Is blocking file transfer to the outside a realistic objective?

Fred Marshall
As a result of an audit, it's been suggested that we disable Dropbox and Google Drive to prevent distribution of sensitive information as an "inside job".
Yet, there are obviously more alternatives/"threats"
https://startupstash.com/dropbox-alternatives/
I can't imagine blocking these services one-by-one.
And, in the case of Google Drive, I haven't figured out yet just *how* to block it - perhaps by removing some Google apps from workstations?
I guess one could block outgoing ftp transfers....

I can well imagine that this is an unrealistic objective - given the number of "threats".
But, rather than jumping to that conclusion, I'd value other perspectives.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Dropbox you need to uninstall and block from installing (standard user).
Google Drive is much the same - uninstall it.

Remember there are many ways to take information away including simply reading it.

So have a Company Policy that clearly lays out the privacy of Company Information and it would be a firing offence to inappropriately take it away.

Company Policies are best for this because all technologies are doomed to fail (people can read and retain; people can copy portions of documents to a file on their own USB key, etc.)
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You can put in place all sorts of policies + there's no real way to block evil people shipping off sensitive data.

Only way to do this at a 100% level is to use Government style security protocols.

1) Every human scanned at points of entry.

2) Every item carried by a human scanned at points of entry.

3) Any electronic device - phone, tablet, watch, laptop - confiscated at points of entry, then returned when a person exits.

4) All on premises devices BIOS locked, so they can't be booted into BIOS or single user mode.

Tip: Generally there are 2x types of companies. Those who hire anyone. Those who hire trustworthy people.

When companies grow to a certain point, you must consider every employee suspect.

For small companies, best to pay people well + only hire trustworthy people... because...

You will never be smarter than all the people, all the time...

In other words, if you think your management thinks they can block people stealing data, they're delusional... resembling management from Dilbert cartoons.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Policies do not prevent technology, BUT they do permit discipline which is the purpose of them.
Distinguished Expert 2018

Commented:
Let's redefine the goal: The goal should be to disallow uncontrolled outbound data flow.

Imagine the computers without direct internet access. What could go out?
- mails they send via your mail server
- files they copy on USB or burn to disk
- data they print or take home scanned on their phones

But clearly, not having direct internet access would be a start. And it's possible (we do it) to still get your work done.
We let people use a browser in a RemoteApp-Session. So the computer that provides the browser is a server, which is under total control - no uploads even possible. If you are interested in that concept, I will soon publish an article about it.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
@McKnife Yes please link to the finished article.
Top Expert 2016

Commented:
What you are looking for is a Rights Management Service like AD RMS or Azure Information Protection
https://docs.microsoft.com/en-us/azure/information-protection/compare-on-premise
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Even with Rights Management, some can read, remember and comprehend the document
Top Expert 2016

Commented:
If they don't have read or view access then they can't read it.
For every security measure there is a way around it.  If I have just view rights I can take my smartphone and take a picture of the document.
There is a saying that there is no such thing as fool proof since fools are so ingenious

More info on AIP and AD RMS: https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection

Author

Commented:
Thank you all!!
I'm not surprised.

John did answer the specific Dropbox and Google Drive mechanisms.
I was able to block Dropbox with our firewall.
I was not able to do the same with Google Drive but still .... automated removal of the local software may be an approach.
There are those many other similar outside storage services and, as I mentioned, I don't want to deal with them one at a time.

I have to overlook that the actual objective (which McKnife nicely points out) is really being missed.
My sense is that McKnife is working in an environment that's more secure than this current one needs to be and will ever be.  I've been there so do understand.  No SCIF or the like.

David Favor provides a nice list and we have considered those aspects.  Yet, that wasn't the focus of the direction or suggestion received.  It didn't go that far.  I can't help what's asked for but can only respond.

I don't know enough about AD RMS to be able to judge how it plays into an organization's documents.  It mentions "app's" .. so I'd ask: "What app's?"  

As a practical matter, imagine a fenced pasture with 100 steers and 10 gates.  If you have all the gates open and then close one gate at some inconvenience, is that sensible? (likely not)  if you close 9 of the 10 gates, is that an improvement re: the ultimate objective? (yes).  And, might someone accept that improvement as "good enough"?
Even SCIFs are graded according to what they have to prevent penetration in order to be approved.  So the question always becomes "how good is good enough?" and then somebody is in a position to decide.  

So, while it may seem inadvisable to ONLY prevent outgoing file storage (leading to outside transfers/sharing), that's what was asked for.
So, I ask if there's a practical way to do that - accepting its limitations re: broader objectives.  The goal is to check off a box in a checklist.  Even I expanded on the objective by going from Dropbox and Google Drive to the *class* of outside storage services.
Either this slightly expanded objective is feasible or it isn't.  I suspect it isn't within *my* context.  But one never knows if they don't ask.

Should I conclude that it isn't feasible in a "normal" commercial environment?
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Should I conclude that it isn't feasible in a "normal" commercial environment?

I think so, yes.  You can take normal security precautions (no access to stuff people do not need) and have good protective policies in place. Our clients do this.
Distinguished Expert 2018

Commented:
You could look into implementing DLP. Certainly not simple by any means, and could go a lot of directions.

1) Putting a web proxy into place, then work on blocking things categorized as file transfer services (not 100%, but far ahead of where you are now). Note you may have authorized tools or services, so take that into account.
2) Putting in rules to block USB flash drives
3) Putting in a system (i.e. Varonis) to detect movement of sensitive data

Is this a desktop only environment, or are there laptops also?
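
A sketch of the category-based proxy policy from point 1 above, added here as an illustration and not posted by anyone in the thread: it blocks the file-transfer category, honours an allow-list for authorized services, and flags large uploads to uncategorized hosts for review, since category feeds are "not 100%". The category table, the `sanctioned-share.test` and `unknown-share.test` hosts, the size threshold and the log format are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed category feed; a real proxy gets this from its URL-categorization vendor.
CATEGORIES = {
    "dropbox.com": "file-transfer",
    "drive.google.com": "file-transfer",
    "wetransfer.com": "file-transfer",
    "sanctioned-share.test": "file-transfer",   # hypothetical approved service
    "example-crm.test": "business",
}
BLOCKED_CATEGORIES = {"file-transfer"}
AUTHORIZED = {"sanctioned-share.test"}   # exceptions for authorized tools
UPLOAD_METHODS = {"POST", "PUT"}
LARGE_UPLOAD = 5_000_000                 # bytes; assumed review threshold

def categorize(host):
    """Longest-suffix match so api.dropbox.com inherits dropbox.com's category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORIES:
            return suffix, CATEGORIES[suffix]
    return None, "uncategorized"

def decide(method, url, sent_bytes):
    """Return 'block', 'review' or 'allow' for one proxied request."""
    matched, category = categorize(urlsplit(url).hostname or "")
    if category in BLOCKED_CATEGORIES:
        return "allow" if matched in AUTHORIZED else "block"
    # The feed will miss new services: surface big uploads to unknown hosts.
    if (category == "uncategorized" and method in UPLOAD_METHODS
            and sent_bytes >= LARGE_UPLOAD):
        return "review"
    return "allow"

# Constructed proxy log lines: user method url bytes_sent
SAMPLE_LOG = """\
alice POST https://api.dropbox.com/2/files/upload 7340032
bob PUT https://upload.sanctioned-share.test/x 1048576
carol POST https://files.unknown-share.test/up 9437184
dave GET https://example-crm.test/accounts 512
erin POST https://wetransfer.com/api/v4/transfers 2048
"""

def evaluate(log_text):
    """Apply the policy to each log line and return (user, verdict) pairs."""
    results = []
    for line in log_text.splitlines():
        user, method, url, size = line.split()
        results.append((user, decide(method, url, int(size))))
    return results

if __name__ == "__main__":
    for user, verdict in evaluate(SAMPLE_LOG):
        print(user, verdict)
```

The "review" verdict is the part that addresses the one-service-at-a-time problem raised in the question: services the feed has not categorized yet still show up when someone pushes a large upload to them.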

Author

Commented:
Thanks all!!
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You are very welcome and I was happy to assist
