by andrewstuart 1535 days ago
The biggest security hole for every organisation is its remote work from home workers.

I'd be interested to hear how this Monzo bank addresses the problem of someone walking in the home of one of their programmers and lifting access keys to AWS whilst that person is at the supermarket, and leaving with no-one the wiser.

Or installing a keylogger USB device onto their keyboard cable.

5 comments

Not Monzo but I can tell you SOME ways we deal with this kind of risk.

* Work laptops are all using trusted computing, tamper detection and remote attestation which, while imperfect, does provide some verification that the hardware isn't being tampered with.

* Additionally it means if you try to access any service from a non-work laptop (or a work laptop failing remote attestation), it doesn't let you in. Even if you have all the credentials.

* Passwordless authentication means capturing PIN codes with a keylogger is of very limited value unless you also steal the laptop. Even then, an additional factor is required such as mobile push or biometric.

* No developer should have access to any AWS keys that would grant access to production data. But in any case, we use AWS SSO which only returns temporary AWS keys.

* There are lots of systems that monitor for anomalous activity. For example if a user account suddenly starts hitting lots of access denied errors or accessing things they don't normally access, that's a hint they've been compromised.
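The last point above, that a sudden run of access-denied errors or activity outside a user's usual pattern is a compromise signal, can be turned into a concrete check. The following is an added example, not code from the commenter or from any company mentioned in the thread. It assumes simplified CloudTrail-style JSON records (the field names follow CloudTrail's schema; the events themselves are constructed for this example) and flags two things: bursts of AccessDenied within a short window, and actions a user has never performed before a cutoff date.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, simplified CloudTrail-style records (JSON lines). The field names
# match CloudTrail's schema; users, times and actions are made up for this example.
SAMPLE_LOG = """
{"eventTime":"2021-02-25T09:00:00Z","userIdentity":{"userName":"alice"},"eventSource":"s3.amazonaws.com","eventName":"GetObject"}
{"eventTime":"2021-02-26T09:05:00Z","userIdentity":{"userName":"alice"},"eventSource":"s3.amazonaws.com","eventName":"ListBucket"}
{"eventTime":"2021-02-27T11:00:00Z","userIdentity":{"userName":"bob"},"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances"}
{"eventTime":"2021-02-27T11:01:00Z","userIdentity":{"userName":"bob"},"eventSource":"s3.amazonaws.com","eventName":"PutObject","errorCode":"AccessDenied"}
{"eventTime":"2021-02-28T09:00:00Z","userIdentity":{"userName":"alice"},"eventSource":"s3.amazonaws.com","eventName":"GetObject"}
{"eventTime":"2021-03-01T10:00:00Z","userIdentity":{"userName":"alice"},"eventSource":"iam.amazonaws.com","eventName":"ListUsers","errorCode":"AccessDenied"}
{"eventTime":"2021-03-01T10:00:30Z","userIdentity":{"userName":"alice"},"eventSource":"iam.amazonaws.com","eventName":"ListUsers","errorCode":"AccessDenied"}
{"eventTime":"2021-03-01T10:01:00Z","userIdentity":{"userName":"alice"},"eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","errorCode":"AccessDenied"}
{"eventTime":"2021-03-01T10:01:30Z","userIdentity":{"userName":"alice"},"eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","errorCode":"AccessDenied"}
{"eventTime":"2021-03-01T10:02:00Z","userIdentity":{"userName":"alice"},"eventSource":"iam.amazonaws.com","eventName":"ListRoles","errorCode":"AccessDenied"}
{"eventTime":"2021-03-01T10:03:00Z","userIdentity":{"userName":"alice"},"eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","errorCode":"AccessDenied"}
{"eventTime":"2021-03-01T10:05:00Z","userIdentity":{"userName":"bob"},"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances"}
"""

# Everything before this instant is treated as the user's "normal" history.
CUTOFF = datetime(2021, 3, 1, tzinfo=timezone.utc)


def parse_events(text):
    """Turn JSON-lines CloudTrail-style records into sorted, flattened events."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": rec["userIdentity"].get("userName", "<unknown>"),
            # "s3.amazonaws.com" + "GetObject" -> "s3:GetObject", the familiar IAM action form
            "action": f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}',
            "denied": rec.get("errorCode") == "AccessDenied",
        })
    events.sort(key=lambda e: e["time"])
    return events


def access_denied_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Users whose AccessDenied count inside any `window` reaches `threshold`.

    Returns {user: largest number of denials seen in one window}. A sliding
    window over each user's sorted denial timestamps keeps this linear.
    """
    denied_by_user = defaultdict(list)
    for e in events:
        if e["denied"]:
            denied_by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in denied_by_user.items():
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def novel_actions(events, cutoff):
    """Actions a user performed at/after `cutoff` that never appear in their history before it."""
    baseline = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            baseline[e["user"]].add(e["action"])
    novel = defaultdict(set)
    for e in events:
        if e["time"] >= cutoff and e["action"] not in baseline[e["user"]]:
            novel[e["user"]].add(e["action"])
    return {user: sorted(actions) for user, actions in novel.items()}


def analyze(text=SAMPLE_LOG, cutoff=CUTOFF):
    """Run both detections and return their findings together."""
    events = parse_events(text)
    return {
        "denied_bursts": access_denied_bursts(events),
        "novel_actions": novel_actions(events, cutoff),
    }


if __name__ == "__main__":
    report = analyze()
    for user, count in report["denied_bursts"].items():
        print(f"ALERT {user}: {count} AccessDenied events within 5 minutes")
    for user, actions in report["novel_actions"].items():
        print(f"NOTICE {user}: first-time actions {', '.join(actions)}")
```

On the constructed log, alice trips both checks (six denials in a few minutes, all against services she had never touched) while bob's single old denial stays below the threshold. In practice the baseline would be built from weeks of history rather than a handful of lines, and the thresholds tuned per role, but the shape of the logic is the same.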

It's not like office networks are a security paradise either.
Not Monzo, but I have a friend who works at a large global bank HQ in a mid-senior position.

They do remote desktop connection into their PC at the office. The work laptops given to them can't connect to anything but the PC in the office (so it's merely a thin client). A fingerprint reader device connected through the USB port and a physical device for generating single-use codes are used in addition to username/password.

At the start of the pandemic they used their own laptops to VPN into the work network and then connect to the remote desktop, but not too much later they switched to a complete solution.

I know this because I helped with troubleshooting connection issues. It does look quite secure to me; the only difference from an office environment's security seems to be the possibility of an intruder making an employee do something at gunpoint.

I did some work for a Dutch bank a while back, they had a similar setup.

The lag from remote access (Citrix) drove me nuts!

I'd say the keylogger can be an issue if they're able to be alone with the computer for a while. I'm not sure that all laptops can detect that they've been opened (my HP Elitebook and previous Probooks don't), but I'd assume it unlikely that the attacker wouldn't leave other traces in the house.

But other than that, enforcing session auto-locking should work fairly well. Of course, if this is combined with some kind of agent that checks whether you're doing something that the employer defeated with a mouse jiggler, all bets are off...

They can also enforce using MFA for AWS (and probably for GCP and Azure, too, but I don't use those) and not use plain access keys.

You wouldn't run or develop code locally. AWS keys would be secrets managed by Vault or something.

If you have AWS keys on staff laptops at home, you've already failed.

We don't allow any code at all on local machines.

Where is the codebase kept then? Do you have to remote desktop in to your development environment?
Remote desktops are generally the access point for anything sensitive like source code or data.