
I can think of many things one might do on a VPN that an employer might and probably should care about



I can also think of many things a bad employee might do that the employer should probably care about.

But if you hired someone you've given them a tremendous amount of responsibility and power, if you can't trust them to do their job without monitoring everything they do then you should just fire them and hire someone more trustworthy.


There is basically no IT shop at a large company that operates this way, and there's a reason for that.


I would be interested in the reason because we've been fighting this successfully for a number of years with our clients' IT departments (while we were smaller). They hired us to make the development process better and one of the things we always found problematic was that when the software developers didn't have normal internet access (but instead tunneled everything through some bottleneck http proxy) they both lost the good developers because they were fed up with not being able to do their job efficiently and thus the quality of their software went down.

A year ago we were bought by a big company to help them do what we did until then but on a much bigger scale. The first thing we did was to get rid of the restricted internet. And now we again help our customers (big car manufacturers) to make their processes better. And even here every developer has free access to the Internet to be able to work efficiently.

But as I said in the beginning, I'm really interested in the reasons for this behaviour of those large companies. My suspicion is that it's just easier for the IT department to work against the developers instead of helping them to do their job.


There are IT shops with large dev teams that don't put proxies between their users and the Internet, but in every one of them that I'm aware of, developer laptops are subject to intrusive continuous monitoring. And, even at firms where there are no proxies, VPNs are problematic.

The reason is that large firms are legally obligated to make sure that insiders aren't exfiltrating protected or confidential information.


> The reason is that large firms are legally obligated to make sure that insiders aren't exfiltrating protected or confidential information.

If it makes people feel better about this, the same countermeasures also help with the case "Adversary pops any laptop in the company via e.g. phishing or malware and then pivots to All The Things." i.e. you don't need to posit non-trust of employees to want to implement continuous monitoring of work equipment.


> If it makes people feel better about this, the same countermeasures also help with the case "Adversary pops any laptop in the company via e.g. phishing or malware and then pivots to All The Things." i.e. you don't need to posit non-trust of employees to want to implement continuous monitoring of work equipment.

Even assuming we don't care about worker privacy and all the stuff, I think we can still do better.

I have no insider information about this (not a Google employee and definitely not associated with the project) but I read some good things about BeyondCorp

https://news.ycombinator.com/item?id=14596613

Regardless of the threat model, "security" has to be practical. The main thing business should care about is productivity. I've done subversion checkouts that slow down to a crawl because the malware detection hogs down the disk IO. I've seen an "anti-theft" agent go haywire sending a heartbeat too often and making network access unusable.

I haven't had to deal with being denied access to Stack Overflow and frankly I would take the first offer and quit if I ever had to.

That being said, I think I am OK with random crap running on company owned machines as long as it is reasonable and does not hurt performance. Oh and there should be no expectation that I will take them home with me.

This reminds me of another funny story. One place I worked at, we were not allowed to leave our computers at our desk at the end of the day. We either had to put it in a locked cabinet or take it home with us. Nobody believes me when I tell this story but it is true.


That would only make sense if tethering via your phone, USB-sticks, cameras, and every other way of doing copies weren't allowed on those premises either. But this is (almost) never the case.


In some jurisdictions the monitoring is forbidden due to privacy or labour protection laws.


> But if you hired someone you've given them a tremendous amount of responsibility and power, if you can't trust them to do their job without monitoring everything they do then you should just fire them and hire someone more trustworthy.

Trust but verify, as Reagan used to say. We give even more power to the presidents and senators, but imagine what would happen if there were not plenty of people around to monitor what they did with that power.

https://en.wikipedia.org/wiki/Trust,_but_verify


To bring up just one thing that doesn't have to do with trustworthiness: If you let an employee onto a 3rd party VPN you open yourself up to a whole new vector of attacks that you can't prevent.

And then there's the problem with allowing unrestricted, unmonitored Internet access with regards to auditing and establishing a timeline of events if you ever need to do so.


What attacks are opened by a VPN that aren't open to an ISP or the local coffee shop?


I'm not referencing MITM attacks...

You can visit sites that aren't blacklisted on the company's network which makes it easier to social engineer you. You have less control over what stupid things your employees can do.

You're right, this wouldn't be any more dangerous than being on a coffee shop's wifi but you already don't care about network security if that's how you're working.



