scmeeven

Prevent downloading and saving of files when connecting through VPN

Hi,

I have a client with an in-house Windows 2008 server that stores proprietary documents (Word, Excel, PPT, PDF etc.) and videos (demos and training materials) of CAD/CAM software.

They have a mobile workforce (marketing & sales) that travels around the country and connects to the server using USB modems (dongles or data cards). When visiting prospective clients, they connect to the in-house server remotely and pull up the relevant documents and videos to show to the prospects.

The client wants to secure the remote connectivity using VPN, which is not too difficult. However, the client also wants to ensure that none of these proprietary documents or videos can be downloaded or saved locally by any member of the travelling workforce.

Is there a way to do this at all? After all, if they are able to open the application that's needed to open the file/video, they would obviously have the ability to access that application's File menu, which would let them save or download the file to their system?

A bit stumped here and would be thankful for any pointers.

Someone told me to implement a File Server on the Windows Server and then make that accessible only through the Web. Then, the VPN could be configured to access the File Server only through the Web, which would prevent the downloading and saving of files and only enable opening or playback. I am not sure this makes sense to me.

Thanks in advance.
John

If they have access to the file(s) via VPN (which is the same as local in-house access), you cannot prevent them from saving a copy of the file(s).

So there should be a strong company privacy policy to control this, and employees should be trustworthy.

A reasonably shrewd employee would have a copy of the files on their computer before visiting the client to prevent problems with live access during a presentation.

To your last comment, if you can open the file, you can save it elsewhere (even by copying the contents).

... Thinkpads_User
Kimputer

"Opening or playing through a web interface" still doesn't equal "unable to save". You can make it harder, but not impossible (even if it was made impossible, there are still screenshots the person can take).
So you don't trust your own mobile workforce? What makes them so different from the other in-house workforce?
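
The point about web viewing, as an added example that is not part of the original thread or any participant's post: a localhost server delivers a document with every "view only" hint HTTP offers, and the client still ends up holding a byte-identical copy. The document bytes, handler name and URL path are constructed for the illustration.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a proprietary document (not real data).
DOCUMENT = b"%PDF-1.4 constructed stand-in for a proprietary training document"


class ViewOnlyHandler(BaseHTTPRequestHandler):
    """Serves the document with the 'do not save' hints a web front end can send."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/pdf")
        self.send_header("Content-Disposition", "inline")  # render in place, no Save As prompt
        self.send_header("Cache-Control", "no-store")      # ask the client not to keep a cache copy
        self.send_header("Content-Length", str(len(DOCUMENT)))
        self.end_headers()
        self.wfile.write(DOCUMENT)

    def log_message(self, *args):  # silence per-request logging
        pass


def client_copy_matches_server():
    """'View' the document once; return (response headers, whether the bytes are identical)."""
    server = HTTPServer(("127.0.0.1", 0), ViewOnlyHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        url = f"http://127.0.0.1:{server.server_port}/training.pdf"
        with opener.open(url, timeout=5) as resp:
            headers = {k.lower(): v for k, v in resp.getheaders()}
            received = resp.read()  # displaying requires receiving every byte
    finally:
        server.shutdown()
        server.server_close()
    identical = hashlib.sha256(received).digest() == hashlib.sha256(DOCUMENT).digest()
    return headers, identical


if __name__ == "__main__":
    headers, identical = client_copy_matches_server()
    print("Content-Disposition:", headers["content-disposition"])
    print("Cache-Control:", headers["cache-control"])
    print("Client holds a byte-identical copy:", identical)
```

The headers are requests to a cooperating viewer, not enforcement. Controls that keep the bytes off the endpoint altogether are a different category from the web front end the vendor proposed.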
SOLUTION
Rob Williams
This solution is only available to members.
scmeeven

ASKER

@RobWill and @Kimputer, thank you both for the ideas, comments and guidance. I will check out Remote FX.

It's not about not trusting the workforce, either. It's just that the client had some bad experiences before with some of their mobile workforce and got rapped on the knuckles by their vendor as the training materials and documents were proprietary.

I am surprised to hear that VPNs are seen as insecure. Got to learn more about that!

It struck me just now that a DLP solution might help prevent the downloading? For example, one of the DLP solutions from McAfee:
http://www.mcafee.com/in/products/data-protection/data-loss-prevention.aspx

What are your thoughts about this? Would this take care of the data security aspect while the connectivity could still be through VPN or Remote FX etc.?
@Rob, thank you for the explanation about the security concerns of a VPN.

I asked about McAfee because that's the only solution we are familiar with for DLP. You are right about the costs, though.

We were thinking of UTM boxes for the VPN and it was a tech guy from one vendor who suggested what I mentioned in my first post - that implementing a FileServer on the client's in-house server and accessing the docs on that file server through a web url (through VPN, which the UTM box would enable) would take care of this problem. I was skeptical and from your and other comments, it turns out that I was rightly so.

Glad to know I am not alone in this, though. :-)
Thanks scmeeven.
Good luck with the project.
Cheers!
--Rob