Thursday, January 10, 2008

Open Doors!

Vendor: Really, you should install our latest remote console platform... it's win-win for you and us
Me: We can, but only to send alerts, we don't want remote control over our infrastructure
Vendor: In that case we aren't interested in installing it. You know it's a very secure console, with VPN, encryption, strong authentication, CERT compliant, you really don't have to worry about security
Me: (here we go again with remote monitoring)... we cannot allow external people to take control over our infrastructure and risk downtime, it's as simple as that
Vendor: Listen, last day we received an alarm for a drive failure at a customer site. I got connected to the box to assess the state of it. That allowed me to check the reconstruct was taking place correctly and I even corrected the alerting plus one or two wrongly set parameters. You see it's very useful for you, we can take proactive actions, isn't that great??!!
Me: (is this guy dumb or what, I wonder)... That is exactly what we cannot accept: we cannot allow a guy to connect to our boxes to make corrective actions... can you understand this? You might correct things, but you can potentially disrupt things. I tell you what we are going to do: if something breaks, you receive an alarm, you take your car and you come right away to fix the problem under our supervision; what do you think about that? Isn't that what our $1M contract says anyway?

Do you think we are a fast-food?

As a customer, what kind of remote monitoring solution would fit my IT governance?

1) One-way remote monitoring
A remote monitoring system that can only send reports and alarms to my vendor is acceptable. I must make sure that only authorized data is sent (non-confidential data is defined by the IT security group, in accordance with the IT Strategy & Principle policy).

2) Two-way remote monitoring
This fits if the vendor puts in place a mechanism whereby we authorize him to:
a) connect only to the faulty component
b) troubleshoot only the fault concerned
The system in place must also record every action taken, storing all the audit logs securely (write-once).
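
A minimal sketch of the two-way mechanism in item 2, added here as an illustration (it is not part of the original post or of any vendor's product): the customer issues a grant scoped to one component and one fault, and every attempt, allowed or denied, is appended to a hash-chained log. The `Grant`, `AuditLog` and `authorize` names, the expiry field and the sample values are assumptions; the hash chain only makes tampering detectable, so real write-once still needs WORM storage or a copy of the chain head kept off the box.

```python
import hashlib
import json
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Issued by the customer for one fault (hypothetical model)."""
    component: str   # the only component the vendor may connect to
    fault_id: str    # the only fault he may troubleshoot
    expires: float   # epoch seconds; the grant is useless afterwards

class AuditLog:
    """Append-only log; each entry's digest commits to all previous entries."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []          # list of (json_body, chained_digest)
        self._head = self.GENESIS

    def append(self, record: dict) -> None:
        body = json.dumps(record, sort_keys=True)
        self._head = hashlib.sha256((self._head + body).encode()).hexdigest()
        self.entries.append((body, self._head))

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        head = self.GENESIS
        for body, digest in self.entries:
            head = hashlib.sha256((head + body).encode()).hexdigest()
            if head != digest:
                return False
        return True

def authorize(grant, component, fault_id, action, log, now=None):
    """Allow the action only inside the grant's scope; log every attempt."""
    now = time.time() if now is None else now
    allowed = (component == grant.component
               and fault_id == grant.fault_id
               and now < grant.expires)
    log.append({"t": now, "component": component, "fault": fault_id,
                "action": action, "allowed": allowed})
    return allowed

if __name__ == "__main__":
    # Constructed sample values, loosely following the drive-failure story.
    log = AuditLog()
    grant = Grant("array-07", "FAULT-1", expires=time.time() + 3600)
    print(authorize(grant, "array-07", "FAULT-1", "check rebuild", log))
    print(authorize(grant, "array-07", "FAULT-2", "change alerting", log))
    print(log.verify())
```
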
