Data Security and why trust matters when picking a Microsoft Cloud Partner
While there will always be a few brave souls who will take on new technologies all on their own, most people will seek out assistance when it comes to new things, especially when these things are business-critical. It reminds me of that saying “the doctor who operates on himself has a fool for a patient”. Since you found this post, I assume you are looking for help with your transition to Microsoft’s Cloud Solutions. You certainly took the right first step by searching for guidance on how to pick a partner.
In prepping for this post, I too did a similar search. I found a lot of self-serving advice, and to be fair, this will be self-serving advice as well. But, by the end of this post, I am going to expose you to a few things that no one else out there is willing to.
Anyone can spout anecdotal evidence of why you should pick them: number of employees, number of customers, etc. And while we can support that approach also, it is a stupid way to pick a partner. I have occasionally found myself on the receiving end of someone asking me some “qualifying” questions in an effort to compare Forceworks to some other partner(s). Invariably, I find they ask the wrong questions. It’s not that they are not asking me the questions I wish they would ask; it’s that they are not asking me the questions I would be asking if I were them.
For example, our knowledge and capability of any particular solution can be clarified with one question: “What Microsoft Competencies do you have?”. Microsoft has already done the work for you of testing and confirming that we know what we need to know for a particular thing, or they would not have issued us that competency (ours are listed in the left sidebar, BTW). If we do not have a competency for the primary skill you are looking for, you should probably look elsewhere. You don’t want someone learning on your dime. Before I leave competencies, let me add one more thing. Microsoft awards two levels of Competency: Silver and Gold. The difference between a Silver and Gold partner is the number of certified professionals and the total Microsoft revenue generated by the firm. While Gold Competency partners are typically larger than Silver Competency partners, the skills measured by the Competencies are the same; so bigger is not smarter, or better… it’s just bigger. If your company or need is big, maybe you need a big partner. So, tip number one: no two Microsoft Partners are the same; find a partner with competencies (Silver or Gold) that match your needs.
Tip number 2: Customer references are usually bullshit. The fact of the matter is that any company that has been around for any length of time can give you a few names of happy customers, even if the other 95% of their customers feel they are incompetent boobs. Unless someone is unable to give you the names of any satisfied customers (clearly that would not be a good sign), I would take provided references with a grain of salt. Most people who provide references do so knowing that this is most often a litmus test and that the odds are almost guaranteed that you will not contact any of them. I would at least pick one at random and call them. If someone gives you the name of a supposedly happy customer, and you actually call them and they say that they are not happy, that is also not a very good sign.
Tip number 3: If you are in a defined vertical industry, there could be an advantage to finding a partner who has worked in that vertical, if it matters for your need. We get calls from all kinds of customers in all kinds of businesses. A common question is whether we have any experience in their industry. If we do, that means two things for them: first, they do not have to pay us to learn their industry, and second, they benefit from the fact that someone else paid us to learn it earlier. However, I will also say that email is email for most businesses. In other words, depending on the problem you are solving for, vertical expertise may not be relevant at all. If you are launching Dynamics CRM Online, yes, it will matter; SharePoint Online, yes, probably there too. Email? Unless you have a compliance issue, probably not.
So there were three basic tips, fairly obvious, and most similar “partner picking” posts mention one or more of those, but now I want to expose the most important and also the most difficult to ascertain factor: Trustworthiness. Every day we hear about data breaches, NSA snooping, hackers, etc. While these make great headlines, the fact is that you are far more vulnerable to data loss from your own staff or consultants. I find it interesting that the concern persists among some customers that the cloud is not as secure as their own infrastructure. In some of our client discovery efforts, I have seen instances where an I.T. Manager, who probably feels underpaid and underappreciated, was the worst offender: setting themselves up as delegates on their coworkers’ or boss’s email accounts, backing up confidential information to remote devices in their homes, building back doors to wreak havoc should they ever be fired, etc. I find it amazing how ignorant leadership often is of the I.T. Swiss cheese they are sitting on while they are asking me how safe their data would be in the cloud. I think every single company should do an IT security audit every year (we don’t provide those), but actually I think most don’t want to know the result. So what does this have to do with Microsoft Partners? Well, let’s look at your important data, whatever it is, like it’s a carton of eggs.
Who is handling your eggs? First of all, contrary to flashy media reports, I think the least of your concerns for your own business is some foreign hacker. A lot goes into hacking data from another country; for Target, or Home Depot, or a defense system the payoff may be worth it, but these guys don’t give a shit about your puny eggs. And what about that pocket-protector-wearing geek with the horn-rimmed glasses at the Microsoft data center? Ironically, if your data is stored there, he can’t see it even if he wanted to. No, for most of you, the threat is much closer to home. Even if your eggs are handled by a very small group, think Six Degrees of Kevin Bacon.
Can the risks be eliminated? Nope, at least not without severely impacting your business. Can they be minimized? Maybe, providing you are even aware of them. So let’s think about who is handling your eggs right now. Obviously your employees have varying levels of access to one or more eggs; you need to have tools to monitor what they are doing with this data, and to prevent them from gaining access after they have left your employ, or siphoning it off during their employment. Your I.T. Department? Yeah, even the helper flunkies have enough access to make you puke if you understood it. Your own I.T. department has a ridiculous amount of access to every single thing. Yes, they can read all of your email; yes, they can look at all of the websites you viewed; yes, they can pluck your usernames and passwords to stuff, and much more. Have you done a background check on these people? Maybe you should consider Fidelity Bonds.
The next level of risk involves the outsiders that you bring in to help with things, like us. At the very least, any outside firm that will be in the vicinity of your data should be under a Non-Disclosure Agreement. I am amazed at the number of people who, in my first phone call, are offering me their administrative credentials to check something out. As a matter of policy, we will not access a client’s system without an NDA in place. I don’t care that you are fine with it; it’s just dumb. Of course, once we do have the NDA and we log in to check things out, we frequently find past partners and employees with admin access accounts left behind. Before we will go any farther, we need to clear these out.
So let’s talk about what we as a partner actually have access to. This depends on the level of access you gave us. Making us Partner of Record does not provide us access to anything. You need to explicitly grant us access by accepting, with your global admin credentials, our request for Delegated Administration rights. If you actually read the linked description of what this will allow us to do before you accept it, you will see that we can touch a lot of your eggs, but not all. We do not have the full access that a global administrator does. If this makes you more comfortable, don’t be, because ironically one of the things we can do is create a new account and make it a global administrator, log back in with those new credentials, and we can now do and see everything you can as the Global Administrator. Why would we do this? And why would Microsoft allow us to be able to do this? Well, as of today, the delegated access role does not give us enough rights to do some of the things you want us to be able to do. For example, we can’t do squat with your CRM with that role, and there are other limitations also. Until Microsoft further develops this role, you are stuck with having to grant us access to all of your eggs. So now I have circled all the way around, finally, to the title of this post: “Why trust matters when picking a Microsoft Cloud Partner”.
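An added example, not code from the post or from Forceworks: a PowerShell check (assuming the legacy MSOnline module is installed and you hold Global Administrator rights yourself) that lists every member of the Global Administrator role and flags accounts outside the tenant's own verified domains. It covers both the leftover partner and employee admin accounts mentioned above and the extra global admin a delegated partner can create.

```powershell
# Added example (not from the post). Assumes the MSOnline module and that the
# person running it is a Global Administrator of the tenant being checked.
Import-Module MSOnline
Connect-MsolService   # prompts for your own global admin credentials

# Domains this tenant actually owns; an admin account outside them is an outsider
$ownDomains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name

# "Company Administrator" is the directory name of the Global Administrator role
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId

$report = foreach ($a in $admins) {
    # Service principals and groups have no email address; treat them as unknown domain
    $domain = if ($a.EmailAddress) { ($a.EmailAddress -split '@')[-1] } else { '' }
    $user   = if ($a.RoleMemberType -eq 'User') {
        Get-MsolUser -ObjectId $a.ObjectId -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Account         = $a.EmailAddress
        DisplayName     = $a.DisplayName
        MemberType      = $a.RoleMemberType
        ExternalDomain  = ($ownDomains -notcontains $domain)
        LastPasswordSet = if ($user) { $user.LastPasswordChangeTimestamp } else { $null }
    }
}

# Every flagged row should map to a current engagement under NDA, or be removed
$report | Sort-Object ExternalDomain -Descending | Format-Table -AutoSize
```

This lists accounts that exist in your tenant; the Delegated Administration relationship itself is shown separately under partner relationships in the admin portal, so review both.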
Okay, so today, you have little choice but to expose all of your eggs to your Microsoft Partner in order to get the full benefit of the products. With that as a given, you really need to focus on this “Partner”. What are their policies and procedures about handling someone else’s eggs? How are they protecting your eggs? I can’t speak for other partners, but I can tell you how we approach this. First of all, access to your eggs is limited to only the resources that need access. We don’t put your credentials out on a whiteboard in the lobby. They are also not added to an internal database accessible by everyone in our organization. When a staffer or team has completed their tasks for you, a partner in our firm changes the password, which is then provided to the next staffer or team, and so on. Most partners will bring on external resources (subcontractors) for certain specialty items; in fact, we are often brought in by other partners for SharePoint and/or Dynamics CRM work as a subcontractor. Security can easily go out the window if this is not monitored properly. In our case, any external resource we bring on also signs an NDA, and we also change the passwords as soon as they are done with whatever we had them do for us. We also don’t work with anybody we don’t know. It probably goes without saying that we will never work with any off-shore resources. This is a very common practice for a lot of partners, particularly in competitive situations. Offshoring can be pretty tempting with the low hourly rates, providing plenty of margin while still undercutting a competitor’s rates… but who the hell are these people? I get 5 emails a day from offshore companies in India, Russia, Thailand, etc. First of all, I am committed to “Made in the USA”, but do they seriously think I am going to let them touch my customers’ eggs when I can’t even see their faces?
But apparently a lot of other partners are fine with this, as when I explain to these offshore reps why Forceworks working with them is an impossibility, they are genuinely perplexed that I am even concerned. Maybe it’s your fault for trying to buy something for less than what it should cost and trading off all your data security in exchange.
So, to summarize a very long post: you cannot fully protect your eggs and still get the help you need. So you need to know how the people you are sharing your eggs with think about protecting them. I told you how we think.