
Ask HN: Best practices for supporting remote employees? - methodover
Hey HN,

I'm the lead programmer working for a small startup (20 employees now) that's beginning to staff up on customer support.

Our support folks have a great deal of power, most of which is accessed through a web app that we've created. We also have an extremely liberal work from home policy.

We've protected this application with IP whitelisting -- only IP addresses on the list can get to the admin site. Plus, each administrator has their own login with username/password authentication.

Maintaining the IP whitelist has become annoying as the number of employees has increased, so I've started to look at other options. It's also got me thinking about best practices with regards to remote workers. We don't have any kind of policy written down. So far we've just been playing it by ear.

So, on to my questions:

- What are the security issues that I should be thinking about with regards to remote employees?

- Would a VPN be a good replacement for IP whitelisting? (I'm a bit worried about the IT overhead of supporting that. And we don't have a separate IT support team or anything, just a small team of four programmers.)

- Do you have new employees fill out some kind of telecommute agreement, or agree to a telecommute policy? What's in that agreement/policy?

I'd also be interested in any of your experiences with telecommute policies in general, especially with regards to customer support teams.
======
ramtatatam
With regards to IP listing - you could make all of your remote guys log in
through OpenVPN - you can issue each one of them a certificate and assign a
static IP to that certificate and then do whitelisting based on those static
IP addresses. That adds an additional layer of security so your powerful app is
not exposed to a wider audience (even with whitelisting enabled, these days an IP
can easily change its owner). Also the app is exposed only for the duration of the
OpenVPN link being active - so when your support guy is on holiday and his
certificate for OpenVPN is kept in an encrypted container he would not even
initiate an OpenVPN connection.

I have been doing OpenVPN since the beginning of the project and it's fairly light when it
comes to maintenance. Granted - people using it will need to get a bit of OpenVPN
basics, also it may be challenging to have it working from Windows/OSX/Linux
(I have users working from all three) - but doable and certainly worth the
time spent on deployment.

All of my team is working remotely (in a different country) and there are a few
risks here. First of all - all work-related materials should be kept in an
encrypted container with a fairly strong password - in such a case if their laptop
were stolen this would not result in a leak of your intellectual property. OpenVPN
adds another layer of security when it comes to accessing your internal resources
(i.e. you can easily revoke certain certificates once your employee is no
longer with you and by doing that you would cut off all online resources in one
move).

I have not been pushing through strict telecommute policies. All I was asking
in our agreements was that all company-related data is kept in a separate
encrypted container (including any keys used to authenticate to our services)
with a fairly strong password and that no work-related information can be
released in any form without my written permission.

