Separating business and home work flows
 

I am looking for links, articles, and experienced opinions related to best practices for separating/segmenting business and personal work flows when using my personal computers.

I need to have remote access to business servers. For example, we use Proxmox, which uses a web browser interface. I need remote access to the network monitor server (nagios).

One option is to use a computer dedicated to business access. Not budget feasible at the moment. Not practical as I do not want to carry two laptops with me.

Perhaps a separate browser profile for business related browser sessions might help. A separate login account might be another idea. Just thinking out loud -- I do not know at this point.

I access the business computers from home with an office desktop and a laptop. The laptop extends the range outside the home.

I accept that security and convenience tend to conflict. Just looking for information and experiential advice.

Thanks. :)

Since that's a pretty broad question, there is probably no definitive answer. I would suggest taking the time to work out exactly what your objectives are in separating the workflows:

• Security, so that if you have a security incident on your personal computer it won't put your work at risk? If so, what exactly (passwords you type? files you store locally?) are you concerned about keeping secure?
• Privacy, so that if a colleague looks over your shoulder while you are on your laptop, they won't see an embarrassing URL auto-complete in your browser?
• Are there specific legal or workplace requirements?
• etc.

Once you take the time to make a clear list of what you hope to gain from separating your workflows, it might be easier to decide the best way to do it.

Edit: Also, since you don't specifically mention either of these options in your post, I wanted to bring up the possibilities of dual boot, or using a virtual machine. Either will give you a whole separate OS install (and possibly the option to encrypt that OS's partitions, if necessary, so your home-use OS can't access them) if you need more separation than just separate browsers/separate accounts will give you.

Fair questions. I was not expecting definitive replies as what I decide to do is applicable only to my use case. :) Mostly I was hoping for others sharing their own experiences.

My primary desire is to protect business systems and data. My primary concern is my mobile laptop, which potentially is easily misplaced or stolen.

I store personal files on my home server, but I do not store personal files on my mobile laptop. I have to VPN into my home network to access personal files. Therefore personal protection is not a significant criterion in this topic.

I have not yet decided on a course of action. Again, I was hoping others would share how they deal with the topic. :)

Maybe a silly question: do you use encrypted partitions?

That would help if your laptop is stolen, at least.

Let me know if you need pointers. I have written a small article for users of the Slint distribution. It's in French I will translate it in Englich as soon as I find the time.

There is also LXC, but I have zero experience using that.

You said you don't really have a budget at the moment, and only mention one laptop. I'll go with others and ask about your drive being encrypted. If it is, do you have something like Prey installed on it?

Personally, I use Box. Great security, ease of access between multiple devices/platforms. You could attack separation several ways:

• Nothing but a different user ID on the linux box...one for work, other for personal. Have it mount your home VPN drive via .bashrc when you log in, and mount your work file(s)/server(s) when you log in with THAT ID. Same with Gmail (if you use it). One account for personal/another business..sync bookmarks (Nagios/etc.) that way. Totally separate but on one machine
• Have a tablet? Android works pretty well for Nagios/web browsing (can't speak for Apple), and a small bluetooth keyboard/mouse are both supported well. Separation can happen there. Tablet for business/laptop for work
• Online storage, again one for business/one for home. Mount as you see fit.

I use the separate account method personally; when I'm working, I sign into Gmail/Google for Business with my work ID. Has my Docs, bookmarks, Google Drive, etc., all ready for me. Even if I AM home, I can pop open an incognito tab and sign in...and there's my stuff.

No, I do not. Never had a need -- until now. Encrypting my /home partition is on my list of options.

Not installed but I am aware of the software. On my list of things to evaluate. I posed the question to the owner about whether tracking software should be normal policy for mobile devices.

I have considered using a VM. A VM can be encrypted too.

This is where I am leaning at the moment. I had considered a separate browser profile. I think Firefox supports a profile password, but that might be awakening sleeping dogs should anybody but me gain access to the profile manager. A separate login account is less obvious.

I do not use auto-login. I boot to the command line, which will puzzle non technical users. :)

With the separate login account I likely would use screen locking, perhaps with a short timeout such as 1 minute. I haven't been in the habit of manually invoking screen locking for a few years, but always did so when contracting on previous work sites.

At the moment I tote my laptop only to work when away from home. Small town rural area. Yet I am thinking ahead when I visit family and friends in the big cities. A VPN provides me tunneled encryption, but there is always simple loss or theft to consider when traveling.

I do not use cloud services or any tablets.

I'd either do full disk encryption or just /home and then use a separate login.
Other options (like separate browser) may become too confusing and you may accidentally start intermixing the two.
A separate login is clearly separate and will allow you to customize it as needed.

Also, instead of storing work files on your laptop, storing them on a computer with public ssh access can be a very convenient way to securely store files without using a cloud. A raspberry pi makes this a very accessible option (a setup I personally use currently)

I do not store work files on the laptop. To remotely access work files and servers when outside the work network we use SSH and passwords. I store my work related private SSH key on the laptop. The private key is pass phrase protected.

Work related passwords are not stored on any computer, including the web browser password manager. Passwords are always retyped.

The only thing work related that is discoverable on my computers are web browser bookmarks. Accessing any of those portals requires a password. The bookmarks do not reveal anything that an nmap or nslookup scan would not reveal, but I could delete the bookmarks too.

Now that I wrote that, perhaps I have decent separation already.

But I am human and I realize security often has much to do with ensuring we do not get lazy with our habits. :)

A separate login account probably remains prudent. Modify the desktop to provide visual reminders that are noticeable only to me, such as background color.

I am undecided about encrypting the entire /home partition. Would be more palatable to only secure the separate login account $HOME directory.

A fascinating topic. Lots to consider. :)

I have several user identities – all non-privileged – which I use "for different hats."

I find it very convenient: preferences are set up just the way I want them for each thing that I am doing. Home directories of one can't be peeked-into by any of the others.

System application maintenance is done by a separate, rarely-used identity which does belong to the wheel group. No one else does.

As do I, although my perspective to this point has been within the confines of my home LAN. All account $HOME directories are inaccessible by one another. One user is a member of the wheel group. Sounds like overkill for a home network, but years ago when I started with Linux I thought that learning basic admin strategies was prudent. That approach paid off with landing the current job. :)

Even my sole Windows computer, which gets powered on about once per month, is configured with a standard user account to limit damage. :)

The same principles apply when broadening this approach with work. Just new territory and not surprisingly, a bit tentative about this new area because I do not own the servers or data. I never expected to use my own computers to access work related systems, but this is a small company. I thought best to ask what others are doing. :)

I have never understood why Windows not only makes your account an Administrator by default, but in Home Edition it is quite difficult to do otherwise!

I like to remind clients that: "a computer is terrible at saying 'yes,' but it is extremely good at saying 'no.'"

Make separate virtual machines for work and home use?

Yes, the idea was suggested. :)

A VM seems to have advantages versus a separate login account. For example, no need to toggle with keyboard shortcuts and wait for the display to stablize after toggling. I could encrypt the VM without encrypting my host system. I could connect to work systems with the VM and my home VPN through the host and keep the two environments isolated from one another. I could minimize the VM to the host desktop with a single click and vice-versa.

I haven't yet decided. Currently I am observing how my usage at work differs from home and taking mental notes. For example, today during some field work I noticed a separate web browser profile, login account, or VM would have sufficed to provide isolation. This is one of those things I will let fester in my mind for a few weeks before deciding. :)

Few people like unfinished threads. :) For anybody interested, I separated work flows by creating a VirtualBox VM. VirtualBox is designed to support encryption, which I am using, and requires a password to launch or restore from a saved state. In the VM desktop I added a screen locker applet to the panel for quickly disabling access.

Having to separately start the VM is a nominal inconvenience compared to just using my normal desktop, but the additional security and encryption is worth the extra mouse clicks.

Thanks everybody for the help. :)

... and you can store the directories used by that VM in a separate, non-privileged user account on the host, setting permissions in such a way that the files cannot be accessed by other users. To start and use the VM, you must be logged-on as that user on the host.

All other settings related to "work" use can be similarly set up. For example, configuring VPN to your workplace so that you must be logged-on as that user in order to open the tunnel. All files and preferences related to "work" are neatly encapsulated – and protected – by that designated user account and its /home.

I always use a different desktop background and screen-saver for each user account so that I can literally "tell at a glance" where I am.

(A friend of mine who also works from his home had a sly sense of humor. When he'd log in to his work account, it played a sound-clip of beeping horns and traffic noises.) ;)

Only one user account is capable of sudo su or its equivalent, and it is never used for any purpose other than system maintenance and software installation.