Itomic – the custodians of your online assets

February 8, 2010

Ross Gerring

We’re a proud company, in a non-arrogant sort of way. We’ve been around for a while, and have seen (and managed) a huge amount of change and innovation in our industry over the last 10+ years. Central to that change has been the rising importance that organisations have placed on their websites: in a relatively short space of time we’ve seen a dramatic attitude shift from “what’s a website?” to “we don’t need a website!” to “hmmm, suppose we’d better have one, my daughter knows a bit of HTML” to “our website isn’t performing, let’s build a better one with a professional website company” to “hey, our website is central to our operations, how can we realise even more benefits from it?”, etc.

We’re proud of the websites we design, develop, and host. We believe our clients wouldn’t want it any other way. With a strong focus on customer service from day 1, we aim to build and nurture sustainable (and therefore, by definition, mutually beneficial) business relationships with our clients. This relationship begins with the initial design and development of the site, and then after the site goes live we move into a long-term maintenance/upgrade/consultative/support relationship.

99% of the websites we design and develop we also host. ‘Hosting’ means that we provide the technical infrastructure (hardware, software, power, security, backups, connectivity, etc.) to ensure that your website is accessible to the world, 24/7, 365 days of the year (occasional server glitches notwithstanding – yes, we’ve had a few over the years).

So it’s natural and inevitable that we see ourselves as custodians of your website and related services. We feel ‘protective’ over that which we’ve created on your behalf. Again, we believe our clients wouldn’t want it any other way. One of the ways we’re able to be protective over your website is by controlling or limiting access to the site to only those who need it. Very broadly speaking, there are three levels of access to your site:

  1. Content Management System (CMS) access. Authorised persons can “login” to the “backend” of your website and make changes to the content on your site, e.g. they can add/edit/delete pages, words, photos, files, etc. Obviously if done clumsily this can have a significant negative effect on your site, but in actual fact this level of access is nowhere near the degree of mischief that can be achieved with the next levels of access…
  2. FTP access. FTP stands for “file transfer protocol”. A person with ftp access has the ability to really get stuck into the guts of your site. To use a motor vehicle analogy: CMS access is roughly comparable to your child sitting in your car and playing with all the dials when you’re not looking. My kids think this is a great game! FTP access is like your child opening up the hood of your car, armed with a screwdriver and spanner. In knowledgeable hands, a screwdriver and a spanner can be perfectly compatible with your exposed car engine. In the wrong hands… well, you get the idea.
  3. Server administrator access, or ‘root password’ access. This is like the master key to every car in the parking lot. And the petrol station. And the spare parts warehouse. Everything. So with root password access to a server one has the power to make swift and sweeping changes that affect, positively or negatively, mildly or massively, every single website hosted on a server (and this may run to hundreds of websites).

It should come as no surprise to our clients that we NEVER give out root password access to anyone except those who strictly need it and are qualified and experienced enough to wield such power – and responsibility. Which basically means us, the data centre technicians who may occasionally need that information for “hands on” maintenance work, plus our advanced US-based 24/7 support team.

So who gets FTP access? Initially and usually, only us, your website developers. For most of our clients it’s natural that it stays that way, i.e. they don’t want to look at the guts of their websites, and wouldn’t know what to do with this access even if they had it. That said, we recognise that all our clients have a right to FTP access over their own sites, in the same way that everyone has a right to look under the bonnet of their cars. Naturally we’ll always advise caution to the client with ftp access along the lines of “if you break it, we’ll charge you to fix it”. A reasonable position to take, we’re sure you’ll agree.

A relatively recent development has been the rise of the 3rd party provider of complementary website services, most typically the online marketing / SEO (search engine optimisation) provider. Our clients are free to choose whoever they like to provide such services, Itomic or otherwise. Sometimes these 3rd party providers wish for changes to happen to your website, either to the main website itself, or for additional web pages to be added on the same hosting account (e.g. “landing pages”). This is completely reasonable and fine by us – they’re focussed (or should be!) on doing the best they can by the client in their specialised field of expertise, and don’t want to leave any stone untouched in their efforts to get the best outcomes. We get that.

The challenge for Itomic as custodians of your site is how much access to give 3rd parties? Sometimes, some or all of the adjustments they want to make can be achieved via CMS access, which is of course the safest way to do it, i.e. the least risk of an accidental/unintended negative outcome for your site. If the adjustments they wish to make require ftp-level access, then we now have two choices: we make the changes on their behalf (naturally we charge for our time), or we can grant them direct ftp access to make the changes themselves without reference to Itomic and whenever they like. However, it’s essential that the permission to grant ftp access to a 3rd party must come, in writing, from the owner of the site (our client), and only after it’s been made clear to them the implications of doing this. The primary implications are these:

  1. Ftp access by a 3rd party to the code of a website that we are responsible for will void any warranties (if any warranties exist) in relation to that site. Irrespective of the skill level of the 3rd party with ftp access, we can no longer be sure that what happens, good or bad, to your website was our doing. If you give two security guards from two different companies the keys to your estate, you can no longer hold one of the security guards responsible for everything that occurs on your estate.
  2. We will charge the client for our time to research/investigate and resolve any issues with the website and/or website hosting account. Proving who caused an issue can often be challenging and time consuming – sometimes far more so than resolving the issue itself – and the client must be aware of this risk and be prepared to cover such costs.
  3. Communications must be good between Itomic and the 3rd party. If we’re actively maintaining your website, and someone else is also making changes at or around the same time, then it’s a bit like two mechanics working on your car at the same time with each mechanic being invisible to the other. Some very unintended outcomes can occur for both parties under these conditions! Therefore both parties, Itomic and the 3rd party, have a responsibility to understand how the other works and to minimise the chances of clashes. Itomic have an additional work-in-progress responsibility to attempt to make the experience of the 3rd party working on your site as smooth as possible, and to be able to recover things quickly (e.g. from backups) if things go wrong.

This article may sound like scaremongering and an attempt to dissuade our valued clients from employing 3rd parties to help evolve their websites. It’s not. It’s about explaining the risks and responsibilities in plain English, and then having the client make an informed decision about whether or not to proceed on that basis. It’s been our experience and observation that clients have entered into relationships with 3rd parties unaware of these risks, and they get an understandably unwelcome surprise when they receive an invoice from us for providing technical support to the 3rd party.

We passionately believe that our clients want us to feel a sense of ownership over the sites we develop for them. We believe our clients want us to care – and we do. Which is why we formulate and evolve policies and systems that help protect the web assets of our valued clients – and write articles like this one!