in relation to remote IT support?

    There are plenty of issues and potential areas for IP theft/leak/sabotage to occur.

    Legal agreements will help you when dealing with another company entity, but those legal agreements will do precious little if the theft/release of your IP causes your business to go down the drain.

  • I'll say it (Score:3, Insightful)

    by MBGMorden (803437) on Thursday August 13, 2009 @06:33PM (#29059769)

    My response is one of many just like it, but bottom line is you HAVE to trust your network admin. Whether he's on site or off, he has access to your stuff. And frankly, I don't care if anyone walks in and sees what I'm doing randomly, but outside of a performance evaluation, the day anybody steps into my office and starts watching what I'm doing is the day I quit.

  • by jbn-o (555068) <mail@digitalcitizen.info> on Thursday August 13, 2009 @06:33PM (#29059773) Homepage

    I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server.

    You used the past tense. Therefore I see that you've already made the decision to do this and have executed on that decision. The agreements are signed and the admins are working on managing your systems as I write this. A lot follows from this having already gone down. In other words, this detail important to clear up before proceeding because there is a large difference between something you have not yet done and something you have already done and now have to live with.

    Trouble is, they (and all other IT companies we could find) insist on administering it all remotely.

    Of course they all do. Look at this from their perspective: many organizations hire them to do what you hired them to do. None of these IT admin firms have the staff to do things in-person (as you later contemplate threatening upon the firm you hired) where people expect explanations and instruction while they do what you hired them to do (which, by the way, makes everything take at least twice as long). If you wanted teachers to train your staff, you should have hired said teachers. If you wanted something different, you should have considered this before you contracted with them. Be here now. Best to focus on where you are now and proceed from that point realistically.

    They now obviously have full access to all our data and PC's, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?

    Your so-called intellectual property [gnu.org] isn't the issue here, you've crossed that bridge. Your issue is you have post-commitment jitters about something you apparently didn't think through. Since you've already inked the deal, it's time to trust your new partners and understand that you don't have the power to "lock them out" in any way that wouldn't constitute a breach of contract or at least erecting circumstances that make them want to get rid of you as clients. You don't have the power to "make them administer the network in person so we can stand behind and watch them" nor would they likely want you to do that. You need to think ahead this time and consider the ramifications of being watched; I'm almost sure you wouldn't want to work that way because hardly anyone wants to work that way. Why would you think they'd want to work that way? You've described nothing unprofessional or bad on their part, so you have no cause to treat them as you describe.

    Chalk it up to a lesson about thinking through the details before commitment.

  • by JRHelgeson (576325) on Thursday August 13, 2009 @06:39PM (#29059835) Homepage Journal

    I am a remote administrator for dozens of companies. I have been doing this for many, many years. My business success is directly dependent upon your business success. I have a vested interest in every single one of my customers growing and flourishing in business. As such, I only recommend solutions that are justifiable in direct, easy to understand terms.

    You have proprietary information? So what. So does every other company and government agency I do work for - all of which is done remotely. Only on rare occasion do I visit on site.

    If you cannot place your trust in the people holding your admin password, then administer it yourself. Otherwise be prepared to pay 2-3 times more for simple administrative tasks.

    I'm sure I have access to tons of proprietary information, sensitive information, etc. but so what - I'm an honest guy. If I see the stuff, my first reaction is do we have this properly protected? I know the first reaction in a criminal mind is "What can I do with this?". Criminals don't usually want to work for a living.

  • No choice. (Score:3, Insightful)

    by Spit (23158) on Thursday August 13, 2009 @07:18PM (#29060175)

    Either you trust your sysadmins or you don't give them the access they need. Administrators require access to all of your files, your network traffic, your email, your financial data. Not all of the admin staff needs it, but at least one of them does need some access.

    The problem with outsourcing is you are treating sysadmins like janitors, a necessary evil farmed out to the lowest bidder. Where the reality is the function is a critical professional appointment which requires vetting, just as you would your accountant and lawyer.

  • by holophrastic (221104) on Thursday August 13, 2009 @07:27PM (#29060239)

    You don't outsource to a random idiot -- that's step one. Welcome to referrals. Ask a friend, or a competitor, whom they've used. At least that way, if the IT guy screws you over, he loses more than just you.

    Second, hopefully you have NDAs with your clients. Those NDAs undoubtedly say that you have to have an equivalent NDA with your contractors. So make your IT guy sign an NDA.

    Third, "stand behind and watch him"? Are you nuts? Not only are you not going to actually do that, but if you did, are you going to read every command? Are you going to understand them? You can watch a magician, or other slight-of-hand artist as much as you want -- most of them depend on your trying to pay attention.

  • 3 letters (Score:5, Insightful)

    by smash (1351) on Thursday August 13, 2009 @07:29PM (#29060265) Homepage Journal
    NDA. If your stuff is that important that a leak would be a really bad thing, ensure that you're able to be compensated appropriately for it.

    Bear in mind that there's nothing to stop an angry local administrator stealing/selling data, and being more intimately involved with the company's business activities, he probably knows better where to look.

    But, I'd suggest not outsourcing if posssible for a different reason. It normally doesn't work. The lack of local site knowledge is hugely detrimental to knowing wtf is going on. I was with a large aussie mining company that tried it - after 18 months they couldn't get away from the outsourcer fast enough. Main problems are that there is usually no continuity in who deals with a problem, no sense of personal responsibility, no problem ownership, and any admin who gets a clue at the outsourcer leaves and gets a real job as soon as they can.

    You'll end up dealing with muppets who either don't care, have no clue, or both.

  • by billcopc (196330) <vrillco@yahoo.com> on Thursday August 13, 2009 @08:20PM (#29060693) Homepage

    It's kinda funny, I joked about this very same idea, that the $2.00/hour outsourcers might be intentionally raping our servers for profit. Then the next day one of my support clients had that exact thing happen to him... one of his developers in India decided to create a bunch of email accounts and spam off of them. I have to admit, it makes perfect sense: he probably made more money selling spam runs for a few days, than a week of regular salary, plus he's not going to get into any immediate trouble... I'm not going to fly over there and beat the tan out of him, he just lost one smallish contract - big whoop.

    It's not about "you get what you pay for", and certainly not a racially charged disconnect (at least not in my case), it's just the risk vs reward balance that's tipped against us. Globalization is a double-edged sword. White collar crime is just as big a problem in western societies, but we do it bigger and badder. As an American, if someone offered you $100 a day to sacrifice one of your clients, you'd probably tell him to blow you. In India, $100 might be equivalent to $1000 to us, maybe more. I don't know about you, but in my neighborhood if you want to make $1000 a day you either have to sell your ass, or sell gobs of crack and blow. The incentives vs risks aren't on the same scale at all.

    I'm not saying we should treat all outsourcers as hostile crooks, we have plenty of those right here at home, on the payroll even. We just need to approach it sanely. If you underpay someone, they are more likely to fuck you over - that much should be common wisdom in the business world. It's the dirty side-effect of living in an entitlement culture.

Building translators is good clean fun. -- T. Cheatham

Working...