Hi all, we are hiring a remote worker and will be supplying a laptop to them. The laptop will be running a Debian variant of Linux on it.
We are a small shop and this is the first time we have entrusted somebody outside of our small pool of trusted employees.
We have sensitive client data on the laptop that they need to access for their day-to-day work.
However, if something goes wrong, and they do the wrong thing, we want to be able to send out some kind of command or similar, that will completely lock, block, or wipe the sensitive data.
We don’t want any form of spying or tracking. We are not interested in seeing how they use the computer, or any of the logs. We just want to be able to delete that data, or block access, if they don’t return the laptop when they leave, or if they steal the laptop, or if they do the wrong thing.
What systems are in place in the world of Linux that could do this?
Any advice or suggestions are greatly appreciated? Thank you.
You need a legal solution, not a technical.
What you’re asking for is an mdm solution, but once a user has access to data, that user can copy it whether you like it or not, whatever mdm solution you use.
Even if you lock down everything, break the USB ports physically, I can photograph the screen, for example.
This has been an age old problem and honestly mdm tools are kind of a hammer where you need a screw driver. It advertises a lack of trust on your end, adds a lot of complexity and potential usability problems and in the end will still never be able to protect you 100%
Go for a legal option and find people you can trust. Also know that 100% security does not exist. The only 100% secure computer is off and on fire.
You’ll first want to lock down the laptop with using the TPM so it only boots kernels signed by you, and also encrypt the drive using the TPM as the locking key so the key is only ever available to a kernel you signed. From there you’ll probably want to use dm-verity to also verify the integrity of the system or at least during the boot process.
Then, on top of that, once online and the machine is still authorized to access that data, you download a key from a server under your control to unlock the rest of the drive (as another partition). And log those accesses of course.
Then, when you want to revoke access to it, all you have to do is stop replying with the key whenever requested. That just puts a ton of hurdles to overcome to access the data once the server stops handing the key. They would have to pry out the key from the TPM to unlock the first stage and even be able to see how it works and how to potentially obtain the key. They could still manage to copy the data out while the system is fully unlocked and still trusted, which you can make a lot harder by preventing access to external drives or network shares. But they have physical access so they kind of have the last word if they really really really want to exfiltrate data.
This is the best you can do because it’s a passive: you stop supplying the unlock key so it’s stuck locked encrypted with no key, so the best they can do is format the laptop and sell it or use it for themselves. Any sort of active command system can be pretty easy to counter: just don’t get it online if you suspect the kill signal is coming, and it will never come, and therefore never get wiped. You want that system to be wiped by default unless your server decides it’s not.
This is honestly an extremely expensive (in terms of skills, maintenance, chance of messing up) solution for a small shop that doesn’t mitigate at all the threats posed.
You said correctly, the employee has the final word on what happens to the data appearing on their screen. Especially in the case of client data (I.e., few and sensitive pieces of data), it might even be possible to take pictures of the screen (or type it manually) and all the time invested in (imperfect) solutions to restrict drives and network (essentially impossible unless you have a whitelist of IPs/URLs) goes out the window too.
To me it seems this problemi is simply approached from the wrong angle: once the data is on a machine you don’t trust, it’s gone. It’s not just the employee, it’s anybody who compromises that workstation or accesses it while left unlocked. The only approach to solving the issue OP is having is simply avoiding for the data to be stored on the machine in the first place, and making sure that the access is only for the data actually needed.
Data should be stored in the company-controlled infrastructure (be in cloud storage, object storage, a privileged-access workstation, etc.) and controls should be applied there (I.e., monitor for data transfers, network controls, etc.). This solves both the availability concerns (what if the laptop gets stolen, or breaks) and some of the security concerns. The employee will need to authenticate each time with a short-lived token to access the data, which means revoking access is also easy.
This still does not solve the fundamental problem: if the employee can see the data, they can take it. There is nothing that can be done about this, besides ensuring that the data is minimised and the employee has only access to what’s strictly needed.
I’m not the most up to speed on TPM’s, but does it have the capability to directly do network access in order to pull the key? Otherwise, you’re going to need the regular OS to get it to the TPM somehow, in which case that’s the weak link to pull the key instead of ripping it from the TPM itself.
And once they have the key once, how do you enforce them having to re-request it? Is there a reason that that point they couldn’t just unplug from the Internet (if even necessary) and copy the entirety of that drive/partition somewhere else?
No, that’s why signed kernel+initramfs+LUKS+dm-verity: protect the boot process all the way into userspace where you do have network access. From there you can request the TPM signs messages with a preloaded key it will only allow using it if you went through the whole secure boot process. It’s exactly what Android does with Play Integrity and the strong integrity flag.
That way you can prove to the server that the computer is still secured and untampered with up to that point, which means the script that deals with the periodic checkin should be running untampered as well. If you’ve secured down the Linux install appropriately, it should be impossible for the user to gain enough privileges to request the key again from the TPM or extract the data key out of the mounted filesystem. That also means you can trust the system to block mounting any drives, force VPN on, make sure your MDM runs, all that stuff.
You can reset the BIOS, boot from USB, all that stuff still, but then it would also wipe the TPM and so the OS no longer bootable, and obviously no signed TPM messages either so even if you find the script and how it works, at that point you don’t have the ability to sign the messages so the server won’t give you the data partition’s key either. The moment you tamper with it, it breaks the trust chain and the keys are gone. Can’t flip a single bit on the system and boot partitions without the checks failing.
It’s not bulletproof, some laptops you can sniff the TPM bus in minutes due to design flaws, but in theory as long as the hardware holds it’s pretty secure. And obviously you can always just take a picture of the screen, no avoiding that. But it puts enough hurdles it’ll stop most opportunistic exfiltration. One bad move and you wipe the keys, so you better know exactly what you’re dealing with or you have one embarassing and incriminating email to write to IT to have them reprovision the keys.
ScaleFusion does this.
Unrelated, but their w*bsite has tablets (as in type of computer) translated as pills in Russian
There is a fundamental issue with this approach: the rogue employee has already copied the data to a USB drive by the time you try to wipe it.
If the data is confidential, you either need to set up standard disk encryption and trust the employee, or not let them access it in a way it can be bulk copied. For instance, might it be possible for them to use a webapp that you control access to or a remote desktop type setup?
A lot of employers (at least the larger ones) block USB drives and have software to monitor for data exfiltration - monitoring where files are copied to, usage of copy/paste in browsers, etc.
You should always assume that your work devices are being monitored.
I agree that you should assume you’re being monitored, but, while that helps against malware type exfiltration, it does little to stop someone who is determined to exfiltrate the data as there are a myriad of ways to do so that aren’t possible to monitor, such as simply taking a video of the screen whilst displaying the information.
Ultimately, the company has to trust the employee or not give them access to the sensitive data, there’s no middle ground.
This is fundamentally true. However it is possible to limit the bandwidth of data the employee can exfiltrate.
Assuming a privileged employee suddenly becomes a bad actor. Private-keys/certs are compromised, any kind of shared password/login is compromised.
In my case I have a legit access to my company’s web-certs as well as service account ssh-key’s, etc. If I were determined to undermine my company, I could absolutely get access to our HSM-stored software signing keys too. Or more accurately I’d be able to use that key to compile and sign an arbitrary binary at least once.
But I couldn’t for example download our entire customer database, I could get a specific record, I could maybe social engineer access to all the records of a specific customer, but there is no way I’d be able to extract all of our customers via an analog loophole or any standard way. The data set is too big.
I also wouldn’t be able to download our companies software source code in it’s entirety. Obviously I could intelligently pick a few key modules etc, but the whole thing would be impossible.
And this is what you are trying to limit. If you trust your employees (some you have to), you can’t stop them from copying the keys to the kingdom, but you can limit the damage that they can do, and also ensure they can’t copy ALL the crown jewels.
This is fundamentally true. However it is possible to limit the bandwidth of data the employee can exfiltrate.
That’s fair, but the OP was talking about having the sensitive data directly on the laptop, which rather limits your ability to control access to it, and why I was suggesting keeping the data on a server and providing access that way, so limits can be put in place.
Assuming a privileged employee suddenly becomes a bad actor.
Your threat model probably isn’t the employee who suddenly goes rogue and tries to grab everything, but the one who spends and extended period of time, carefully, extracting key data. As you, the former can be be mitigated against, but the latter is very much harder to thwart.
But I couldn’t for example download our entire customer database, I could get a specific record, I could maybe social engineer access to all the records of a specific customer, but there is no way I’d be able to extract all of our customers via an analog loophole or any standard way. The data set is too big.
That’s well set up, but, whilst your competitor would love the whole database, what they’re really interested in is the contact details and contract information for maybe your largest three customers. When the dataset to extract is small enough, even quite advanced rate limiting can’t really help much. Making sure no one person has access to all of the most valuable data is a good start, but can present practical problems.
And this is what you are trying to limit. If you trust your employees (some you have to), you can’t stop them from copying the keys to the kingdom, but you can limit the damage that they can do, and also ensure they can’t copy ALL the crown jewels.
I think we’re basically saying the same thing. The OP talked about putting all the sensitive information on the employee’s laptop, and that’s what I was trying to steer them away from.
In the past I’ve been asked if we can provide our developers access to pull the full source tree, but not copy it anywhere, and, to quote Charles Babbage, “I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”
I enjoy the security side of sysadmin work, but I find it rather depressing, as all you can hope to do is lose slowly enough that it’s not worth attacking you.
