
Question

I started working at a large financial institution several weeks ago as a software engineer, and despite every other aspect of this job being great, I am haunted by the constant restrictions that workstation security policy here puts us through. We are not allowed local administrator rights on our Windows 7 workstations, which is normal and which I agree with. What is more of a concern is that we are only allowed to use software on these workstations that has been approved and added to our Advertised Program list. Because we are on a greenfield project and working closely with a vendor to get a POC off the ground, this process is too slow and sometimes prevents us from doing our jobs.

I know that other teams have run into this issue and I am unsure how they tackled it, but apparently it is a battle that has already been fought and lost by several groups, even for exceptions to be granted.

I am preparing a document that seeks to demonstrate that, if we were allowed to run VirtualBox on a Windows 7 workstation, we could get all the benefits of local admin rights while not causing any undue security risks on the machine or network. I know they are going to look for the easiest way to dismiss my proposal, so I am trying to rebut in my document any security concerns that this group might have.

Are there any significant security concerns that are introduced by the introduction of local virtual machines on a restricted workstation? If so, how can such security concerns be mitigated?

My apologies if this question is too broad or posted in the wrong place.

Explanation / Answer

Technically speaking, there is very little risk in running an insecure VM on a secure machine IF that VM does not have network access (after all, this is how you research malware). If it does have network access, then you've essentially just circumvented all security safeguards.

From a security perspective, assume that your VM will be insecure and thus full of malware (let's just assume). If you have the VM completely isolated from the outside world and therefore your own system, it's perfectly benign. This is akin to a proper biological lab with a hot agent: work gets done, people go home, no problems. If you were to have network access to that VM, it's akin to that same biolab but leaving the doors open.

As a developer, I constantly run into problems like this and to be honest, changes/exceptions like this generally are not a decision your employer can make. The security policies are devised when the contract is created. You just have to do your best to work within them.

As per your comment, there are no real secure ways to truly 'limit' the VM's network access because it is inside the host PC (and thus its network). At the VM level there are very strict (not invulnerable, but strict) methods in place to prevent network access if you deny it at setup. If you choose to enable, say, a certain port during setup, that introduces so many vulnerabilities associated with that port.

As you stated, your company allows you to RDP to your machine at work. While personally, I find this a huge security risk, this does give you some options...

The simplest option is to simply RDP out to your machine at home and do some heavy unrestricted lifting there.

None of these methods are the most efficient for a programmer, nor are the security policies in place to make things easy.

I would suggest opening a dialogue with your employer and outlining your frustrations. If there is something you need and do not have, then that is a legitimate concern. In the world of contracting there is very little room in negotiating just how tasks are done.
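
The answer's low-risk case depends on the VM having no network access at all. The following is an added example, not part of the original answer: a Python check that parses the output of `VBoxManage showvminfo <vm> --machinereadable` and reports any adapter that is attached to something. The sample outputs are constructed, and treating only the `none` and `null` attachment modes as isolated is an assumption of this example.

```python
import re

# Attachment modes that give the guest no path to the host or the network.
# Assumption of this example: any other mode (nat, bridged, hostonly, intnet, ...)
# is reported as exposure.
ISOLATED_MODES = {"none", "null"}

_NIC = re.compile(r'^nic(\d+)="([^"]*)"$')
_CABLE = re.compile(r'^cableconnected(\d+)="([^"]*)"$')

# Constructed samples in the key="value" layout of --machinereadable output.
SAMPLE_EXPOSED = '''name="dev-sandbox"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="hostonly"
cableconnected2="off"
nic3="none"
'''
SAMPLE_ISOLATED = '''name="dev-sandbox"
nic1="none"
nic2="none"
'''

def audit_vm_network(showvminfo_text):
    """Return {adapter_number: description} for every attached adapter."""
    modes, cable = {}, {}
    for raw in showvminfo_text.splitlines():
        line = raw.strip()
        m = _NIC.match(line)          # nictype1/nicspeed1 do not match: no digit after "nic"
        if m:
            modes[int(m.group(1))] = m.group(2).lower()
            continue
        m = _CABLE.match(line)
        if m:
            cable[int(m.group(1))] = m.group(2).lower()
    exposed = {}
    for n, mode in sorted(modes.items()):
        if mode not in ISOLATED_MODES:
            # An unplugged virtual cable still leaves the adapter configured,
            # so it is reported rather than treated as isolated.
            exposed[n] = f"{mode} (cable {cable.get(n, 'unknown')})"
    return exposed

def is_isolated(showvminfo_text):
    """True only when no adapter is attached to anything."""
    return not audit_vm_network(showvminfo_text)

if __name__ == "__main__":
    print(audit_vm_network(SAMPLE_EXPOSED), is_isolated(SAMPLE_ISOLATED))
```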