Monday, July 28, 2008

Proper Disclosure of Technology

As you might have read, I recently moved some equipment into the NJ colocation. One of the documents I generated for that move was the rack diagram, showing all of the equipment being installed, and where in the rack it went.

Being sort of proud of it, I showed it to some people in the corporate HQ when I was in the office there, and the CEO saw it. He asked, "This is all the equipment in the rack?" I verified that it was, and he said, "Good. Now get with X (the head salesman) and work on text describing this for him. I want to use it in marketing materials."

Now, on a certain level, I don't mind selling the company's product based on our technology. In fact, I'm pretty proud of what I've managed to put together, and I think if you're going to throw almost $100,000 into technology, that technology should help you actively recoup the expenditures.

My main concern is security. I'm certainly not someone who relies on security through obscurity (although it never hurts to have some of that, too), but I'm questioning what information I should release.

I've taken measures on this blog to not reveal the name of the company that I work for, mostly because I don't think it's important to the blog itself, but also because I'd rather not reveal the internal structure of my company to anyone interested in learning more about it. It's none of their business.

In that same light, I don't really want sales material handed out stating that I've got 2 Juniper SSG5s set up in a cluster configuration, and that when they hit our website, they're actually talking to high-availability Kemp LoadMaster 1500s. If I've done my job right, even with that knowledge, they wouldn't be able to break in, but it's still more information than I feel comfortable releasing.

The path that I'm leaning toward is not having the sales guy release any of the diagrams I've made thus far, and not mentioning any of the specific technologies we're using, but only vague generalities. "High Availability clustered firewalls" instead of SSG5s, and "multiple redundant load balancers" rather than LoadMaster 1500s. I haven't decided what I want to do about operating systems. Personally, I think the fact that we're a Linux house means that our servers are more reliable. I'm sure a Windows admin would feel the opposite. I suppose it's much like any other divisive choice, and that polite conversation should steer away from it. Religion, politics, income, and operating system choice.

Any ideas on how you or your company approach this issue (or how you would, given the chance)?