• This topic has 27 replies, 18 voices, and was last updated 1 year ago by Cougar.
Viewing 28 posts - 1 through 28 (of 28 total)
  • Hosted computer for access from work
  • Cletus
    Full Member

    My company is increasingly blocking services such as Gmail from work devices.

    This is causing me some pain as I get notifications from my kids school via it and also use it as my ID for things like hotels.com, trainline etc.

    They also block Recaptcha which is a Google service and is needed for lots of sites – some even work related.

    My initial thought was to use a cheap tablet connected to the guest wireless network but that is extremely flaky and also implements the same blocks.

    There is no talking sense to our security team – apparently gmail is a data exfiltration risk but other mail services that are accessible are fine.

    I am thinking that paying for a cloud based virtual PC or server might be a solution for this. I have looked at Digital Ocean’s entry level droplet which costs $4 a month. This would be Linux which would be ok for me but if a Windows option were available for similar outlay I would probably go for that.

    Are there any other services that would be worth looking at? I might also end up using it for some simple dev work as our laptops now have something called Threatlocker installed which blocks most packages for Python and Powershell and has made doing any scripting next to impossible.

    daviek
    Full Member

    Any reason you cant use a phone?

    5lab
    Full Member

    can’t you just use your phone for it? if they’re blocking gmail I’d be very surprised if they let you VPN over to some cloud hosted VDI

    leffeboy
    Full Member

    Should you not just use your phone for this stuff? If it is data exfiltration they are concerned about then having something else open in a browser window might be just as much a risk in their eyes.

    Edit:waaaay too slow typing

    appltn
    Full Member

    Or if you don’t want the phone then an iPad with a cellular plan?

    Cougar
    Full Member

    My company is increasingly blocking services such as Gmail from work devices.

    This is causing me some pain as I get notifications from my kids school via it

    … which is exactly why it’s blocked. Today little Timmy has done well in Art, tomorrow here’s a copy of Cryptolocker. It’s a massive security risk.

    You need to be a little bit careful here. If you’re deliberately trying to bypass company security measures then – no matter how misguided they may appear to be – you could find yourself talking to HR facing a misconduct charge. You shouldn’t be using work resources for personal reasons.

    If IT / Security are blocking resources which you need to do your job then you need to talk to them / your manager to have them whitelisted. Or just work to rule, “sorry boss, I’d love to but I can’t because it’s blocked.”

    dangeourbrain
    Free Member

    Today little Timmy has done well in Art, tomorrow here’s a copy of Cryptolocker. It’s a massive security risk.

    Oh don’t be silly. Timmy’s teacher is nice, she’s a real person, I’ve met her, her email is full of videos of cats from her Facebook friends and she’d never send me ransomware.
    Also without her daily emails how else would I know what time to pick Timmy up today or what he needs for cookery tomorrow?

    daviek
    Full Member

    If our kids school email us it’s nothing important that can’t wait until that evening. If it is important they’ll phone.

    Like Cougar says you’ll need to be very careful if you start trying to bypass stuff.

    TiRed
    Full Member

    she’d never knowingly send me ransomware

    We have a public WiFi at work and personal devices (and visitors) are free to connect to that. Otherwise phone. On my phone Outlook for iOS has my work account managed by work, Mail runs my personal accounts. On my personal MacBook, outlook runs both.

    MoreCashThanDash
    Full Member

    If our kids school email us it’s nothing important that can’t wait until that evening. If it is important they’ll phone.

    Like Cougar says you’ll need to be very careful if you start trying to bypass stuff.

    All of this.

    scuttler
    Full Member

    Personal stuff on personal devices using public networks. They may be popping open and recording / monitoring encrypted connections on work devices / networks and you wouldn’t be happy about that, so just don’t try and mix the two.

    EDIT and you want to write code for not work on a work laptop? Then you accuse the infosec bods of ‘not seeing sense’?

    seriousrikk
    Full Member

    Depending on how they block things, you may end up finding that your newly subscribed service gets blocked within a short amount of time anyway.

    The one we use categorises everything, and either allows or disallows based on category, or individual exception. If a site/service is not known it goes into an unknown category which is (currently) permitted – but security report on each and every site in that particular category and will try to categorise the site appropriately.

    The policy is there for a reason. These are company assets you are using and their argument is you should be using them for work purposes only – and going above and beyond to ensure you do not find yourself the entry point for a data breach or other malware. I assume they have an IT security policy that covers this along with consequences for actively trying to evade said policy.

    Use your phone, or get a tablet that you can wifi hotspot to your phone/connect to a cellular network.
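The filtering behaviour seriousrikk describes (verdict by category, individual exceptions that override it, and an "unknown" bucket that is permitted but reported for later categorisation) is easy to model. The block below is an added example, not code from the thread or from any filtering product; the category map, the policy and the proxy log lines are all constructed for illustration, and the key=value log format is an assumption rather than any vendor's format.

```python
"""Category-based egress filtering, modelled on the behaviour described in the
thread. Added example; CATEGORY_MAP, POLICY and SAMPLE_LOG are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed category data. A real product ships a large vendor feed; this is
# a stand-in that covers the services mentioned in the thread.
CATEGORY_MAP: Dict[str, str] = {
    "mail.google.com": "webmail",
    "outlook.office.com": "webmail",
    "google.com": "search",
    "github.com": "developer-tools",
    "digitalocean.com": "hosting",
}


@dataclass
class Policy:
    denied_categories: Set[str]
    # hostname -> "allow" or "deny"; checked before the category rules
    exceptions: Dict[str, str] = field(default_factory=dict)
    permit_unknown: bool = True


# Mirrors the thread: webmail blocked as a category, one provider whitelisted,
# and hosting providers (where a personal VPS would live) blocked too.
POLICY = Policy(
    denied_categories={"webmail", "hosting"},
    exceptions={"outlook.office.com": "allow"},
)


def categorise(host: str) -> str:
    """Map a hostname to a category by longest-suffix match, else 'unknown'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_MAP:
            return CATEGORY_MAP[candidate]
    return "unknown"


def decide(policy: Policy, host: str) -> Tuple[str, str]:
    """Return (verdict, category): exception first, then category, then the unknown rule."""
    host = host.lower().rstrip(".")
    category = categorise(host)
    if host in policy.exceptions:
        return policy.exceptions[host], category
    if category == "unknown":
        return ("allow" if policy.permit_unknown else "deny"), category
    if category in policy.denied_categories:
        return "deny", category
    return "allow", category


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse key=value tokens from a constructed proxy log line."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def review_report(policy: Policy, log_lines: List[str]) -> List[Tuple[str, int]]:
    """Hosts that landed in 'unknown' (permitted but reported), most-hit first."""
    hits: Counter = Counter()
    for line in log_lines:
        host = parse_log_line(line).get("host")
        if host and decide(policy, host)[1] == "unknown":
            hits[host] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed proxy log lines; not real traffic.
SAMPLE_LOG = [
    "ts=2024-03-01T09:12:03Z user=alice host=mail.google.com path=/mail/u/0/",
    "ts=2024-03-01T09:12:09Z user=alice host=outlook.office.com path=/mail/",
    "ts=2024-03-01T09:13:41Z user=alice host=www.google.com path=/recaptcha/api2/anchor",
    "ts=2024-03-01T09:14:20Z user=alice host=cloud.digitalocean.com path=/droplets",
    "ts=2024-03-01T09:15:00Z user=alice host=203-0-113-9.personal-vps.example path=/",
    "ts=2024-03-01T09:15:30Z user=alice host=203-0-113-9.personal-vps.example path=/desktop/",
    "ts=2024-03-01T09:16:02Z user=bob host=github.com path=/",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        host = parse_log_line(line)["host"]
        print(f"{host:40} {decide(POLICY, host)}")
    print("unknown hosts for review:", review_report(POLICY, SAMPLE_LOG))
```

Run as a script it prints each verdict and then the review list. The point for the thread: a freshly rented VPS starts out in "unknown" and is allowed, but it is exactly the thing `review_report` surfaces, so once someone categorises it (or the provider's domain is already in a denied category, as cloud.digitalocean.com is here) the workaround stops working.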

    footflaps
    Full Member

    So glad I work for a company where I have full admin rights on my machine…

    Sat at home doing my French grammar homework on my work laptop….

    leffeboy
    Full Member

    It’s a real balance. At work I separate out the guest wireless from the staff which allows people to bring in iPads etc without getting blocked. The downside though is that they can’t print as I keep the networks completely separate. I think the days of doing home stuff on work machines are going. I even notice that if I’m on stw at work it triggers more stuff in our security systems than other sites so that is now on the phone as well. It’s just good behavior.

    So glad I work for a company where I have full admin rights on my machine

    We don’t do that as even if the staff can be trusted to take care they let their kids use the machines as well and no 12-year-old boys should ever be let near a computer :(

    TiRed
    Full Member

    you should be using them for work purposes only

    We have a slightly more relaxed policy, but Rule 1, and they can take it away. And monitor of course. Same for the work phone.

    The public WiFi was really for visitors who couldn’t get online. Looks a bit silly when some company comes to pitch and can’t get to their online application! Of course there is a button to acknowledge Rule 1 one has to press.

    oceanskipper
    Full Member

    So glad I work for a company where I have full admin rights on my machine…

    Good grief, how irresponsible/naïve of them. 🙄

    willard
    Full Member

    “risk balanced”.

    I have admin rights on my machine, but a) it’s a Mac (so more or less standard) and b) I do not mess about with it because I try to work within the corporate security policy. My Windows device is bone standard and, for e-mail and stuff, works just fine without Local Admin.

    People have said it above, but the policy exists for a reason. An exception process should also exist so if things are not possible, then it should be possible to apply for one if it impacts your ability to work. Cellular notifications on your mobile is so much the best way here.

    matt_outandabout
    Full Member

    We’re moving towards a much stricter IT policy at work.
    Staff should use their own devices for personal use.
    Work devices for work use – and subject to our/our IT suppliers oversight and caution.

    This follows
    A) a couple of staff having virus / hackers / dodgy shit get into our systems and machines through personal emails on a work email address.

    B) a few really focussed attempts, one successful, to intervene in our financial control systems. This has involved faked emails purporting to be various managers or staff attempting to change bank accounts for salary payments or send (very large) gifts and vouchers. Very targeted, and our bank and IT team suggests may stem from one of the incidents outlined in A) which meant the hackers had eyes on emails or forms internally.

    C) a couple of brute force attacks on our website – again the hackers knew which members of staff have website access and oversight. See A) and B). Although lots of the recent efforts come from ‘Ukraine’….

    It’s a minefield. So I support closer controls for work machines.

    Shred
    Free Member

    It is also a GDPR risk to the company. They have to monitor the network to protect against data leaving, malware, etc. But by monitoring they are seeing sensitive personal data of the staff members if they are allowed to do personal stuff. There is a huge amount of guidance on this being an absolute no-no. The guidance from the working group 29 which wrote much of the GDPR was that full separation of work and personal activities is recommended to be GDPR compliant, as well as human right law compliant.
    In human rights law, this is under the right to privacy which extends to the work place. It is why there are restrictions on cctv in the workplace.

    So the company has a choice: either they cannot effectively monitor for threats, or they breach GDPR unless personal activity is completely separated off of company devices.

    footflaps
    Full Member

    Good grief, how irresponsible/naïve of them. 🙄

    That’s nothing, I have VPN access and admin rights to various national telecoms networks, could put them off line for weeks if I was in the mood…

    At one point, a few years back, I had access to all the MNOs in one country – could have switched off all their mobile networks at the same time – that would have made the news…

    However, I spend most of my time analysing them and optimising them for efficiency instead.

    On the one hand it means I can do my job very efficiently, on the other hand it’s simply mad that I even have access.

    oceanskipper
    Full Member

    Yes, but common sense says you should use an account with the least amount of privilege so that damage is limited if it were compromised. Obviously if your job is an administrator then you need administrative access to do certain stuff on certain systems, but that shouldn’t mean you log on as an administrator on a work laptop to browse the Internet…

    Just my opinion though. 🤷‍♂️

    footflaps
    Full Member

    but that shouldn’t mean you log on as an administrator on a work laptop to browse the Internet…

    It is interesting, we work for a whole host of major Telcos as a subcontractor and they range from utterly paranoid (which means we can never help them), to here have root access to our whole network from home….

    The former are a PITA as they’ll phone up with some urgent problem and ask you what the issue is and you say ‘can I take a look’ and the reply is ‘no’ which pretty much ends the conversation. It normally ends with, phone me back when I can have access otherwise don’t bother….

    What was amazing was how slack one of the UK major Telcos was. They had this split personality where on one day I’d go to a never ending meeting discussing SLAs, processes etc and the next day I’d go to site where no one seemed to follow any process whatsoever – it was like working in Africa (which is an experience).

    I once had to point out to the CTO of an African MNO, who had just launched their 3G network, that all their 3G traffic in the capital went through a single fibre cable which ran across the floor of their NoC and whenever anyone moved their wheeled desk chairs, they ran over said cable. I suggested it wasn’t a particularly good idea. I had suggested it to the locals running the NoC who just shrugged their shoulders and carried on…

    oceanskipper
    Full Member

    yes, very interesting and I agree that if you need the access then you need the access. Do you agree with the least administrative privilege protocol though?

    I once had to point out to the CTO of an African MNO, who had just launched their 3G network, that all their 3G traffic in the capital went through a single fibre cable which ran across the floor of their NoC and whenever anyone moved their wheeled desk chairs, they ran over said cable

    That’s hilarious but doesn’t surprise me in the least!

    el_boufador
    Full Member

    On one day I’d go to a never ending meeting discussing SLAs, processes etc and the next day I’d go to site where no one seemed to follow any process whatsoever

    Yeah, I know places like that. Departmental silos not working to same policies / procedures.

    Need a PAM solution for mitigating potential of breached admins to fully bork stuff, really.

    el_boufador
    Full Member

    BTW I fully agree with not using work equipment for personal use, whether work allow it or not. Better to keep these things separate.
    I usually avoid the guest wifi. Given 5G just no need.

    All I use work equipment for is a bit of light web browsing (weather, news etc).

    Oh yes and all the amazing work I do of course!!!! :-p

    FuzzyWuzzy
    Full Member

    Do you agree with the least administrative privilege protocol though?

    Absolutely as well as security zones/tiers (e.g. you have a non privileged account to log in to your laptop, a separate privileged laptop admin account for the odd time you actually need local admin rights, then a separate server admin account if you need admin rights on servers then finally a domain admin account if you need domain admin rights). The client I work for now has different air-gapped classified environments – you wouldn’t believe the amount of accounts I need to use on a daily basis (and no I don’t have a lot of post-it notes stuck on my monitor :p ).

    The access Footflaps has into 3rd parties (some of which sound like critical national infrastructure) is beyond crazy and the IT department/suppliers need a good kicking. It doesn’t even sound like he needs to follow a change process – stuff like firewall rule changes where I work have a 2-man rule so even once the change is approved you can’t just do it yourself (although admittedly currently there aren’t technical controls preventing you but there will be once we get JITA sorted…).

    Obviously how tightly you control things and how much you spend on IT security should have some relation to what’s being protected, but there’s no excuse for not doing the basics and just taking the convenient option of giving everyone local admin rights so your service desk calls go down (at least they might until the point you get hit by ransomware).

    Cougar
    Full Member

    Absolutely as well as security zones/tiers (e.g. you have a non privileged account to log in to your laptop, a separate privileged laptop admin account for the odd time you actually need local admin rights, then a separate server admin account if you need admin rights on servers then finally a domain admin account if you need domain admin rights).

    Look at “Enterprise Access Model.”

