Ask HN: Best practices for supporting remote employees?
I'm the lead programmer working for a small startup (20 employees now) that's beginning to staff up on customer support.
Our support folks have a great deal of power, most of which is accessed through a web app that we've created. We also have an extremely liberal work from home policy.
We've protected this application with IP whitelisting -- only IP addresses on the list can get to the admin site. Plus, each administrator has their own login with username/password authentication.
Maintaining the IP whitelist has become annoying as the number of employees has increased, so I've started to look at other options. It's also got me thinking about best practices with regards to remote workers. We don't have any kind of policy written down. So far we've just been playing it by ear.
So, on to my questions:
- What are the security issues that I should be thinking about with regards to remote employees?
- Would a VPN be a good replacement for IP whitelisting? (I'm a bit worried IT overhead of supporting that. And we don't have a separate IT support team or anything, just a small team of four programmers.)
- Do you have new employees fill out some kind of telecommute agreement, or agree to a telecommute policy? What's in that agreement/policy?
I'd also be interested in any of your experiences with telecommute policies in general, especially with regards to customer support teams.
1 comment
[ 4.3 ms ] story [ 11.7 ms ] threadI do OpenVPN since beginning of the project and it's fafirly light when it comes to maintenance. Granted - people using it will get a bit of OpenVPN basics, also it may be challanging to have it working from Windows/OSX/Linux (I have users working from all three) - but doable and certainly it's worth time spent on deployment.
All of my team is working remotely (in different country) and there are a few risks here. First of all - all work-related materials should be kept on encrypted container with fairly strong password - in such case if their laptop was stolen this would not result in your intellectual property leak. OpenVPN adds another layer of security when it comes to access your internal resources (i.e. you can easily revoke certain certifficates once your employee is no longer with you and by doing that you would cut all online resources with one move).
I have not been pushing through strict telecommute policies. All I was asking in our agreements was that all company-related data is kept on separate encrypted container (including any keys used to authenticate to our services) with fairly strong password and that no work-related information can be released in any form without my written permission.