
I've been searching and reading on this topic for a few weeks now, and this is my current understanding of the situation:

  • Use case: employees working on company laptops. They need to be able to work offline as well as off the company network (with internet access).
  • Security requirements: the data stored on the computer need to be secure and non-recoverable by a third party.

In order to address the largest chunk of this use case, the first thing that came up in my research was disk encryption. One commonly used product for that would be Bitlocker. But I quickly realized that disk encryption alone doesn't solve the problem at all, if the user isn't forced to use a strong password (and doesn't keep his laptop idle for 3h without triggering a lock screen, etc.): there needs to be a way for the company to enforce policies (strong password, lock screen max timers, ...).

At this point in my research, Active Directory came up, answering pretty much any concern on that level; however, there are several downsides that make its integration a problem: requirement for an on-site server, requirement to provide VPN access to the company network (this wasn't necessary in the case where users work with cloud based services such as Office 365), offline access, ... Active Directory doesn't seem to be designed for mobility, especially for small/medium companies. There is also a large overhead for managing it (server maintenance, configurations, ...). Another alternative: using remote desktops, but there is still the issue of requiring an internet connection 100% of the time.

After that point, I have been trying to find alternatives, and ended up looking at "endpoint" product offers by security companies (Kaspersky, McAfee, Norton, ...). Their solutions seem to be a mix of an anti-virus and a deployment software, and I haven't been able to identify precisely if all the security requirements would be met with these products.

Finally, I have also read (and agreed with!) that it was more important to make sure not too much data were kept locally rather than adding thousands of layers of security and keeping everything. However, with the mobility requirements, and the fact that people could need to work offline, no solution seemed to really be able to automate the reduction of the amount of files stored locally. Storing files on a remote drive is not an option, and Sharepoint or similar keep all the data locally when a folder is synchronized.

This being the current state of my research on the security of data and company laptops, I would be leaning towards software solutions with a centralized management and some security features (but not all). Did I miss something or make a judgment mistake? Would there be a better way to handle company laptop security while keeping a seamless end user experience?

Raphael Laurent
  • Full Disk Encryption + AD and most of all, VPN access to shared resource, or access to remote VDI. The data never get out that way. (Will flag as offtopic for SF btw, as it's a complete assessment you need) – yagmoth555 Sep 08 '15 at 18:58
  • For a small business, Intune will do much of what you need, but if you have more than, say, 10 devices, you really should be using Active Directory. – Michael Hampton Sep 11 '15 at 20:13

2 Answers


The typical solution would be:

1) Connect the PC to the domain
2) Fully encrypt the HDD
3) Setup VPN access for external users

There are some issues with this setup. However, a client will cache AD credentials for some time, so users don't need 100% 24/7 access to a DC, as long as they log in before leaving the office and log in again before the credentials expire. So if they are coming and going, it's usually not an issue.

Also MS offers an AD service, via their Azure platform. I do not know the specifics, but there should be no heavy maintenance on your part besides paying the bill and configuring the users.

Another solution would be using a thin client, if you wanted to remove the endpoint encryption requirement. The user would log in to a server somewhere, over VPN, so nothing would be stored locally.

Brian D.
  • Thanks for the reply, I've read about the Azure AD offer already but it's only a complement with the on-premise server, not a full solution. Will definitely think more about AD and how to make it work on the go without issues then. – Raphael Laurent Sep 08 '15 at 19:41
  • Azure AD is *not* Active Directory. – blaughw Sep 11 '15 at 17:30
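The answer above lists domain join, full disk encryption and cached AD credentials as the pieces that let a laptop work offline while keeping the data unreadable to a third party. The following PowerShell script is an added example, not code from the answerer or from Microsoft: it is a read-only compliance check an administrator could run on a Windows laptop to confirm that those pieces (and the lock-screen policy the question worries about) are actually in effect. The thresholds `$MaxIdleSeconds` and `$MinCachedLogons` are assumed policy values, not anything stated on the page; the cmdlets, CIM class and registry paths are standard Windows ones. It needs an elevated session and the built-in BitLocker module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original answer): audit a Windows laptop for the
# controls discussed above: domain join, BitLocker on the OS volume with a TPM
# protector, cached domain logons for offline work, and a password-protected
# screen lock. Read-only; nothing is changed on the machine.
# Run from an elevated PowerShell prompt.

$MaxIdleSeconds  = 900   # assumed policy: lock the screen after 15 minutes idle
$MinCachedLogons = 1     # assumed policy: at least one cached logon for offline use

$findings = [System.Collections.Generic.List[string]]::new()

# 1) Domain membership (answer step 1)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $findings.Add("Machine is not domain-joined (workgroup: $($cs.Workgroup))")
}

# 2) Full disk encryption on the OS volume (answer step 2)
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("OS volume $($os.MountPoint): protection=$($os.ProtectionStatus), " +
                  "status=$($os.VolumeStatus), $($os.EncryptionPercentage)% encrypted")
}
# A TPM-bound key protector ties the disk to this machine; a disk moved to
# another PC cannot be unlocked without the recovery password.
$tpmProtectors = $os.KeyProtector | Where-Object { $_.KeyProtectorType -match 'Tpm' }
if (-not $tpmProtectors) {
    $types = ($os.KeyProtector.KeyProtectorType -join ', ')
    $findings.Add("OS volume has no TPM-based key protector (present: $types)")
}

# 3) Cached domain credentials, which the answer relies on for offline logon.
#    CachedLogonsCount is a REG_SZ; Windows uses 10 when the value is absent.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }
if ([int]$cached -lt $MinCachedLogons) {
    $findings.Add("CachedLogonsCount=$cached: users cannot log on away from a DC")
}

# 4) Screen lock for the current user (the question's idle-laptop concern).
#    Values are stored as strings; GPO-managed settings live under
#    HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.ScreenSaveActive -ne '1') {
    $findings.Add("Screen saver is not enabled, so the session never auto-locks")
} elseif ($desktop.ScreenSaverIsSecure -ne '1') {
    $findings.Add("Screen saver does not require a password on resume")
} elseif ([int]$desktop.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
    $findings.Add("Screen saver timeout is $($desktop.ScreenSaveTimeOut)s; " +
                  "policy allows at most $MaxIdleSeconds s")
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $env:COMPUTERNAME"
} else {
    Write-Output "NON-COMPLIANT: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reports; the enforcement itself is what Group Policy (or Intune, as the other answer suggests) provides. Note that the HKCU screen-saver values reflect the logged-on user's own settings, so when the lock screen is pushed by GPO the check should read the Policies key named in the comment instead, since a policy value overrides the user value even when the two disagree.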

You might want to look at the features of MS Intune. It does a lot of what you seek, particularly with the remote device management, VPN access and security. If you sync on-prem AD with Azure AD, it will help with the credential management too.