Friday, August 14, 2009

Trusting the Administrator

Read this interesting article on Slashdot:

"I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"

Very relevant to my current job requirements, and something that I have been persistently asking around about.

The most apt answer that I felt answered this query was by mysidia:

"This suggestion above is equivalent to proposing that managers have to learn electrician skills to wire the most important room in the building, for fear the paid electricians might sabotage it, or they have to learn locksmith skills to key the locks on the most sensitive file room, because they can't trust locksmiths not to share a copy of the key or sneak in one night.

The simple fact is the management of key systems should be entrusted to skilled IT professionals whose primary responsibility is maintaining consistent, operational, available systems.

That doesn't just mean setting up systems and forgetting it, it also means implementing secure backups, monitoring audit trails, managing the complex access controls, monitoring system logs, and correcting problems."

And by Eskarel:

When you hire an outsourcing company, you're hiring the company, not its employees. You do due diligence on the company, its achievements, its reputation, and you hire the company. You sign a contract with them, with the same sorts of conditions you'd stick in a regular employment contract to try and ensure that you're going to get what you're paying for. The employees of the outsourcing agency are not your employees and there's really nothing you can do about them because your contract isn't with them, it's with the agency.

That doesn't of course mean you just go with "whatever you decide" on non-staffing issues, the company works for you the same way an employee would and you take their advice as appropriate, but who they hire is really none of your business, so long as the company meets its contractual obligations to you. Most of the outsourcing problems are caused by companies not realizing that the outsourcing agency is essentially an employee and not writing stringent enough contracts, or hiring the cheapest option without looking at their ability to actually deliver (which is no different than hiring an 18 year old to do a job which requires substantial education and experience simply because you can get them on the cheap).

Not all outsourcing is done on the cheap, sometimes it's done because it's more efficient that way. It's always good to have multiple people with your skill set to bounce ideas off of, and to have backup for absences and the like, but most smallish companies can't afford to have 3 or 4 DBA or sysadmins, etc. So they contract out to another company who, because they provide services to a number of companies, can afford to have more extra people to fill key roles. Their economic situation allows that.

There are advantages to outsourcing beyond just being cheaper, but there are disadvantages too. You don't have the same control of the staffing, you don't have the same kinds of relationships with the staff, and the loyalty of the staff is generally to their employer and not to you. That's not always a huge problem, but sometimes it is, and if it is, expect to have to pay for a redundant DBA or sysadmin so you can keep your place going when they go on vacation. There are pluses and minuses to everything, including outsourcing, and sometimes outsourcing isn't done because it's cheaper, and sometimes when it is, it doesn't turn out to be. When you run your business based entirely on trying to reduce costs, generally you eventually go out of business, that applies to pretty much every field, not just IT or outsourcing.

This is pretty interesting!! You have to follow the comments on this article to understand the passionate views of many, some pretty sane like this one, with which I completely agree:

Right, and it's not just an issue of outsourcing. The reason you should trust your network administrator is that you *have to* trust your network administrator. Whether it's in house or outsourced, you have to trust someone to do the work. The only alternative is to do it yourself-- like literally you, personally.

If I'm your network administrator and I come into your office and work for you directly, I could still read your emails, steal your IP, etc. You could ask me to set up the security so that I can't do that, but you still have to trust me to do that well and not leave a back-door for myself. Also, you should understand that it might inhibit my ability to do some things. For example, if I encrypt your disk so that I can't even access it myself, and then you lose the password, I won't be able to recover anything on your hard drive. Sorry.

So that's the deal. You can try to institute some checks and balances, but there's a certain amount of trust inherent in the job. If you're concerned about security, then make the effort to find people that you can trust, and recognize that you might have to pay extra for better employees. It's an issue of what your priority is when you hire someone (or hire an outsourcing company). Which is most important, getting the person you trust most? Getting the person with the best resume? Getting the cheapest solution available?

Those might be 3 different people. Under most circumstances, I'd pick the person I trust.

