Today in this edition of Unexpected Google admins, I’d like to introduce Tom Daly. He started his career in technology as the AV guy in his high school where his favorite job was setting up overhead projection machines. When he grew up he co-founded and was CTO of Dyn, an internet performance management and web application security company. It was purchased by Oracle in 2016.
I met Tom at Fastly where he had built their network. I soon learned that he is a networking and infrastructure wizard – who has a brain that is equal parts technologist and business savant. He knows better than anyone about how internet plumbing works and what it takes to keep it functioning.
After leaving Fastly, he focused on his angel investments (including YeshID) and most recently stepped into the CEO role and Google Administrator role at Big Network.
What is your role/company?
I’m the CEO of Big Network. Big Network creates private and secure cloud networks that enable businesses to simply connect their public and private clouds to on-premise infrastructure, devices, and people across the globe.
We are 16 people. We are a remote-first employer. We have folks in New Hampshire, New York, France, Slovakia, Ukraine, and the Philippines.
Why/How did you get designated as the Google Administrator? How long did you hold this role?
We are too small to have a dedicated IT person. We are a team of technologists, yet none of us wanted to assume the role of IT.
My slack profile used to say “internet janitor.” If you’re the CEO of a startup and nobody else wants to do the job, it’s your job. If the toilets need plunging, then I’m going to plunge the toilets. If I have to offboard some users from Google, I’m going to do it. That’s how it works.
I have delegated more of the operational role of IT to our COO. But in terms of policy design, implementation, and security, I still play a foundational role.
What is the strangest thing you encountered using Google Workspace?
Google is not prescriptive about how to set up a workspace for your business. What you need from Google Workspace looks different depending on your business and stage of growth. The most surprising thing to me is that there isn’t a playbook for best practices for each stage of your company for how to set up your security, workplace deployment, etc.
Google assumes everyone is a power user. Google should have a training course before they grant you super admin rights as a founder. Thanks for signing up for Google Workspace – you now have to take 4 hours of webinars on how to not suck at being a Google super admin. Instead, you have lots of dials and nobs and a manual that says “good luck.”
Any funny mishaps you want to share?
No, mostly annoying.
[Editor note: This question will be changed into the future to say “Any annoying mishaps you want to share.]
It’s probably the cynical network engineer coming out in me. Networking used to be the major approach for security for the company and employee base. Which I am a little familiar with. Now it is identity and access management. And it is really important for me to learn this completely new approach, but also I should probably really focus on my other 20 roles at our startup.
For instance, now there are so many things to consider when you’re offboarding. Obviously, you don’t want them to have access to any of your systems. But what should you do with email backups? Or drive backups? Who do you delegate the calendar to? If you don’t have a playbook established upfront for that, then you actually just end up creating a mess.
So then you find yourself in a scenario of “here’s a half a dozen suspended accounts” because you don’t want to complicate your life with delegation. And yep, I am paying a license fee for them. Suspend is Google’s way of suggesting you punt that decision-making down the road. I know the account is suspended, so I know it’s secured. That can just live on as long as you want. And Google’s going to keep collecting their $21.60 user/month happily. But what business value is actually being derived at this point? It is just a really expensive backup solution.
I’m also surprised at the sheer number of service accounts that I’ve found inside of our organization. We have workloads running inside GCP that always take service accounts. We have some integrations with third-party apps that form our core IT for the business. And they’re requiring service accounts and we just give them one. It is fast and like magic. How thoughtful were we in granting API level permissions to these service-level accounts? Not very.
A lot of this stuff predates me in the business. It is really easy to go through user accounts and know that a person isn’t there. But it is really hard to know if something is an enterprise accounting application and do they depend on this permission flag that might be too permissive for them to be using.
What is one thing you wish you had set up / known earlier in your IT career?
When I was at Fastly, HR knew me as Thomas Daly. And IT knew me as Tom Daly. And the two systems just constantly fought against each other because no one knew which was the source of truth.
So my advice when you start a company: immediately integrate your IT system with your HRIS system. Your life gets better the moment you do.
Which parts of Google Workspace did your org outgrow first?
We are a zoom shop for video conferencing. And slack for chat and chatops standpoint. We just started with them because we were comfortable with them and also because Google Meet and Spaces were just not where they needed to be.
Google Workspace is mainly used for Identity, email, drive, sheets, docs, and slides.
Did you ever find active accounts for users that did not exist or had left the company?
Yep, absolutely. Which relates to the topic of hygiene.
In the early startup days, you pull your friends in to help. There were a couple of folks that we gave a company email to so they could communicate to the world as Big Network.
As we’ve formalized the business operations, employee agreements, and consultant agreements, we’ve realized that Big Network “friends” either need to have a formalized relationship with us or be booted off our network. We still love them. But when you realize they haven’t looked at their account since 2021, you have an open connection into your business waiting to be exploited.
What is your advice for founders who find themselves with the Google Super Admin title?
I think the big thing that founders need to understand is that Google is very unopinionated in how you should do things.
You have to be super thoughtful upfront about what type of access you are giving applications. All of these SaaS apps you use have a similar goal which is to get on a monthly subscription and to retain that money. So the easier they make it for you to click a button and integrate & authenticate between applications the less likely you will remove their application. So the higher likelihood you will keep paying your bill.
You end up building this IT house of cards. You get business with your business and have more customers and more employees. And surprise, you are human, and you are going to forget that this little building block of an application over there. Why did you give it permission to Google Workspace or another application?
You have to be thoughtful about how you are constructing your business operations IT stack. I mean, I still have Google Admin anxiety about our stack. Like “I’m going to click this button over here…what’s going to go wrong?”
What advice would you give from a security perspective?
First, two-factor authentication for everything. It is non-negotiable. Standardize on an authenticator with your users like Duo, Google Authenticator, Authy. It is also helpful to make sure your OTP can be accessed from multiple devices, so you need a plan for a missing cell phone.
Second, and this is a bit outside Google Workspace, figure out machine secrets management. You have to be thoughtful about how you’re going store non-human, machine-readable secrets that your engineers and operations staff will need. That’s a whole different ball of wax, baling wire, and duct tape, and probably a different blog post.
