Corporate security while working internationally
December 18, 2012 7:11 AM

My company has a security policy against using their equipment outside the U.S.A. What steps can I take to get them to make an exception for me?

I work for a financial services software company, and my job is well-suited to working remotely. My goal is a lifestyle of global travel—if all goes according to plan, I'd like to explore a single place with my SO for 2–9 months, then move somewhere else.

Corporate policy forbids bringing their equipment outside the U.S.A. They've made exceptions before—on short-term, emergency bases—and I'd like to find out if they'll make a [long-term, semi-permanent] exception for me. So I'm looking to write a proposal outlining the details of my plan and the security steps I'm willing to take to make it work.

What I need help with is:
1. What is the purpose of their restriction on international travel in the first place? Are there security risks unique to non-U.S. network access, or are they just concerned about the lack of IT/helpdesk infrastructure?
2. What steps can I take to demonstrate that I take security seriously and will go above and beyond standard security protocols to keep their data and equipment secure? What would it take for them to regard my working from Ushuaia or Addis Ababa or Kuala Lumpur as a great idea?

Standard security measures include—
– The computer doesn't leave my possession unless it's locked in my own room.
– I use only private, password-protected networks with WPA encryption, and never a public hotspot.
– I follow recommended procedures for frequency of password changes and password strength.
– The VPN uses two-factor authentication with an RSA token that generates a new password every minute or so.
– My laptop hard drive is encrypted & requires a password to even boot up.

Brainstorming about "enhanced" security—
– Would it help if I promised to only use wired internet, and not Wi-Fi connections?
– I could ask for a computer with no corporate data or software at all on it except the VPN and Remote Desktop—and remote-connect to computers physically housed at headquarters.
– I could get a notebook lock.

What else?
posted by puddleglum to Technology (13 answers total)
It may be an insurance issue. Their insurance company may not pay for equipment lost outside the USA. Perhaps you could offer to take out a policy on your own with your employer as beneficiary? A rider on your existing renters/homeowners insurance should not be too expensive.
posted by Rock Steady at 7:13 AM on December 18, 2012

What is the purpose of their restriction on international travel in the first place? Are there security risks unique to non-U.S. network access, or are they just concerned about the lack of IT/helpdesk infrastructure?

Yeah, there are actually laws regulating this. At the university I work for, our Export Controls team have to work with people/computers going into/coming out of the country to make sure everyone is following regulations. I'd figure out what the laws are in relation to the countries you want to visit.
posted by leesh at 7:20 AM on December 18, 2012

I could ask for a computer with no corporate data or software at all on it except the VPN and Remote Desktop—and remote-connect to computers physically housed at headquarters.

If this is possible, then can't you supply your own computer, owned by you and not them? Or is there a policy that only computers they own can access their network? Especially if the issue is with the physical equipment, for insurance or other reasons.
posted by vacapinta at 7:20 AM on December 18, 2012 [1 favorite]

There could be a lot of reasons for such a policy, including insurance as mentioned above. Though I would surmise other issues such as concerns of confidential, proprietary information falling into the hands of agents of governments hostile to the United States, and the liabilities that would create for your employer. Among many other reasons. This is a financial services firm, after all.

So, I'd be surprised if they were willing to make this kind of exception for you based simply on what you've proposed here.

Now, if you were a high-level executive at this company, perhaps you could throw your weight around and get some kind of personal exemption, but if you were you would not be asking this question to AskMe.

So...I doubt that you'll have much of a shot at getting what you want. But the worst that they can do is say no to your request.
posted by dfriedman at 7:21 AM on December 18, 2012

It may be an insurance issue. Their insurance company may not pay for equipment lost outside the USA.

It's not. They don't care about the computer. They care about the very high value of the information contained therein and accessible via network keys contained therein. I have worked at places that gave people brand new computers with less access on them specifically to take to China in the case they were confiscated. The value of the machines themselves is trivial.
posted by tylerkaraszewski at 7:24 AM on December 18, 2012 [6 favorites]

I don't see anything in your plan about the benefits to them of your plan. It's all how you will minimize risk, but there is still risk. Why wouldn't they just replace you with someone as good as you are at your job, but whose roaming will be limited to the United States?
posted by kindall at 7:26 AM on December 18, 2012

Best answer: Security guy here. Without knowing your job function, it's hard to know how much SOX or other regulations impact your particular position. There's a good chance this will just be shot down because you're creating additional audit and management headache for the company with little benefit. That said, this would get me to at least think about your proposition:

- You don't want to refer to these things as "additional security steps." You are implementing "compensating controls."
- You will need to keep your corporate devices on your person at all times.
- VPN+Remote Desktop is a _great_ idea -- this solves a lot of issues.
- You will want a privacy filter for your laptop screen. This will prevent some shoulder surfing.
- The equipment loss insurance thing is not an issue. A laptop is peanuts, and any company over 50 people self-insures on items that cheap.
- You will want to spell out how you can make sure that IT is keeping your bare-bones laptop patched and updated -- this will be a SOX requirement.

That said, even a good technical argument has a good chance of being shot down by the business. Make sure you make a good business case here too.

I still think you'll get a no. You'd do better to try this while working for a company not subject to SOX or HIPAA. But best of luck, regardless.
posted by bfranklin at 7:26 AM on December 18, 2012 [2 favorites]

They are concerned about someone getting physical access to your machine and pwning the company. Including state-sponsored espionage and malware installing at say airport checkpoints where you will not have control of the machine because of a) laws backed up by b) people with guns.

There is about .0001% chance that a company with this policy will make an exception.
posted by zippy at 7:29 AM on December 18, 2012 [4 favorites]

I came in to make the same point that Kindall made. So far, you're identifying ways to bolster security to compensate for the fact that you are taking a risk they have already determined they're uncomfortable with (likely for the various reasons above). Why should they accept any incremental risk at all? You can promise that you'll only work in cover of darkness on a VPN from inside a Faraday cage, but it's still just more risk to the employer, without any benefit to them, other than your happiness. Unless you're invaluable, I'd expect employers will prefer to replace you rather than let you gallivant around the world.
posted by Admiral Haddock at 7:31 AM on December 18, 2012

There is also the knowledge that US government representatives can search your laptop when you reenter the US. Any time a third party has access to your computer, there is risk.
posted by Quonab at 7:43 AM on December 18, 2012

As a side note, there are also legal/visa/tax issues when working from foreign countries. I work at a global company, and there's rules about how long you're allowed to stay in various places as a "foreign worker" before you (or the company) have to pay local taxes, apply for special visas, etc. You'll need to be aware of this and have things worked out with your company (and possibly your current country of residence) before you go anywhere.

Generally, anywhere we don't already have offices is a "no work" location when traveling. And locations where we do have offices still have time limits. Any employees wishing to live in those countries are actually re-hired by the local foreign subsidiary (at which point you're paid in local currency at the local competitive wage).
posted by jpeacock at 7:53 AM on December 18, 2012

Best answer: We have similar issues. The only way we can travel outside of our country is the VPN/Remote Desktop method. The computer itself has to be entirely anonymous, with no software beyond a stock Windows install but the security and VPN software. We are also not allowed to write/copy any information to the local hard drive. Essentially, working means requiring a reasonable quality net connection, full-time, over a multi-factor VPN. We are explicitly not allowed to use removable storage (CDs/USB drives/portable hard drives) either.
posted by bonehead at 10:30 AM on December 18, 2012
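The "bare-bones travel laptop" that bfranklin and bonehead describe (full-disk encryption with a pre-boot secret, nothing installed beyond the VPN and Remote Desktop client, no removable storage, and proof that IT is keeping it patched) is only useful as a compensating control if someone can verify it. The script below is an added example, not code from this thread or from any of the posters' employers: a self-audit that a user or IT could run on a Windows 8.1/10/11 build and attach to the proposal as evidence. The patch-age threshold, the approved-software patterns and the VPN client name are placeholders chosen for illustration; the registry value for "All Removable Storage classes: Deny all access" and the BitLocker cmdlets are standard Windows.

```powershell
# Added example: audit the compensating controls for a VPN-plus-Remote-Desktop travel laptop.
# Assumptions (hypothetical, adjust to your environment):
#   - $MaxPatchAgeDays is an illustrative threshold, not a regulatory number.
#   - $ApprovedSoftware lists DisplayName patterns allowed on the bare-bones build;
#     'VPN-CLIENT-NAME-PLACEHOLDER*' stands in for the real VPN client's name.
param(
    [int]$MaxPatchAgeDays = 30,
    [string[]]$ApprovedSoftware = @('Microsoft *', 'Windows *', 'VPN-CLIENT-NAME-PLACEHOLDER*')
)

$findings = @()

# 1. Full-disk encryption with a pre-boot secret (TPM+PIN), matching "requires a password to even boot up".
$vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
    $findings += 'BitLocker protection is not On for C:'
}
elseif (-not ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $findings += 'BitLocker has no TPM+PIN protector, so there is no pre-boot secret'
}

# 2. Removable storage denied by policy (CDs/USB drives/portable disks).
$rsdPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$rsd = Get-ItemProperty -Path $rsdPath -Name Deny_All -ErrorAction SilentlyContinue
if (-not $rsd -or $rsd.Deny_All -ne 1) {
    $findings += 'Removable storage is not denied (Deny_All policy value missing or not 1)'
}

# 3. Patch currency: most recent installed hotfix must be within the threshold.
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $findings += 'No installed hotfix with a date was found'
}
elseif (((Get-Date) - $latest.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings += "Last hotfix ($($latest.HotFixID)) installed $($latest.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days"
}

# 4. Software inventory: anything outside the allowlist contradicts the "stock install plus VPN" model.
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object -ExpandProperty DisplayName
foreach ($app in $installed) {
    $allowed = $false
    foreach ($pattern in $ApprovedSoftware) {
        if ($app -like $pattern) { $allowed = $true; break }
    }
    if (-not $allowed) { $findings += "Unapproved software installed: $app" }
}

# 5. Host firewall enabled on every profile, since the machine will sit on networks the company does not control.
$offProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
foreach ($p in $offProfiles) { $findings += "Windows Firewall disabled for profile $($p.Name)" }

# Report: a clean run is the evidence to attach; any finding is a control gap to fix before travel.
if ($findings.Count -eq 0) {
    Write-Output "PASS: all travel-laptop compensating controls verified on $(Get-Date -Format s)"
    exit 0
}
Write-Output "FAIL: $($findings.Count) control gap(s):"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it from an elevated PowerShell prompt (BitLocker and firewall queries need administrator rights) and keep the dated PASS output with the proposal; re-running it on a schedule is the simplest way to show the "IT is keeping the laptop patched" requirement is being met rather than promised.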

Agreeing with kindall -- there is zero upside for the company to accommodating your desired lifestyle, and a whole boatload of potential downside.

I'm in the same situation as you -- highly portable work, high security strictures that disallow international locales -- and have happily reconciled myself to focusing on living a magical gypsy lifestyle within the "confines" of the U.S.

Man, this is a gorgeous country, and I probably won't even scratch the surface of it for the remainder of my career.

I do sympathize with wanting to have a longer leash, but I think you have slim chances of making it stretch. I'd skip trying to make it happen...the request would only paint you in an unfavorable light within your organization.
posted by nacho fries at 1:08 PM on December 18, 2012
