Improving security by sandboxing work for different purposes on my laptop
During my freelancing time over the last couple of years, I’ve been trying different setups that would satisfy my wish to use a single laptop for different clients whilst maintaining proper security.
After all, I do not want to explain to my client that their servers got infected with Crapware because I felt the need to run Spotify on my laptop or visited an infected site that one time.
Naturally, as an infrastructure guy, I run a lot of virtual machines. The Vagrant + VirtualBox combination is a very good fit for Puppet development work.
I tried running some of the ‘production’ work in VMs, but it never really panned out. Having a dedicated homebanking VM or a ‘Client X VPN VM’ was just too different a workflow to feel natural and effective.
So now I decided to split workloads into sets of tasks with a similar security need / boundary and create VMs for those.
To improve the security in the virtual machines, VMware file sharing between the VM and the host OS is limited to a single specific folder. Also, I disabled drag and drop + copy and paste support in the VMware options.
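An added example, not from the original post: a small Python check that reads a VM's `.vmx` text and flags clipboard or drag-and-drop settings that are not explicitly disabled, plus any enabled shared folder other than the intended one. The `isolation.tools.*` and `sharedFolderN.*` key names are assumed to match what your VMware version writes to the `.vmx` file; the sample content and paths are constructed.

```python
import re

# Constructed sample .vmx content (not from the original post).
SAMPLE_VMX = '''
displayName = "client-x"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/Users/me/vmshare/client-x"
sharedFolder0.writeAccess = "TRUE"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "TRUE"
sharedFolder1.hostPath = "/Users/me"
'''

# Assumed key names for copy, paste and drag-and-drop isolation.
ISOLATION_KEYS = (
    "isolation.tools.copy.disable",
    "isolation.tools.paste.disable",
    "isolation.tools.dnd.disable",
)

def parse_vmx(text):
    """Parse key = "value" lines; keys are compared case-insensitively."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([^#\s=]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text, allowed_share):
    """Return a list of findings; an empty list means the policy is met."""
    cfg = parse_vmx(text)
    findings = []
    for key in ISOLATION_KEYS:
        # A missing key is flagged too: it was never explicitly disabled.
        if cfg.get(key, "").upper() != "TRUE":
            findings.append(f"{key} is not TRUE")
    for key, value in cfg.items():
        m = re.fullmatch(r"(sharedfolder\d+)\.hostpath", key)
        if not m:
            continue
        enabled = cfg.get(m.group(1) + ".enabled", "").upper() == "TRUE"
        if enabled and value.rstrip("/") != allowed_share.rstrip("/"):
            findings.append(f"unexpected shared folder: {value}")
    return findings

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX, "/Users/me/vmshare/client-x"):
        print("FINDING:", finding)
```

Run it against each VM's `.vmx` after changing settings in the VMware options, since a missing key is reported the same way as one set to `FALSE`.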
I try to minimize risk in the host operating system by performing the least amount of tasks directly in this layer. I suspect I can further reduce the tasks that I run in the host OS with a future generation of hardware.
Currently I still do Puppet development / testing in the host OS. Running the VirtualBox VMs nested in a VMware VM leaves me with too much of a performance penalty.
The biggest limitation I’ve run into is video support in the OS X virtual machine. Video does work OK enough, but it lacks proper Retina support, so screen elements are really tiny or kind of blurry, as before Retina. Not a show stopper though.
Will report in a couple of weeks or so how well it went.