Well…. Hand in all electronic devices at the door. Most will learn fairly quickly to leave them in their car or at home. They'll air-gap before they do this one. :)
Stop right there. Then the decision is already made. Seriously. Even with air-gap, they’ve got a major hole. I can take a video on my phone of a dev paging through source code. Far faster than it’s readable on the screen by a human. Take it home. OCR frame by frame. And now I own all the keys to the castle. And this is all using free tech. If you allow smart devices in the door, you’ve lost the game. From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker Sent: Thursday, December 17, 2015 1:14 PM To: ntsysadm Subject: Re: [NTSysADM] Protecting Sensitive Source Code Hey, MBS: >> If you have a particular dev you don’t trust, fire him/her. Yes, that's my starting point, but apparently there are folks we trust a little bit, so we need to give them *some* access, but not all of it. :) >> You could up the ante’ with MFA beyond 2FA. Require a second party to participate in providing a key to unlock the repository. Good point. I'll see if they want to go there... >> And, presuming we are referring to Windows, ensure that you are using GPOs that prevent the use of any USB devices. Already done -- I should have mentioned that. >> Hand in all electronic devices at the door. Most will learn fairly quickly to leave them in their car or at home. They'll air-gap before they do this one. :) Regards, ASB http://XeeMe.com/AndrewBaker<http://xeeme.com/AndrewBaker> Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market… GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A On Thu, Dec 17, 2015 at 12:49 PM, Michael B. Smith <[email protected]<mailto:[email protected]>> wrote: If you have a particular dev you don’t trust, fire him/her. You could up the ante’ with MFA beyond 2FA. Require a second party to participate in providing a key to unlock the repository. And, presuming we are referring to Windows, ensure that you are using GPOs that prevent the use of any USB devices. Hand in all electronic devices at the door. Most will learn fairly quickly to leave them in their car or at home. I’ve seen the first two used at “big money” companies. The last at military installations. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Andrew S. Baker Sent: Thursday, December 17, 2015 11:03 AM Subject: [NTSysADM] Protecting Sensitive Source Code Good morning: Does anyone happen to have any experience with the protection of sensitive source code? Essentially, we're looking to ensure that we can adequately mitigate the risk of critical portions of the code being copied and used inappropriately. This is beyond any protections (real or imagined) offered by the following, which we have in place today: -- An NDA -- Restricted access to the source code repository, on a need to know basis -- Two-factor authentication to access the repository (being considered) An air-gapped network is not currently on the table for discussion. :) Regards, ASB http://XeeMe.com/AndrewBaker<http://xeeme.com/AndrewBaker> Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market… GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
