Is an isolated "backup" environment for remote work a good idea?

I’m a software developer at a company doing contract work for multiple clients. My actual work is done almost exclusively inside clients’ remote VMs through Citrix Workspace. I have a company-issued laptop and a separate phone (thanks Microsoft for forcing MS Authenticator specifically for 2FA) and I strictly separate work and private matters. This is not required or enforced by either company, just my rule.

The issue is that sometimes things break. I recently suffered a failed BIOS update on my work laptop, and it got completely locked up. That’s the one time I’ve broken my separation rule and accessed a client’s VM from my private machine, which can be reached from the public web with just a browser.

Do you think it is secure enough to set up a “backup” environment for accessing company resources, for example in a VM? I am thinking of creating an encrypted VM with a copy of my password DB that I would only use for cases where my laptop breaks. I would want to keep it on my PC and on a private laptop I take when traveling. I sometimes work when traveling and I take both private and company devices. I’m living hundreds of kilometers away from my physical office so service or replacement may take multiple days.

Any tips or things to consider?

As a rule of thumb, information on company devices is presumably confidential, and for that reason should not be written down to non-company assets or cloud storage.

If there is a need for a sort of backup solution like you mentioned, I’d go to your manager. If you’re needing to use your personal devices for work, I’d also get permission from your company.

4 Likes

The entire point is, there is no company data that would be stored. All I need is a browser with bookmarks to access portals. There is a matter of passwords, but I actually do remember randomly generated ones for key things as I need to type them sometimes multiple times a day.

My manager was fine with me connecting through a personal device while my laptop was unusable for that one day. Fortunately the fix then was to just wait until the battery discharged, then it booted fine.

I just want some extra isolation from my personal stuff, hence the idea of putting it in a VM.

Maybe your company can provide a jump-host so you can remote into a computer of your company that holds all the info you need, then access clients’ systems from there.

That way you are still using your personal machine, but shielded away like the clients’ systems you were accessing in the past.

2 Likes

The VM is nice as a psychological barrier I guess, but the fact is that you have encrypted credentials stored but no company data. That’s probably a reasonable thing to do unless you are dealing with some super confidential stuff.

If they are fine with this the only thing to do is inform them if you lose the device, it gets stolen or otherwise compromised. It should still be fine if you have a strong encryption password but at that point all our passwords should get reset.

If they are not fine with this ask them if they have some other solution for these cases. In the end, as a company they are responsible for this stuff as long as you use common sense and stick to their guidelines.

1 Like

Good rule 🙂

I’d raise it with your boss, perhaps a cheap NUC or netbook would serve as a backup work terminal. If they don’t feel it’s worth the $300, then that’s a them decision.

Consider if there’s ever a legal/security/etc problem and the company needs all the devices that touched company assets or data (encrypted or not). No one wants your PC and laptop sucked into that. That’s just a giant headache.

1 Like

This is a tough question to answer, especially as the “common-sense” answer changes depending on which country you work in and the size/industry of your company & clients.

Personally I don’t see a big issue if you aren’t violating your company’s policies, and if no client / company data is stored on it. Many big companies provide browser based solutions with Citrix Workspaces precisely so employees can use personal devices. Though permission from the boss when your laptop breaks is a nice CYA.