
Why Should I Trust My Network Administrator?

timothy posted more than 5 years ago | from the hire-two-and-aim-them-at-each-other dept.

Businesses 730

Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"


Worried about the results of your actions? (5, Insightful)

HunkyDory (806866) | more than 5 years ago | (#29058375)

If it was really a worry, why outsource it in the first place?

Worried about the cost of your actions? (4, Insightful)

betterunixthanunix (980855) | more than 5 years ago | (#29058483)

I would guess that it costs less to outsource this sort of work than to try to keep your own full time IT staff employed. I might be wrong though.


Re:Worried about the cost of your actions? (2, Insightful)

davester666 (731373) | more than 5 years ago | (#29058983)

Does it make a big difference?

If you keep it in house, you still need to trust the people you hire.
Hell, you need to trust your non-IT staff to not steal whatever IP (or physical equipment) they have access to.

So, you can treat this as hiring employees that happen to work offsite.

Re:Worried about the results of your actions? (5, Insightful)

egcagrac0 (1410377) | more than 5 years ago | (#29058509)

Mod parent up.

Either you trust your outsourcing company to do what they do how they do it, or you hire an admin to be on site.

Disclosure: I'm an on-site admin, because the company I work for doesn't trust outsiders.

Re:Worried about the results of your actions? (1, Insightful)

Z00L00K (682162) | more than 5 years ago | (#29058519)

Exactly - Don't outsource if you are wary about your data.

There will not be any personal responsibility and the consultants working with your IT system will change over time and responsibilities will never stick.

You can end up in a long period of disagreement about what's not in the written agreement while the systems grind to a halt. And the "paperwork" for getting things done can be horrible. An emergency fix can take ten days and be executed by someone in a different country that has a hard time understanding your language.

Re:Worried about the results of your actions? (0)

stuckinphp (1598797) | more than 5 years ago | (#29058905)

Outsourcing in this context does not mean outsourcing overseas. It means outsourcing to a different company. Your 10 days bs story is hardly relevant; there are many companies that provide different levels of emergency coverage (within the hour upgrades and such).

Re:Worried about the results of your actions? (5, Insightful)

Moryath (553296) | more than 5 years ago | (#29058525)

Basic advice: Make sure your CONTRACT specifies what they can and can't do.

If they break the contract, they (and anyone they did it on behalf of, including if they sell the info to some competitor later) are in for a world of legal hurt.

You agreed to outsource this rather than hire someone to do it in-house. Either cough up the money on lawyers to make sure your butt is protected legally, or hire someone yourself who works just for you and is directly accountable to you.

Re:Worried about the results of your actions? (5, Insightful)

Tubal-Cain (1289912) | more than 5 years ago | (#29058601)

This is a startup. The law may be on their side if the contract is broken, but they may not be able to afford pursuing the issue in court. After all, they can't even afford an in-house admin.

Re:Worried about the results of your actions? (1)

egcagrac0 (1410377) | more than 5 years ago | (#29058827)

Just call up an ambulance chaser and sign over 50% of the proceeds of the lawsuit.

Re:Worried about the results of your actions? (2, Funny)

Moryath (553296) | more than 5 years ago | (#29058831)

Sounds like someone is improperly prepared to start up their business then...

Re:Worried about the results of your actions? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#29058957)

Right. There are plenty of monkeys fresh out of college who have the skills and are willing to work for cheap. And if the startup involves data and they are too cheap to hire an IT monkey, then why isn't 1 or more of them manning the fuck up and learning the job themselves?

Must be a bunch of sushi-eating bourgeois punks with nose rings and dyed hair who sucked off a venture capitalist and didn't realize how much running a startup cuts (captcha: cuttings) into their WOW and bath house time. Sheesh, it's 1999 all over again!

-- Ethanol-fueled

Re:Worried about the results of your actions? (1)

DerekLyons (302214) | more than 5 years ago | (#29058981)

He didn't say he couldn't afford an in-house admin did he?

On site is more expensive (3, Informative)

kperrier (115199) | more than 5 years ago | (#29058379)

You could mandate on-site support only, but you will get charged out the yang for it.

Re:On site is more expensive (1)

lukas84 (912874) | more than 5 years ago | (#29058729)

Seems fair. Personally, I don't see why a company should refuse to do all service on-site.

We usually earn a lot more for service done on-site, because:

* You can bill more time - especially the drive time can rack up cost quite easily, while it's almost no effort on my part
* You'll take longer - fixing something on-site usually requires more time, because you'll stay around till everyone is sure that everything is fixed - no "call me again if it doesn't work"
* You might generate additional business "oh, if you're already here could you look at this please"

We have one or two customers which insist on everything done on site. 3 hours driving billed at 185 CHF an hour, 1 hour of work billed at 185 CHF an hour. Well, it works out for me.

This is what being bonded is for (5, Informative)

Dr_Harm (529148) | more than 5 years ago | (#29058385)

If you're concerned, ask them to carry a performance and fidelity (aka surety) bond.

Re:This is what being bonded is for (1)

lazyforker (957705) | more than 5 years ago | (#29058629)

...Or pay them enough to send someone to your site. The main reason the outsourcers want to do stuff remotely is that they can easily support multiple customers from their site - thus they are losing money when they send their staff to your site. Plus they lose time, possibly incur travel costs etc.
But - you could also get lawyered up and stipulate an NDA etc with the surety bond.

Re:This is what being bonded is for (1)

lukas84 (912874) | more than 5 years ago | (#29058791)

What? On-Site work pays a lot better than remote work. Unless you don't bill for travel time, which would be immensely stupid.

If you really want to trust them... (0)

Anonymous Coward | more than 5 years ago | (#29058391)

Seriously, if you really want to trust yer IT admin, push for government certification.

Because, after all, we all know we can trust the government.


You get what you pay for... (5, Insightful)

jasenmh (125829) | more than 5 years ago | (#29058395)

That's the service they are offering. If you want someone to be on property so you can look over shoulders, hire an IT staff.

Re:You get what you pay for... (1)

trainman (6872) | more than 5 years ago | (#29058511)

And if my boss (as an IT staff member myself) was looking over my shoulder all the time, I'd quit.

Does the original question asker check their employees' bags every night for confidential documents? Mandate no USB drives?

Your employees are who you should be more worried about, jumping to a competitor and taking your client list with them.

But it all comes down to trusting your staff. I certainly hope you're not one of these paranoid bosses that only gives keys to the top managers.

Re:You get what you pay for... (2, Insightful)

petermgreen (876956) | more than 5 years ago | (#29058749)

But it all comes down to trusting your staff.
In the case of outsourcing it also comes down to trusting your outsourcing provider's staff. These are people you did not choose and have no particular loyalty to your company. Further you have little knowledge/control over how they are treated. There may also be far more of them than if you had a dedicated IT staff.

Re:You get what you pay for... (1)

onionman (975962) | more than 5 years ago | (#29058691)

If you want someone on-site, you can certainly get them. You just need to be willing to pay for it.

A buddy of mine works as a consultant for a major IT consulting firm where the clients usually pay about six times his salary to have him on-site for 3 days each week. That seems crazy to me, but it is evidently worth it to the clients who want to have all the liability for IT issues on the contractor's back.

As for trust, well there is always a risk... but being a paranoid jerk is a great way to eliminate any loyalty that might otherwise have existed.

Simple answer (1)

GeorgeMonroy (784609) | more than 5 years ago | (#29058399)

Yes. =)

Facepalm. (4, Insightful)

SatanicPuppy (611928) | more than 5 years ago | (#29058401)

Either that, or learn to do it your damn self.

Obviously you want to find someone reputable, and bonded, but you're never going to get to a point where you can have a network infrastructure that is secure from the people who do your network infrastructure.

I've had enough experience with paranoid managers who hysterically insist that I'm reading their email, or their online banking passwords and crap like that. You think that some schmuck who is working fixing problems remotely really gives a crap about the plans for your Facebook-killer? Think that they care about your boring ass emails? You think they care about your customers??!? Are you kidding? You obviously don't sell networking, so what would be in it for them? Selling a customer list is like selling a used phone book.

No outsourced company is going to send a person to your building every time there is an issue, and frankly, you don't want them to because they'll charge you out the ass for that sort of service. Even if you did decide to pay the price for in-person service, anyone who is out to screw you will be able to screw you while you're watching them over your shoulder, because you won't know what to look for.

If it's really that important to you, bring it in house. And, word of advice, if you do bring it in house, don't treat the guy like a criminal or he's going to start reading your email.

Re:Facepalm. (1)

Eggplant62 (120514) | more than 5 years ago | (#29058893)

OP is very much in touch with reality. I have worked in field service repairing PCs for hundreds of companies in Southeast Michigan. All I care about is fixing your problem and moving on to the next customer. Your data? You think I got time to futz around with that? Yeah, there's that small 1% or less of assholes who might pull something like that but ever since '94 of my working in the field and knowing people who still work out there, I've never heard personal recount of the experiences you fear.

You'd be much smarter to distrust any idiot you'd overpay to sit on his ass to lord over your equipment and play Minesweeper all day long.

Re:Facepalm. (1)

pak9rabid (1011935) | more than 5 years ago | (#29058901)

If it's really that important to you, bring it in house. And, word of advice, if you do bring it in house, don't treat the guy like a criminal or he's going to start reading your email.

Or worse...

You've got to be kidding (4, Insightful)

Anonymous Coward | more than 5 years ago | (#29058411)

At some point, you're going to have to trust SOMEONE
Can you trust your Significant Other not to get all stabby when you are in bed sleeping?
Can you trust the drivers on your commute route not to suddenly get out their guns and start shooting at you?

It's all risk management. If you have super-important data, then don't farm out the management to someone you don't trust. If you have regular data, then farm it out to basically anyone.
SH*T happens... but if you are paralyzed with fear that bad things are going to happen because nobody is as trustworthy as yourself, you aren't going to be leaving your house.

Re:You've got to be kidding (4, Insightful)

nametaken (610866) | more than 5 years ago | (#29058917)

Can you trust the drivers on your commute route not to suddenly get out their guns and start shooting at you?

You obviously don't live in Chicagoland.

Re: (0)

Anonymous Coward | more than 5 years ago | (#29058413)

Part of the process of choosing a company is questioning them on moral issues. As much as IT is about technology, we are entrusted with incredible power and are truly held to the highest moral and ethical standards. This should figure into any choice you make - a new hire, an outsourced company, etc.

You should trust them (5, Insightful)

Anonymous Coward | more than 5 years ago | (#29058419)

For the same reason you trust your accountant.
Tell me, do you trust your sales people with your customer database? In my experience, they're the ones to watch.

Re:You should trust them (2, Informative)

ezwip (974076) | more than 5 years ago | (#29058431)

This is the best answer you will get.

Re:You should trust them (5, Insightful)

SatanicPuppy (611928) | more than 5 years ago | (#29058489)

Absolutely. The sales people have an existing relationship with your customer; they know the guy by name, know about his kids, his dog, his business needs. They will turn that around on you in a fricking heartbeat.

Sales is a mercenary business. Your competitor offers more money, they'll take it.

Re:You should trust them (1)

egcagrac0 (1410377) | more than 5 years ago | (#29058869)

Also, sales guys like to spend a lot of time racking up debt playing online poker. On top of that, most people in sales that I've met have no personal objections to staying in ethical grey areas - so long as they benefit.

That is an incredibly dumb question. (5, Funny)

tlambert (566799) | more than 5 years ago | (#29058423)

That is an incredibly dumb question.

You should trust him because, as the manager of the startup, it is within your area of responsibility to ensure a priori that the people you hire to do this are trustworthy, or you are simply not doing your job and you should be fired and replaced with someone who can. Since your company is already on a path for doing outsourcing, I am sure your job could be outsourced to someone more competent in Bangalore.

-- Terry

Re:That is an incredibly dumb question. (5, Insightful)

thomasinx (643997) | more than 5 years ago | (#29058595)

There are no dumb questions.

He's here asking for advice, so give it to him. Even though most of the people who read/post this board are heavily involved with IT, and it might be a common sense answer, the fact is that to this person it isn't as simple a solution.

In many cases, people have sensitive information that they are handling on their servers, and whether or not to trust the IT staff is a valid question (not all geeks are trustworthy). Also, in many cases (especially with startups), they don't have the resources to hire on-site IT staff, so they have to outsource it. It introduces a dilemma that many will have to deal with.

-T

Re:That is an incredibly dumb question. (0, Funny)

Anonymous Coward | more than 5 years ago | (#29058789)

There are no dumb questions.

What about this one?

Re:That is an incredibly dumb question. (1)

PCM2 (4486) | more than 5 years ago | (#29058837)

In many cases, people have sensitive information that they are handling on their servers, and whether or not to trust the IT staff is a valid question.

Valid, but still kind of stupid. What about building security guards? They have keys to every room in the building, which means they have physical access to all your stuff. Some of them even carry guns, which means your entire staff is at risk of being slaughtered whenever they're in the building.

I'm with the guy who said that if you call yourself "manager" of anyone and you have to ask /. for the answer to a question like this, you might consider stepping down.

Re:That is an incredibly dumb question. (1)

egcagrac0 (1410377) | more than 5 years ago | (#29058891)

There are LOTS of dumb questions.

Re:That is an incredibly dumb question. (2, Funny)

owlstead (636356) | more than 5 years ago | (#29058897)

"There are no dumb questions."

Oh, yes there are. I remember in college that we all had a laugh when each and every professor told us this. Problem was this guy who was really good at learning things but had zero capability for performing logical thought. And this being a computer science study, we sure had a lot of fun when the professors subsequently tried to explain things to him after his "not dumb question".

Re:That is an incredibly dumb question. (1)

interkin3tic (1469267) | more than 5 years ago | (#29058673)

Don't heap abuse on someone asking a question you happen to think is obvious; asking questions is what people are supposed to do. Admitting you're ignorant in an area, even one you should be informed of ideally, to me is noble, or at least a much better path than that which most people would take: assuming. I'm guessing there are tons of managers out there who would just assume they're not trustworthy and work on convincing whoever they are accountable to that it's the admin's fault everything is falling apart, not the manager's, because he wouldn't trust the admin with access to information essential for the job.

You, on the other hand, are doing your best to further the stereotype and make more non-computer literate people afraid to correct their own ignorance. "I don't want to ask the IT department what I should do, they usually try to make me feel stupid. I'm just going to assume the computer virus will clean itself up."

Re:That is an incredibly dumb question. (1)

the eric conspiracy (20178) | more than 5 years ago | (#29058829)

It is a pretty lame question.

It also has me thinking about a boss I had who went nuts when he found out I could read his email. He wanted his own email server (and like who is going to admin it?).

In any case I have to wonder about the future of this startup if the people involved are so inexperienced.

Re:That is an incredibly dumb question. (0)

Anonymous Coward | more than 5 years ago | (#29058805)

I agree with Terry. They should hire the IT guy and outsource the manager to bangalore. He can't affect business in any way for a lower cost.

Re:That is an incredibly dumb question. (0)

Anonymous Coward | more than 5 years ago | (#29058977)

So according to you, you should trust the guy because before the fact you should trust the guy or because you are doing your job? Methinks you have taken one too many philosophy classes without actually understanding what the prof was saying.

You trust someone because you have done your research and they check out to whatever standard you looked for. There are lots of people that get checked out and the process of vetting someone is meaningless until it is complete.

Don't trust them unless you meet them (3, Informative)

Blackneto (516458) | more than 5 years ago | (#29058429)

I do a lot of remote support for my customers.
I also make sure I get face time with them.
Learning the work-flow of a company is very important when it comes to administering their network.
If the company you are hiring doesn't schedule regular visits then I wouldn't trust them to work in your best interests.
I'll add this as well. Audit them periodically. Hire another company to check up on them.
My customers do this and I've received good feedback from the customer and the auditor.

If you can't trust your admins you're screwed... (5, Informative)

Narcocide (102829) | more than 5 years ago | (#29058447)

Seriously? You're thinking about this now AFTER they've put the whole network up with all remote access enabled?

What the hell makes you think they can't steal all your crap in person? Even if you assigned someone to watch every move they make it would be difficult for novices to even be able to recognize data theft happening as they watched if it happened through a command-line interface.

trust who you want to trust (1)

soutener (820034) | more than 5 years ago | (#29058451)

You are the business owner, it's your stuff. If your current admin can't do what you want, find someone who does. I'm an owner of a small IT firm and I like to do all remote admin, but I have a few customers I do in person, I charge more (40% more) but they insist that that's what they want and I do it for them....at a price.

You could split the difference... (1)

BobMcD (601576) | more than 5 years ago | (#29058453)

Hold them accountable. Track everything they do, and audit that it was in fact necessary and honest. Get a contract that holds them liable for damage they cause.

Outside of these terms, I'd suggest that you are absolutely right. The IT company that I cut my teeth under would have had no oversight of this kind of access whatsoever. Their employees would have been accessing your files from home, for kicks, in-between rounds of Unreal Tournament.

On a side note, aren't you legally obligated to monitor this access anyway? GLB, HIPAA, something of the sort? If you're in the 10% of the IT world that isn't covered by something like this, great. Otherwise, maybe you should call a lawyer...

Re:You could split the difference... (1)

Jim Hall (2985) | more than 5 years ago | (#29058575)

Hold them accountable. Track everything they do, and audit that it was in fact necessary and honest.

I'm an IT Manager, and it scares me to think anyone would set up an arrangement like this and not have auditing in place, with reporting going to the customer (i.e. this guy.) I would assume as part of the initial contract, there were requirements in place that specified audits and reporting and transparency. You don't want to know everything they are doing in detail but you need to have enough information about what work is getting done, and the status, so that you can report to the CEO. That means auditing, that means project tracking. And you need to review those audit reports. Or at least, I would do that.

Re:You could split the difference... (4, Insightful)

Anonymous Coward | more than 5 years ago | (#29058735)

Yup, you're a "manager", that's for sure. The post was about data access trust, not whether they're doing the job. Do you think an audit report is going to say sniffed network, copied browser caches, installed key loggers?

Outsource to a legal firm... (1)

swanzilla (1458281) | more than 5 years ago | (#29058463)

First step. Get a good lawyer (who understands tech) and a good accountant. Protect yourself and your property; you and your employees can focus on what you do best.

You're correct to be paranoid (0)

.Bruce Perens (150539) | more than 5 years ago | (#29058471)

You're correct to be paranoid, but that's just the shitty state of the industry that consumers of the service have allowed it to degrade into. They have a specialty service and you either play by their crappy rules, or you do it yourself. Kind of like doctors, but without a Hippocratic oath. You could maybe set up some other terms, but then you'll have to pay for it with blood. It sucks, but what are the alternatives? We should demand better, yet we keep allowing this blind faith security hole to continue.

WTF? Don't trust me, don't hire me. Simple. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29058479)

As a guy who's worked in-house and as a contractor I'll say that you can give me full access to the system so I can charge you a reasonable fee or you can lock me out and breathe down my neck while I'm trying to work. At which point I'll hand you a BIG honkin' bill for the hassle.

BTW, if you're standing right behind me watching, you still won't know when I'm stealing your data. Not that I would, cause I don't care a bit about your stuff.

I just want to do a good job for you. Make it easy for me to do that and I'll go easy on you. Be a paranoid, obstructive so-and-so and I'll still do a good job, but I'll stick it to you on the bill when I'm done.

Relative Risk (1)

Lev13than (581686) | more than 5 years ago | (#29058485)

And this is different from hiring an employee to keep your IT support in-house? If anything, an external provider is less likely to be a nutcase [news.idg.no] or otherwise disgruntled enough to take punitive action against you. What about your cleaning staff? Your office security firm? Your hookers?

Security is important, but there can be a tendency for entrepreneurs and startups to over-vector. Pick a respectable vendor. Trust them, and keep an eye on their work.

Re:Relative Risk (1)

betterunixthanunix (980855) | more than 5 years ago | (#29058613)

However, remote access is a security liability in and of itself. When you allow someone to access your critical systems from a system that you do not control, you become unable to enforce data security policies; if the remote user wants to break the rules and print out some secure documents (thus making it impossible to keep track of who is viewing the data), he can do it from his system, and all of the rules you set up on your system become worthless. For on-site staff, you can set up auditing, you can record their every move, and you can thwart attempts to leak data, but once you allow off-site access with devices that you have no control over, that all becomes impossible. I doubt that that is the case with the person who is asking this question, but in general, yes, a remote admin is more of a liability than a local admin.

Rethink Earlier Choice of Outsourcing (4, Insightful)

IgnacioB (687913) | more than 5 years ago | (#29058493)

If you think watching over the shoulder of a person that you aren't sure you trust will make a difference...it probably won't. If they're bent on stealing stuff they just put in a back door in the 4 seconds you're not watching them like a hawk and probably wouldn't catch anyway. You should probably go back and decide how much of a risk it is to outsource the admin gig to begin with. If your files are that valuable maybe your business model should afford somebody you can trust and see on the payroll with stock options. Perhaps you need two admins. One the outsource company that obviously would have technical abilities you don't have, but maybe another one that you do trust that at least has minimal abilities to at least monitor for anything unusual?

Who do you trust? (3, Insightful)

Spazmania (174582) | more than 5 years ago | (#29058499)

Do you trust your bank with your money? Even though they don't keep it at your business and you can't stand behind them and watch what they do with it? Your fortune is at stake. Why do you trust them?

Do you trust your grocer to give you clean, fresh meats? Even though you can't go in the back, see how they're stored and watch them being cut? Your health is at stake. Why do you trust them?

Do you trust your pharmacy to give you the correct medication? Even though you dropped the prescription off, will pick it up later and don't know the look of one pill from another? Your life is at stake. Why do you trust them?

I trust I've answered your question.

Encrypt if you're paranoid (1)

grahamsaa (1287732) | more than 5 years ago | (#29058503)

If you're really that paranoid why not store all of your super secret data on an encrypted volume and only mount it when you're using it. . .

Of course, if your network admin really wanted to he could probably sniff your password off the network or install a keystroke logger, but 99.99% of network admins out there wouldn't even attempt to do that. Not only is it unethical, but you probably don't have any data they really want anyway. It would probably just be a huge waste of time.

Should be in the contract (1)

bcong (1125705) | more than 5 years ago | (#29058505)

This is why there are confidentiality agreements, data protection and security procedures defined in the contract with large fines if they are not followed.

What does your legal agreement with this firm say? (1)

harmonise (1484057) | more than 5 years ago | (#29058515)

What does your legal agreement with this firm say?

Why would you trust anybody? (1)

Evro (18923) | more than 5 years ago | (#29058517)

If you're concerned with trust, why would you outsource in the first place? Why wouldn't you just hire someone in-house who you can interview in person and run a background check on? Sure it costs more, but at least you have control. If the company you've hired hires someone new, that's yet another person looking at your stuff.

As for having them come on-site, what good is that? An 8 gig USB Flash drive is like $10 now, and that could probably hold your entire SVN repository and all your .doc/.xls/.ppt documents.

Right out from under your nose. (4, Funny)

consumer_whore (652448) | more than 5 years ago | (#29058521)

They're stealing your IP while you're goofing off on slashdot.

Security Is About Trust (1)

gers0667 (459800) | more than 5 years ago | (#29058523)

If you are that afraid of them doing something wrong, it better be in the contract you sign with them with all of the penalties plainly laid out.

I would much rather have the IT Admin in house, but then again, I'm an IT Admin. We have to sit in a weird spot in the company. We have to learn all of the dirty secrets. If someone is divulging secrets, we are the ones that have to pull up their email records and browser history.

I take that responsibility very seriously. You have to find someone that takes it seriously, too.

Re:Security Is About Trust (0)

Anonymous Coward | more than 5 years ago | (#29058727)

Trust is a weakness.

It's really simple. (1)

wcrowe (94389) | more than 5 years ago | (#29058533)

Look, it's really simple: If they give you the creeps, don't hire them. Go with someone who is not insistent on administering your network remotely, or who you are otherwise comfortable working with.

Inhouse Servicing for Outsource Pricing? (4, Insightful)

Reapman (740286) | more than 5 years ago | (#29058547)

You seem to be conflicted. You don't want to have inhouse IT, but you want them there and available anytime you need them onsite. I think you first need to determine which is important: reduced costs of outsourcing (and all the issues that go with it) or the improved service of inhouse (and all the issues that go with that).

Even if they're onsite, are you going to have someone paid to stand over their shoulder and watch? If so, pay that person to do the damn work for ya.

To be honest, you're probably safer with an outsourcing company since no sane company would risk their reputation by stealing your "zomg important" secrets.

Why should you trust them? (1)

PieSquared (867490) | more than 5 years ago | (#29058551)

Once upon a time there was a kid in charge of watching a flock to protect it from wolves. He got bored and cried 'wolf'. Everyone came running, but there was no wolf and the kid laughed at the gullible townspeople. He did this three times. Then one day there really was a wolf. He cried 'wolf' again, but this time nobody responded. Half a dozen sheep - and the boy - were killed.

What's the moral of the story (the real moral, not the 'story for kids' moral)? Don't put someone in charge of your stuff if you don't trust them. Seriously, you should trust them because if you don't they can't do their job properly. Or at *best* the actual people doing it won't like you and may go out of their way to screw you within their contract.

Wrong question (1)

georgewilliamherbert (211790) | more than 5 years ago | (#29058571)

Remote access is secure - SSH, RDP, decent VPNs are fine for remote administration.

If you don't trust the admin if you don't have them in your direct line of sight, why would you trust them if you're out of the room temporarily?

If you don't trust them when you're not looking over their shoulders, why do you trust them at all?

Either you trust them - and where they are sitting is irrelevant to that question - or you don't. If you don't trust them, fire them and get someone else you trust. If you don't trust them but think watching them in person makes it better, you're misjudging the situation and asking the wrong question.

Trust or no? If no, replace.

You shouldn't... (3, Insightful)

alexborges (313924) | more than 5 years ago | (#29058585)

Nobody should trust their BOFH.

Sadly, it just happens to be the case that we can't live without them, but trustable as a group, they are not.

Trust people, not jobs.

Would it help anyway? (0)

Anonymous Coward | more than 5 years ago | (#29058589)

Look--if you have to outsource to somebody for whatever reason--what makes you think you're even competent enough to catch them doing something malicious right in front of you?

I'm not trying to suggest you're a poor manager--but the whole point of outsourcing is to save resources--be they time, money, or space--and hopefully all of them. These guys should be faster than you, and will hopefully be using tools and utilities you're not familiar with. How will you know whether the CD they throw into the drive contains a trojan, or the latest set of patches for sharepoint coupled with windows scripting?

If you don't trust them--don't hire them. Otherwise--turn on system/account auditing if you must, but stay out of their way--looming behind their shoulder is likely to get you worse service anyway, as they may feel rushed. Even if they did have the motivation to steal your customers--most people only know enough security to keep honest people honest--a dishonest person will find a way to the data even with an armed guard over their shoulder.

Contractual obligations (3, Informative)

dave562 (969951) | more than 5 years ago | (#29058591)

If you are so worried about it then have them sign a contract that stipulates they won't do what you're worried about them doing. I've done consulting for the SMB market. We did the majority of our support remotely. We were constantly busy taking care of clients and didn't have the time or the inclination to try to steal from our clients. Look at it this way, if your consultant leaks your super duper secrets to your competitor, and you go out of business, where does that leave them?

Trust but verify (1)

Yakisoba_noodle (1617819) | more than 5 years ago | (#29058617)

You are outsourcing a mission critical part of your firm. Take it seriously, interview the folks you are using, and treat them like adults. Develop a set of requirements that you and your board are happy with, and get it down on paper, and in the minutes of your board meeting. Then hire someone to do your network, using your criteria, and documenting why they fit and where they do not. Trust is essential in business, I think, but should also be followed by a good contract, yes?

run it in-house (0)

Anonymous Coward | more than 5 years ago | (#29058623)

It's that simple. You can have them "telecommute" part of the time, maybe even most of the time, but if they work for you then you can trust them as much as you can trust any other employee.

They could do it while you watch. (0)

Anonymous Coward | more than 5 years ago | (#29058631)

A sufficiently advanced IT outfit could steal your data while you watched them administer your servers. They just wouldn't do it manually, using the UI; they'd write one or more applications that could do it all silently as soon as they plug in the USB drive.

And if you think you can watch them and prevent them from connecting a USB thumb drive, remember that a USB mouse is far larger than a USB thumb drive, which means logically it could contain one inside it. Remember also that USB is designed to support hot-swapping and that there are only two wires in USB that would truly have to be switched to make a hacked mouse change between USB-drive and mouse operation. (The truly cunning would, of course, secret an entire USB hub inside the mouse, solving the problem even more elegantly.)

Re:They could do it while you watch. (1)

Narcocide (102829) | more than 5 years ago | (#29058843)

Oooh good idea.

Don't Outsource (1)

4pins (858270) | more than 5 years ago | (#29058635)

You mentioned source code, so you have the skills to hire and manage technical people. Please leverage those talents and hire someone. Outsourced IT works best as a supplement for when your employee doesn't have a particular skill or the project is too big for one person.

Screw it. (1)

Snarkalicious (1589343) | more than 5 years ago | (#29058637)

Just have google put in a bid now and save yourself the hassle.

Worth their salt... (0)

Anonymous Coward | more than 5 years ago | (#29058671)

Because any Network/System Administrator worth their salt doesn't have time to go snooping around your fucking data. They're on the front line against those whose active goal is to own your box, and possibly steal your so called, 'data'.

Should you fear the Network Admin? Sure. Fear that they get tired of the measly salary you're paying them, the stupid questions that users ask, and the incompetent Manager that breathes down their necks wondering why they're tracking bugs on software forums, IRC channels, and Technology news sites.

Yes. You should fear your Network Admin. Fear that they'll find something better, and leave that position up to someone less competent.

Curious (3, Insightful)

Dunbal (464142) | more than 5 years ago | (#29058685)

And you come to slashdot to ask that question?

Start by hiring someone with real business talent to run it for you because you sound like your own worst enemy.

IF YOU CAN'T TRUST THE PEOPLE YOU HIRED THEN WHY DID YOU HIRE THEM?

Have you ever considered... (4, Insightful)

pak9rabid (1011935) | more than 5 years ago | (#29058701)

...just hiring a real network administrator? Honestly, it's an employer's market right now. There are lots of people who have been recently laid off who would kill for a job right now...probably even for a below-average salary.

If you give them the job, you have to trust them. (1)

CopaceticOpus (965603) | more than 5 years ago | (#29058713)

If they know that much more about your network than you do, they could easily install a back door to give themselves remote access, even while you are watching them.

Would you be able to see over their shoulder? (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29058715)

It is certainly harder to trust an offsite guy, for monkey reasons (can't see the look on their face, body language, that sort of thing) if nothing else; but I'd be curious to know if you have any reasonable grounds to believe that you could detect malfeasance in person.

An attacker, even a modestly skilled one, given the level of access an admin would need, could do all sorts of terribly serious things in the blink of an eye, whether or not you are watching him. When I'm wearing the admin hat, I routinely run executables on numerous client PCs, manipulate server settings, write and run scripts that gather all sorts of data, make backups, and so forth. Are you really going to be able to see the difference between me tarring the contents of your OMG_Sourcecode directory for backup and me tarring for backup && sneaking a second copy somewhere? And, if you are that good, why are you hiring me to sit there while you watch me, when you could just do it yourself?

If you are paranoid enough, you can use some sort of intrusion detection/exfiltration detection setup, with shell logging, and firewalls, and disabling usb mass storage devices, and uniquely barcoded hard drives, and cavity searches, and so forth; but somebody you trust will have to build that as well.

Obviously, going to Shady Bob & Pradep's House 'o Discount Outsourcing is a bad plan; but so is hiring Shady Bob to work onsite. I'm less sure, though, that there is a significant security difference between offsite and onsite people of otherwise similar levels of cheapness and shadiness.
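The shell-logging idea from the comment above, as an added example that is not part of the original post: a small Python check over shell-audit lines that follows an archive of a watched directory through renames and flags any copy that ends up outside the approved backup location. The log format, the `/srv`, `/mnt/backup` and `/tmp` paths, the user names and the addresses are assumptions constructed for illustration.

```python
import posixpath
import shlex
from dataclasses import dataclass

# Assumed policy for this example; only the OMG_Sourcecode name is from the thread.
SENSITIVE_DIRS = ("/srv/OMG_Sourcecode",)   # data worth watching
APPROVED_DESTS = ("/mnt/backup",)           # where backups are allowed to land
STAGING_DIRS = ("/tmp",)                    # scratch space: allowed, but tracked
COPY_TOOLS = {"cp", "mv", "scp", "rsync"}

# Constructed shell-audit sample: "<timestamp> <user> <command line>"
SAMPLE_LOG = """\
2009-08-13T10:02:11 admin1 tar czf /tmp/src.tgz /srv/OMG_Sourcecode && cp /tmp/src.tgz /mnt/backup/src.tgz
2009-08-13T10:03:05 admin1 mv /tmp/src.tgz /tmp/.cache/fonts.tgz
2009-08-13T10:03:09 admin1 scp /tmp/.cache/fonts.tgz user@203.0.113.7:/incoming/
2009-08-13T10:05:02 admin2 tar czf /tmp/logs.tgz /var/log
2009-08-13T10:05:30 admin2 scp /tmp/logs.tgz vendor@198.51.100.9:/incoming/
2009-08-13T10:06:00 admin2 cp -r /srv/OMG_Sourcecode/lib /media/usb0/lib
"""

@dataclass
class Finding:
    timestamp: str
    user: str
    command: str
    reason: str

def split_commands(cmdline):
    """Split one logged line into simple commands at &&, ||, ; | and &."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True   # keep user@host:/path as one token
    lex.commenters = ""
    commands, current = [], []
    for tok in lex:
        if tok and all(ch in ";|&" for ch in tok):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def under(path, roots):
    """True if path equals, or lies below, any of the root paths."""
    path = posixpath.normpath(path)
    return any(path == r or path.startswith(r + "/")
               for r in map(posixpath.normpath, roots))

def data_flow(argv):
    """Return (sources, destination) for commands that move data, else None."""
    tool, args = posixpath.basename(argv[0]), argv[1:]
    # Only the bundled-flag form "tar c..f ARCHIVE SOURCES..." is handled here.
    if tool == "tar" and len(args) >= 3 and "c" in args[0] and "f" in args[0]:
        return args[2:], args[1]
    if tool in COPY_TOOLS:
        paths = [a for a in args if not a.startswith("-")]
        if len(paths) >= 2:
            return paths[:-1], paths[-1]
    return None

def scan(log_text):
    """Flag sensitive data (or copies of it) written outside approved paths."""
    tainted, findings = set(), []   # tainted: staged copies of sensitive data
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        ts, user, cmdline = parts
        try:
            commands = split_commands(cmdline)
        except ValueError:          # e.g. unbalanced quotes
            findings.append(Finding(ts, user, cmdline, "unparseable, review manually"))
            continue
        for argv in commands:
            flow = data_flow(argv)
            if flow is None:
                continue
            sources, dest = flow
            if not any(under(s, SENSITIVE_DIRS) or under(s, tainted) for s in sources):
                continue
            if under(dest, APPROVED_DESTS):
                continue
            if under(dest, STAGING_DIRS):
                tainted.add(dest)   # over-approximates if dest is a directory
                continue
            findings.append(Finding(ts, user, " ".join(argv),
                                    f"sensitive data written to unapproved destination {dest}"))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}: {f.command} -> {f.reason}")
```

A check like this is only as good as the log it reads: it has to be fed from a log the monitored admin cannot edit, which is the "somebody you trust will have to build that as well" problem from the comment.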

You should trust him . . . (1)

PolygamousRanchKid (1290638) | more than 5 years ago | (#29058723)

. . . as far as you can throw him . . .

. . . this ancient bit of pseudo-Zen probably makes more or less sense as any other answer to that question . . .

to trust or not to trust (1)

Ingcuervo (1349561) | more than 5 years ago | (#29058725)

I would start in a different order: not contract with someone and then see if I trust them, but first find somebody you can trust (partner companies can give you hints on good ones). The point is that even if the one in charge is being observed by an army of people (which will become more expensive than anything else), there is no warranty that they can avoid data stealing if one member is really trying to. So, contract some big firm, make the contract cover data leakages, and please relax a little. Maybe your information is worth the trouble of stealing, but first there has to be someone wanting to get it; there is a very low probability that your information gets stolen and then it hurts you. BTW, I'm an IT manager for a region with several countries, and we have outsourcers in many countries; just occasionally go and see what they are doing. A small control should be fine if you hire big ones.

do you trust your cleaners? (2, Funny)

cluemore (1617825) | more than 5 years ago | (#29058733)

the cleaners have physical access to your everything. what contract did you sign with them? you know, to minimize your risk, you should outsource your IT to the cleaners. they already have physical access to everything, so it's not much of an extra step to let them maintain your systems too. they're even in the office on a daily basis. if you have any IT issues, just leave them a note!

Are you really outsourcing your Admin? (1)

medv4380 (1604309) | more than 5 years ago | (#29058737)

It depends on the level of secrecy you need for your data. If you have very valuable IP like a blueprint for an Anti Matter reactor then it would probably be best to hire an IT Admin that works for you. That way you can do a security and background check and make sure they're up to code. They'll probably still put in some Remote administration stuff but that's normal. If you're protecting a calendar for a lawyer then outsourcing the IT would be a pretty good bet to save some money since it would be expensive to hire 1 admin for 2 computers. It really depends on what you're doing and what you're protecting.

What you win? (1)

gmuslera (3436) | more than 5 years ago | (#29058757)

Forcing them to do the administration locally doesn't fix the security/trust concern. If that server has internet access, they could set up the remote administration themselves or at least (paranoid hypothesis) the information stealing, or even take whatever they want with a USB key or things like that. It also will not exactly add sympathy for you, and will make emergency fixes slower.

Of course, when you are going remote you just don't trust in a person or company, but in its security practices too.

Do you want a professional or a peon? (2, Insightful)

onyxruby (118189) | more than 5 years ago | (#29058775)

You really need to ask yourself if you want a professional or a peon? You write your question as if you want someone you can piss on, that tells me you want a peon. Heck, you'll save money on the peon, you can get one from any local technical college, they might even know what they're doing.

If you want a professional and don't want to pay for one, you're outsourcing some part time work. You get a portion of a professional's time, that makes you a part time customer, a small fry for the outsourcing company. They are essentially offering a courtesy to you at all to work on your network in the off chance your company grows as this will leave them in a good position.

The bottom line is that professionals that live in your country need to be trusted, they have too much to lose. Most professionals will undergo a background check once every one to two years. No professional is going to destroy their livelihood by leaking something like your customer list. No professional is going to risk going to prison or getting sued for crossing the line as long as they live in the same country as you. They will lose their ability for references. Outsource to India and the like and all bets are off, there's no reputation to maintain.

Really, the question is why would your customers trust your company, and is a professional service really any different?

The biggest problem is that the vendors you are talking to are being honest and setting your expectations and you don't like what you're hearing. You're about to discover how every extra service has an additional charge and you'll quickly bury yourself in extra fees in the event your company does grow. If you want to position yourself for growth and don't want to be sunk under a slew of fees you should hire a professional in house and then trust them to do their job.

Why trust the outsourcer? (1)

hemp (36945) | more than 5 years ago | (#29058781)

The same reasons clients will be trusting your start-up company.

it's an old paradox (1)

circletimessquare (444983) | more than 5 years ago | (#29058793)

you hire a locksmith to make sure your security is top notch, but now there's a guy out there, a locksmith, who can enter your business anytime he wants

if you want to trust professionals to do a job for you that involves the security of your business, you need to actually trust them. based on what evidence? no evidence is possible. you need to take a tiny leap of faith, and rely upon the usual indicators of trust in such a business situation: reputation, track record, time in business, contacting other customers, etc.

in business there are plenty of times you need to take a leap of faith and make a judgment of trustability and character and integrity. this ranges in all aspects of business: distributors, employees, accountants, managers, etc.

absolutely nothing in this world insulates you from the risk of being screwed by someone in your employ/ in a business relationship with you unless you do it yourself. so get out your bullshit meter, set the guy down on the other end of a table, and start measuring. and if you are spooked in any way, don't hire him or cancel the contract or fire him. you don't get any other guarantees in business beyond that

if this is not enough security for you, well then maybe the business world isn't suitable for your comfort zone and you should pursue a job where someone else worries about these kind of things

all i could think after reading your question is that life as a businessman does not suit your character

Would you know trouble if you saw it? (2, Insightful)

wowbagger (69688) | more than 5 years ago | (#29058795)

You say "Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"

Given that you aren't administering your own network, I'd guess that you don't have the skills to do so. Would you know trouble if you saw it?

Would you know enough to see them setting up a remote service that they could get back into? Would you know enough to catch them copying sensitive files from wherever they live to some staging directory, then later copying that directory off to a flash drive, or to some external server? Would you be able to catch them downloading a root kit and installing it?

In short, given that you don't have the experience to admin your own gear, do you REALLY think "standing behind them and watching them" is going to do anything but waste your time?

And IF you have the skills to admin your own machine, but want to outsource that due to some idea of "I have better things to do than this" - you have the time to stand behind them and watch them do the work, does that not imply you have the time to do the work?

Like others have said: If you are concerned, make them put up a bond.

I handle mine like Blackbeard (1, Funny)

Anonymous Coward | more than 5 years ago | (#29058857)

You see, I hire an admin to do a job, and then, I kill him and place his body in the server cabinet. With all that heat and dry air circulating, it mummifies the dead ex-admin. Now, as an additional profit source, I sell the mummified bodies to mummy collectors. I have an artist who's into Ancient Egypt and ancient Peruvian art so I can pass off these mummies as the real thing. I'm currently working with a chemist to fake bog mummies, but that's off-topic. The downside? When a job applicant asks what happened to the previous guy, it's awkward, but I just say the old guy moved on to another life. The applicant usually nods in understanding - I think he's thinking that the old admin moved on to management or medicine or something.

There you go! I'm thinking of writing one of those management books that sell millions of copies - you know, the ones that your boss walks in every other week with the management idea du jour. Mine will be called - Pirate Management: How to succeed in a cut throat business environment as taught by Blackbeard.

Anyway, that's how I have an ultra trustworthy admin staff. Now, what to do with all those cops poking around.

From the Admin side (2, Informative)

jht (5006) | more than 5 years ago | (#29058871)

I own a company that does outsourced IT support. Were it us, I wouldn't insist on being able to do remote support - but you'd pay so much for on-demand on-site support you'd be better off hiring someone in-house to do the job instead. The reality is that (were it us) we'd be coming in to your office periodically (depending on your size, from maybe once a month to as much as a couple of times a week). And most of the routine requests you will make we'd take care of by logging in remotely to deal with them for you. In most cases, we can log in and handle it a lot faster than we can free up enough time in someone's day to get them over to your office.

That's the reality of outsourced IT. You can get very good coverage that way, and any good company will give you face time with whomever is handling your account. I've got a lot of clients that trust my employees (and me) with their keys, passwords, and all the lot. I've got professional liability insurance, and a reputation that's even more important to me. If we were the company doing your support, I'd gladly sign an appropriate document guaranteeing we'd keep your data private.

I'm not pimping for my company (you're probably nowhere near where I work - else I would likely have been contacted as one of the firms bidding) but most companies like mine work that way. That's how we can do good work and still be affordable. But the reality a lot of these posters have pointed out stands: if you can't trust an IT company to handle things for you, then hire an admin in-house.

Go with your comfort level. (1)

ChrisKnight (16039) | more than 5 years ago | (#29058875)

As a sysadmin-for-hire who works for an IT outsourcing company, my suggestion is to make them work within your comfort level. My company will work on-site, or remotely, at the client's discretion; and I believe we offer a discounted rate if we are able to work remotely.

You are the customer. If they won't write up a contract that meets your requirements they are not the right company for you.

-Chris

Computer repair people (2, Insightful)

dixonpete (1267776) | more than 5 years ago | (#29058887)

A few weeks ago I read an investigative report on repair shops in Britain. Aside from overcharging and finding nonexistent problems they looked at and copied information off the computers that were being serviced. Have reason to trust anyone that you give that kind of access to. Then trust, with as much verification as is economical and doesn't unduly make the service provider think that you don't trust them, since unwarranted distrust chips away at the relationship.

Try Server Monitoring (1)

crosstecdoug (1617823) | more than 5 years ago | (#29058919)

No, that's a good question. To save money and maybe even take advantage of more knowledge and experience - you may need to outsource such activities and for THEM to save money, which saves you money, they want to remote access into your system. Others may want to outsource their servers to a farm (like a web or email server). This could open up the server to the remote vendor's admins. You may not know them and the vendor may not even know them if they're new. You can never be too careful - we've all worked with newbies who have crashed us. Spectorsoft (I use their employee monitoring software for investigations but others may know them for their kid monitoring software) has JUST released a new server monitoring software (might be called Spector Server at spectorserver.com). From what I read it records only when an admin logs in and then records everything each one does including screen snap shots (which, along with their keylogger, is the best that can be found). I am looking at it to monitor my Citrix Server but I can see where it might give you peace of mind with vendors, etc.

My $.02... (1)

steppin_razor_LA (236684) | more than 5 years ago | (#29058947)

I've had this same conversation with Sr. Management at companies I've consulted with and companies where I've managed the IT staff. Watching over someone's shoulder is a "fail" strategy. I'm not going to get into the details of why, but consider that my executive summary. Let's move on. From a trust perspective a third party isn't necessarily more or less trustworthy than your own staff. A bitter employee is (in my opinion) more likely to do something awful to you than a consultant for hire. I suggest that you consider encrypting your most sensitive documents. This can protect your key intellectual property from your network admins while still providing them the access they need to do their job (namely allowing you to keep accessing those documents reliably). This approach works fine for basic documents but doesn't lend itself well to source code unfortunately.

I think... (1)

SlashDev (627697) | more than 5 years ago | (#29058979)

.. the real problem is whether you can trust the network where that remote administrator is located. Do they have a clean network? Trojans? Sniffers? Etc.. You should really audit their network before giving them permission on yours.