Is it Time to Fire the IT-Guy?
Anyone who has had even a simple medical condition like a broken leg will have been sent by their family doctor to a range of other professionals, such as radiologists, physiotherapists and pharmacists, as part of their treatment. It is taken for granted that each is a specialist in their own area. Similarly, your house is maintained by plumbers, electricians, gardeners and painters, each a specialist in their own trade.
However, a very large number of organisations, usually small to medium enterprises, have a role known as "the IT guy".
This person is expected to provide server administration, backups, network management, desktop support, system support, database management, disaster recovery and, of course, security. And that's just for starters. In some cases, it's a part-time role.
Larger organisations with a higher IT budget frequently have more people; however, it is usually only in very large organisations that security is a specialist role. More often than not, it is the duty of the System or Network Administrators, who may not have extensive training in the area. As a result, while information security management becomes more complex daily, it is often being managed by people who are barely, if at all, qualified to do so.
Put another way, while your plumber might know how to change a light fitting, would you let him?
Outsourcing has affected a number of industries, sometimes with mixed results. We all know the frustration of ringing a call centre and having it answered by a person completely unfamiliar with your needs. However, done well, outsourcing IT management can have significant benefits to both the quality of service and your company's bottom line.
At its simplest, companies hire outside contractors to assist them in managing IT infrastructure. These contractors have access to a network of colleagues and tools which an in-house person may not.
At the other end of the spectrum, companies may outsource all of their management to a provider who hosts their servers, with staff connected to 'a cloud' via a lightweight (thin) workstation. This provides a number of benefits on which I will be concentrating in this article.
I have long argued in these pages that businesses must pay attention to both physical and IT security, as ignoring either will result in an insecure organisation. (Pitch: our company is the first in Australia to well and truly combine both for end-to-end results.) There is little point having the world's most heavily protected building if hackers can steal assets via your network. Equally, a well-protected, hardened server is a waste of time if it can be carried out the door of your office.
Physical security also takes into account environmental protection of systems, which often includes Very Early Smoke Detection Alarms (VESDA), waterless gas-based suppression systems that won't harm computers if activated, high-volume air-conditioning, redundant power and backup power supplies. Not cheap, and well beyond the resources of most organisations. A number of larger 'Datacenters', however, lease space by the square metre to companies who wish to install a single server, or a rack full of them, and share this infrastructure (and its cost) with others. Each company has a cage for its equipment, which is locked and inaccessible to others (including the building owners). The buildings are usually protected by extremely robust security, well beyond that of most organisations, including 24-hour guards, airlocks, biometric access controls and even blast proofing.
No More Servers
Anyone who has used the Internet will appreciate that it is usually irrelevant whether a server is in the next room or in another country. So there is little disadvantage to hosting machines in other premises, except for the very rare occasion when you need to unplug something. You also have a higher degree of assurance that your systems aren't going to spontaneously combust (yes, it happens), have their data corrupted by power spikes, or be unavailable due to an extended power failure (hello Melbourne!).
To connect to your servers, now off-site, your organisation would require a suitably large network connection, say to the Internet or a private network. Usually a backup connection with another provider would also be provisioned for when the primary connection fails, as Australian links often do; for example, a primary link with Optus and a backup with Telstra. If configured properly, the experience for the end user (i.e. your staff) would be identical.
Staying abreast of IT Security threats requires daily reading, study, training and experimenting with technology. It's rare that IT staff can find time for this activity when they are busy holding systems together, or performing revenue-generating work.
Since servers can be hosted off-site, it is just as easy for them to be remotely administered. You no longer require "the IT Guy" to sit in your office (or your chair) to control your systems.
Rather than relying on skills-sharing or a single ineffective 'jack of all trades', you can now have access to a far greater number of professionals: a networking guru, a security genius, a database god, etc. (actual qualifications may vary), all of whom manage your service and protect your corporate information assets from evil.
Economies of scale mean that solution providers hosting systems for a number of organisations can implement enterprise-level security systems usually outside the reach of smaller organisations. These include highly resilient firewalls, intrusion detection and prevention systems, antivirus, encryption and backup technologies. These are also closely monitored, whereas most organisations would only check logs after something has happened. IT security is now so specialised that it is a full-time role, which often can't be justified. As a result, it is often ignored, or management are misled and advised 'everything is fine' when it may not be. Outsourcing gives you access to skills and talent often beyond an in-house resource.
Managed Services are often charged on a per-user basis. For example, $10 per month per user. Properly specified, the costs can be less per annum than hiring a single qualified IT practitioner in-house and result in a higher level of service. As your company changes in size, you can simply add more users, and let someone else worry about bandwidth, storage and system capacity. If you are using your solution provider's hardware, you can also save on leasing expenses and the frustrating and common challenge of how to get rid of hardware that is only a couple of years old, yet worthless.
An important issue is how to be confident that these organisations aren't themselves stealing your information. In many cases these fears are overblown. You are essentially taking the same risk in letting your own staff access systems, except that when your own employees misbehave, you usually can't sue for large damages. In contrast, organisations who perform this type of work and lose their reputation probably stand to lose far more than the worth of the stolen information itself, such as their entire business. Chances are that your data routinely travels over networks outside your control anyway.
If you are still nervous, consider that a number of sensitive government departments have their servers hosted by other, non-government organisations. There are also technical means to retain control within your organisation, including encryption and strong access controls. You just need to strike the right balance between what you plan to administer locally and what you farm out to others. At a minimum, auditing controls can be applied so that you can see what your service provider is doing. Accountability encourages responsibility.
Service Level Assurances
When you outsource systems, it is important to know that they are going to work when you need them. It is quite common for SLAs to be developed to the extent that if the systems don't work, harsh penalties apply to the provider, which they will go out of their way to avoid. In contrast, when your in-house IT staff break something, there's little you can do short of firing them, which usually won't solve the problem anyway. Third-party organisations can monitor your systems and advise whether your provider is meeting their Service Level Assurance.
As your systems are now effectively accessed over a network or the Internet, you can relocate your office very easily. This has significant benefits in case your primary site is inaccessible. If required, it also allows teleworking or remote offices to have equivalent access to corporate systems in a secure fashion.
The term Cloud Computing is used to refer to the "development and use of computer technology, whereby dynamically scalable virtualised resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them" [Wikipedia, 13 Feb 2009].
Virtualisation refers to a number of 'virtual' systems running on a single physical computing system. Whereas traditionally you would have one 'box' for email, another 'box' for your file server and so forth, now the multiple systems run on a single highly powerful 'box' and have its resources divided according to requirements. This keeps costs down and also means resources can be dynamically assigned. If your mail server is having a hard week, it can get some more processor time without needing to be totally replaced (or running crippled).
As with most systems, third-party audit is useful to ensure organisations are doing things properly; in the case of outsourced services, your organisation can mandate that the provider subject themselves to audit. Alternatively, you may choose to rely on various certifications such as ISO27001 (Information Security Management) or related IT standards.
Although many organisations effectively lock themselves into a particular platform (e.g. Microsoft or Lotus), at least they tend to 'own' those platforms. With outsourcing, make sure you aren't locked into something you may later regret. Obviously there will be a degree of difficulty in moving; however, this should be balanced against the ability to move if required.
Calamity.com.au is the first Australian security company to fully address both physical and IT security matters for true, end-to-end security, from guards and guns to firewalls and hackers. As well as assisting organisations with risk-assessment, review and development of security, Calamity has a well-proven record of inexpensive, yet highly effective, ways of increasing return on security investment, raising assurance and staff awareness.