No More “Remote IT”: A CTO Playbook for Contractor Identity and Device Posture

By Diogo Hudson Dias
[Image: Engineer in São Paulo using a USB security key to log into a company laptop at a home office, router visible.]

Ransomware crews have stopped guessing your passwords. They’re showing up as “IT contractors,” badges and résumés in hand. In recent advisories, Google and the FBI warned about criminals infiltrating companies by posing as tech workers—sometimes even on-site. If your controls assume that a convincing Zoom call equals trust, you’ve already lost.

This is not a hiring problem. It’s a systems problem. As a CTO, you need a repeatable way to prove two things for every person touching prod: who they are, and what their device is. Everything else—SSO, IAM, RBAC—sits on top of that foundation. If the foundation is fake, your entire access model collapses.

The nearshore reality: time zone overlap doesn’t mean control overlap

Brazil and broader LatAm give you 6–8 hours of overlap with US time zones and access to 750K+ developers. That’s great for execution. It also means your controls must work across varied devices, ISPs, and legal regimes (LGPD in Brazil). You can’t fly everyone to HQ for badge checks. You need hardware-backed identity, device posture you can verify, and network access that assumes the home router is hostile.

A five-layer control model that actually survives impostors

If you only implement one or two layers, attackers route around them. You need all five, with explicit guardrails and telemetry:

1) Identity proofing at intake (and quarterly)

  • Document + liveness: Use a vendor that performs ID document validation plus selfie liveness (no static photo) and runs vendor-side risk checks. Aim for sub-2 minute flows and record a verification session ID you can audit.
  • Regional validation: For Brazil, require CPF on file and validate format/issuance. Don’t store scans longer than necessary; bind an attested verification result to the person’s HR record to stay LGPD-compliant.
  • Re-verify quarterly: People change roles and circumstances. Expect 1–2% of rechecks to fail due to expired IDs or mismatches; that’s a feature, not a bug.

2) Hardware-backed authentication for everything that matters

  • FIDO2 mandatory: Enforce platform passkeys or roaming security keys for SSO and admin consoles. No SMS, no email OTP fallbacks. Provide at least one backup key per person.
  • Git signing that’s real: Require hardware-backed signing for commits and tags (OpenSSH sk- key types or Sigstore). Pair this with DCO and branch protections so a stolen cookie can’t rewrite history.
  • Break-glass with proof: For emergency bypass, require a second approver and store a tamper-evident reason code linked to the incident ticket.

3) Device posture you can attest, not just assert

  • COBO beats BYOD: Company-Owned, Business-Only laptops give you consistent posture. If you must do BYOD, demand MDM enrollment with disk encryption, secure boot, and a current OS baseline (macOS within one minor, Windows 11 current, Ubuntu LTS current).
  • Measure posture at session start: Gate access on TPM/secure enclave signals, EDR health, disk encryption, firewall state, and kernel version. No posture, no prod.
  • EDR that’s tamper-resistant: Choose an EDR that ties into kernel drivers and refuses to run on rooted/jailbroken machines. Telemetry should include process starts and suspicious tooling (credential dumpers, packet sniffers outside approved profiles).

4) Network that assumes the ISP is compromised

  • ZTNA over VPN: Use a zero-trust access broker that binds identity to device posture and issues short-lived client certificates. WireGuard-based brokers are fast and scriptable.
  • Egress pinning: All sensitive systems should see traffic from a small set of IPs you control. If you can’t pin by IP, pin by mutual TLS client certs issued by your broker.
  • Regional policy: Geofence sensitive consoles to countries where your team operates. If you work with Brazil, allow BR+US; block the rest. Combine with impossible travel detection.
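As an added illustration of the regional policy and impossible-travel rule above (example code, not from the original article or any vendor), this detector evaluates a constructed batch of login events against a BR+US allowlist and flags any user whose consecutive logins imply a speed no airliner could reach. Country codes, coordinates and the 900 km/h threshold are assumptions; feed it the fields your SSO or geo-IP source actually emits.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

ALLOWED_COUNTRIES = {"BR", "US"}  # the BR+US geofence from the policy above
MAX_PLAUSIBLE_KMH = 900.0         # above airline speed -> impossible travel

@dataclass
class Login:
    user: str
    ts: datetime    # timezone-aware
    country: str    # ISO 3166-1 alpha-2, as resolved by your geo-IP source
    lat: float
    lon: float

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_anomalies(logins: List[Login]) -> List[Tuple[str, str]]:
    """(user, reason) pairs: 'geofence' for a disallowed country, 'impossible_travel'
    when the speed implied since the user's previous login exceeds MAX_PLAUSIBLE_KMH."""
    findings = []
    last: Dict[str, Login] = {}  # most recent login seen per user
    for cur in sorted(logins, key=lambda x: (x.user, x.ts)):
        if cur.country not in ALLOWED_COUNTRIES:
            findings.append((cur.user, "geofence"))
        prev = last.get(cur.user)
        if prev is not None:
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if haversine_km(prev, cur) > MAX_PLAUSIBLE_KMH * hours:
                findings.append((cur.user, "impossible_travel"))
        last[cur.user] = cur
    return findings

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample events (not real users; locations are city centroids)
SAMPLE_LOGINS = [
    Login("alice", _t("2024-05-06T12:00:00"), "BR", -23.55, -46.63),  # São Paulo
    Login("alice", _t("2024-05-06T13:30:00"), "US", 39.04, -77.49),   # Ashburn, 90 min later
    Login("bob", _t("2024-05-06T10:00:00"), "US", 30.27, -97.74),     # Austin
    Login("bob", _t("2024-05-06T18:00:00"), "US", 30.27, -97.74),     # Austin, 8 h later
    Login("carol", _t("2024-05-06T09:15:00"), "NL", 52.37, 4.90),     # outside the geofence
]
```

Either finding is what the article's automated lockout should key on; a single geofence hit and a single impossible-travel hit are both present in the sample so you can see each path fire.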

5) Access that expires by default

  • JIT everywhere: Admin roles, cloud consoles, database shells—no standing privileges. Access requires a ticket, manager approval, and auto-expires in hours, not days.
  • Session recording for admin UIs: Where supported, record keystrokes and screens. Attach recordings to tickets. You’ll use this to triage whether a risky action was malice or incompetence.
  • Service account hygiene: Rotate secrets on a schedule and enforce short TTLs for tokens. If your agent or script can’t handle refresh, your risk model is wrong.

Costs and trade-offs: what this actually takes

Security that works isn’t free, but it’s predictable. For a nearshore pod of five senior engineers in Brazil:

  • Laptops (COBO): USD $1,400–$1,800 per device. Amortized over 24 months: ~$60–$75 per month.
  • MDM + EDR: $8–$20 per user per month, depending on vendor and features.
  • ZTNA/WireGuard broker: $5–$12 per user per month.
  • Security keys: $50–$80 per key; buy two per person. Amortize to ~$6 per month.
  • Shipping/import to Brazil: $100–$250 per laptop depending on route and customs. Do batch shipments and use a local logistics partner.

Total: roughly $80–$120 per person per month in operating controls after initial device capex. If that feels expensive, price a single ransomware recovery or a customer trust event. The math flips fast.

Trade-offs to be honest about:

  • Friction vs. flow: Senior engineers hate friction. So route friction to high-risk moves (privilege elevation, prod data access) and keep read-only dev flows light.
  • BYOD optics: BYOD feels easy until your EDR fights with a personal antivirus or a rooted Android tether. Budget to move to COBO in 90 days.
  • Offline realities: Brazilian ISPs can be flaky. Provide tethering allowances and make your ZTNA reconnect gracefully. Don’t fall back to password-only in bad network conditions.

Decision framework: minimum viable controls vs. mature stack

Not every company needs the same rigor on day one. Choose a level, then evolve deliberately:

Level 0 (What you may have now—too risky)

  • Zoom interview + résumé → Google Workspace invite
  • Email OTP as MFA; password managers optional
  • SSH keys on laptops you don’t control
  • Shared VPN with a single PSK and no posture checks

Level 1 (Minimum viable zero-trust for contractors; 30 days)

  • Identity: Document + liveness at intake; re-verify every quarter
  • Auth: FIDO2 for SSO and critical apps; kill SMS/voice fallback
  • Device: MDM enrollment mandatory; disk encryption + OS baseline enforced
  • Network: ZTNA broker for admin apps; start egress pinning for prod APIs
  • Access: JIT elevation for admin roles; break-glass with approval + audit

Level 2 (Credible defense; 60 days)

  • Hardware-backed Git signing enforced on protected branches
  • EDR with tamper protection and process monitoring
  • Mutual TLS client certs bound to device identity for sensitive services
  • Session recording for cloud consoles and support tools
  • Secrets: Short-lived tokens everywhere; scheduled rotation with automation

Level 3 (Mature stack; 90–120 days)

  • COBO laptops across the board; BYOD phased out
  • Posture-based gating at session start and continuously (kill-switch on drift)
  • Geofencing + impossible travel alerts with automated lockouts
  • Periodic surprise liveness checks tied to JIT requests
  • Vendor risk program with technical audits for any third-party with prod access

Implementation details that matter more than brands

Identity proofing

  • Demand evidence, not PDFs: Store a verifiable receipt from your proofing vendor (transaction ID, methods used, timestamp). That’s what auditors and insurers will ask for.
  • Keep PII off your systems: Retain only the verification result and minimal identifiers. Let the vendor carry the document storage burden under their compliance envelope.
  • Secondary channel challenge: For high-risk roles, include a second data source challenge (e.g., local tax ID knowledge) during intake.

Hardware-backed auth

  • Two keys, two admins, two geos: Issue two security keys per person. Keep one in a safe at home; escrow a sealed spare at your nearshore partner’s office. Rotate when people change addresses.
  • Kill weak fallbacks aggressively: Remove SMS and email OTP flows from critical apps. Offer a time-limited recovery window via helpdesk with video liveness + second approver.

Device posture

  • Attest or block: Your access broker should read secure boot/TPM state and EDR health at connect time. If those signals are absent, block access automatically.
  • 14-day patch SLA: Enforce OS and browser updates within 14 days of release. Noncompliant devices lose access until they patch.
  • No local admin: Disallow local admin on COBO devices; provide a timeboxed elevation tool with audit when needed.
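The posture gate described in layer 3 and in the three device-posture points above, written out as an added example (not the article's code or any broker's real API): a connect-time policy that treats an absent attestation signal as a failure, enforces the OS baseline and the 14-day patch SLA, and rejects local admin. The baseline version numbers and the sample device reports are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_SLA_DAYS = 14  # the 14-day patch SLA above
# Assumed "current" baselines (placeholders); replace with what your MDM publishes.
OS_BASELINE = {"macos": (14, 5), "windows": (11, 22631), "ubuntu": (24, 4)}

@dataclass
class Posture:
    platform: str
    os_version: Tuple[int, int]           # (major, minor) or (major, build)
    oldest_pending_patch: Optional[date]  # release date of the oldest unapplied update
    secure_boot: Optional[bool]           # None on any signal means "not reported"
    tpm_present: Optional[bool]           # TPM / secure enclave attestation available
    disk_encrypted: Optional[bool]
    firewall_on: Optional[bool]
    edr_healthy: Optional[bool]
    edr_tamper_protected: Optional[bool]
    local_admin: Optional[bool]

def os_within_baseline(platform: str, version: Tuple[int, int]) -> bool:
    base = OS_BASELINE.get(platform)
    if base is None:
        return False                      # unknown platform: no baseline, no prod
    if platform == "macos":               # macOS may lag the baseline by one minor
        return version >= (base[0], base[1] - 1)
    return version >= base                # Windows 11 / Ubuntu LTS must be current

def evaluate_posture(p: Posture, today: date) -> Tuple[bool, List[str]]:
    """Attest-or-block: returns (allowed, failed_checks); a missing signal fails."""
    attested = {
        "secure_boot": p.secure_boot, "tpm_present": p.tpm_present,
        "disk_encrypted": p.disk_encrypted, "firewall_on": p.firewall_on,
        "edr_healthy": p.edr_healthy, "edr_tamper_protected": p.edr_tamper_protected,
    }
    failures = [name for name, ok in attested.items() if ok is not True]
    if not os_within_baseline(p.platform, p.os_version):
        failures.append("os_baseline")
    if p.oldest_pending_patch and (today - p.oldest_pending_patch).days > PATCH_SLA_DAYS:
        failures.append("patch_sla")
    if p.local_admin is not False:        # absent signal counts as admin present
        failures.append("local_admin")
    return (not failures, failures)

# Constructed sample reports and clock (not real devices)
TODAY = date(2024, 5, 8)
GOOD = Posture("macos", (14, 4), date(2024, 5, 1), True, True, True, True, True, True, False)
STALE = Posture("ubuntu", (24, 4), date(2024, 4, 10), True, None, True, True, True, False, False)
```

The failure list is what you surface to the engineer ("patch, then reconnect") and what feeds the 95%-at-connect metric later in the article.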

Network controls

  • One egress, many paths: Terminate all sensitive traffic via a regional egress you own in São Paulo/Ashburn. Latency stays low; policy stays simple.
  • DNS you trust: Force DoH/DoT to a resolver you control. Block known dynamic DNS and residential proxy exit nodes.
  • Home router entropy: Assume the router is compromised. Your broker should encrypt device-to-broker and broker-to-service; never rely on LAN trust.

Access hygiene

  • Ticket or no access: Wrap JIT in your ticketing system. If there’s no approved ticket ID, the broker won’t grant elevation. It’s amazing how many “emergencies” vanish when there’s a form.
  • Admin session journaling: Prefer built-in recordings (e.g., cloud provider session managers) over screen-scrapers when available. Otherwise, deploy a privileged access gateway that journals keystrokes and screens.
  • Service accounts with owners: Every service account has a human owner, a rotation schedule, and an alert when it’s used from an unexpected path.
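The "ticket or no access" rule from layer 5 and the access-hygiene points above, as an added example that is not the article's code or any ticketing product's API: a tiny JIT broker that refuses elevation without a manager-approved ticket belonging to the requester, clamps the TTL to hours, and journals every grant and denial in a hash chain so an edited or deleted entry is detectable. Ticket IDs, people and the clock are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_TTL = timedelta(hours=8)  # elevation lasts hours, not days

@dataclass
class Grant:
    user: str
    role: str
    ticket_id: str
    expires_at: datetime
    def active(self, now: datetime) -> bool:
        return now < self.expires_at  # access expires by default

def _digest(entry: dict) -> str:
    return hashlib.sha256(repr(sorted(entry.items())).encode()).hexdigest()

class JitBroker:
    # tickets: ticket_id -> (requester, approving manager or None); decisions are hash-chained
    def __init__(self, tickets: Dict[str, Tuple[str, Optional[str]]]):
        self.tickets = tickets
        self.journal: List[dict] = []

    def _log(self, **entry) -> None:
        entry["prev"] = self.journal[-1]["digest"] if self.journal else "0" * 64
        entry["digest"] = _digest(entry)
        self.journal.append(entry)

    def request(self, user: str, role: str, ticket_id: str, ttl: timedelta, now: datetime) -> Grant:
        t = self.tickets.get(ticket_id)
        if t is None or t[0] != user or t[1] in (None, user):  # must be approved by someone else
            self._log(event="deny", user=user, role=role, ticket=ticket_id)
            raise PermissionError("no manager-approved ticket for this user")
        grant = Grant(user, role, ticket_id, now + min(ttl, MAX_TTL))  # clamp TTL, never extend it
        self._log(event="grant", user=user, role=role, ticket=ticket_id, exp=grant.expires_at.isoformat())
        return grant

    def journal_intact(self) -> bool:
        prev = "0" * 64
        for e in self.journal:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

SAMPLE_TICKETS = {"T-100": ("alice", "mgr-1"), "T-101": ("bob", None), "T-102": ("carol", "carol")}  # constructed
NOW = datetime(2024, 5, 6, 12, 0)  # constructed clock
```

A self-approved ticket (carol) is denied for the same reason a missing one is: approval has to come from a different human, which is the property an impostor cannot fake by filing their own form.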

How to roll this out in 90 days without breaking delivery

Days 0–30: Close the biggest holes

  • Mandate FIDO2 on SSO and critical consoles; remove SMS/voice fallbacks
  • Inventory devices; enforce MDM, disk encryption, OS baselines
  • Implement ZTNA for admin tools; stop using shared VPNs
  • Start JIT flows for cloud admin roles; add a break-glass policy with approvals
  • Do an intake re-verification for all contractors with liveness; document results

Days 31–60: Bind identity to device and network

  • Roll out hardware-backed Git signing to protected branches
  • Turn on EDR with tamper protection and alerting
  • Enable egress pinning for prod APIs; enforce mutual TLS for sensitive services
  • Add session recording to admin consoles
  • Geofence admin access; configure impossible travel alerts with auto-lock

Days 61–90: Standardize and audit

  • Transition high-risk roles to COBO laptops; plan BYOD sunset dates for the rest
  • Implement quarterly re-verification cadence in HRIS
  • Automate token rotations; set TTL policies in CI/CD and infra
  • Run a red team exercise focused on contractor impersonation and device compromise
  • Create a single “contractor security baseline” doc; have nearshore partners sign it

What “good” looks like in telemetry

  • 100% of active contractors with successful document+liveness verification in last 90 days
  • 100% FIDO2 enrollment; zero successful logins via weak fallback
  • 95%+ devices meeting posture at connect; the remainder blocked until remediated
  • All privileged actions tied to JIT tickets with session recordings
  • Zero prod endpoints accepting traffic from non-pinned egress or without mTLS

Why this works against fake IT workers

Impostors thrive where identity is social and access is persistent. This stack breaks both assumptions. They can’t pass liveness checks repeatedly without slipping. They can’t log in without a hardware factor. They can’t reach prod unless the device’s secure enclave says yes. And if they do get in, their session is short, recorded, and bound to a ticket you can yank without arguing about “intent.”

Brazil-specific realities (and how we handle them at DHD Tech)

  • Logistics: We batch-import COBO laptops and security keys with local partners to avoid customs surprises and to handle repairs locally.
  • Connectivity: We standardize on ZTNA that tolerates flaky ISPs and gracefully reconnects. For critical incidents, we provision LTE failover SIMs.
  • Compliance: We design flows to be LGPD-friendly—minimize PII retention, lean on vendor attestations, and segregate verification data from general HRIS views.
  • Culture: We explain the “why” during onboarding and put friction where it matters. Senior engineers accept guardrails when they see they’re targeted, not blanket slowdowns.

Don’t outsource trust—operationalize it

The “fake IT worker” wave is just the latest reminder: your attack surface is people on devices. You can’t buy a single product that makes that go away. But you can operationalize trust with layered, auditable controls that travel with your team whether they’re in Austin or São Paulo. Do it in 90 days, measure it monthly, and sleep better knowing a friendly Zoom smile can’t move your crown jewels.

Key Takeaways

  • Assume contractors can be impersonated; prove identity with document+liveness at intake and quarterly thereafter.
  • Make FIDO2 mandatory for SSO and admin consoles; kill SMS/voice fallbacks.
  • Gate access on device posture you can attest: secure boot/TPM, disk encryption, patched OS, and healthy EDR.
  • Use ZTNA with egress pinning and mTLS; assume home routers and ISPs are hostile.
  • Adopt JIT access with expiration and session recording; no standing privileges.
  • Budget ~$80–$120 per person per month for operating controls after device capex.
  • Roll out in 90 days: close holes (0–30), bind identity to devices (31–60), standardize and audit (61–90).
