Right now the majority of employees have a desktop workstation and for the occasional working from home you were allowed to connect to the internal network from private devices via company VPN (if you satisfied some additional constraints). The new policy requires absolutely everyone to get a company-provided laptop which is the only device you're allowed to use VPN on to work from home.
In discussions about security vs usability, one of the killer arguments of the proponents has always been that "every major (software development) company does it this way". Does anyone have any experience of whether this is true? How is occasional working from home/company VPN handled for devs/engineers at your place?
What's far more irritating than a work machine is work-related corporate crapware on the work machine, e.g. mandatory antivirus that bogs down disk IO, security policy settings that restrict your ability to install software, etc.
> How is occasional working from home/company VPN handled for devs/engineers at your place?
I offer three data points:
* at small young software-oriented business (headcount 10-20): work provided each employee with a laptop they could use to work from home or from the office on, but people could pretty much do whatever they wanted with those machines, or work using other computers if they chose.
* at large new non-software company (headcount ~10,000): working as a contractor, the company let you remote in from your own machine, and started offering BYOD as an option when you were on site, or to use work-provided hardware on site.
* at huge old non-software financial company (headcount ~50,000): thou shalt follow the company IT and company security policies, thou can work from home using company equipment, although the company configures the equipment to make it very difficult to get any software development work done (because security).
Up until now I haven't noticed any restrictive bloatware on company machines, so that's a plus.
BYOD is popular but has some caveats - as the company grows, you wind up needing to secure ways company data can leak. It becomes necessary to plan for losses. Our computers are all encrypted and are not allowed offsite if they aren't. We also have remote-wipe capabilities, which is something a typical user isn't going to let the company install on their personal device.
We mostly allocate users laptops; a few have desktops, and most of those employees also have laptops to take home. We have allowed BYOD in the past but are now very firm on what we permit. Most users are happy to have company-supplied equipment, and I think the separation of work and personal is beneficial to most people. I like having work only on my work laptop. I only allow VPN access on a computer-by-computer basis. Admittedly we're a cloud company, so for most purposes all we need is an internet connection. The VPN gets used mostly by me to work from home, by employees who need their more powerful desktops or for me to do tech support remotely. It's not covered by an SLA but it works well for my purposes.
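The two posts above describe VPN access granted computer-by-computer, and only to company-managed machines that are disk-encrypted and enrolled for remote wipe. The following is an added example (not code from any poster in this thread) of what such a per-device check looks like as a deny-by-default policy over a device inventory. The inventory lines, field names and device IDs are constructed for illustration and are not taken from any real MDM or VPN product.

```python
"""Per-device VPN authorization check over a constructed device inventory.

Added example, not from the thread. Encodes the policy the posters describe:
VPN is allowed only for a device that is in the inventory, assigned to the
requesting user, company-managed, disk-encrypted, enrolled for remote wipe,
and not revoked. Unknown devices are denied by default.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory (field names are assumptions, not a real product's).
SAMPLE_INVENTORY = """\
device_id,owner,managed,disk_encrypted,remote_wipe,status
LT-0042,alice,yes,yes,yes,active
LT-0043,bob,yes,no,yes,active
LT-0044,carol,yes,yes,yes,revoked
PC-HOME-1,dave,no,yes,no,active
"""


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    managed: bool
    disk_encrypted: bool
    remote_wipe: bool
    status: str


def _flag(value: str) -> bool:
    """Parse a yes/no style inventory field; anything unrecognised is False."""
    return value.strip().lower() in {"yes", "true", "1"}


def parse_inventory(text: str) -> Dict[str, Device]:
    """Parse CSV inventory text into a device_id -> Device map."""
    devices: Dict[str, Device] = {}
    for row in csv.DictReader(io.StringIO(text)):
        dev = Device(
            device_id=row["device_id"].strip(),
            owner=row["owner"].strip(),
            managed=_flag(row["managed"]),
            disk_encrypted=_flag(row["disk_encrypted"]),
            remote_wipe=_flag(row["remote_wipe"]),
            status=row["status"].strip().lower(),
        )
        devices[dev.device_id] = dev
    return devices


def vpn_decision(inventory: Dict[str, Device], device_id: str, user: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed requirement is reported, so an
    admin sees all the reasons a device is blocked rather than just the first."""
    dev = inventory.get(device_id)
    if dev is None:
        # Deny by default: a device we have never seen gets no VPN at all.
        return False, ["device not in inventory"]

    reasons: List[str] = []
    if dev.owner != user:
        reasons.append("device not assigned to this user")
    if not dev.managed:
        reasons.append("not company-managed")
    if not dev.disk_encrypted:
        reasons.append("disk not encrypted")
    if not dev.remote_wipe:
        reasons.append("remote wipe not enrolled")
    if dev.status != "active":
        reasons.append(f"device {dev.status}")
    return (not reasons), reasons


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for dev_id, who in [("LT-0042", "alice"), ("LT-0043", "bob"),
                        ("PC-HOME-1", "dave"), ("LT-0042", "bob"), ("LT-9999", "eve")]:
        ok, why = vpn_decision(inv, dev_id, who)
        print(f"{dev_id} / {who}: {'ALLOW' if ok else 'DENY'} {why}")
```

The check is written to collect every failing requirement rather than stop at the first, which is what you want when the output feeds a helpdesk ticket: a personal machine that is encrypted but unmanaged and without remote wipe is reported for both gaps at once.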
Sure, a lot of companies trot out the 'everyone does it this way' excuse, but there's actually a good reason for this - it works.
Since everyone agrees on this point I now absolutely consider that a fair argument. I just don't want to believe without a little research first. In fact I think I learned more than I expected from everyone's responses.
Considering the power of laptops these days, I don't understand what you're losing in usability.
Either way, it's a good policy, and your users are better off for it.
I feel it'll be a loss of usability since they want to have a one-size-fits-all laptop. The model I've seen is noisy and a bit heavy. Suddenly having to carry one every single day irks me a bit. Having to (un)plug monitors and peripherals at home is going to be additional effort (but explicitly allowed). Not saying it's not worth it (and somewhat complaining on a high level), but it is a loss of comfort.
1) Get docks for home and work, so it's just one step to connect peripherals. It's actually a lot more convenient than having separate machines for work and home.
2) Find out if you can use a virtual desktop setup, where everything is running on your work machine, but you can use RDP to control it. A competent IT dept should be able to set that up in a way that's not less secure.
3) If you're in the US, your company can't force you to carry a heavy laptop if you have any issues with strength or mobility. If you want to exploit this, you can ask your doctor for a note saying that you shouldn't carry a laptop to/from work. This is actually probably true for the many people who have issues with back pain.
I even strive to keep it more separate than that. I have both my work and personal laptop KVMed to the same monitor/mouse/keyboard, and I'll switch over to the personal one for most general web browsing. I use Slack to send links/files to myself if there really is a need to share something between the two, because of course we aren't allowed to put USB drives in the work system either.
It feels extreme when you start working this way, but you get used to it, and I've even grown to appreciate the complete wall between work and home.
If it's the former, I'd understand; if it's the latter, that sounds like a lot of additional effort.
The reason being (in his own words): "it takes too much time and hassle to sign up to Corp VPN BS. And then it logs you off, timeouts, enforces stupid policies, etc...". His ZeroTier setup is more reliable and I suspect as secure as his startup VPN.
He faces (and realizes) the potential risk of: "How come you were signed up to our Corp network when our VPN provider was down?????"
No one (at his startup) knows what he does, and the reason is that he does lots of moonlighting and it's very convenient for him to:
1. Use a single machine for work and off-work activities.
2. Protect himself against the possibility of his Corp claiming rights to his own projects.
He is a vigilante type of guy, in other words "don't tell me what I cannot do".
That said, his corp and his corp's customers are super happy with his work and support.
From a security standpoint it is risky and amateurish to allow VPN from an unknown device under someone else's management.
The only exception that I would consider would be allowing remote virtual desktop or virtual app access. Even that has risks that need to be considered.
Remember that with BYO, unless you're providing stipends for employees to buy equipment with strings attached, you're not dealing with just your employee -- you're potentially thinking about the employee's extended circle of associates. The employee's kid, parent, drunk roommate, etc. all have access.
I don't know if this is specific to here, but you'd have to toggle the VPN explicitly on and off and with another password, separate from your user account. Along with the usual drill to have another password to access the machine and lock it when you're away. I agree it ultimately comes down to trust however.
If we need to nuke your machine from space, it's much easier if it's corporate property.
> https://www.cfodailynews.com/how-a-single-stolen-laptop-cost...
Expecting you to work on a personal device is irresponsible, not only beyond cheap.
I wouldn't put company stuff on my own PC even if they demanded it. Corporate laptops are usually filled with official spyware.