
Work from home and contingency setup question

Last Modified: 2020-10-04
Hi Expert
 
I was asked to set up a “work from home” and contingency project.

I am thinking of allowing staff to bring company laptops home and connect to their office PCs by remote desktop.

My challenges:

1. How can I prevent the staff from relocating company data? They don’t have administrator rights and no USB, but use DHCP. I am thinking they can set up FTP to move out everything.

2. We are considering Citrix VDI, but it seems too expensive for this and not reliable?

Any good reference?


James Rankin
Media Hound
CERTIFIED EXPERT

Commented:
Citrix is pretty reliable if set up correctly. It also gives you a lot of security control over things like data exfiltration, cut and paste, printers, keyloggers on the remote client, etc. RemotePC is a Citrix feature which is very useful for connecting to office PCs. It can be expensive but depends what you use.

You need to control the applications on the desktops if you want to stop them setting up FTP. AppLocker would be your friend here.
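
An added example, not part of the original thread: one way to trial the AppLocker suggestion above is to write a policy in audit mode and check how it would treat `ftp.exe` before enforcing anything. The rule names, GUIDs and file name are constructed for illustration; the cmdlets come from the built-in AppLocker PowerShell module.

```powershell
# Constructed AppLocker policy: allow the usual Windows and Program Files
# locations, allow everything for local Administrators, and explicitly deny
# the built-in FTP client to Everyone. Rule Ids are made-up GUIDs.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Allow all for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Deny built-in FTP client" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\ftp.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Write the policy to a file so it can be tested without touching local policy.
$policyFile = Join-Path $env:TEMP 'wfh-applocker-audit.xml'   # hypothetical file name
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Ask AppLocker how it would decide for a standard user. A Deny rule takes
# precedence over the Allow rule that covers the Windows folder.
$paths = "$env:WINDIR\System32\ftp.exe", "$env:WINDIR\System32\notepad.exe"
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $paths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Once the decisions look right, merge the policy into the local policy.
# It stays in audit mode until EnforcementMode is changed to "Enabled",
# and the Application Identity service must be running for rules to apply.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Because the only Allow rules for standard users cover the Windows and Program Files folders, an FTP client dropped into a user-writable folder matches no Allow rule and is reported as `DeniedByDefault`.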

Author

Commented:
I checked; RemotePC is part of VDI, right? The main concern is contingency: once the server is down, every company PC is down.

AppLocker seems very good and seems to need more time to digest. Many thanks for your recommendation.

Alex
A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT

Commented:
Why not configure an always on VPN?

James Rankin
Media Hound
CERTIFIED EXPERT

Commented:
What do you mean, "once the server is down"? If you're building Citrix brokering infra, you build it redundant. Or use Citrix Cloud and then Citrix manage all the infrastructure.

Author

Commented:
Hi Alex, VPN is not secure enough. It is only data transmission encryption, with no data / system protection.

Hi James, yes, we can set up redundancy to fail over. That is the hardware side. For the system side, there is no redundancy. What we can try is to distribute the VDI across two VM servers. Only half the users are affected if one of them is down.

For cloud, personally I find it less reliable. I don't like cloud services, as they keep updating security and features, and have lots of unexpected downtime.

James Rankin
Media Hound
CERTIFIED EXPERT

Commented:
I've been on Citrix Cloud for over two years and we have had two instances of downtime, both in the 4 hour region.

If you want to be able to tolerate failure of the target machines, then consider some virtual instances as well. If you have pooled machines you can fire them up as required.

David Johnson, CD
Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
1. How can I prevent the staff from relocating company data? They don’t have administrator rights and no USB, but use DHCP. I am thinking they can set up FTP to move out everything.

Using a VPN to connect from the home network into the business network doesn't magically give the user more permissions to do things on the business network. Working at work, what is to prevent the user from simply copying the files to a USB drive or Dropbox, or emailing the files out of the network? Just because they are connecting in to the network differently doesn't change things. The user has the same permissions and access restrictions that they have when the laptop is at work.

Author

Commented:
My scenario is

1. The staff download company files onto their laptops from the office
2. Then at home, staff connect to their home Wi-Fi for internet, but don't connect to the VPN
3. Then they can do anything they want, right?

So how can I prevent this situation?

In my office, all cloud upload services and USB are blocked.

Author

Commented:
Yes, it is a good question and people often ask it.

My boss said our role is to try our best to prevent it from happening. In case there is data leakage, the legal liability will depend on how much we do to prevent it from happening.

So taking photos can never be avoided, but staff will rarely do it as it is difficult to take out a large volume of data.

For Citrix, it is good but very expensive. They have a feature for recording. It is good, even if not good for privacy, but it really can stop staff from taking out company data.

David Johnson, CD
Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Set up role-based access controls, and sort your data by location, department, and job role, and then enable access accordingly.