Feb 8, 2019, 10:42 AM by qubes-...@tutanota.com:
> Feb 8, 2019, 9:05 AM by frap...@gmail.com:
>
> > Hi!
> >
> > The system administrators working in my company do not want to let user
access to the internal network with OS that are not under their control and
they only support Windows at the moment.
> >
> > I would like to propose QubesOS as an alternative, with a Windows VM
managed by them inside it, connected to the internal network via VPN (we
already have this VPN in place for accessing the internal network while
working outside of the building). In addition to this, users could run the
operating systems and the applications they want in different VMs, thanks
to QubesOS features.
> >
> > The system administrators would not have to support QubesOS, just the
Windows VM, but this solution could only be accepted if I am able to show
that there is a reasonable guarantee that tampering the Windows VM from
QubesOS is as hard as tampering the same Windows system installed on a
regular machine (with secure boot, hardware encryption, etc.).
> >
> >
> > My question is: how secure is a VM if a user tries to tampers it? Is
SGX a technology that can be used to provide that level of security? If so,
is it used by QubesOS at the moment?
> >
> >
> > Any suggestion, comment or link would be greatly appreciated.
> >
> >
> > Frafra
> >
>
> It shouldn't be an issue as employees were already given a certain level
of trust in the organozation, based on their position and competencies.
Employee with malicious intent can easily break into the current setup too,
like copy and paste, deal with the critical information with malicious
intent. Adding Qubes to the trusted setup doesn't make the situation
significantly worse. It should, on the other hand, significantly increase
the security of the endpoint, if set up properly.
>
> The issue you mention is more about trust in employees, the trust model,
than about selected OS in usage.
The problem is that there are cryptolockers, phishing email, and so on, and
some users are more vulnerable than others (a developer has a different
background compared to an accountant), but it has been decided that is
better not to differentiate between users ("your colleague can install
whatever you want and you cannot") and keep a stricter security policy
allowing only pre-approved OS on the internal network.
Thank you all for your replies,
Frafra
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CAAXPHZU7QWiBDQtOPv%3Dg0ANFcnP1QAQZ8cnxgZ5e3%3Du0VfCmZQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
