Securing my files and data

first_MCITP asked:
I have a file server where all my folders and files are located. Those files are distributed according to department. Security and permissions are done as per department. So for each folder I have three types of users: Full Control, write (no modify), and read only.
I am afraid that those users can copy files or send them by e-mail to any competitor or someone outside the company.
Does anyone have a solution on how to prevent this and have more control?
If a user has read access then they can print it, copy it to a USB stick, or attach it to an email. You can monitor the print queue, frisk your employees, and monitor outgoing emails... or you can make sure your employees feel that they are part of the company by paying them well and giving them further incentives to feel like the company they work for is actually taking care of them... apart from that, there are always laws and confidentiality agreements that you could consider employing.
I don't think this can be done using Windows rights, because if you have given read access to a user, this enables the user to copy that file and there is no option available in Windows to stop this. Maybe this can be done using a third-party application, but I'm not sure.

A solution for this type of user (which is not very good) is to allow them to access these files through Terminal Services instead of folder sharing.
There are some ways to control what you're talking about, but I don't see it done very often.  Mostly in larger companies with legal regulations or implications related to data loss.  A compliance specialist would be able to help with this a bit more.

Having worked in a hospital environment, I've had to work with some of these solutions.  Vericept is one product we used: https://www.vericept.com/index.php?id=1097.  This product allowed us to automatically flag email and web traffic that matched content types, including medical or personal information.  It can be configured to trap all kinds of information.  I believe it can also be used to stop/block some of this as well, but I haven't seen this done personally.

There are numerous solutions to the USB issue, from disabling front-panel ports to software solutions.  Here's one group of people who have taken on the task:
http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks
The Kbox from Kace provides all kinds of management and IT admin tools.  In the following document they also list the ability to block USB fobs: http://www.kace.com/pdf/white-paper/KBOX-HIPAA-Approach.pdf

All in all, this is a tough problem to solve with technology; possible but expensive in $$ and time and not 100% effective.  Combining policy/procedures and some technology measures is likely the best solution.  If this is critical to your business due to regulations or management decisions, then you may want to see about hiring a compliance consultant or an in-house security officer to help select protection systems, but then also to review the large amounts of data generated by these solutions to identify issues and research as needed.
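The post above mentions software routes to the USB problem without showing one. As an added example, not taken from the thread or from any product named in it, the following PowerShell script checks the state of the Windows USB mass-storage driver, lists removable drives currently mounted, and can set the documented disable value. The registry key and its Start values are standard Windows; the function names are mine. It must run from an elevated session, and for a fleet the same setting belongs in Group Policy rather than a per-host script.

```powershell
# Added example (not from the thread). Checks and optionally enforces the
# Windows USB mass-storage driver state. Removable drives load through the
# USBSTOR service; its Start value is 3 (manual start = enabled) by default
# and 4 means disabled. Keyboards, mice and smart-card readers use other
# drivers and are not affected. Run from an elevated PowerShell session.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Returns a short description of the current USBSTOR Start value.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { "Enabled  (Start=$start)" }
        4       { "Disabled (Start=$start)" }
        default { "Unexpected Start value: $start" }
    }
}

function Get-MountedRemovableDrives {
    # DriveType 2 = removable disk in the Win32_LogicalDisk class.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object DeviceID, VolumeName, Size
}

function Set-UsbStorageState {
    # Function name is mine; it only writes the documented Start value.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Write-Host "USBSTOR Start set to $value ($State). Applies when a device is next connected."
}

# Report, then enforce. Comment out the Set-* line to audit only.
Write-Host ("USB mass storage: " + (Get-UsbStorageState))
Get-MountedRemovableDrives | Format-Table -AutoSize
Set-UsbStorageState -State 'Disabled'
Write-Host ("USB mass storage: " + (Get-UsbStorageState))
```

Disabling the driver blocks mass-storage devices only; it does not stop a phone acting as a media device or a network upload, which is why the post above pairs this with mail and web monitoring.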
I pretty much agree with the other experts: the challenge you pose is very expensive to overcome, and money is probably better spent elsewhere. However, according to the type of data you are trying to save, there could be different solutions: for instance, Microsoft Office offers Digital Rights Management products which could be what you need. Whatever you implement, keep in mind that you have to cover ALL ways out: no sense in spending money and leaving just one small trapdoor to the outside.
I'll add a vendor here, Verdasys (http://www.verdasys.com/), which is by far the market leader.
Oooh...good call on the DRM.  Adobe also allows you to put restrictions on PDF documents like no copy/paste and no printing.  DRM is a way of embedding the "allowable uses" within the files themselves.  This frequently relies on the author of the document to configure the DRM rules, however, and this means you are trusting your users.

One other thought I had was it depends on what you're trying to prevent.  Some techniques will put up a barrier, although not an impenetrable one.  This would likely help keep honest people honest.  It would be quite hard to prevent a user from taking and sharing data if they really wanted to do so and also had technical ability.  There are all sorts of ways to bypass controls you may have put in place like screen shots/captures, "printing" to PDF or MDI, and using a web-based email like Gmail to email out documents bypassing your corporate mail server's policies.

Make sure people only have access to information they need to complete their job and make sure they would not have a desire to pass information to a competitor.  Lastly, when someone leaves your company, make sure their account is disabled immediately.
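The last piece of advice above (grant only what the job needs, disable leavers at once) is something the asker can check against the three-tier model in the question. As an added example, not code from the thread, this PowerShell script reads the ACL of each departmental share, maps every entry onto a tier, warns about broad principals or rights it cannot classify, and shows the leaver step. Share paths, department names and the user 'jdoe' are hypothetical; the tier names are mine (NTFS has no "write no modify" right, so 'Write (no Modify)' here means Write bits present without the Modify mask). Get-Acl, Disable-ADAccount and Set-ADUser are standard cmdlets; the last two need the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). Audits departmental shares against the
# three-tier model from the question (Full Control / write / read only),
# flags broad principals and unclassifiable rights, and shows the leaver step.
# Paths, department names and 'jdoe' are hypothetical placeholders.

# ActiveDirectory module ships with RSAT; only the leaver function needs it.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

$Shares = @{
    'Finance'   = 'D:\Shares\Finance'     # hypothetical
    'Marketing' = 'D:\Shares\Marketing'   # hypothetical
}

function Get-PermissionTier {
    # Maps an NTFS rights mask onto a tier name. Tier names are mine: NTFS has
    # no "write no modify" right, so the third tier is Write without Modify.
    # Order matters: FullControl contains Modify, which contains Write/Read.
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $R = [System.Security.AccessControl.FileSystemRights]
    if (($Rights -band $R::FullControl)    -eq $R::FullControl) { return 'Full Control' }
    if (($Rights -band $R::Modify)         -eq $R::Modify)      { return 'Modify' }
    if (($Rights -band $R::Write)          -ne 0)               { return 'Write (no Modify)' }
    if (($Rights -band $R::ReadAndExecute) -ne 0)               { return 'Read only' }
    return 'Other'   # e.g. inherited generic-rights masks or odd custom ACEs
}

function Get-ShareTierReport {
    # One row per ACE on the share root; inherited entries are included
    # because they are what the user actually gets.
    param([string]$Department, [string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Department = $Department
            Identity   = $ace.IdentityReference.Value
            Access     = $ace.AccessControlType          # Allow or Deny
            Tier       = Get-PermissionTier -Rights $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            RawRights  = $ace.FileSystemRights
        }
    }
}

$report = foreach ($dept in $Shares.Keys) {
    Get-ShareTierReport -Department $dept -Path $Shares[$dept]
}
$report | Sort-Object Department, Tier | Format-Table -AutoSize

# Anything allowed to these principals reaches every logged-on user, which
# defeats per-department scoping; 'Other' needs a human look.
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$report |
    Where-Object { $_.Access -eq 'Allow' -and ($Broad -contains $_.Identity -or $_.Tier -eq 'Other') } |
    ForEach-Object { Write-Warning "$($_.Department): $($_.Identity) -> $($_.Tier) ($($_.RawRights))" }

function Disable-LeaverAccount {
    # Disable, never delete: the SID stays resolvable in ACLs and audit logs.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName `
        -Description ('Disabled {0:yyyy-MM-dd}: left company' -f (Get-Date))
}
# Disable-LeaverAccount -SamAccountName 'jdoe'   # hypothetical user
```

Run the report on a schedule and diff it against the previous run; a new 'Full Control' or 'Other' row on a share that should only hold the department's three groups is the kind of drift the advice above is about.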
