How to Secure Your Notes and Home Network When Using a Company Laptop?
Work laptops are meant for work but what about internal work notes? Also what if IT has installed specific tools on the device?
Prefer video? There’s a video version of this blog post on YouTube that goes into a bit more detail about certain topics listed below.
To be clear up front, this post does not suggest or cover any material related to circumventing or purposely trying to prevent a company or your employer from collecting the information its policies require.
It’s about protecting your privacy when performing remote work on a device that your company has issued. This device will likely run on your home network.
This device may end up being a stock laptop straight from a hardware vendor with no tools installed, or it might come pre-installed with a bunch of company-issued software for monitoring and tracking what you do. This is up to the company.
The goal here is to prevent the work laptop from gathering information about your home network and to help protect some of your internal work notes from being collected, because these notes could be classified as an internal brain dump of work-related thoughts. It's work related, but it feels very personal.
I’m curious how other folks handle this. The network is easy to isolate but I haven’t figured out a truly secure way to protect the internal work notes.
Internal Work Notes
I don’t know about you but I tend to write a lot of internal work notes on my work issued laptop. Every note is specific to work in one way or another, such as:
- A high level bullet list driven work log for each day (~2min of effort per day)
- Informal TODO lists
- Quick reminders for myself
- Chicken scratch of temporary documentation or research
- Upcoming ideas for tickets, projects and proper documentation
A lot of these reference specific things about the business such as ticket IDs, sometimes employee names (innocent mentions like “Chat with John about xyz next week”) and generally anything related to the code I’m writing.
99% of the code is generic and wouldn’t be classified as “business secrets”. Think about a snippet of Kubernetes configuration, a couple of lines of Terraform related to a specific AWS resource or the output of some command.
None of it would be considered bad and it's not rant-driven or a diary, but it does feel like dumping thoughts from my brain, which is very personal. Since it's stuffed with "work stuff", that makes me hesitant about keeping it stored on my personal box due to liability concerns.
Plus, even if it were fully vetted as containing no business secrets, it would be extremely tedious to be doing something on the work laptop and want to copy a link or config snippet over to your personal device. You'd end up wasting a huge amount of time manually retyping it, and it would be a constant reminder of a crappy, inefficient workflow.
The work laptop doesn't allow any external storage to be connected, so digitally transferring the files is out of the question. Setting up a one-way SSH connection from your personal box into the laptop is also out of the question, because it would require running both devices on the same network (more on this soon).
How Would You Protect These Notes?
In my specific case (which I think is common), it's a company-issued MacBook that has:
- An auto-patching tool for keeping xyz software up to date
- An anti-virus tool capable of transmitting files it deems a threat
- A way to actively scan and potentially dump memory related to threat detection
- A way for IT to control which processes are running for threat detection
- Remote desktop sharing capabilities, but you’d be notified if IT connects
All of the notes are plain text but I don’t think encrypting or password protecting a directory would offer enough protection because once the notes are decrypted they would be sitting in a standard text viewing tool in memory that could get included in a memory dump.
The company assured us they don't take screenshots of your desktop, and any type of remote access would be possible to detect on our end since we'd be prompted for a key code to allow the connection.
They also mentioned no files on disk are accessed unless they are tagged by the A/V tool as a threat, in which case they would be quarantined and transmitted for analysis.
Given the above, what would you do?
Fortunately this isn’t too bad to solve. If your connection is stable over Wi-Fi most routers support the idea of a guest network. You could run your work laptop within a guest network which is isolated from the rest of your devices on a different subnet.
In my opinion that’s important because depending on which tools are installed on your work laptop, it could be seen as a black box sitting on your personal network.
On Windows and macOS you can run command line tools like arp -a to get a list of some of the devices on your network, and then run nslookup on those device IP addresses to get the names of the devices on your home network. There are many ways for software on a box to learn more about the network it's on.
If Wi-Fi is out of the question because it doesn't work well for you, you can perform network segmentation with a VLAN (virtual local area network). Some routers support this out of the box and it's not too bad to set up.
There's also OpenWrt, which is firmware that you can install onto some routers. It's not that easy to set up, but there's a lot of documentation and videos going over how to do it. It gives the same end result as a guest network, except you'd be able to use a wired connection. It's a great option if you can pull it off, since there's only a one-time cost of getting an OpenWrt compatible router, which can be found for under $100.
If all else fails you can get a dedicated second line run to your apartment or house and have two distinct cable modems, hardware routers and in turn two local networks. In my opinion this would be a last resort, but it's an option.
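Whichever route you take (guest network, VLAN or OpenWrt), it is worth confirming that the isolation actually holds. The script below is an added example, not part of the original post: it parses the same arp -a output mentioned above and reports any layer-2 neighbour that is not inside the subnet the guest network is supposed to hand out. The subnet, addresses and MACs in it are constructed.

```python
"""Sanity check for guest-network / VLAN isolation of a work laptop.

Added example, not from the original post. Parses `arp -a` output (macOS and
Linux lines both contain "(ip) at mac") and flags neighbours outside the
guest subnet. All addresses and MACs below are constructed samples.
"""
import ipaddress
import re
import subprocess
import sys

# Matches "(192.168.50.1) at 0:11:22:33:44:55"; macOS omits zero padding in
# MACs, Linux keeps it, and "(incomplete)" entries simply do not match.
ARP_ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{11,17})")

# Constructed sample: laptop on a 192.168.50.0/24 guest network, with one
# entry (192.168.1.20) that belongs to the home LAN and should not be visible.
SAMPLE_ARP = """\
? (192.168.50.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.50.37) at a4:83:e7:12:34:56 on en0 ifscope [ethernet]
? (192.168.1.20) at 3c:22:fb:aa:bb:cc on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""


def parse_arp(output: str):
    """Return (ip, mac) pairs from `arp -a` text, skipping incomplete entries."""
    return [(ipaddress.ip_address(ip), mac.lower()) for ip, mac in ARP_ENTRY.findall(output)]


def leaked_neighbours(arp_output: str, guest_cidr: str, own_ip: str):
    """Neighbours visible to the laptop that sit outside the guest subnet.

    An empty list is what a correctly isolated guest SSID or VLAN yields: the
    only hosts visible at layer 2 are the gateway and other guest clients.
    Multicast entries (mDNS etc.) are ignored so they are not false positives.
    """
    guest = ipaddress.ip_network(guest_cidr, strict=False)
    if ipaddress.ip_address(own_ip) not in guest:
        raise ValueError(f"{own_ip} is not in {guest_cidr}: joined the wrong network?")
    return [(str(ip), mac) for ip, mac in parse_arp(arp_output)
            if ip not in guest and not ip.is_multicast]


if __name__ == "__main__":
    # usage: python isolation_check.py 192.168.50.0/24 192.168.50.37
    cidr, me = sys.argv[1], sys.argv[2]
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    leaks = leaked_neighbours(out, cidr, me)
    for ip, mac in leaks:
        print(f"outside guest subnet: {ip} ({mac})")
    sys.exit(1 if leaks else 0)
```

An ARP cache is only a weak signal, since a misconfigured router can still forward traffic between subnets; a stricter check is to ping a known home-LAN address from the guest network and confirm it times out.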
Chatting about This Topic on Video
- 0:19 – 2 sides of the laptop tools spectrum
- 1:25 – I haven’t been exposed to this up until now
- 2:31 – Jotting down private work related notes
- 4:15 – Is your brain a non-managed work device?
- 5:03 – Personal notes and reminders about your co-workers
- 6:29 – Are encrypted directories good enough? Maybe not
- 7:53 – Keeping your home network secure with network segmentation
- 10:08 – The company gave me permission to find a solution
How do you secure certain files on your work laptop? Let me know below!