On Sat, Jan 16, 2016 at 2:39 AM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>
> As for the security levels of their personal machines, tell them what
> you require and from that point on you really have to trust your people
> so be security aware and with the program.
>

Most employers just issue laptops to their employees for this reason.
Set them up with full disk encryption and VPN access. While I
wouldn't recommend this to a general employer, you might get away with
the use of personal laptops if your employees all know what they're
doing - I have no idea what line of business you're in. Most
businesses are not 100% staffed by people who are qualified to
properly maintain a workstation in a secure manner.

I also view this as a matter of principle. If you're going to make
employees provide their own hardware, you don't really have that much
of a right to tell them exactly how you want it run. If you're the
one providing the hardware, then you can provide it exactly how you
need it to be.

VPN is probably the easiest way to manage security though. It is far
more secure than whitelisting IP addresses. It isn't the only
solution - if you literally only need them to access a single
web-based application you could use client SSL certificates or
something like that, but you still need to control the security of the
client either way. Just remember that laptops get lost, so they really
do need full disk encryption. Unfortunately on Linux it seems LUKS
and a hand-entered password is the only common solution for this (it
looks like doing something TPM-based should be possible, but you
basically have to DIY).

Oh, if you are 100% web-based another solution is to just issue
Chromebooks. Those allow central provisioning etc. if you have a
Google Apps account, and they do support VPN. Those have TPM-backed
full disk encryption out of the box, and are probably going to be way
easier for you to maintain, and certainly a lot cheaper. As far as I
can tell (not having done this myself) they let you centrally
provision VPN certificates and such and set up the networking
settings. You just boot a new Chromebook, hit Ctrl-Alt-E or whatever,
and type in a Google Apps username/password that you gave access to
provision devices. You also get remote wipe and all that other fun
stuff, and from everything I've read the security on those is about as
good as it gets.

--
Rich
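The message above says issued laptops need full disk encryption because they get lost, and that on Linux that means LUKS under the root filesystem. A practitioner who hands out such laptops usually wants a check that the filesystem actually sits on a dm-crypt device rather than trusting that the installer was run correctly. The script below is an added example, not part of Rich's message or of the thread: it walks the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports every mountpoint that has no `crypt` device among its ancestors. The two `lsblk` outputs embedded in it are constructed samples (one LUKS-on-LVM layout, one plain-partition layout), not captures from a real machine, and the choice to ignore an unencrypted /boot is an assumption about what the site tolerates.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` for a LUKS-on-LVM
# laptop (old-style single "mountpoint" field). Not a real capture.
LSBLK_LUKS = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None,
                 "children": [
                     {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                     {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                 ]},
            ]},
        ]},
    ]
})

# Constructed sample for a laptop installed without encryption (newer
# "mountpoints" list shape, which util-linux switched to later). Not a real capture.
LSBLK_PLAIN = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoints": [None], "children": [
            {"name": "sda1", "type": "part", "mountpoints": ["/boot"]},
            {"name": "sda2", "type": "part", "mountpoints": ["/"]},
            {"name": "sda3", "type": "part", "mountpoints": ["/home"]},
            {"name": "sda4", "type": "part", "mountpoints": ["[SWAP]"]},
        ]},
    ]
})

# Mountpoints we tolerate unencrypted (assumption: /boot holds only the
# kernel/initramfs that unlocks the LUKS container, so it cannot be inside it).
TOLERATED_PLAINTEXT = ("/boot", "/boot/efi")


def _mountpoints(dev):
    """Return the non-empty mountpoints of one lsblk node, for both JSON shapes."""
    points = dev.get("mountpoints")
    if points is None:
        points = [dev.get("mountpoint")]
    return [p for p in points if p]


def _walk(dev, under_crypt, result):
    """Depth-first walk; a node is encrypted if it or any ancestor is type crypt."""
    under_crypt = under_crypt or dev.get("type") == "crypt"
    for mp in _mountpoints(dev):
        result[mp] = under_crypt
    for child in dev.get("children", []):
        _walk(child, under_crypt, result)


def mount_encryption(lsblk_json):
    """Map every mountpoint to True if it is backed by a dm-crypt (LUKS) device."""
    result = {}
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, result)
    return result


def unencrypted_mounts(lsblk_json, tolerated=TOLERATED_PLAINTEXT):
    """Sorted list of mountpoints that are not under a crypt device (minus tolerated ones)."""
    enc = mount_encryption(lsblk_json)
    return sorted(mp for mp, ok in enc.items() if not ok and mp not in tolerated)


def root_is_encrypted(lsblk_json):
    """True when the root filesystem itself sits on a dm-crypt device."""
    return mount_encryption(lsblk_json).get("/", False)


def live_report():
    """Run lsblk on this machine and list what is not encrypted (Linux only)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("sample LUKS layout, unencrypted:", unencrypted_mounts(LSBLK_LUKS))
    print("sample plain layout, unencrypted:", unencrypted_mounts(LSBLK_PLAIN))
    try:
        print("this machine, unencrypted:", live_report())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("lsblk not available here:", exc)
```

Note that an unencrypted swap partition is reported as a finding rather than tolerated: swap can hold pages of memory from any process, so it belongs inside the LUKS container (or under its own dm-crypt mapping) on a laptop that can be lost.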