Monitoring without customer knowledge

By gbdickinson
This is one of those "what do you think?" questions.

I work for a company that has the contract to maintain the network for a large local school system, which I manage. Part of this contract is to run a 24x7 Network Operations Center, where they log server outages and follow up on problem resolutions. To do this, they have several tools (OpenView, IP Sentry, etc.) that watch the network, and all of this data is available to the customer.

I've recently noticed that there is a server running in our NOC that is running a piece of switch management software to watch all the switches on the network. When I asked my on-site supervisor, his response (paraphrased) was "Yeah, they've been running that for a month or so to watch the network. Don't tell the customer."

I'm a bit conflicted. Yes, the purpose of the NOC is to watch the network, but IMO the data that comes off the customer network should be available to the customer, or at the very least they should *know* that it's being gathered.

What do you think?


Depends but it should be okay

by stress junkie In reply to Monitoring without custom ...

The real answer is that it depends on the exact details of the service agreement.

In practice it seems to me that the customer is paying for a service and your employer is providing that service. This particular monitor is used to help provide that service. No problem as far as I can see.


It depends

by JamesRL In reply to Monitoring without custom ...

I take it this server is not caching all the network traffic. Rather, it sounds like it is reading information about uptime, spikes in activity, etc. No customer "data" is involved, more or less a log of what's happening on the switch.

If that's the case then it depends on the contract. If the contract is to manage the network on their behalf, then there isn't anything wrong with collecting the information.

But there are some ethical qualms about not sharing the information freely and openly with the customer. Why wouldn't they want the customer to know how well or poorly the network operates? If they are being paid under a service level agreement and the data from the switch indicates they aren't meeting their service levels, then this is a bad place to be in. It's dishonest.


Ay, that's the rub

by gbdickinson In reply to It depends

That's the position I find myself in. If we're monitoring the data, and the network performs well from a hardware infrastructure standpoint, why wouldn't they want the customer to know? The whole statement of "Don't tell the customer" has me a little skittish.


scope of the contract

by TjD In reply to Ay, that's the rub

Is the monitoring within the scope of the contract? Are there some legal issues with monitoring hardware/services not specifically noted in the contract? Is the particular piece of software "iffy", or maybe it's been installed on a customer machine without proper permission/documentation beforehand?

I would say there are two options: remove the switch monitoring, or tell the customer (of course explaining why it's a great thing and benefits them greatly, and maybe begging forgiveness for not telling them earlier).

Good luck,


Customer Data

by BFilmFan In reply to Monitoring without custom ...

The customer might take a very dim view of their network being sniffed without their knowledge, even if they pay you to do it.


Ethical Aspects of Network Security Management

by chandresh In reply to Monitoring without custom ...

I read a very good article about the ethical aspects of being the sysadmin. I agree with what was mentioned in the article. If we are concerned with information security, and in turn network security, then we will have to monitor the customer's network and user activities.
But the customer has to be aware of the fact, and we should have a strong reason for monitoring the user activities or customer network. Sell the benefits of such monitoring to the customer rather than hiding it from him.
And yes, the NOC engineers should sign an NDA (Non-Disclosure Agreement) with the NOC owner. The customer in turn should insist on the NDA, as well as a promise of not misusing the details gathered in the process of monitoring.
I guess in one way or another engineers will be exposed to the confidential data anyway, so an NDA should always be in place with the engineers.
I hope this information was useful.


Oh dear....mushrooms at work

by IanR41 In reply to Monitoring without custom ...

I think your supervisor is a first class idiot. The customer has a perfect right to know what is going on. And also, the controls that have been put in place to safeguard the company data. (Presuming there are controls in place).

I would frame a note to the customer as follows:

"Due to the requirement to ensure optimum performance of network switches, monitoring of those switches is taking place. This does permit the exposure of company data to the monitoring team. However, they are subject to confidentiality agreements not to disclose your company's data to any person, and not to monitor the switches (or data) except for the purpose of assuring the performance is within the agreed service levels."
(Or something to that effect.) AND I would get the customer to sign their agreement to this.

Have a great day from down-under.


The customer needs to be made aware

by mareshg In reply to Monitoring without custom ...

First, the customer needs to be aware of what is going on! If the customer finds out on their own then you could lose a contract, or worse, find yourself in a lawsuit.

Second, the customer should have access to all of the data acquired, because he is paying for it through your services, even if they don't care what it is. It also shows that you aren't hiding anything. If your manager is hiding something, then maybe he is hiding something more about the system, possibly a sniffer.

The other thing that I would be concerned about is that IT security has not found the system already, but then, as with most organizations, security is not an issue until an attack or loss of data.
