d46j48fx
Contributor I

Technical recommendations for conducting business in a high-risk jurisdiction

Hi all!

I have a client who has an imminent need to expand their company's threat landscape to include a high-risk jurisdiction (from a data perspective), and I’d really value any insights or recommendations you may have on the topic. 
In particular, I’m looking for recommendations for two scenarios:
  1. Enabling their employees based in the high-risk jurisdiction to work with considerably limited access to the wider org's data.
  2. Securing corporate data for employees traveling between our current office locations and the high-risk jurisdiction.
My initial thinking is along the following lines:
  • For an employee based in a high-risk jurisdiction:
    Locked-down laptops providing access only to a virtual desktop environment, strong MDM controls, segregated collaboration/storage (e.g., a separate SharePoint branch), etc.
  • For travelers from our current locations:
    Burner phones and laptops, MDM enforcement, hardware-based MFA (e.g., YubiKeys), and related controls.
That said, this is a new ask for me, so I could be way off course, and I'm anxious to hear what the community is willing to share: alternative approaches, lessons learned, or “watch-outs” you’ve encountered in similar situations.

This is somewhat time-sensitive, as I’ll need to present my findings in meetings next week and the week after. Any guidance you’re able to share would be greatly appreciated.

Thanks in advance!
5 Replies
Aykar
Newcomer II

STRATEGIC RECOMMENDATIONS

The initial strategy proposed is very accurate and provides a solid foundation. The next step is to evolve that mindset toward a model of total isolation and default distrust (Zero Trust), where the physical device is considered merely an access terminal rather than a data container.

  1. VDI as the Core of the Strategy: The use of Virtual Desktop Infrastructure (such as Azure Virtual Desktop or Citrix) must be the strict standard, not an option. The employee accesses a virtualized environment running in a secure region outside the high-risk jurisdiction. This way, if the laptop is confiscated, inspected, or stolen, there are no local files, history, or sensitive data; the device functions solely as a gateway.

  2. Data Enclave and Sovereignty: It is essential to create separate, geo-fenced storage instances (SharePoint/OneDrive) for these users. Strict rules must be configured so that data from that branch cannot be shared with the rest of the organization without manual approval or extremely rigorous Data Loss Prevention (DLP) workflows. This prevents risks from spreading to the global infrastructure.

  3. Mandatory Hardware Tokens (FIDO2): In high-risk areas, SMS-based MFA is vulnerable to signal interception by local actors. Physical keys (such as YubiKeys or FIDO2 tokens) are the necessary gold standard to prevent phishing and ensure that only the authorized user can log in, eliminating dependence on local telecommunications infrastructure.

  4. Compliance with Local Encryption Restrictions: This is a critical watch-out: some countries legally prohibit certain encryption tools or specific VPN services. It is vital to validate that the security tools implemented do not place the employee in a position of legal non-compliance with local authorities, balancing corporate protection with the legal safety of the staff.

Conclusion for the Client: Transitioning to clean devices (laptops/burners) and exclusive access to virtualized resources minimizes the attack surface and protects the integrity of the global network, allowing operations in hostile environments without compromising the most valuable asset: information.

d46j48fx
Contributor I

@Aykar Thank you very much for these recommendations! They not only say "how" but "why", which will be beneficial if additional explanation/justification is required.

Do you have any thoughts regarding the client's staff traveling to and from the high-risk jurisdiction? For instance, should they be instructed to leave their BYOD phones at home and carry a locked-down, MDM-managed phone instead? Regarding Wi-Fi network access, is there technology that can restrict phone/laptop access to company-controlled Wi-Fi networks, or block access to open Wi-Fi networks?

Again, your thoughts are much appreciated!

Aykar
Newcomer II

It was nothing, @d46j48fx.

The short answer is: Never carry a personal device (BYOD) into a high-risk jurisdiction.

  • Mandatory MDM: Mobile Device Management (MDM) is compulsory.
  • Post-Travel Protocol: Upon re-entry, all devices must be treated as contaminated (requiring a full forensic wipe or isolation).

  • SSID Whitelisting: Implement SSID whitelisting via MDM to ensure devices only connect to authorized access points.

  • Always-On VPN: Deploy an Always-On VPN configuration with a kill-switch to prevent any unencrypted data leaks.

  • Disable Auto-Join: Enforce the deactivation of Auto-Join features for Wi-Fi and Bluetooth to prevent automatic connections to rogue networks.

  • Travel Routers: Utilize hardware-based Travel Routers (where legally permitted) to create a private, secure perimeter for all team devices.

I hope this will be helpful.
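As an added illustration (not part of the thread, and not any vendor's tooling), the checklist above can be turned into an automated compliance gate run against an MDM inventory export before and after travel. The record fields, the SSID allowlist names and the sample devices are all constructed assumptions; a real MDM export will use different field names.

```python
"""Travel-device compliance check for a high-risk-jurisdiction program.

Evaluates constructed MDM inventory records against the controls listed above:
SSID allowlisting, always-on VPN with kill switch, Wi-Fi/Bluetooth auto-join
disabled, FIDO2 token registered, and post-travel wipe/quarantine recorded.
"""
from dataclasses import dataclass, field

ALLOWED_SSIDS = {"corp-travel", "corp-hq"}  # assumed allowlist, pushed via MDM


@dataclass
class DeviceRecord:  # assumed shape of one exported MDM record
    device_id: str
    mdm_enrolled: bool
    always_on_vpn: bool
    vpn_kill_switch: bool
    wifi_auto_join: bool
    bt_auto_connect: bool
    fido2_registered: bool
    joined_ssids: list = field(default_factory=list)  # SSIDs seen during travel
    reimaged_after_travel: bool = False


def evaluate(rec: DeviceRecord) -> list:
    """Return the failed controls for one device; an empty list means compliant."""
    findings = []
    if not rec.mdm_enrolled:
        findings.append("not MDM-enrolled")
    if not (rec.always_on_vpn and rec.vpn_kill_switch):
        findings.append("always-on VPN with kill switch not enforced")
    if rec.wifi_auto_join or rec.bt_auto_connect:
        findings.append("auto-join still enabled")
    if not rec.fido2_registered:
        findings.append("no hardware FIDO2 token registered")
    rogue = sorted(s for s in rec.joined_ssids if s not in ALLOWED_SSIDS)
    if rogue:
        findings.append("joined non-allowlisted SSIDs: " + ", ".join(rogue))
    if not rec.reimaged_after_travel:
        findings.append("post-travel reimage/quarantine not recorded")
    return findings


# Constructed sample records (not real devices).
SAMPLE = [
    DeviceRecord("LT-001", True, True, True, False, False, True, ["corp-travel"], True),
    DeviceRecord("LT-002", True, True, False, True, False, True, ["corp-travel", "Airport_Free_WiFi"], False),
    DeviceRecord("PH-007", False, False, False, True, True, False, [], False),
]


def report(records=SAMPLE) -> dict:
    """Map each device id to its list of findings."""
    return {r.device_id: evaluate(r) for r in records}


if __name__ == "__main__":
    for dev, issues in report().items():
        print(dev, "OK" if not issues else "; ".join(issues))
```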

d46j48fx
Contributor I

Most certainly helpful; thank you!

kenmontenegro
Viewer II

These are great recommendations; I would just add reviewing the incident reporting protocol with the persons in that jurisdiction. It would also be good to tabletop a couple of scenarios just to make sure everyone is on the same page should something go wrong.