  • Status: Solved

protecting sensitive data from being downloaded to USB or other devices

Hello.

I am in the process of searching for third-party or Microsoft built-in tools that will protect sensitive data from being downloaded to a USB or other device by users. Currently we have users on Win 7 Pro. Any suggestions or comments would be greatly appreciated.
0
Newguy 123
Asked:
1 Solution
 
John Hurst, Business Consultant (Owner), Commented:
You can disable USB devices, but then people can email sensitive data to themselves, print sensitive data, or even memorize sensitive data.

It is a bit of a losing battle and the real solution is to build trust with users and employees.
1
 
Wayne Herbert Commented:
Or upload to Google Drive, Dropbox, OneDrive, or a host of others.  Or file transfer with Skype.  How does one lock out a user from office.com?

One of the questions I had to answer for an E&O insurance renewal questionnaire was:

Does your firm control access to information that can be displayed, printed, and/or downloaded to external storage devices?

I mean... what is the answer to that?
0
 
John Hurst, Business Consultant (Owner), Commented:
That just amplifies what I said. No way to truly prevent taking sensitive data (short of not letting suspected employees use computers).
0
 
Adam Brown, Sr Solutions Architect, Commented:
There are plenty of Data Loss Prevention solutions out there that can be used to prevent the theft of files. Active Directory Rights Management is the one that comes with Windows Server. https://technet.microsoft.com/en-us/library/cc771627(v=ws.11).aspx has some information on the technology and what can be done with it. https://digitalguardian.com/products/digital-guardian-platform/data-loss-prevention is another potential DLP solution that could work, but I haven't used it. It's just one that could do what you want.

It's important to note here, though, that implementing a DLP solution to secure your files is going to significantly increase the workload and cost of managing the IT environment, so you have to determine if the potential cost of losing files is significant enough to justify the increased cost of managing a solution to secure those files more thoroughly than they are already.
0
 
John Hurst, Business Consultant (Owner), Commented:
Also (and I am highly cynical), nothing stops me from memorizing what I see or even taking a photo of a screen on my personal device. If people want the information they will get it. There needs to be two-way trust built up.
0
 
Adam Brown, Sr Solutions Architect, Commented:
You can't keep people from remembering stuff they work with regularly (passwords and such), or taking pictures of file contents with personal devices (though this is much more obvious and easy to catch than a file transfer based on visual examination), but there is a very low upper limit to what people can remove from the premises (without getting caught) using those methods, barring an employee with serious photographic memory capabilities.

Security isn't about absolute prevention. It's about making things difficult enough that the vast majority of attempts to do something are technically impossible. You can't create a password that is unbreakable. Given time, every password can be broken. That is not a good justification for failing to implement passwords, though, because it *is* possible to create passwords that take so long to crack that the universe will implode before it can be done with current technology.

In the same turn, the fact that you can't prevent people from memorizing documents or taking pictures with their phones doesn't justify ignoring security solutions that prevent people from taking the files themselves, if the potential risk of losing those files justifies the costs involved in implementing such solutions.
0
 
Learnctx, Engineer, Commented:
There is no foolproof way to stop people from exfiltrating data from your company. You can put in DLP but it can be bypassed or tricked. You can do whatever you want, if someone wants to get data out they will one way or another. It could be using a camera, printing the documents, memory, etc. What you need is proper security auditing combined with DLP protection and user education.

If someone is looking at data they should not be looking at you need to be able to detect that.

If someone is looking at data they have a right to look at, this is a trust thing then. You are at the mercy of that person's integrity. If they're looking at data they are allowed to be looking at but the scenario is suspect, you should be detecting that (for example someone looking up a friend's finances). Where is the inbound request for them to take that action?

If someone wants to photo/scan/manually record documents...how can you stop that? I can tell you how we stop that for some of our staff.

1. When they enter the building they are searched top to bottom. Even their clothes are checked.
2. Everything they carry is taken off them.
3. They are weighed very accurately on entry and exit.
4. They are never allowed in on their own.
5. The environment is extremely locked down (physically, network and application levels).
6. They are watched on camera as well as by an on-the-floor supervisor who is monitoring.

We do this for some of our people in China. It costs a lot of money and is a painful and arduous process. It would still not stop them sitting down and over time memorising something to exfiltrate that data. So if one of these people was truly determined to memorise some data to get it out...what can you do? Unless it's 1984 and you have the thought police, nothing. The point is to dissuade people from taking data. I would say the best way to do this is to keep them happy and make them have a vested interest in your business. Someone who feels part of something is less likely to screw you.
0
 
John Hurst, Business Consultant (Owner), Commented:
I would not do that to people and I would not enter any premises that did that.

To my point above, simpler to engage in Trust and to restrict documents "for your eyes only" to a restricted, trusted group of people.
0
 
McKnife Commented:
More than 2 cents to add:

Technical measures to solve the core question (stop downloads to removable devices) do exist. If you don't want to block removable devices completely, which is possible using GPOs, you can at least make sure that the data people copy to their USB devices can only be viewed on computers that belong to your domain. I wrote an article about this fairly unknown method. Please note that in order to take advantage of it, you'd need Windows 8.x or Windows 10, so you'd have to upgrade.
Please read A-new-aspect-to-securing-USB-data-SID-protectors
0
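
A read-only audit of the two controls named in the comment above, as an added PowerShell example that is not part of the original thread or the linked article: it reports whether the removable-storage GPO settings are applied on a workstation and whether each mounted removable drive carries a domain-bound key protector. It assumes the "SID protectors" in question are BitLocker AD account or group key protectors; the function name and output property names are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: read-only audit of removable-media controls.
# Assumption: "SID protectors" = BitLocker AD account/group key protectors (Windows 8+).

$rsd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$disk = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class
$fve  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Test-PolicyEnabled {
    param([string]$Path, [string]$Name)
    # An absent key or value means the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    [bool]($item -and $item.$Name -eq 1)
}

# 1. Group Policy state: is removable storage blocked, or writable only when encrypted?
$policy = [pscustomobject]@{
    DenyAllRemovableStorage  = Test-PolicyEnabled $rsd 'Deny_All'
    DenyWriteRemovableDisks  = Test-PolicyEnabled "$rsd\$disk" 'Deny_Write'
    DenyWriteUnlessBitLocker = Test-PolicyEnabled $fve 'RDVDenyWriteAccess'
}

# 2. Per-drive state: which key protectors can unlock each mounted removable volume?
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
$drives = foreach ($vol in $removable) {
    $mount = "$($vol.DriveLetter):"
    $blv   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    $types = @()
    if ($blv) {
        $types = @($blv.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    }
    [pscustomobject]@{
        Drive          = $mount
        Protection     = "$($blv.ProtectionStatus)"
        # True when an AD account/group (SID) protector is present.
        DomainBound    = $types -contains 'AdAccountOrGroup'
        # Protectors that also unlock the drive on machines outside the domain.
        UnlockAnywhere = @($types | Where-Object {
            $_ -in 'Password', 'RecoveryPassword', 'ExternalKey' }) -join ','
    }
}

$policy | Format-List
$drives | Format-Table -AutoSize
```

A drive that shows `DomainBound = True` but a non-empty `UnlockAnywhere` can still be opened off-domain by anyone who holds that password or key, so both columns need checking.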
 
Senior IT System Engineer, IT Professional, Commented:
Or you can use the Symantec Endpoint Network Access Control (SNAC).
0
 
McKnife Commented:
Only one solution was helpful? All helpful solutions should be honored.
0