Feb 8, 2019, 10:42 AM by qubes-...@tutanota.com: > Feb 8, 2019, 9:05 AM by frap...@gmail.com: > > > Hi! > > > > The system administrators working in my company do not want to let user access to the internal network with OS that are not under their control and they only support Windows at the moment. > > > > I would like to propose QubesOS as an alternative, with a Windows VM managed by them inside it, connected to the internal network via VPN (we already have this VPN in place for accessing the internal network while working outside of the building). In addition to this, users could run the operating systems and the applications they want in different VMs, thanks to QubesOS features. > > > > The system administrators would not have to support QubesOS, just the Windows VM, but this solution could only be accepted if I am able to show that there is a reasonable guarantee that tampering the Windows VM from QubesOS is as hard as tampering the same Windows system installed on a regular machine (with secure boot, hardware encryption, etc.). > > > > > > My question is: how secure is a VM if a user tries to tampers it? Is SGX a technology that can be used to provide that level of security? If so, is it used by QubesOS at the moment? > > > > > > Any suggestion, comment or link would be greatly appreciated. > > > > > > Frafra > > > > It shouldn't be an issue as employees were already given a certain level of trust in the organozation, based on their position and competencies. Employee with malicious intent can easily break into the current setup too, like copy and paste, deal with the critical information with malicious intent. Adding Qubes to the trusted setup doesn't make the situation significantly worse. It should, on the other hand, significantly increase the security of the endpoint, if set up properly. > > The issue you mention is more about trust in employees, the trust model, than about selected OS in usage.
The problem is that there are cryptolockers, phishing email, and so on, and some users are more vulnerable than others (a developer has a different background compared to an accountant), but it has been decided that is better not to differentiate between users ("your colleague can install whatever you want and you cannot") and keep a stricter security policy allowing only pre-approved OS on the internal network. Thank you all for your replies, Frafra -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAXPHZU7QWiBDQtOPv%3Dg0ANFcnP1QAQZ8cnxgZ5e3%3Du0VfCmZQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.