**Context**: My employer has been letting us remote in for a long time, but I always felt kind of weird about the security posture of it and now feel the need to ask for advice because we’re about to take in another employee who I’d probably end up mentoring.
Yes, I feel like I should be able to ask this question at work, and I don’t feel like I’d be ostracized for it; but it’s a little awkward for me, so even if I muster it, it’d be nice to have an unbiased second opinion(s).
I did come across the *NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security*: [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf). Admittedly, I kind of skimmed it, but it seemed like when it came to specific remote software advice, it was to consult with the employer.
**Scenario**: Basically, our employer told us we can use VNC or TeamViewer. I never asked if those were specific restrictions or if those were just suggestions.
* I use a work-issued laptop which is password protected. I keep it updated and I live alone. I connect to my Internet via ethernet cable.
* I created my own Gmail account for work-related matters and used that to create a personal RealVNC and TeamViewer account. Work did not provide a license.
* I downloaded the RealVNC and TeamViewer server programs to the host machine.
* I downloaded the RealVNC and TeamViewer client programs to my work-issued laptop.
* When I connect, I need to enter my credentials each time.
For some reason, it feels wrong to me that I’m using a Gmail account that I created myself. Is there any basis for that feeling? I mean, I guess it’d be slightly more “professional” if work provided the remote licensing/account, but how important or not is that?
Also, should I be using a VPN on top of these remoting programs? I did light research earlier that suggested VNC and TV protocols are VPNs, but never confirmed. What even are the implications if VNC and TV establish a VPN and then I use another third-party VPN on top of it? Redundant? More secure? Performance hindrance?
How much worse or not is it if I did all the same as above, but connected using my personal computer (presuming that said computer is just as secure)? It feels kind of silly that my work-issued laptop is just a machine that I use to boot up to connect to my remote computer using my same Internet connection. The work-issued laptop has no special authentication mechanisms like say, an on-site work computer might have card-based authentication, etc. I don’t store any files on it at all, the only programs that were installed on it were VNC and TV.
Any other thoughts on this matter are well appreciated!