Your services, our computers

Thinking about the usage of personal services on hardware owned and controlled by a parent company

As part of my work I have been undertaking work to ensure that my company is GDPR compliant. As part of that work we have been doing a more general evaluation of our environment, including indexing all services used and all hardware touched by the company — the first step to enforcing good information hygiene through policy and (more) technological safeties.

Part of the guarantees the GDPR requires us to implement is the ability to either correct or purge personal data across our entire network of machines. It turns out, by and large this is not such a difficult requirement — simply centralising the data storage into a structured system allows us to provide this service … mostly.

The problem occurs with employees work machines.

The guarantees that companies are expected to provide

Broadly, there are two problems that are facing companies in terms of protecting user data:

Ensuring that data is managed and purged across all systems

In order to provide the necessary guarantees to users companies need to be able to guarantee that the data that has been requested to be deleted has been universally deleted across all systems that we have.

Leaving data on someones laptop after a request has been deleted is (in terms of the GDPR) an unacceptable outcome, and the business can face significant fines.

Ensuring that only the appropriate data is accessible by the people who should access it

Additionally as part of the GDPR (as well as a more general security position) companies need to ensure that only those need to have access to the data actually have access.

As part of their daily job all users of a company invariably require access to some personal data. Though companies limit exposure where they can, those in administration require access to employee data, developers who administer production environments require access to the infrastructure databases containing swathes of personal data. Employees all require access to the centralised store of customer details such that we can get in touch with the people who’s services we are building.

It’s not so difficult to implement policies to say a given user can only access that data. The problem is, companies are not only factoring in who is assigned a computer when we are determining when they should have access to that data.

Computers form part of our identity. We give them our credentials, be that simply stored in browser passwords or in AWS keys stored in the .home folder of our development VMs. This makes them targets for users who would seek to gain authorised customer data for criminal purposes.

There are various ways to monetise access to personal data:

• Blackmailing either the company or the user
• Identity Theft
• Shortselling public company stock
• Simple credit card theft

as well, I’m sure, a host of other ways that I am unaware of.

Accordingly, when companies plan what data and systems that you (and by extension your laptop) have access to companies need to be able to make judgements as to how “trustworthy” your device is when determining what it has access to, as well as on an ongoing basis. Further, when it’s invariably discovered that someone unauthorised has accessed an employee machine companies need to be able to determine how this occurred, and what steps can be put in place in future to mitigate it.

The sophistication of attacks mean that devices can be compromised down to their core. As I understand, a typical attack will look like:

1. Send a phishing email to an employee. Exploit out of date or bespoke software to get remote code execution on a machine.
2. Establish limited persistence, as much as possible within limited privileges. Start looking around the network for other vulnerable hosts (an old windows server no one looks at, for example)
3. Compromise that machine, and use known exploits to escalate privilege
4. Establish persistence here, and start abusing network protocols too steal network traffic.

In the position they’re in, attackers have access to a large swathe of data, and compromise machines to the highest possible degree. Accordingly, in order to provide satisfactory guarantees, companies also require access to hardware at these levels.

The requirements employees have

As much as it would be nice to lock down all work machines 100% of the time, it would provide such a hostile work environment that people would not wish to work here, or of they did, were unable to work at an acceptable rate.

There are some requirements that employers are simply unable or unwilling to provide. This includes:

• Checking personal email before and after work
• Playing personal music services via spotify or Google Music
• Visiting social media sites

Regardless of the controls put in place, employees tend to find ways to find access to services that they desire to use. Further, it seems reasonable that employees can access the sites they wish to — -so long as there is no loss to the guarantee’s that the company is required to provide.

Balancing requirements

The problem becomes then, how much leeway do we grant our employees to make decisions that may potentially affect the security and privacy of our customers, and their customers?

In a sense, Sitewards is quite lucky. We operate as a software development company. Our employees are abnormally equipped to understand the unique problems that face them, and we’re continually aware of the privileged position that we’re in.

Accordingly, we would like to defer the judgement to employees as much as possible. We do not wish to implement application white-listing policies, require virtualisation simply to access a corporate network or other such security controls. We trust our team to be well equipped, and to take this issue seriously.

Trust, but verify

Unfortunately, no matter how much I trust our team and now matter how well equipped they are to understand these issues, we will make a mistake. Phineas Phisher’s Hacking team hack is my canonical example of a company who should have security 100% sorted, but were still hacked sideways. Google, who is likely the most competent security company in the world, still got hacked.

In order to provide the necessary guarantees that we need to to function in the privileged position that we are in, we need to have an equal level of visibility into what we’re doing and why we’re doing it. That means the ability to requisition and inspect all machinery that touches our environments — daily work devices included. The nature of the work requires it — if not now, then certainly as the world becomes more technically sophisticated.

Respecting user privacy

Just as in customer environments, having access to this data does not mean accessing the data. On all local, testing and production systems we are presented with a warning when we do dangerous operations:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

It is a mantra that we take seriously. Accessing machinery is only done under conditions in which there is no other mechanism to determine that information, and access is limited to the scope of the investigation required. Additionally, access is logged against a specific administrator and must be justified.

All your data belongs to us. Or does it?

This gets tricky when thinking about the aforementioned personal services that many employees use on their work laptops. There are two problems:

1. Those services may introduce unacceptable risk to the privacy of our customers, and
2. Those services may contain private data of the employees or their friends and family that may in turn be accessed by the company.

There are no simple solutions to the above problems. In a sense this blog post is to help demonstrate that we understand the duality of this problem, and are working to balance the requirements as best we can.

In the case of 1, there may be certain things which we determine are not appropriate. For example, there is no acceptable use of DropBox within the company. This software, designed to make it easy to sync data between machines and services, presents simply too much risk to the privacy of our customers. Conversely, email accessed via a browser presents little risk — browsers are well developed, self updating and are used to dealing with an actively hostile audience. Conversely desktop applications are far more bespoke, and not nearly as well maintained — a much larger attack surface.

Guidelines will continue to be published as we understand more about this problem. We will treat issue on a case by case basis, making legislative decisions only when it’s clear what the implications will be. However, for now, the following general heuristics apply:

1. Any data on your laptop will shortly be subject to company oversight. If you do not want the company to know, do not put it on your laptop.
2. Applications accessed in the browser such as Google Music, Telegram, Spotify, Youtube or E-mail are probably okay. They might leave data on the computer that the company can read — you need to be okay with that if you use them on your company machine.

Thanks

• Zhivko Antonov for early review and grammar
• Peter O’Callaghan for an early review and grammaer