[Bus. Ops] Taking on an IT Support Tech
Things are looking well, business is good, lots of sales coming in every day, installers are working every day, and now I am looking at taking on a support tech to take over from me.
The right person will have total access to the network.
This I am terrified of, if anything happens our relationship and he/she leaves disgruntled, they could potentially take down the network.
I know lots of ye guys here have IT persons working for you. How do you overcome this problem?
That's a great question, and I'm sure you'll get a lot of answers. What I can tell you from experience is that the right guy (or gal) will completely eliminate those concerns.
The hard part is finding that person. I spent literally the last two years looking for a solid developer for my other company (software dev, health care arena) and it was painful. But two years later I found the right person.
I like to start off contracting people. Don't give them more keys to the kingdom than you feel comfortable with. Don't force them to be responsible - it's up to them to earn your trust, and that's what we're really talking about here.
The right person will show a willingness to take on more responsibility, and they will approach you with a problem solving attitude that shows you they're looking at the big picture. That's the one you take under your wing and forge a good relationship with. If the person you hire isn't doing that, they will likely become disinterested when you don't hand them the keys to the kingdom, and they'll leave on their own. Let them go.
Once you've got that right person, take a genuine interest in them. Look for ways to make them a better person. Do they have dreams and goals? Encourage them! Share what you've learned in business. Treat them like they matter. The right person will pay you back in spades for that.
Once you've got that right person, how you treat them is every bit as important to the success of the business relationship as the way you treat them.
Just my two cents. Good luck man!
Reply to Bigpaddy_Irl:
So in my experience, this is what I would do:
Authentication to each device is controlled via a central authentication server. In Cisco/Juniper land this would typically be TACACS. That way, there is a single (or perhaps two if using redundant servers) place where authentication can be controlled, meaning if you need to lock a user out, or change the password used to access your devices, you have minimal places to do it for maximal effect. TACACS can also log commands that are executed on the router, so you can review what has been going on.
Second, a central authentication server for logging in to PCs and servers in the office could also be employed. This could be the same server that is doing TACACS, and for *nix systems can be achieved with LDAP. This gives the same benefit, in that you have minimal places to change a password or disable an account to prevent access to office computers, servers etc.
And finally, access to office PCs/servers/etc, and other NOC based devices that allow further access in to the network should only be accessible via VPN from outside the office/NOC. Once again, authentication can be controlled centrally to prevent a user from logging in to the VPN to get access to your network.
And naturally, the use of ACLs to protect the management interfaces of your devices so that they are only accessible from office/NOC subnets will help to prevent someone from trying to brute force their way in from the outside, or perhaps stop them exploiting vulnerabilities that might exist. Particularly useful for devices that can't have their authentication centrally controlled - make them accessible only from somewhere that can.
And of course, if you do ever feel the need to let someone go on bad terms, with centrally controlled authentication you can disable their accounts before you give them any hint that you're about to boot them.
If they do manage to do something, backups would likely be key. You can also report them to the police, this kind of thing isn't usually taken lightly.
You should ideally have them shadow you for a couple of months, rather than trying to dump it all on them over a short period of time. Have them come up with configurations and ask them to solve problems so you can judge their competency. Only after you are confident that a) they won't break the network accidentally, and perhaps b) you don't feel like they are going to turn on you, then you could allow them unsupervised access.
Back up configurations of routers, switches, etc, and rotate backup media from the site between other locations they wouldn't have access to, like your house.
Authentication servers and backups may be something you need to keep hold of to ensure that they aren't interfered with, since they are your life lines.
I suppose other than that, it's all down to process. Have plans and procedures documented somewhere about how to retrieve backups, and reinstate them onto fresh devices if need be. In times of panic it's nice to have a pre-formed list of steps that doesn't exist only in your mind, where you might forget something. And in the case that you aren't around when things go wrong, you might need to rope in someone else who isn't familiar with it all, so they'll have something to work from.
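As an added illustration of the central-authentication and management-ACL setup described in the reply above (this is a constructed Cisco IOS fragment, not configuration from the thread; the TACACS+ server address 10.0.0.5, the NOC subnet 10.0.0.0/24, the `breakglass` account and the placeholder secrets are all assumptions):

```cisco
! Constructed example: AAA via a central TACACS+ server with a local fallback
! account, per-command accounting so actions are logged, and a VTY ACL that
! limits management access to the office/NOC subnet.
aaa new-model
!
! Assumed TACACS+ server; replace the address and shared secret for your site
tacacs server NOC-TACACS
 address ipv4 10.0.0.5
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ NOC-AAA
 server name NOC-TACACS
!
! Logins, exec sessions and privileged commands are checked against the
! TACACS+ server first; the local database is used only if it is unreachable
aaa authentication login default group NOC-AAA local
aaa authorization exec default group NOC-AAA local
aaa authorization commands 15 default group NOC-AAA local
!
! Every privilege-15 command is reported to the TACACS+ server for review
aaa accounting commands 15 default start-stop group NOC-AAA
!
! Local emergency account, used only when the TACACS+ server is down;
! keep its password off-site with the backups
username breakglass privilege 15 secret PLACEHOLDER-STRONG-PASSWORD
!
! Management access only from the office/NOC subnet; everything else is
! dropped and logged
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 login authentication default
```

Disabling the account on the TACACS+ server then cuts that person's access to every device using this configuration at once, which is the single-place-to-revoke property the reply describes.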