I write this blog in an attempt to produce some measure of clarity and truth to a very convoluted story that has been playing out on the front pages of our nation’s headlines for several months now. Regardless of political beliefs, all I know is the reputation of a great and noble profession, called managed services, must not be unfairly tarnished as a result of poor reporting and lack of knowledge about Information Technology.
Here are the facts related to Platte River Networks and their famous client, along with some conclusions other MSPs can draw.
Platte River Networks Timeline
September 2002 – Platte River Networks opens for business.
2008 – Hillary Clinton begins to use a private email server. From a March 10, 2015 Hillary Clinton press conference: “Well, the system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.
So, I think that the — the use of that server, which started with my husband, certainly proved to be effective and secure.”
February 1, 2013 – Hillary Clinton leaves post as Secretary of State
March 2013 – Romanian hacker “Guccifer” discloses existence of personal Hillary Clinton email address by hacking Sydney Blumenthal’s email.
June 2013 – Platte River Networks begins managing Hillary Clinton’s personal email server, eventually moving it out of her NY home and into a New Jersey data center. Platte River claims that at no time was the server located at their Denver offices.
December 5, 2014 – Hillary Clinton turns over her emails to State Department.
March 4, 2015 – Bengazi committee subpoenas Hillary’s emails
March 19, 2015 – Congressman Trey Goudy asks Hillary to turn over her email server
March 27, 2015 – letter from Clinton lawyer David Kendall to Congressman Trey Goudy: “No emails from hdr22@clintonemail.com for the time period Jan. 21, 2009, through Feb. 1, 2013, reside on the server.”
“During the fall of 2014, Secretary Clinton’s legal representative reviewed her hdr22@clintonemail.com account for the time period from Jan. 21, 2009, through Feb. 1, 2013. After the review was completed to identify and provide to the Department of State all of the secretary’s work-related and potentially work-related emails, the secretary chose not to keep her non-record personal emails and asked that her account (which was no longer in active use) be set to retain only the most recent 60 days of email.”
December 5, 2014 or later – Hillary Clinton’s private server was wiped clean. We don’t know if it was properly reformatted, if files were erased, or many details regarding this process but assuming the server was still located in the data center this means the file deletions and “wiping” occurred remotely.
Either this occurred remotely with the knowledge of Platte River Networks, or some other party had admin access and performed these actions.
August 11, 2015 – Platte River Networks is contacted by the FBI.
August 12, 2015 – Platte River Networks gives access to Hillary’s email where it is removed and taken into custody by the FBI.
Summary and Conclusions
So those are the facts as we know them. The conclusions we can draw from this are numerous but here are a few I believe are important for all MSPs.
- Understand who your clients are and what risks they want you to assume by managing their IT assets
- Develop risk based pricing models to deal with unusual customers or scenarios. In this case, a single email server wasn’t so simple to manage and should have been priced differently from other managed servers, solely because of who the client was.
- When customers begin making requests for radical changes to managed objects, MSPs should always log trouble tickets as a formal record of what was done to the object, who did it, and who authorized the change.
- Backups are critical to preserving customer data and could have avoided a lot of the questions and problems we are seeing play out in the media right now. Adequate backup and storage policies should be standard services offered by MSPs. When customers do not want those services, they should sign waivers agreeing not to hold the MSP liable.
- During the sales process, understanding the real scope of the project is important, before you begin delivering services. Again, this ties in directly with how the engagement is priced. Having clients withhold information about the nature of the managed object can put the MSP at significant risk, as seen in this example.
- If Platte River Networks had been MSP/Cloud Verified, they would have been able to demonstrate both to their client and to the FBI, exactly the methodologies they follow related to backup, remote administration, and other services delivered which are now in question.
I’m sure there will be more questions answered as time goes on, but this case has brought a lot of attention towards the IT industry and that is not necessarily a bad thing. However, all MSPs should take this opportunity to re-evaluate their relationships with existing clients and make sure there is an implicit understanding of expectations from the customer and the services to be delivered by the MSP.
In the end, this situation must be used by us to advance the cause of the managed services and cloud computing profession!