Why Should I Trust My Network Administrator? 730

Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"

  • by kperrier ( 115199 ) on Thursday August 13, 2009 @05:51PM (#29058379)

    You could mandate on-site support only, but you will get charged out the yang for it.

  • by Dr_Harm ( 529148 ) <mdharmNO@SPAMone-eyed-alien.net> on Thursday August 13, 2009 @05:51PM (#29058385) Homepage
    If you're concerned, ask them to carry a performance and fidelity (aka surety) bond.
  • by Blackneto ( 516458 ) on Thursday August 13, 2009 @05:54PM (#29058429) Journal

    I do a lot of remote support for my customers.
    I also make sure I get face time with them.
    Learning the work-flow of a company is very important when it comes to administering their network.
    If the company you are hiring doesn't schedule regular visits then I wouldn't trust them to work in your best interests.
    I'll add this as well. Audit them periodically. Hire another company to check up on them.
    My customers do this and I've received good feedback from the customer and the auditor.

  • by ezwip ( 974076 ) on Thursday August 13, 2009 @05:54PM (#29058431)
    This is the best answer you will get.
  • by Narcocide ( 102829 ) on Thursday August 13, 2009 @05:55PM (#29058447) Homepage

    Seriously? You're thinking about this now AFTER they've put the whole network up with all remote access enabled?

    What the hell makes you think they can't steal all your crap in person? Even if you assigned someone to watch every move they make it would be difficult for novices to even be able to recognize data theft happening as they watched if it happened through a command-line interface.

  • by dave562 ( 969951 ) on Thursday August 13, 2009 @06:03PM (#29058591) Journal
    If you are so worried about it then have them sign a contract that stipulates they won't do what you're worried about them doing. I've done consulting for the SMB market. We did the majority of our support remotely. We were constantly busy taking care of clients and didn't have the time or the inclination to try to steal from our clients. Look at it this way, if your consultant leaks your super duper secrets to your competitor, and you go out of business, where does that leave them?
  • From the Admin side (Score:3, Informative)

    by jht ( 5006 ) on Thursday August 13, 2009 @06:21PM (#29058871) Homepage Journal

    I own a company that does outsourced IT support. Were it us, I wouldn't insist on being able to do remote support - but you'd pay so much for on-demand on-site support you'd be better off hiring someone in-house to do the job instead. The reality is that (were it us) we'd be coming in to your office periodically (depending on your size, from maybe once a month to as much as a couple of times a week). And most of the routine requests you will make we'd take care of by logging in remotely to deal with them for you. In most cases, we can log in and handle it a lot faster than we can free up enough time in someone's day to get them over to your office.

    That's the reality of outsourced IT. You can get very good coverage that way, and any good company will give you face time with whomever is handling your account. I've got a lot of clients that trust my employees (and me) with their keys, passwords, and all the lot. I've got professional liability insurance, and a reputation that's even more important to me. If we were the company doing your support, I'd gladly sign an appropriate document guaranteeing we'd keep your data private.

    I'm not pimping for my company (you're probably nowhere near where I work - else I would likely have been contacted as one of the firms bidding) but most companies like mine work that way. That's how we can do good work and still be affordable. But the reality a lot of these posters have pointed out stands: if you can't trust an IT company to handle things for you, then hire an admin in-house.

  • Are they bonded? (Score:3, Informative)

    by Animats ( 122034 ) on Thursday August 13, 2009 @06:42PM (#29059141) Homepage

    Such a service should be bonded, by an outside bonding company. It's the surety bonding company's responsibility to run background checks on the contractor's employees, and to pay up if they steal. (They'll try to get the money back from the contractor or the employee.) Banks carry surety bonds for their employees.

    Here's a contract for network administration services with a bonding clause. [carrollcountyga.com]

  • by Maxo-Texas ( 864189 ) on Thursday August 13, 2009 @06:51PM (#29059267)

    Outsourcing to IBM has led to a 30 to 60 day lead time.

    No BS.

    To make a change to the software, they need to allocate resources away from all the other companies we are sharing the resources with.

    To get new hardware requires 60 days after they get an approved PR. And the cost of setting up that hardware is incredible. $14,000 for a server for example-- more than the cost of the hardware.

    Main reasons we do it... Sarbanes Oxley (sp?) and Disaster Recovery. If our corporate office is wiped out, we keep going. If IBM site 1 is knocked down, we keep going. If IBM Site 2 is knocked down- we keep going. Sites 1 & 2 are in very stable, very safe areas of the country.

    But our productivity has gone to hell and our costs have skyrocketed.

    And YET--- it's cast as a "savings" in the annual reports. Really laughable.

    When executives set the rules, they *ALWAYS* make their goals.

  • CYA. (Score:3, Informative)

    by digital photo ( 635872 ) on Thursday August 13, 2009 @07:33PM (#29059751) Homepage Journal

    It's interesting that the realization comes after the ink has started to dry on the proverbial paperwork.

    As others have already pointed out, you have to choose what you are willing to put up with. No solution has zero issues or problems, just different ones.

    In all cases, your risk of data/IP theft? Greater than zero. It will never be zero, short of you getting all copies and all people who have had contact with it and locking them in an underground room for all eternity.

    * Presumably, you have some form of agreement(written contract) with the outsourced IT group. If you don't, you should _address_ that issue.
    * You should have insurance for your company, so that in the event of fraud, theft, etc... and your business goes belly up, you have the means to cover your debts.
    * You should be just as equally concerned about data loss as you are about data theft. I.e., make sure you have enough copies of your data/IP.

    Regardless of whether you have in-house staff or outsourced staff, you should have some means of auditing your environment to address and reduce the risks involved. If nothing else, it will give you visibility into the types of areas of knowledge that someone other than your IT admin would know and be able to pick up the pieces should one of the problem scenarios appear.

    Assuming you decide you are happy with your current support situation, get them to produce a human readable run-book for you, so that should they go out of business, bail, or otherwise default on the agreement, you will be able to bring someone in to take over. Schedule time for someone other than the primary support person to use the runbook to perform downtime/maintenance tasks/etc with the runbook. If there are any issues or problems, have the outsourcing company update it. Make it part of the understood and written agreement. You want to be able to rebuild, in the case of any failures.

    Quick summary:
    - validate/verify terms of agreement with existing IT support partner
    - affirm creation of run-book with support partner and verify that it is valid and up to date with regularly scheduled DR/maintenance tasks
    - have an on-site "intern" learn the tasks and serve as your in-house backup IT resource. Presumably, this person can also do double duty, if they happen to be a coder/content developer/PM with prior admin experience, etc. That person is your plan "B". This makes the runbook that much more important.
    - NDA(s) and the legal expertise on retainer will help a lot in terms of enforcement and collection on damages, but it will not prevent theft.
    - Know what your company's plan "B" is in case of theft. Should you be segregating your information? Should you be encrypting your communication? Is the fact that some of your coders are bringing in USB flash devices and bringing work home a problem in your mind in relation to remote IT support?

    There are plenty of issues and potential areas for IP theft/leak/sabotage to occur.

    Legal agreements will help you when dealing with another company entity, but those legal agreements will do precious little if the theft/release of your IP causes your business to go down the drain.

  • I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server.

    You used the past tense. Therefore I see that you've already made the decision to do this and have executed on that decision. The agreements are signed and the admins are working on managing your systems as I write this. A lot follows from this having already gone down. In other words, this detail is important to clear up before proceeding because there is a large difference between something you have not yet done and something you have already done and now have to live with.

    Trouble is, they (and all other IT companies we could find) insist on administering it all remotely.

    Of course they all do. Look at this from their perspective: many organizations hire them to do what you hired them to do. None of these IT admin firms have the staff to do things in-person (as you later contemplate threatening upon the firm you hired) where people expect explanations and instruction while they do what you hired them to do (which, by the way, makes everything take at least twice as long). If you wanted teachers to train your staff, you should have hired said teachers. If you wanted something different, you should have considered this before you contracted with them. Be here now. Best to focus on where you are now and proceed from that point realistically.

    They now obviously have full access to all our data and PC's, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?

    Your so-called intellectual property [gnu.org] isn't the issue here, you've crossed that bridge. Your issue is you have post-commitment jitters about something you apparently didn't think through. Since you've already inked the deal, it's time to trust your new partners and understand that you don't have the power to "lock them out" in any way that wouldn't constitute a breach of contract or at least erecting circumstances that make them want to get rid of you as clients. You don't have the power to "make them administer the network in person so we can stand behind and watch them" nor would they likely want you to do that. You need to think ahead this time and consider the ramifications of being watched; I'm almost sure you wouldn't want to work that way because hardly anyone wants to work that way. Why would you think they'd want to work that way? You've described nothing unprofessional or bad on their part, so you have no cause to treat them as you describe.

    Chalk it up to a lesson about thinking through the details before commitment.

  • Trust but verify (Score:1, Informative)

    by Anonymous Coward on Thursday August 13, 2009 @07:40PM (#29059851)

    Whether on-site or off-site, network administrators can screw you.

    1. Make sure you have an excellent employee screening process.
    2. Know what security measures are in place where your data is being processed and stored.
    3. Get the non-disclosure and other legal documentation in order.
    4. From time to time, have an independent entity validate that all these things are in place and being managed appropriately.

    You cannot ensure that no administrator will go bad.
    You can mitigate the risks significantly and make the little SOB suffer if he screws your business.

    The main difference here is the significant amount of damage that they can inflict, so make sure you are covered. There's insurance for this as well.

  • by Maxo-Texas ( 864189 ) on Friday August 14, 2009 @12:33AM (#29061983)

    The servers are mid-high end stuff-- about $10k.

    When we used to do them, the first one would take about 3 weeks to set up-- and the rest about 3 hours each.

    The costs are doubled (or more) if it is a high availability project- because then the same hardware/software are duplicated at both sites. More if mirroring is required.

  • by hawkinspeter ( 831501 ) on Friday August 14, 2009 @05:06AM (#29063141)
    That word doesn't mean what you think it means. What's the past tense of 'loose'?
