The Seven Questions You Must Ask When Outsourcing Linux Support

Why outsource?

For most businesses, managing an IT infrastructure is not their core skill. For that reason alone, businesses often outsource such work to a specialist company.

Other benefits of outsourcing your Linux support include:

> Defined costs

So long as the deal is correctly structured, the costs will be known in advance and may be budgeted for. By ‘correctly structured’, I mean that the agreement should define a level of service rather than a number of hours or Incidents.

> Access to expertise

Linux is a vast subject. It includes determining which RAID system to use, how to configure highly-available clusters, which cloud infrastructure to use, which container system is appropriate, data encryption techniques – the list is huge. No one person has in-depth knowledge of all of it.

Outsourcing to a business with a team of experts that design, build and maintain Linux systems every day of the week means you have access to that expertise.

> Wide scope of experience

It’s likely that what you are trying to do – or something very similar – has been done before. A good outsourcing partner will be able to bring experience of working with other clients to your situation, which will result in a quicker and more robust solution.

> Support infrastructure

A specialist IT company will already have the components needed to manage an IT infrastructure, including systems for ticketing, monitoring, configuration management, backups, and so on. That means you don’t have to provide and manage that infrastructure yourself.

They will also have developed proven processes and methodologies to enable them to support their clients effectively and efficiently.

> Trained staff

A specialist IT company will invest in high-quality training for their staff.

> Up to date

Technology and the associated best practices are constantly evolving. A professional IT company will keep up to date with what’s current and ensure that the solutions it manages are fit for purpose.

> Core competence

Perhaps most significantly, for a company that provides out­sourced Linux support, that’s their core business. If they aren’t good at doing that, they won’t survive for long.

How to choose a Linux support company

If you’re looking for an outsource partner to design, implement or support your Linux systems, then by definition you’re looking for a company that knows more about those things than you do – so how do you choose who to work with?

Here are seven areas you should discuss with any potential partner.

1. Why them?

Most of the support companies out there can fix computer systems: if they couldn’t, they wouldn’t last long. So how do you choose between them? You could start by simply asking them:

Why should I choose to do business with you over any other option open to me?

Those other options include:

• doing nothing
• employing someone specifically to manage your systems
• managing the IT yourself
• using this company
• using one of their competitors.

If they cannot be crystal clear about why you should choose to do business with them, you can’t be clear either.

2. How do they handle security?

When you delegate the support of your IT infrastructure to another company, you are handing over the keys to at least part of your business.

Those who have keys to your house have built up trust with you, probably over a long period of time. Those who have the keys to your IT infrastructure need to earn that trust, too.

Security is a wide-ranging subject, but here’s a list of questions to ask that will at least give you some idea of how seriously a company takes security:

• How do you manage access to your customers’ servers?

What you’re looking for: use of firewalls or VPNs to control access.

• How do you store passwords to your customers’ systems?

What you’re looking for: passwords stored in a secure, encrypted database. Ideally the encryption will be to AES256 standard or better. The password store should be securely backed up.

• Who has access to those passwords?

What you’re looking for: The only staff that should have access to your server passwords should be the technical staff who will be supporting it.

• When do you use two-factor authentication?

What you’re looking for: That they mandate two-factor authentication (“2FA”) for access to anything that should be secure. That includes their clients’ servers. You can read more about 2FA under “Improving security” here.

• What is your process for keeping systems up to date with respect to security updates?

What you’re looking for: a systemised, verifiable way of keeping systems up to date. Ideally, the automated system monitoring will report any systems that need updates. It’s important that your
servers are kept up to date and secure, so this should be an integral part of the service, not a paid-for extra.

• How do you maintain an audit trail of work done?

What you’re looking for: a configuration management system, code repository and a ticketing system all working in harmony to provide a robust audit trail. Best of all would be if they can show you an actual audit trail.

• Are you certified under ISO27001 the Information Security Standard?

What you’re looking for: simply a “yes”, backed up by their current certificate. Certification shows that their security policies and procedures have been externally audited and found to be compliant with the Standard.

3. What’s their focus?

I know of support companies that are good at supporting Linux.

I know of support companies that are good at supporting Windows.

I don’t know of any support companies that are good at supporting both.

If your business has chosen to run Linux servers, you want a support company that is serious about Linux. You don’t expect your GP to be an expert on orthopaedic surgery; equally, you shouldn’t expect an IT generalist to be able to provide the very best Linux support.

4. How will they help reduce your costs?

IT is not an end in itself but rather a means to an end. Your outsourced IT company should understand why your IT systems are in place and what they are there to achieve.

If there is a better or cheaper way of achieving the same result, even if it involves fewer supported servers, they should tell you. Why would an IT support company tell you how to save money with them? Because they should be a partner, not simply an expense item.

Every service-affecting problem costs you money. A good IT support company will be proactive, fixing potential problems before they impact your business.

This is our philosophy:

We believe that if you have to tell your IT support company about a server problem, they have already failed.

You might like to ask:

• How quickly do you fix problems?
• Describe how you prevent problems occurring.
• How many support incidents are included my contract per month?
• If they monitor servers, ask:
  • Can I have access to that monitoring?
  • How many parameters are monitored on a typical server?

If you do have a problem, it must be easy to speak to someone who can actually help.

You’ve already heard “We are experiencing higher than normal call volumes” enough times.

5. What qualifications do their staff have?

Historically, there has sometimes been a gap in the IT industry between the technical qualifications held and the technical competence demonstrated. With that in mind, some Linux qualifications have been designed to be more rigorous.

The key qualifications in the Linux world (in no particular order) are:

• Red Hat Certified Engineer (RHCE)

The RHCE exam requires the candidate to configure a (Red Hat) Linux system in various ways. This is a not a multiple-choice written test; it’s a hands-on practical one.

Verdict: a very high standard.

• Debian Developer (DD)

This title is not achieved by passing an exam but by a peer-managed process of managing and maintaining Debian packages, and a deep understanding of the Debian philosophy.

Verdict: a very high standard.

• Linux Professional Institute (LPI)

These Linux distribution-agnostic written exams are administered by the non­-profit Canadian Linux Professional Institute. There are many levels of certification.

Verdict: a useful guide, but arguably not as deep as the RHCE and DD.

Be aware that qualifications lapse after a certain amount of time, so be sure to enquire about current qualifications.

6. Can you visit their offices?

Right now – April 2020 – we’re all in the middle (or, more likely, beginning) of an unprecedented lockdown as a result of the COVID-19 virus. The short answer to this question right now will be “no”, you can’t visit their offices.

But all things will pass, including COVID-19, so once things have returned to normal…

Most IT support companies won’t have an issue with you visiting their offices, and it is a valuable thing to do. As discussed above, you’re potentially handing over the keys to at least part of your business, so visiting their offices is a reasonable step in the process of due diligence.

When you visit, what are you looking for? Here’s a short list to get you started:

• Are they professional in their treatment of you and towards each other?
• How are they handling security with a stranger (you) in their midst?
• What’s the office culture? What’s on the desks and the walls?
• Would you want to work there?
• Are the answers given to your earlier questions reflected in what you see in the offices?
• Are the staff smart, professional and polite?

If their company website lists the IT support team, there’s no harm in Googling them to see what kind of people they are.

7. What does the contract include?

A professional IT support organisation will insist that both parties sign a contract. This isn’t legal advice, but I believe the contract should include:

• Any minimum term and the required notice period. Neither should be excessive – you should be staying with them because you want to, not because you have to.
• The days and hours of cover.
• A confidentiality clause. They are likely to have full access to all your data, so this is essential.
• A Service Level Agreement: this defines the response you are entitled to for a given severity of problem – but be aware that ‘response’ is not the same as ‘resolution’. This may also vary at different times of day.
• What additional costs are not covered by the contract? Check for the installation of security updates, operating system upgrades, user requests, additions/changes/deletions to the services supported, and any limits on the number of Incidents.

You shouldn’t expect to have to put the contract to test in a court, but having a contract ensures that both sides have a clear understanding of what will be provided at what cost.

Final thoughts

A good outsourced IT company can be a true business partner, able to help with not only the day-to-day support but also the other elements of building and managing a Linux solution.

The seven areas discussed above will help identify those businesses with whom a partnership is most likely to be successful. If you end up with a shortlist of more than one, there are two final considerations that may help you choose:

• Do you like them?

That may be unscientific, but you’re unlikely to have a successful business relationship with people you don’t like.

• What do their existing clients say?

Any respectable IT company will willingly provide references, and many people are more candid on the phone than in writing – so call a few.

As well as their overall opinion, ask them what they wish they had known when they took out their support contract. Ask them about the service level, the professionalism, the partnership. How quickly is the phone answered? How quickly are problems resolved? What is their server availability like? Would they recommend their support company to others?

Next steps

Arrange a no-obligation call and let’s discuss what you want to achieve with Linux.