On Tue, Jan 19, 2016 at 9:02 AM, Grant <emailgrant@×××××.com> wrote:
>
> If that's the case then it sounds like 2FA doesn't really provide any
> extra assurance. It's another layer but if the machine is hacked then
> it sounds like it becomes a very thin layer.
>
> I'd most like to allow the remote employee to use their own computer,
> but is there any way to have reasonable assurance that a remote
> attacker can't log into my web stuff if the employee's computer is
> compromised?
>
> With a Chromebook, how can I be assured that the employee is only able
> to log into my web stuff with the Chromebook?
>
|
It looks like this is possible to do with a Google Apps account:
https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
https://support.google.com/chrome/a/answer/2657289
https://support.google.com/chrome/a/answer/1375678
|
You can control who can log in, and what sites they can visit (just
blacklist * and then whitelist specific sites). Schools commonly use
this so that they don't have to deal with kids visiting sites of ill
repute. You can also control application/extension installation.
|
It looks like you can also use remote attestation if your application
supports it, which prevents access from a tampered device even if it
has the right credentials/etc. (That's the whole "trusted/treacherous
computing" thing.) You could in theory have security such that your
application works with single-sign-on but doesn't work unless
connected to using a trusted device (but I'd have to do more research
on that).
|
The one thing you will have to be careful about is printing. They can
only print to PDF, or to cloud print. I'm not sure if that is an
issue for your use case.
|
I've never used it personally, but it is apparently quite popular with
schools. I'd suggest looking into it. The service isn't free - you
need Google Apps to make it work. However, it sounds like it is
relatively cheap. I'd certainly be interested in hearing from anybody
who knows more about it, but if I had a small business that was purely
web-based I'd strongly consider a solution like this.
|
--
Rich