The Developer: the Weakest and Overlooked Link in Enterprise Data Security
Guest post by Laurent Ballmeli, CEO and co-founder of Strong.Network
Even with data held in the Cloud or on internal servers, why is it still necessary to secure developers’ laptops? In this first article on the subject, I explain why, even today, your developers are likely the weak link in protecting your data. To grasp this often overlooked issue, here is a brief history of how enterprise data storage evolved and how we got to where we are.
Why Is There a Need for Secure Laptops in Development?
The need to secure laptops in organizations stems from the company data they carry. The issue has multiple facets, ranging from careless data management to intentional leakage by a malicious employee.
In the case of laptops intended for application development, the complexity of securing them is linked to the nature of the developer’s environment.
Development environments have notoriously complex configurations and often require significant maintenance. This is due to the many tools, dependencies and data sets held on local storage. That local data exists regardless of the online services also used to collaborate, build and deploy applications, such as CI/CD pipelines, Azure DevOps, GitHub and similar platforms.
Notably, on development laptops, confidential information must be stored locally for developers to do their work. Source code, test data (or, more concerning, “anonymized” production data) and access credentials are therefore at risk.
This is why companies need to secure developers’ laptops.
A Billion-Dollar Problem
A quick look back at the issue of laptop security: a 2010 study titled “The Billion Dollar Lost Laptop Problem” found that over 86,000 stolen or lost computers resulted in a loss of $2.1 billion, mainly due to the loss of data stored locally on the laptops. It is essential to remember, however, that in 2010 the Cloud was still rarely used as a storage medium for enterprise data, so this cost should be re-evaluated and adjusted to today’s economy.
Now, for many functions (other than development), the Cloud provides a solution by removing sensitive data from laptops: users access it remotely through web applications. For example, client data used for sales, as well as most documents and employee emails, are now stored online in the Cloud and accessed via the web.
This migration has shifted the debate from laptop security to protecting the credentials that grant access to corporate resources, whether these are in the Cloud or self-hosted. As this digital shift progressed, much of the data once stored locally on laptops vanished from them.
However, there is a notable exception to this migration: laptops used for application development.
As mentioned earlier, in most cases (I’ll address exceptions later), laptops provided to developers today require a local replica of the source code, work data, access credentials and other corporate secrets. In particular, hosting source code online on GitHub or GitLab does not address this need, because a local copy is still required for developers to do their job! Therefore, companies’ interest in providing secure enterprise laptops to developers has not diminished with the use of the Cloud.
What Is the Incentive in Targeting Developers?
The incentives are diverse: access to intellectual property, source code, client data, strategic company information, and so on. Source code in particular often reveals vulnerabilities in the application it implements, whether an internal application or one delivered to a client; if that application is deployed in the Cloud, it can then be attacked remotely. Once compromised, it can expose sensitive data such as users’ personal information. Many entities, such as LastPass (a password manager), Tesla, Microsoft and even the Swiss Confederation, have recently fallen victim to cyber-attacks exploiting information of the kind described above. In addition, many Swiss companies are attacked daily through application vulnerabilities, or via phishing, malware or insider threats reaching employees’ and developers’ laptops.
Despite this, few companies today can accurately identify the precise location and nature of their development-related data. Consequently, they are poorly informed about, and poorly protected against, laptop loss, external attack or an unscrupulous employee.
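As an added example (not code from this article or from Strong.Network), here is a small inventory script of the kind a security team can run to answer the question above: where, on a developer laptop, does development-related secret material actually sit? It assumes the scanned root is the developer’s home directory; the credential file paths and token formats it looks for are the well-known conventions of the named tools, and the sample directory it builds is constructed data containing no real keys.

```python
"""Inventory of locally stored development secrets on a developer laptop.

Added example, not from the original article or Strong.Network.  It walks a
directory tree (assumed to be a developer's home directory) and reports
(a) well-known credential files that developer tooling writes to disk and
(b) files whose contents match common secret formats.  The sample tree is
constructed inline so the script runs offline.
"""
import os
import re
import tempfile
from pathlib import Path

# (a) Files that common developer tooling stores credentials in.  Paths are
# relative to the scanned root; these are the tools' real default locations.
KNOWN_CREDENTIAL_FILES = {
    ".aws/credentials": "AWS CLI/SDK access keys",
    ".git-credentials": "Git plaintext HTTPS credentials",
    ".npmrc": "npm registry auth token",
    ".docker/config.json": "Docker registry auth",
    ".kube/config": "Kubernetes cluster credentials",
    ".netrc": "plaintext login/password pairs",
}

# (b) Content patterns: AWS access key IDs start with AKIA, GitHub personal
# access tokens with ghp_, PEM private keys with a BEGIN header, and .env
# style files carry KEY=value lines whose name says SECRET/PASSWORD/TOKEN.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "dotenv_secret": re.compile(r"^[A-Z_]*(?:SECRET|PASSWORD|TOKEN)[A-Z_]*=\S+", re.M),
}

SKIP_DIRS = {"node_modules", ".venv", "venv", "__pycache__", ".git"}
MAX_BYTES = 1_000_000  # skip large binaries and archives


def scan(root):
    """Return a sorted list of (relative_path, kind) findings under root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune noisy directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if rel in KNOWN_CREDENTIAL_FILES:
                findings.append((rel, "known_file:" + KNOWN_CREDENTIAL_FILES[rel]))
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, kind))
    return sorted(findings)


def build_sample_home():
    """Create a constructed developer home directory (sample data, not real keys).

    AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation.
    """
    home = Path(tempfile.mkdtemp(prefix="devhome_"))
    files = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        ".npmrc": "//registry.npmjs.org/:_authToken=npm_notarealtoken\n",
        "work/app/.env": "DB_HOST=db.internal\nDB_PASSWORD=hunter2\n",
        "work/app/src/config.py": 'GITHUB_TOKEN = "ghp_' + "a" * 36 + '"\n',
        "work/app/README.md": "# app\nNothing sensitive here.\n",
        # Vendored dependency: pruned by SKIP_DIRS, so this copy is not reported.
        "work/app/node_modules/pkg/index.js": "module.exports = 'AKIAIOSFODNN7EXAMPLE';\n",
    }
    for rel, content in files.items():
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return home


if __name__ == "__main__":
    for rel, kind in scan(build_sample_home()):
        print(f"{rel}: {kind}")
```

Run against a real home directory (`scan(Path.home())`) the output is the inventory the article says most companies lack: a list of which files would leave with the laptop. The pattern list is deliberately short; in practice one would extend it with the token formats of the registries and cloud providers the team actually uses, and treat matches in vendored or generated code as lower priority rather than ignoring them outright.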
Is It Possible to Remove Development Data From Laptops?
A typical solution is to have the developer work on a remote machine (a “remote desktop”), for example a virtual machine in the Cloud. This removes much of the risk tied to locally stored data (with the exception of the access credentials, which still live on the laptop). Unfortunately, this solution has many drawbacks, especially in how working on a remote machine affects developer productivity. It is also complex to implement and expensive to maintain and operate. More importantly, it offers no protection against phishing, malware or insider threats.
Only recently, with advances in virtualization technology, have companies been able to replace generic solutions such as remote desktops with a new approach, one aimed at minimizing the impact on productivity, reducing costs and increasing security, tailored to the needs of developers.
This new approach and its history will be the subject of my next article. Find out more articles on the subject at https://strong.network/resources/blog.
About Strong.Network
Strong Network is an award-winning cybersecurity company (runner of Tech4Trust Season 2) providing highly secure workspaces for code development across various industries. The company is dedicated to revolutionizing secure code development by enabling teams to quickly deploy secure development environments. This effort focuses on maintaining the integrity of valuable digital assets while boosting DevOps efficiency.