Link to home
Start Free TrialLog in
Avatar of hypercube
hypercubeFlag for United States of America

asked on

Is blocking file transfer to the outside a realistic objective?

As a result of an audit, it's been suggested that we disable Dropbox and Google Drive to prevent distribution of sensitive information as an "inside job".
Yet, there are obviously more alternatives/"threats"
https://startupstash.com/dropbox-alternatives/
I can't imagine blocking these services one-by-one.
And, in the case of Google Drive, I haven't figured out yet just *how* to block it - perhaps by removing some Google app's from workstations?
I guess one could block outgoing ftp transfers....

I can well imagine that this is an unrealistic objective - given the number of "threats".
But, rather than jumping to that conclusion, I'd value other perspectives.
Avatar of John
John
Flag of Canada image

Drop Box you need to uninstall and block from installing (standard user).
Google Drive is much the same - uninstall it.

Remember there are many ways to take information away including simply reading it.

So have a Company Policy that clearly lays out the privacy of Company Information and it would be a firing offence to inappropriately take it away.

Company Policies are best for this because all technologies are doomed to fail (people can read and retain; people can copy portions of documents to a file on their own USB key, etc.)
Avatar of David Favor
You can put in place all sorts of policies + there's no real way to block evil people shipping off sensitive data.

Only way to do this at a 100% level is to use Government style security protocols.

1) Every human scanned at points of entry.

2) Every item carried by a human scanned at points of entry.

3) Any electronic device - phone, tablet, watch, laptop - confiscated at points of entry, then returned a person exits.

4) All on premises devices BIOS locked, so they can't be booted into BIOS or single user mode.

Tip: Generally there are 2x types of companies. Those who hire anyone. Those who hire trustworthy people.

When companies grow to a certain point, you must consider every employee suspect.

For small companies, best to pay people well + only hire trustworthy people... because...

You will never be smarter than all the people, all the time...

In other words, if you think your management thinks they can block people stealing data, they're delusional... resembling management from Dilbert cartoons.
Policies do not prevent technology, BUT they do permit discipline which is the purpose of them
Let's redefine the goal: The goal should be to disallow uncontrolled outbound data flow.

Imagine the computers without direct internet access. What could go out?
-mails they send via your mail server
-files they copy on usb or burn to disk
-data they print or take home scanned on their phones

But clearly, not having direct internet access would be a start. And it's possible (we do it) to still get your work done.
We let people use a browser in a RemoteApp-Session. So the computer that provides the browser is a server, which is under total control - no uploads even possible. If you are interested in that concept, I will soon publish an article about it.
@McKnife Yes please link to the finished article.
What you are looking for is a Rights Management Service like AD RMS or Azure Information Protection
https://docs.microsoft.com/en-us/azure/information-protection/compare-on-premise
Even with Rights Management, some can read, remember and comprehend the document
If they don't have read or view access then they can't read it.
For every security measure there is a way around it.  If I have just view rights I can take my smartphone and take a picture of the document.
There is a saying that there is no such thing as fool proof since fools are so ingenious

More into on AIP and ADRMS https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
Avatar of hypercube

ASKER

Thank you all!!
I'm not surprised.

John did answer the specific Dropbox and Google Drive mechanisms.
I was able to block Dropbox with our firewall.
I was not able to do the same with Google Drive but still .... automated removal of the local software may be an approach.
There are those many other similar outside storage services and, as I mentioned, I don't want to deal with them one at a time.

I have to overlook that the actual objective (which McKnife nicely points out) is really being missed.
My sense is that McKnife is working in an environment that's more secure than this current one needs to be and will ever be.  I've been there so do understand.  No SCIF or the like.

David Favor provides a nice list and we have considered those aspects.  Yet, that's wasn't the focus of the direction or suggestion received.  It didn't go that far.  I can't help what's asked for but can only respond.  

I don't know enough about AD RMS to be able to judge how it plays into an organization's documents.  It mentions "app's" .. so I'd ask: "What app's?"  

As a practical matter, imagine a fenced pasture with 100 steers and 10 gates.  If you have all the gates open and then close one gate at some inconvenience, is that sensible? (likely not)  if you close 9 of the 10 gates, is that an improvement re: the ultimate objective? (yes).  And, might someone accept that improvement as "good enough"?
Even SCIFs are graded according to what they have to prevent penetration in order to be approved.  So the question always becomes "how good is good enough?" and then somebody is in a position to decide.  

So, while it may seem inadvisable to ONLY prevent outgoing file storage (leading to outside transfers/sharing), that's what was asked for.
So, I ask if there's a practical way to do that - accepting its limitations re: broader objectives.  The goal is to check off a box in a checklist.  Even I expanded on the objective by going from Dropbox and Google Drive to the *class* of outside storage services.
Either this slightly expanded objective is feasible or it isn't.  I suspect it isn't within *my* context.  But one never knows if they don't ask.

Should I conclude that it isn't feasible in a "normal" commercial environment?
ASKER CERTIFIED SOLUTION
Avatar of John
John
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
You could look into implementing DLP. Certainly not a simple by any means, and could go a lot of directions..

1) Putting a web proxy into place, then work on blocking things categorized as file transfer services (not 100%, but far ahead of where you are now). Note you may have authorized tools or services, so take that into account.
2) Putting in rules to block USB flash drives
3) Putting in a system (i.e. Varonis) to detect movement of sensitive data

Is this a desktop only environment, or are there laptops also?
Thanks all!!
You are very welcome and I was happy to assist