| 1 |
On Sat, Jan 16, 2016 at 2:39 AM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 2 |
> |
| 3 |
> As for the security levels of their personal machines, tell them what |
| 4 |
> you require and from that point on you really have to trust your people |
| 5 |
> so be security aware and with the program. |
| 6 |
> |
| 7 |
|
| 8 |
Most employers just issue laptops to their employees for this reason. |
| 9 |
Set them up with full disk encryption and VPN access. While I |
| 10 |
wouldn't recommend this to a general employer you might get away with |
| 11 |
the use of personal laptops if your employees all know what they're |
| 12 |
doing - I have no idea what line of business you're in. Most |
| 13 |
businesses are not 100% staffed by people who are qualified to |
| 14 |
properly maintain a workstation in a secure manner. |
| 15 |
|
| 16 |
I also view this as a matter of principle. If you're going to make |
| 17 |
employees provide their own hardware, you don't really have that much |
| 18 |
of a right to tell them exactly how you want it run. If you're the |
| 19 |
one providing the hardware, then you can provide it exactly how you |
| 20 |
need it to be. |
| 21 |
|
| 22 |
VPN is probably the easiest way to manage security though. It is far |
| 23 |
more secure than whitelisting IP addresses. It isn't the only |
| 24 |
solution - if you literally only need them to access a single |
| 25 |
web-based application you could use client ssl certificates or |
| 26 |
something like that, but you still need to control the security of the |
| 27 |
client either way. Just remember that laptops get lost so they really |
| 28 |
do need full disk encryption. Unfortunately on linux it seems LUKS |
| 29 |
and a hand-entered password is the only common solution for this (it |
| 30 |
looks like doing something TPM-based should be possible, but you |
| 31 |
basically have to DIY). |
| 32 |
|
| 33 |
Oh, if you are 100% web-based another solution is to just issue |
| 34 |
chromebooks. Those allow central provisioning/etc if you have a |
| 35 |
google apps account, and they do support VPN. Those have TPM-backed |
| 36 |
full disk encryption out of the box, and are probably going to be way |
| 37 |
easier for you to maintain, and certainly a lot cheaper. As far as I |
| 38 |
can tell (not having done this myself) they let you centrally |
| 39 |
provision VPN certificates and such and set up the networking |
| 40 |
settings. You just boot a new chromebook, hit Ctrl-Alt-E or whatever, |
| 41 |
and type in a google apps username/password that you gave access to |
| 42 |
provision devices. You also get remote wipe and all that other fun |
| 43 |
stuff, and from everything I've read the security on those is about as |
| 44 |
good as it gets. |
| 45 |
|
| 46 |
-- |
| 47 |
Rich |
Archives