I love QubesOS and have been using it for quite some time now, with a lot of success. I also think it’s the best OS in terms of security that’s actually usable for most workloads.
I’d love to see QubesOS used at work in more places as well, to drastically increase the security, especially in high-assurance workloads, but there is (at least) one problem. Many workplaces require MDM, such as Intune, Jamf or other solutions (especially Microsoft’s own tools). This makes it very difficult to have QubesOS installed and compliant with the workplace’s security policies.
In most situations, this means that although QubesOS would be significantly more secure in almost all avenues, the fact that it does not conform to the security policy and MDM (as mandated by e.g. ISO 27001), it is not possible to use the OS in the workplace.
I’m making this post to collect ideas as to what could possibly be done about that. If you have any ideas on how to help use Qubes in such an environment and make it compliant/possible to use with MDM, please post below, any and all ideas are greatly appreciated!
From experience, Qubes OS is far from matching requirements for regulated environments, the following bullets points are usually a problem, but depending on the security referential some may be ok or not
user is administrator
remote administration is hard
virtualization may not be considered safe enough
where to run MDM / antivirus
qubes are not encrypted independently
qubes are not hardened
Intune on Linux does not even do anything useful at the moment, and is poorly supported (officially ubuntu and red hat only)
provides a framework within which organisations develop their security
policies, and MDM is a tool that helps compliance within that
framework. I’ve seen cases where exceptions and exclusions are
acceptable within the IS management system.
The questions is whether Qubes systems can be brought within the system
in a way that is acceptable under 27001. In my experience this can
be done but it requires active engagement with IS and commitment from
management.
On @solene points, these are valid but our experience obviously differs.
No doubt - it is possible to run Qubes with a limited second user, but
it requires intervention and hand holding at the deployment stage. Even
where this is not acceptable, a properly conducted risk assessment and
policy structure can bring user/root cases within 27001.
In my experience, remote management can be set up relatively easily,
so that the whole Qubes system can be administered remotely. Auditing
and administration can be difficult but is possible, and can be brought
within the 27001 framework.
This is just a question for the organization - I’d be amazed if they are
not already using virtualisation at the server level, and I know compliant
organizations who use it at user level. (If they already use Xen,
perhaps as Citrix or Oracle, it’s a help.)
This is a great question, and is probably one of the most difficult for
IS/IT to understand and deal with. It requires an understanding of the
principles underlying their 27001 system and Qubes, and how they can be
applied in the Qubes case. Should there be AV in every Qube? Should
there be AV in only qubes that connect to the network? Should there be
AV only in Qubes that store and process data? Should there be AV only in
qubes where data leaves the system? These are all valid positions, and
will need to be considered and documented before roll out.
Harden them to a level that brings them within the 27001 system. Patch
and configuration management are very important here, and a decent
remote management system will help compliance,
Many people dont think of the ISO standards as providing a framework,
particularly if they use a consultant who has little interest in
providing understanding. But that is exactly what they do, and given
a good risk assessment and implementation it is possible to bring Qubes
use within an 27001 compliant system. The details of this will be
specific to each organisation, and some auditors may require detailed
walk throughs, but this is acceptable.
In my experience the benefits provided by Qubes can be highlighted and
the systems brought within a 27001 compliant ISMS, (confirmed by audited
and accredited cases). No doubt there are Qubes specific issues, but
with the right setup and onboarding, in my experience, calls on IT are
no greater than Mac/Windows.
As always, it really helps if there is a commitment at board level. If
there is a separate audit group, demonstrations and Q&A sessions are
useful before developing a roll out strategy. But there’s nothing Qubes
specific in these points.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Side note, I did not say Qubes OS can’t be used in such environments, but it might involve a lot more work than management would tolerate compared to using Ubuntu or Windows
