Many corporations give laptops to their employees. Sometimes they work routinely from the road, from home, or from client locations. In most cases, steps to make that laptop secure against accidental loss or potential tampering are well understood. The dangers are fairly simple and easy to prepare for, like situations in which an employee leaves the laptop behind at a client location, or if an overly curious family member peeks in while the employee is out of the house. But sometimes trips go farther than on the other side of town. Sometimes, employees have to bring those corporate laptops overseas, in places where the risks go up significantly. This is particularly a concern recently, after U.S. intelligence agencies reported to Congress on the threat of computer-based espionage. For example, in China, the government itself is rumored to have highly sophisticated methods for snooping on people, blocking access, and even compelling the divulging of sensitive data. How do you properly prepare a business laptop for overseas travel?
There are two different parts to this: access and security. You need to ensure that your employees will be able to access the Internet and the corporate office regardless of where they are, and you need to make sure everything stays secure. The most basic feature is, of course, a VPN. It should be enabled by default, so that once logged in, the user doesn’t have to worry about it. Ideally, if you have the bandwidth for it, the VPN should be configured so that all Internet traffic goes over it. That way, everything the employee does online is encrypted through the tunnel up to the base office, and then is sent out to the Internet, preventing any kind of local snooping. Remember that VPNs are routinely being blocked in some foreign countries like China, so ideally you should have various means of connecting, like IPSec and VPN over SSL. You may also want to use alternative means if nothing works on the VPN front, like using uncommon ports, TOR, or having a SSH server just in case. If your own corporation doesn’t have the infrastructure in place for it, you can use a third-party VPN provider — just make sure you trust them to be completely secure, which isn’t always possible.
This is, of course, the ideal solution, in an ideal world, but we all know how rarely that happens. There are times when doing everything over a VPN just doesn’t work. Plenty of places will drop your bandwidth to unacceptable speeds, and you’ll have no choice but to use their local Internet access. In these cases, there are still things you can do to make sure users stay secure. All the basic security measures should be in place, like a software firewall, anti-virus, and so on, but you also need to protect that laptop against potential hijacking attempts.
Don’t set up the laptop to use the DHCP provided DNS servers; instead use a static DNS IP that you trust. Block your users from accessing sensitive websites, banks, and email providers, forcing them to use whichever secure email system you put in place. Remember that most users may not be tech savvy, so the laptop should be set to be secure even if they have to rely on local Internet access. You know how many users, when finding out their Outlook access is being blocked or throttled, would just fire up Yahoo! Mail and use that for a couple of quick corporate emails, not thinking of the risks?
As for security, steps must be taken to make sure the laptop is protected as well. Ideally, you would want all sensitive documents to stay back home, and for the user to access them through the VPN. But again, that’s just not always possible. If there are documents that they really need, you may have to accept that they will be bringing them on the plane, through customs. Full disk encryption is a must, either with BitLocker or TrueCrypt. Another good solution is something like IronKey, to protect data in a USB key. That way, it’s much easier for employees to keep their secure documents on their key ring, and if the laptop gets lost, or if an angry official asks them to unlock it for them, then the USB key may remain in the person’s pocket. You should also think about other utilities like Prey and Secunia PSI — things that will help mitigate threats — although when the data is in the control of a tech-illiterate employee, ultimately there is no perfect solution, so really sensitive information should just be omitted.
On top of the more drastic security measures, you of course need to apply all the common security practices such as:
- Make sure the computer goes to sleep quickly and asks for a password to unlock
- Do not give your employees admin access
- Enforce use of strong passwords
- Have aggressive anti-virus and GPO policies applied, etc.
Also, don’t forget the other devices that the employee may bring along, like a smartphone and tablet. These should be encrypted as well, along with remote wipe enabled. If you’re really paranoid, you can instruct the user to wipe their data before going through customs, although that involves reinstalling the entire thing, which may not be ideal. Overall, it’s a matter of mitigating risks, and making sure you do everything you can to anticipate problems.