

Ask HN: How do you protect your IP when you allow employees to work from home? - lazylabs

Hi, I would like to take your views on how you protect your IP, when you allow your employees to work from home? How do you ensure that they do not run away with all the code? Do you allow employees to do an ssh, VPN etc? Do they need to sign some kind of agreement?
======
abiko
For such things mostly get them behind a VPN, that is only routing network
towards your network (your IP ranges), set up a "login" server for them,
based solely on SSH key auth - they can use this login server to access your
testing/production servers.

The trick on the login server is to have the ssh wrapper utility that will
allow them SSH access and also log their SSH activity. The app I wrote:

- set up one user that the app will use, where the SSH keys are stored, and
  secure the home directory
- has 2 sets of keys - admin in normal SSH keys
- users that can access with admin SSH keys are added to the configuration,
  their UID is checked and compared between the configuration and system UID
  for their user
- the app then calls the app via a "connect"
- this calls the "script" binary to log the output of the SSH session

Consists of 2 scripts: First script is the "connect" script - it will check if
the user is permitted to use it (using the configuration file), then it calls,
via sudo -u sshkeyuser script [options] ssh root@server . The logs are stored
in /var/log/ssh-session/ where you can see all that has been done in the
user's shell when he had it open.

And lastly - a strong NDA and contract to protect your IP and prevent them from
bragging around on the "XY" feature they're working on.
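
One way to write the "connect" wrapper described in the comment above, as an added example that is not part of the original post and not abiko's app. The config path and its `username:uid` format, the function names and the log file naming are assumptions; only `sshkeyuser`, `script`, `ssh root@server` and `/var/log/ssh-session/` come from the comment.

```shell
#!/bin/sh
# Added example of a "connect" wrapper. Assumed config format, one entry per line:
#   # comment
#   alice:1001
CONF=${CONF:-/etc/ssh-connect/users.conf}   # assumed path
LOGDIR=${LOGDIR:-/var/log/ssh-session}      # writable by sshkeyuser, not by the users
KEYUSER=sshkeyuser

# Succeeds only if the config lists this user with the UID the system reports.
is_permitted() {  # usage: is_permitted USER UID CONFIG
    [ -r "$3" ] || return 1
    grep -v '^[[:space:]]*#' "$3" | grep -Fqx -- "$1:$2"
}

# Accept plain host names only, so the argument cannot turn into an ssh
# option or shell syntax once it is placed on the command line.
valid_target() {  # usage: valid_target HOST
    case $1 in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One log file per session: who connected, where, when (UTC) and wrapper PID.
session_log() {  # usage: session_log USER HOST LOGDIR
    printf '%s/%s_%s_%s_%s.log\n' "$3" "$1" "$2" "$(date -u +%Y%m%dT%H%M%SZ)" "$$"
}

connect_main() {
    host=$1
    user=$(id -un)
    uid=$(id -u)
    valid_target "$host" || { echo "connect: bad host name" >&2; return 2; }
    is_permitted "$user" "$uid" "$CONF" || { echo "connect: $user not permitted" >&2; return 1; }
    log=$(session_log "$user" "$host" "$LOGDIR")
    # script(1) records everything shown in the terminal; -f flushes as it goes.
    exec sudo -u "$KEYUSER" script -q -f -c "ssh root@$host" "$log"
}

# Run only when a target host is given: connect <host>
if [ "$#" -gt 0 ]; then connect_main "$@"; fi
```

The permission check here runs as the calling user, so the sudoers rule for `sshkeyuser` is what actually enforces access; keep it as narrow as the wrapper's command line.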

~~~
lazylabs
Thanks. Sounds like a good setup to me.

------
enb
What exactly are you concerned they will steal?

When they are working in your office, in the room next to yours, are they
prevented from putting in a USB drive and copying files that way?

------
Codhisattva
Hire trustable, trustworthy people.

------
mattcofer
It has already been said, but it cannot be said enough -- Don't hire
untrustworthy people.

