Protecting sensitive data from being downloaded to USB or other devices

Posted on 2016-08-12
Last Modified: 2016-08-20

I am in the process of searching for third-party or Microsoft built-in tools that will protect sensitive data from being downloaded to a USB or other device by users. Currently we have users on Win 7 Pro. Any suggestions or comments would be greatly appreciated.
Question by:Newguy 123
LVL 96

Expert Comment

by:Experienced Member
ID: 41754122
You can disable USB devices, but then people can email sensitive data to themselves, print sensitive data, or even memorize sensitive data.

It is a bit of a losing battle and the real solution is to build trust with users and employees.

Expert Comment

by:Wayne Herbert
ID: 41754206
Or upload to Google Drive, Dropbox, OneDrive, or a host of others.  Or file transfer with Skype.  How does one lock out a user from

One of the questions I had to answer for an E&O insurance renewal questionnaire was:

Does your firm control access to information that can be displayed, printed, and/or downloaded to external storage devices?

I mean... what is the answer to that?
LVL 96

Expert Comment

by:Experienced Member
ID: 41754208
That just amplifies what I said. No way to truly prevent taking sensitive data (short of not letting suspected employees use computers).
LVL 41

Accepted Solution

Adam Brown earned 500 total points
ID: 41754230
There are plenty of Data Loss Prevention solutions out there that can be used to prevent the theft of files. Active Directory Rights Management is the one that comes with Windows Server. has some information on the technology and what can be done with it. is another potential DLP solution that could work, but I haven't used it. It's just one that could do what you want.

It's important to note here, though, that implementing a DLP solution to secure your files is going to significantly increase the workload and cost of managing the IT environment, so you have to determine if the potential cost of losing files is significant enough to justify the increased cost of managing a solution to secure those files more thoroughly than they are already.
LVL 96

Expert Comment

by:Experienced Member
ID: 41754237
Also (and I am highly cynical), nothing stops me from memorizing what I see or even taking a photo of a screen on my personal device. If people want the information they will get it. There needs to be two-way trust built up.
LVL 41

Expert Comment

by:Adam Brown
ID: 41754281
You can't keep people from remembering stuff they work with regularly (passwords and such), or taking pictures of file contents with personal devices (though this is much more obvious and easy to catch than a file transfer based on visual examination), but there is a very low upper limit to what people can remove from the premises (without getting caught) using those methods, barring an employee with serious photographic memory capabilities.

Security isn't about absolute prevention. It's about making things difficult enough that the vast majority of attempts to do something are technically impossible. You can't create a password that is unbreakable. Given time, every password can be broken. That is not a good justification for failing to implement passwords, though, because it *is* possible to create passwords that take so long to crack that the universe will implode before it can be done with current technology.

In the same turn, the fact that you can't prevent people from memorizing documents or taking pictures with their phones doesn't justify ignoring security solutions that prevent people from taking the files themselves, if the potential risk of losing those files justifies the costs involved in implementing such solutions.
LVL 17

Expert Comment

ID: 41754500
There is no foolproof way to stop people from exfiltrating data from your company. You can put in DLP but it can be bypassed or tricked. You can do whatever you want, if someone wants to get data out they will one way or another. It could be using a camera, printing the documents, memory, etc. What you need is proper security auditing combined with DLP protection and user education.

If someone is looking at data they should not be looking at you need to be able to detect that.

If someone is looking at data they have a right to look at; this is a trust thing then. You are at the mercy of that person's integrity. If they're looking at data they are allowed to be looking at but the scenario is suspect, you should be detecting that (for example someone looking up a friend's finances). Where is the inbound request for them to take that action?

If someone wants to photo/scan/manually record, can you stop that? I can tell you how we stop that for some of our staff.

1. When they enter the building they are searched top to bottom. Even their clothes are checked.
2. Everything they carry is taken off them.
3. They are weighed very accurately on entry and exit.
4. They are never allowed in on their own.
5. The environment is extremely locked down (physically, network and application levels).
6. They are watched on camera as well as by an on-the-floor supervisor who is monitoring.

We do this for some of our people in China. It costs a lot of money and is a painful and arduous process. It would still not stop them sitting down and over time memorising something to exfiltrate that data. So if one of these people was truly determined to memorise some data to get it out...what can you do? Unless it's 1984 and you have the thought police, nothing. The point is to dissuade people from taking data. I would say the best way to do this is to keep them happy and make them have a vested interest in your business. Someone who feels part of something is less likely to screw you.
LVL 96

Expert Comment

by:Experienced Member
ID: 41754504
I would not do that to people and I would not enter any premises that did that.

To my point above, simpler to engage in Trust and to restrict documents "for your eyes only" to a restricted, trusted group of people.
LVL 55

Expert Comment

ID: 41754761
More than 2 cents to add:

Technical measures to solve the core question (stop downloads to removable devices) do exist. If you don't want to block removable devices completely, which is possible using GPOs, you can at least make sure that the data people copy to their USB devices can only be viewed on computers that belong to your domain. I wrote an article about this fairly unknown method. Please note that in order to take advantage of it, you'd need Windows 8.x or Windows 10, so you'd have to upgrade.
Please read A-new-aspect-to-securing-USB-data-SID-protectors
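
The two measures described in the comment above, as an added example that is not part of the original post or the linked article: a check of the registry values the removable-storage Group Policy settings write on a client, and a helper that adds an Active Directory account/group (SID) protector to an already encrypted removable drive. The drive letter `E:` and the group `CONTOSO\Domain Users` are placeholders, and the BitLocker cmdlets assume Windows 8 or later.

```powershell
# Added example. Registry locations written by the removable-storage GPO settings.
$rsd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$disk = Join-Path $rsd '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" class
$fve  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-RemovableStoragePosture {
    $checks = @(
        @{ Setting = 'All Removable Storage classes: Deny all access'; Path = $rsd;  Name = 'Deny_All' }
        @{ Setting = 'Removable Disks: Deny read access';              Path = $disk; Name = 'Deny_Read' }
        @{ Setting = 'Removable Disks: Deny write access';             Path = $disk; Name = 'Deny_Write' }
        @{ Setting = 'Deny write to drives not protected by BitLocker'; Path = $fve; Name = 'RDVDenyWriteAccess' }
    )
    foreach ($c in $checks) {
        $v = Get-PolicyValue -Path $c.Path -Name $c.Name
        $shown = 'not configured'
        if ($null -ne $v) { $shown = $v }
        [pscustomobject]@{ Setting = $c.Setting; Value = $shown; Enforced = ($v -eq 1) }
    }
}

function Add-DomainProtector {
    param([string]$MountPoint, [string]$Group)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is not fully encrypted; encrypt it before adding a protector."
    }
    # Skip if an AD account/group protector is already present.
    if ($vol.KeyProtector.KeyProtectorType -contains 'AdAccountOrGroup') { return $vol }
    # Note: a password protector left on the drive still unlocks it outside the domain.
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -AdAccountOrGroupProtector -AdAccountOrGroup $Group
}

# Report the current policy state on this machine (read-only).
Get-RemovableStoragePosture | Format-Table -AutoSize

# Placeholder values; run elevated on a domain-joined machine with the drive inserted:
# Add-DomainProtector -MountPoint 'E:' -Group 'CONTOSO\Domain Users'
```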

Expert Comment

by:Senior IT System Engineer
ID: 41754808
Or you can use the Symantec Endpoint Network Access Control (SNAC).
LVL 55

Expert Comment

ID: 41763678
Only one solution was helpful? All helpful solutions should be honored.


Question has a verified solution.
