On Sat, Jan 16, 2016 at 2:39 AM, Alan McKinnon <alan.mckin...@gmail.com> wrote:
>
> As for the security levels of their personal machines, tell them what
> you require and from that point on you really have to trust your people
> so be security aware and with the program.
>

Most employers just issue laptops to their employees for this reason.
Set them up with full disk encryption and VPN access.  While I
wouldn't recommend this to a general employer you might get away with
the use of personal laptops if your employees all know what they're
doing - I have no idea what line of business you're in.  Most
businesses are not 100% staffed by people who are qualified to
properly maintain a workstation in a secure manner.

I also view this as a matter of principle.  If you're going to make
employees provide their own hardware, you don't really have that much
of a right to tell them exactly how you want it run.  If you're the
one providing the hardware, then you can provide it exactly how you
need it to be.

VPN is probably the easiest way to manage security though.  It is far
more secure than whitelisting IP addresses.  It isn't the only
solution - if you literally only need them to access a single
web-based application you could use client SSL certificates or
something like that, but you still need to control the security of the
client either way.  Just remember that laptops get lost so they really
do need full disk encryption.  Unfortunately on Linux it seems LUKS
and a hand-entered password is the only common solution for this (it
looks like doing something TPM-based should be possible, but you
basically have to DIY).

Oh, if you are 100% web-based another solution is to just issue
Chromebooks.  Those allow central provisioning/etc if you have a
Google Apps account, and they do support VPN.  Those have TPM-backed
full disk encryption out of the box, and are probably going to be way
easier for you to maintain, and certainly a lot cheaper.  As far as I
can tell (not having done this myself) they let you centrally
provision VPN certificates and such and set up the networking
settings.  You just boot a new Chromebook, hit Ctrl-Alt-E or whatever,
and type in a Google Apps username/password that you gave access to
provision devices.  You also get remote wipe and all that other fun
stuff, and from everything I've read the security on those is about as
good as it gets.

-- 
Rich
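The point above about lost laptops needing full disk encryption is the kind of thing an employer has to verify rather than assume. The script below is an added example, not from this thread or its authors: an audit helper that reads `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` (real util-linux options) and walks the device tree from the filesystem mounted at `/` up to the physical disk, reporting whether a dm-crypt/LUKS layer sits anywhere in that chain. The two sample `lsblk` outputs are constructed for illustration; the function and variable names are my own.

```python
"""Check whether a Linux laptop's root (and other) filesystems sit on a
dm-crypt/LUKS layer, using the parent links that lsblk exposes.

Assumed input format: `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME`, i.e. one
device per line as KEY="value" pairs.  KNAME/PKNAME are kernel names
(sda2, dm-0), which is how lsblk links a child device to its parent.
"""
import shlex
import subprocess
from typing import Dict, List, Optional

LSBLK_ARGS = ["lsblk", "-P", "-o", "KNAME,TYPE,MOUNTPOINT,PKNAME"]

# Constructed sample: LVM on top of a LUKS container, plain /boot partition.
ENCRYPTED_LAPTOP = """\
KNAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
KNAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="dm-2" TYPE="lvm" MOUNTPOINT="/home" PKNAME="dm-0"
"""

# Constructed sample: no encryption layer at all.
PLAIN_LAPTOP = """\
KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
"""


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """Parse `lsblk -P` output into one dict per device line."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        row: Dict[str, str] = {}
        # shlex handles the quoting, so KNAME="dm-0" becomes "KNAME=dm-0"
        # and MOUNTPOINT="" becomes "MOUNTPOINT=" (empty value).
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            row[key] = value
        rows.append(row)
    return rows


def encryption_chain(rows: List[Dict[str, str]],
                     mountpoint: str = "/") -> Optional[List[str]]:
    """Return the list of TYPE values from the device mounted at `mountpoint`
    up to the top-level disk, e.g. ["lvm", "crypt", "part", "disk"].
    Returns None when nothing is mounted there.

    Note: with -P a device that has several parents (RAID, multipath) is
    listed once per parent; this simple map keeps only the last one."""
    by_kname = {r["KNAME"]: r for r in rows}
    node = next((r for r in rows if r.get("MOUNTPOINT") == mountpoint), None)
    if node is None:
        return None
    chain: List[str] = []
    seen = set()
    while node is not None and node["KNAME"] not in seen:
        seen.add(node["KNAME"])
        chain.append(node["TYPE"])
        node = by_kname.get(node.get("PKNAME", ""))
    return chain


def root_is_encrypted(rows: List[Dict[str, str]],
                      mountpoint: str = "/") -> bool:
    """True if a dm-crypt ("crypt") layer sits anywhere under `mountpoint`.

    This only proves a dm-crypt mapping exists; it says nothing about how
    the key is protected (passphrase, TPM, keyfile on an unencrypted /boot)."""
    chain = encryption_chain(rows, mountpoint)
    return chain is not None and "crypt" in chain


def audit_live_system(mountpoints=("/", "/home")) -> Dict[str, bool]:
    """Run lsblk on this machine and report each mountpoint's status."""
    out = subprocess.run(LSBLK_ARGS, check=True, capture_output=True,
                         text=True).stdout
    rows = parse_lsblk_pairs(out)
    return {mp: root_is_encrypted(rows, mp) for mp in mountpoints}


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP),
                          ("plain", PLAIN_LAPTOP)):
        rows = parse_lsblk_pairs(sample)
        print(label, "/ ->", encryption_chain(rows),
              "encrypted:", root_is_encrypted(rows))
```

Run it on the two constructed samples to see the chain walk; `audit_live_system()` does the same against the machine it runs on and is the piece you would hand to a fleet inventory script. The check is deliberately narrow: it detects dm-crypt and nothing else, so a self-encrypting drive or a filesystem with native encryption would show up as unencrypted, and a "crypt" result still leaves open how the key is unlocked.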
