38

Today, one of our developers had his laptop stolen from his house. Apparently, he had a full svn checkout of the company's source code, as well as a full copy of the SQL database.

This is one massive reason why I'm personally against allowing company work on personal laptops.
However, even if this had been a company owned laptop, we'd still have the same problem, although we would be in a slightly stronger position to enforce encryption (WDE) on the whole disk.

Questions are these:

  1. What does your company do about company data on non company owned hardware?
  2. Is WDE a sensible solution? Does it produce a lot of overhead on reads/writes?
  3. Other than changing passwords for things that were stored/accessed from there, is there anything else you can suggest?
HopelessN00b
Tom O'Connor
  • Was it stolen, or was it "stolen"? I had a case once where an employee laptop mysteriously disappeared, and by strange chance, it was the only thing that was "stolen" from their house. And of course there was $1000s of other hardware and valuables that were left untouched. They of course never called the police to investigate. Have you called the police in to investigate? – bakoyaro Nov 25 '10 at 16:59
  • I don't see the police investigating the theft of someone's personal laptop on the request of a company official. Yes, I know, you could argue that the source code was company property but, based on experience, cops would just shrug and not do anything about it. – Belmin Fernandez Nov 25 '10 at 17:18
  • @bakoyaro yes, the police have been informed. Only his wallet and laptop got nicked. Bit odd. – Tom O'Connor Nov 25 '10 at 19:32
  • So much for ServerFault's editor comment "This is subjective and likely to get closed" :P – Tom O'Connor Nov 25 '10 at 19:40
  • What I do is worry a lot since I can't convince my supervisor and coworkers that they should be worried. – Zoredache Nov 25 '10 at 20:54
  • @Tom - you're worried now? What if that personal data includes your bank account details? Yeah. That always gets one's attention, huh? The fact of the matter is, doesn't matter what industry you're in or what country you're in, business doesn't always take data security as seriously as it ought to, and even when intentions are good, *getting stuff done* can all too often get in the way of *getting stuff done right*. The real wisdom is in knowing when to split that difference and when to dig your heels in. – Rob Moir Nov 25 '10 at 23:03
  • Is it easier to dig ones heels in, or say "I don't care what you do, no matter what I suggest, you'll ignore it, I quit..." – Tom O'Connor Nov 25 '10 at 23:12

12 Answers

30
  1. The problem is that allowing people to do unpaid overtime on their own kit is very cheap, so managers aren't so willing to stop it; but will of course be happy to blame IT when there's a leak... Only a strongly enforced policy is going to prevent this. It's down to management where they want to strike the balance, but it's very much a people problem.

  2. I've tested WDE (Truecrypt) on laptops with admin-level workloads and it's really not that bad, performance-wise, the I/O hit is negligible. I've several developers keeping ~20GB working copies on it, too. It's not a 'solution' in itself; (It won't stop the data being slurped off an unsecured machine while it's booted, for instance), but it certainly closes a lot of doors.

  3. How about a blanket ban on all externally held data; followed by some investment in remote desktop services, a decent VPN and the bandwidth to support it. That way all code stays inside the office; the users get a session with local network access to resources; and home machines just become dumb terminals. It won't suit all environments (intermittent access or high latency might be a deal-breaker in your case) but it's worth considering if home working is important to the company.

SmallClanger
  • +1 on the 3rd suggestion. Makes the most sense for me. – Belmin Fernandez Nov 25 '10 at 17:21
  • #3 is the direction we are going in too. Why compile on a laptop when you can VPN in and RDP to a VM running on server hardware? You aren't checking code in and out over the VPN either cause it all stays in the office LAN. – August Nov 25 '10 at 17:41
  • I quite like the #3rd solution. I think it would be quite unpopular though. It means you can't work if you're travelling, unless you've got 3G or Wifi. – Tom O'Connor Nov 25 '10 at 19:34
  • True. It's the cleanest route, but does cut off a lot of working options. If you've got travelling front-line developers, then it might not be feasible. Even if 3G was available, you couldn't rely on it, since RDP would intolerable with even infrequent drop-outs. Perhaps give RDP to most and WDE to the select few; with a good indoctrination on the policy. (and a shiny new SSD in their laptop as a sweetener) – SmallClanger Nov 25 '10 at 19:55
  • Do most/all WDE solutions work with non-windows laptops? We have some ubuntu guys, and a few mac geeks. – Tom O'Connor Nov 25 '10 at 20:01
  • #3 doesn't work in my case (working in Israel, office in Boston). VPN has extremely high-latency. Totally impractical for dev work. – Yaakov Ellis Nov 25 '10 at 20:24
  • @Tom: I've only used Truecrypt in anger, but I believe the tech is the same in most implementations: The volume is a device that needs a (typically custom) bootloader that starts the decryption and special device drivers that allow the OS to continue booting. Find something with driver support for all your target operating systems and you should be away. I think TC covers most of the common ones. – SmallClanger Nov 25 '10 at 20:39
  • Oh, and I should at least mention the support overhead of WDE. Consider lost passphrases or data recovery from a damaged OS. These things can be a lot more problematic when the disk is encrypted. (Every silver lining has its cloud...) – SmallClanger Nov 25 '10 at 20:42
  • For people with Ubuntu they can use the built-in LUKS encryption that is part of the alt-installer. It works great, and is trivial to setup at install time. – Zoredache Nov 25 '10 at 20:45
  • Option 3 (RDP/VNC) tends to suck in my experience. The problem is that any latency tends to seriously screw with the auto-completion features of most popular IDEs. Unless your users have a rock-solid Internet connection with very low latency, they will almost certainly hate a Remote Desktop solution. – Zoredache Nov 25 '10 at 21:00
  • @SmallClanger: but you have reliable automatic remote backups, right? – poolie Nov 26 '10 at 00:20
  • @Tom as Zoredache says, you can use LUKS whole-disk encryption, or with a single checkbox you can get encryption of just /home. Arguably not quite as secure, though also arguably secure enough that it makes no difference and other attack vectors become more likely. – poolie Nov 26 '10 at 00:22
  • Has anybody who is advocating #3 actually tried it? I've spent probably hundreds or thousands of hours working that way and I hate it. Even over a LAN it's not fun, and over a VPN it reminds me of when I was on dialup. – Gabe Nov 26 '10 at 06:16
  • @poolie: I do, but WDE, in general reduces your recovery options to "Format and reinstall." (Bitlocker allows for some admin recovery, I believe). It can be more painful if a user stored a file in the wrong place or hasn't done a commit in 2 weeks. @Gabe - I've found RDP to be very usable at < 100ms latency. I've spent many hours using it. (VNC does suck in comparison though). I guess 'suck it and see' is the only way to find if it's suitable. – SmallClanger Nov 26 '10 at 12:00
  • @SmallClanger: Ubuntu ecryptfs and LUKS encryption would both let administrators either keep a copy of the full key, or install a separate IS-maintained recovery passphrase that can be given out to users when they forget. I'd venture that doing that is probably best practice, assuming you have a sufficiently safe place to store all those keys. – poolie Nov 28 '10 at 22:34
13

Our company requires whole-disk encryption on all company-owned laptops. Sure, there's an overhead, but for most of our users this isn't an issue -- they're running web browsers and office suites. My MacBook is encrypted, and it hasn't really impacted things enough that I've noticed, even when running VMs under VirtualBox. For someone who spends much of their day compiling large trees of code it might be more of an issue.

You obviously need a policy framework for this sort of thing: you need to require that all company owned laptops are encrypted, and you need to require that company data cannot be stored on non-company owned equipment. Your policy needs to be enforced for technical and executive staff, too, even if they complain, otherwise you're just going to run into the same problem again.

larsks
  • This is only possible if the compile times are fast enough on encrypted disks. Programmers will do **whatever** it takes to get a system that compiles fast. With or without your agreement. – Ian Ringrose Nov 25 '10 at 16:04
  • Yeah but if they're after those compile times, they would normally accept a desktop workstation at the office, non-portable but with awesome raw power ^^ – Oskar Duveborn Nov 25 '10 at 16:32
  • Too true. I'd definitely recommend running some benchmarks and *publishing* them to your developers if you plan to implement this. If you show a < 5% overhead for WDE under real-world conditions, then you might get them on board. Carrot: Offer SSDs to the devs to sweeten the deal. Stick: sack 'em if they cause a breach by subverting your mechanism. :D – SmallClanger Nov 25 '10 at 16:37
  • At least from what I have seen, compilation is usually CPU bound more than I/O bound. I am not saying encryption won't make a difference, but it doesn't seem like it should make much of a difference. It probably varies by project of course. – Zoredache Nov 25 '10 at 21:02
  • True for compiling being mostly cpu-bound but linking generally takes a lot of disk I/O as well (though still being cpu-heavy too). I can't say I've even noticed any difference on an i5 laptop with a G2 Intel SSD and enabling bitlocker on all volumes. It worked so well that I'm now completely sold on bitlocker To Go on my private gear as well ^^ – Oskar Duveborn Dec 20 '10 at 12:37
9

I would focus less on the equipment itself, and more on the data involved. This will help avoid the problems you're running into now. You may not have the leverage to mandate policy on personally owned equipment. However, you had better have the leverage to mandate how company owned data is handled. Being a university, we have issues like this come up all the time. Faculty may not be funded in such a way that their department is able to buy a computer, or they could buy a data processing server on a grant. In general, the solution to these problems is to protect the data, and not the hardware.

Does your organization have a Data Classification policy? If so, what does it say? How would the code repository be classified? What requirements would be placed on that category? If the answer to any of those is either "No" or "I don't know", then I would recommend talking to your Information Security office, or whomever in your organization is responsible for developing policies.

Based on what you say was released, were I the data owner I would likely classify it as High, or Code Red, or whatever your highest level is. Typically that would require encryption at rest, in transit, and may even list some restrictions on where the data is allowed to be housed.

Beyond that, you may be looking at implementing some secure programming practices. Something that might codify a development life cycle and expressly disallow developers from coming in contact with a production database except in weird, and rare, circumstances.

Scott Pack
6

1.) Working remotely

For developers, remote desktop is a very good solution unless 3D is required. The performance usually is good enough.

In my eyes, remote desktop is even safer than VPN, because an unlocked notebook with VPN active allows quite a bit more than a view to a terminal server would.

VPN should only be given to people who can prove they need more.

Moving sensitive data out of house is a no-go and should be prevented if possible. Working as a developer without internet access can be prohibited because the lack of access to source control, issue tracking, documentation systems and communications makes the efficiency iffy at best.

2.) Usage of non-company hardware in a network

A company should have a standard of what is required from hardware attached to the LAN:

  • Antivirus
  • Firewall
  • be in the domain, be inventoried
  • if mobile, be encrypted
  • users do not have local admin (difficult if developer, but doable)
  • etc.

Foreign hardware should either follow these guidelines or not be in the net. You could set up NAC to control that.

3.) Little can be done about the spilled milk, but steps can be taken to avoid recurrence.

If the above steps are taken, and notebooks are little more than mobile thin clients, not much more is necessary. Hey, you can even buy cheap notebooks (or use old ones).

Posipiet
3

What does your company do about company data on non company owned hardware?

For sure you should only have company data stored on company devices, nowhere else, unless it has been encrypted by your IT Department.

Is WDE a sensible solution? Does it produce a lot of overhead on reads/writes?

Any disk encryption software will have some overhead but it is worth it and all laptops and external USB drives should be encrypted.

Other than changing passwords for things that were stored/accessed from there, is there anything else you can suggest?

You can also get remote wipe software like you would have in a BES environment for blackberries.

Jeff Atwood
cpgascho
3

Computers not under your company's control shouldn't be allowed on the network. Ever. It's a good idea to use something like VMPS to put rogue equipment in a quarantined VLAN. Likewise, company data has no business outside company equipment.

Hard disk encryption is pretty easy these days, so encrypt anything that leaves the premises. I've seen some exceptionally careless handling of laptops which would be a disaster without full disk encryption. The performance hit isn't that bad, and the benefit far outweighs it. If you need blazing performance, VPN/RAS into the appropriate hardware.

Cakemox
3

To go in another direction from some of the other answers here:

While protecting and securing the data is important, the probability that the person who stole the laptop:

  1. Knew what they were stealing
  2. Knew where to look for the data and source code
  3. Knew what to do with the data and source code

Is pretty unlikely. The most likely scenario is that the person who stole the laptop is a regular old thief and not a corporate spy bent on stealing your company source code in order to build a competing product and get it to market before your company, thereby driving your company out of business.

That being said, it would probably behoove your company to put some policies and mechanisms in place to prevent this in the future but I wouldn't let this incident keep you up at night. You've lost the data on the laptop, but presumably it was only a copy and development will continue without interruption.

joeqwerty
  • There's no worry about loss of data in the whole sense.. We've got backups and copies coming out of our ears. Still, it's a bit of a risk that our Business Secrets are in the SVN repo. – Tom O'Connor Nov 25 '10 at 19:35
3

Corporate owned laptops, should be using encrypted disks, etc, of course but you ask about personal computers.

I don't see this as a technical problem but rather a behavioural one. There is very little you can do from a technology viewpoint to make it impossible for someone to take code home and hack away at it - even if you can prevent them from checking out all the source to a project on a formal basis they can still take snippets home if they are determined to do so and if one 10 line "snippet" of code (or any data) happens to be the bit that contains your secret sauce / valuable and confidential customer information / location of the holy grail then you're still potentially just as boned by losing those 10 lines as you would be by losing 10 pages.

So what does the business want to do? It's perfectly possible to say that people absolutely must not work on company business from non company computers and make it a "gross misconduct" dismissal offence for people who break that rule. Is that an appropriate response to someone who is the victim of a burglary? Would it go against the grain of your corporate culture? Does the company like it when people work from home in their own time and is therefore prepared to balance the risk of property loss against the perceived gains in productivity? Is the code that was lost used to control nuclear weapons or bank vaults or life saving equipment in hospitals and as such a security breach can't be countenanced under any circumstances? Do you have a legal or regulatory obligation with regards to the security of the code "at risk" because of this loss?

Those are some of the questions I think you need to be considering, but no-one here can actually answer them for you.

Rob Moir
1

In a situation where there is source code involved, and especially where the machine used can't be controlled by the company IT department, I would only ever allow the person to develop in a remote session hosted on a machine on company premises, through a VPN.

Alan B
  • Are you willing to lose a large order if the software is late due to the VPN connection failing? However most of the time VPN does work well for software dev. – Ian Ringrose Nov 25 '10 at 16:06
  • Well, I guess you have to weigh up the risk of that against the risk of his laptop going walkies with a checked-out copy of the source on it. At the very least they should have the source in a Truecrypt volume. – Alan B Nov 25 '10 at 16:40
0

How about remote wiping software? This would of course only work if the thief is dumb enough to power up the computer on the internet. But there are tons of stories of people who even found their stolen laptops this way so you might be lucky.

Timed wiping might be an option too: if you haven't entered your password in X hours everything is deleted and you have to check out again. Haven't heard of this before, maybe because it's actually quite stupid as it requires more work from the user than encryption. Maybe it would be good in combination with encryption for those worried about performance. Of course you have the power-up problem here too but here no internet is required.

0

My thought on this is that your biggest problem is that this seems to imply that the laptop had access to the company network. I'm assuming that you have now prevented this laptop from VPN'ing into the office network.

Allowing non company computers onto the office network is a really bad idea. If it's not a company laptop, how can you enforce adequate anti-virus on it? Allowing it on the network means that you have no control over the programs that are running on it - e.g. wireshark looking at network packets etc...

Some of the other answers suggest that out of hours development should be done inside an RDP session and the like. Actually this then means that they can only work where they have an internet connection - not always possible on a train etc.. but it also requires that the laptop has access to the server for the RDP session. You need to consider how you secure the RDP access against someone who has access to a stolen laptop (and probably some of the passwords stored on the laptop).

Finally, the most likely result is that the laptop is sold on to someone that has no interest in the contents and will just use it for email and web. However.... that's quite a big risk for a company to take.

Michael Shaw
-3

A laptop lock would have prevented the issue in this case. (I have yet to hear of a desktop lock, but then again, I have also yet to hear of a burglar stealing a desktop.)

The same way you don't leave your jewelry lying around when you leave your house, you shouldn't leave your laptop unsecured.

MCS
  • I've heard of burglars stealing desktops all the time. At $job-1 someone had their old Mac G4 nicked.. Those things weigh a ton. – Tom O'Connor Nov 25 '10 at 19:38
  • I would frown if my company dictated that I keep my personal laptop on a leash inside my own house. Better locks might have prevented the burglary altogether, etc., etc. Desktops do get stolen and locks exist and are used in many companies. All in all, not a useful answer. – Martijn Heemels Nov 25 '10 at 20:06
  • "Kensington" style locks are usually only enough to stop the casual thief. A decent set of bolt cutters would get through one very quickly. Usually I've seen them employed in offices simply to stop the cleaners from stealing laptops. – Richard Ev Nov 26 '10 at 14:16