Data Security in Remote Location

Hi All,

I'm setting up a remote office.  All of the staff will be new to us.  We will hire a security guard, but realistically he could be easily bribed.  The office is in a 2nd world country so no matter how much we pay our employees, the value of the data on our servers and workstations there is worth many, many years of employment.  Temptation will be high.  The court system does not favour foreign companies.

For physical security, I plan to have the servers locked in a steel bar cage.  Desktops will be physically locked, but of course anyone with a torch can get around these restrictions.  24/7 security guard, but again, bribery is an issue.

For software security I plan to use Windows 7 PCs with Bitlocker whole drive encryption and Network Unlock. There will be Windows 2012R2 servers.  The PCs are Dell T1700 with TPM and UEFI.  Servers are Dell T410 with TPM (not sure about UEFI).

There will be no printers.  No internet access to the desktop VLAN, only the Server VLAN and the MACs will be linked to the ports with switchport security.  DHCP with static IPs.  There will be a site-to-site VPN from the servers to our global network.  USB will be disabled from Group Policy.  I will run Websense Data Security (DLP).   BIOS will be locked, only a single drive will be permitted.  No DVDRW.

I'm concerned if the servers get stolen and someone is able to reset the local account.  Then take ownership of the Hyper-V servers and grab the files from there.  I'd like to encrypt the physical server hard drives with Bitlocker, but I don't think Network Unlock is an option if both servers go down.  I cannot trust a local user with a password or USB to unlock the drive.

What should I be doing here?  Missing anything?  Can you suggest something?  I'm open to anyone's thoughts.

Thanks!
encoad Asked:

Carol Chisholm Commented:
Encrypt the individual files and put in Windows Rights Management Services
https://technet.microsoft.com/en-gb/magazine/2006.10.howitworks.aspx
encoad (Author) Commented:
Hi Carol,

Thank you for the reply.  In my situation it's a lot of files, about a million.  Some contained in a weirdo hybrid SQL/Filesystem database.

Thanks!
McKnife Commented:
Hi.

One thing: Win7 cannot be used for network unlock. That starts with win8. And all devices would need a tom and be able to use dhcp preboot via uefi.

Server encryption: Why not tpm based Bitlocker?

encoad (Author) Commented:
Hi McKnife,

Right you are on the Windows 8.  Guess I'll be free upgrading to Windows 10, eck.    I assume you mean TPM not tom?  The Dell Precision has TPM fortunately (in the USA).

Yes, I'm ok with the TPM based Bitlocker for the servers, but who authorized the unlock of the servers?  If the power is lost, then nobody can boot the servers because they are locked.  We can give a PIN, but then someone there would need the PIN and can single handedly defeat everything.  Who guards the guards?

Is there such a thing as one time use PIN?

Thanks
McKnife Commented:
Just edited my posting. Yes, tpm, not tom...autocorrection fooled me. Is the hardware capable of preboot DHCP via uefi? If not, no network unlock.

Servers: Tpm based BL can be used transparently, no PIN.
encoad (Author) Commented:
Hi McKnife,

Yes, but if the physical servers are stolen and a workstation is stolen, they could use the server to unlock the desktop, I would think, regardless of where it is located.

Thanks
McKnife Commented:
What would they do with that desktop, then? Data shouldn't be kept at the desktop anyway.
encoad (Author) Commented:
Hi McKnife,

I would assume they'd boot up the desktop and find some method to copy files.  For example, reset the BIOS password with a jumper or a call to Dell, install a second hard drive and copy files to their heart's content.  This of course could happen too in the Office, but having it in your living room is easier and less difficult to explain to your co-workers.

Thanks
McKnife Commented:
Sure - as I wrote: no files should be placed at the workstations. It's a common practice to save those to the file server instead. The encryption on the endpoints is not for guarding files but more for safeguarding system integrity.

If you use netunlock for your file server also and that one gets stolen together with the DC - well, then you sure have a problem. That's why at least the file server needs to be physically secured against theft. I know, now you might restart saying there's no one to trust over there - well then there is no way - sadly.
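
The prerequisites and unlock modes discussed in this thread can be audited per machine. The following is an added example, not part of any participant's post; the function name `Get-UnlockPosture` and its output fields are hypothetical, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. Get-Tpm, Get-BitLockerVolume and
# Confirm-SecureBootUEFI do not exist on Windows 7; run elevated on Windows 8 / Server 2012+.
function Get-UnlockPosture {
    param([string]$MountPoint = $env:SystemDrive)

    # Network Unlock clients start with Windows 8 / Server 2012 (NT 6.2).
    $osOk  = [Environment]::OSVersion.Version -ge [version]'6.2'
    $tpm   = Get-Tpm
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady

    # Confirm-SecureBootUEFI returns True/False on UEFI firmware and throws on legacy BIOS.
    try   { $null = Confirm-SecureBootUEFI -ErrorAction Stop; $uefi = $true }
    catch [System.PlatformNotSupportedException] { $uefi = $false }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Classify how the volume unlocks at boot, which decides who must be trusted on site.
    $unlock = if ($vol.ProtectionStatus -ne 'On') {
        'Protection off: data is readable from a removed disk'
    } elseif ($types -contains 'TpmNetworkKey') {
        'Network Unlock: boots unattended only where the unlock server answers'
    } elseif ($types -match '^Tpm(Pin|StartupKey|PinStartupKey)$') {
        'TPM plus PIN or startup key: a local person holds a secret'
    } elseif ($types -contains 'Tpm') {
        'TPM only: boots to the logon screen unattended, also after theft'
    } else {
        'No TPM protector: password, external key or recovery only'
    }

    # Preboot DHCP support in the UEFI firmware cannot be read here; verify it in firmware setup.
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        OsSupportsNetUnlock = $osOk
        TpmReady            = $tpmOk
        UefiFirmware        = $uefi
        KeyProtectors       = $types -join ', '
        UnlockAtBoot        = $unlock
        NetUnlockPrereqsMet = $osOk -and $tpmOk -and $uefi
    }
}

Get-UnlockPosture | Format-List
```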

Carol Chisholm Commented:
What about not hosting the whole lot on your own home site? And use Remote Desktop server to provide access? Sounds like even the cloud might be more secure.
madunix (Fadi SODAH), Chief Information Security Officer, Commented:
All employees of an organization should receive appropriate security awareness training with written security policies and procedures. For new employees, this training should occur before access to information or service is granted. Data classification, procedures/policies, monitoring security awareness program for all employees and periodic audits for data leakage ... are a must.  For example, access control is often based on _least privilege_, which refers to the granting to users of only those accesses required to perform their duties.
encoad (Author) Commented:
Hi Carol,

A good idea, but these will be engineering type computers, Solidworks, so performance would be an issue.  If it was just General documents, you are quite right.

Madunix, this of course is part of the plan.  But the reward for theft is simply too high to ignore.

Thanks,
Nicholas