Slashdot Mirror


Securing Files in a Hostile Workplace?

lockdown asks: "How do I secure the files used in my department? I work in an engineering department and I've been tasked with securing our electronic files. We are a likely target of pirates, both internal and external. The 'resale' value of our files is very large. Attackers would be interested in selling our files or just posting them publicly for bragging rights. While I trust our engineers, many of whom have been here over 10 years, we do have many short-timers and temps in other departments. Worst of all, our IT department is clueless and even hostile to our efforts. (They are proud that, 'our network is so outdated that it can't be hacked.') How do I come up with a way to secure our files in a hostile environment and still get our work done?"

"The constraints of my personal situation include:

  1. the world controlled by the IT department (the network, most servers, tape backups, external firewalls, etc.) is out of my control,
  2. we do not have good physical control of our environment to prevent physical theft or PC access,
  3. we need to compartmentalize access to different teams,
  4. we need to be able to recover access in the event a bus hits an engineer,
  5. engineers need to be able to securely take files home,
  6. data files can range into the GBs,
  7. this can't get in the way of getting work done,
  8. being engineers, we tend to work with a wide range of obscure tools that are unlikely to be supported by commercial solutions and may not play nice with the OS,
  9. we are stuck with Win boxes as clients, but we could have a local dept. *nix security server,
  10. each engineer needs to be able to enable access to any other engineer,
  11. I would like at least 2 factor security, something you know and something you have,
  12. I would like the 'something you have' attached to the engineer's car key ring (something you can't go home without), and
  13. open source preferred (no proprietary pixie dust, please)."

1 of 88 comments

  1. Re:PGP by Mattcelt · Score: 2, Informative

    Indeed, PGPDisk seems to be the best solution in the short term.

    PGP supports enforced corporate encryption key redundancy, allowing you to hold a master decryption key which will allow you to recover any file.

    Better yet, that master key can be broken into parts and only be restored by a subset of keyholders (an m of n reconstitution) so that no one rogue person can act alone; it requires m people to recover the master key.

    PGPDisk sets up a virtual partition on the hard disk, and is native to Wintel platforms, which would allow it to exist in your current environment.

    You can also use x509 certificates if you want. And either x509 certs or the native PGP key format can be stored on a hardware token such as a Rainbow iKey, Dallas Semiconductor iButton, Smart Card (Schlumberger, GemPlus, Datakey, etc.), or other PKCS#11 hardware crypto token.

    I'm fairly sure this will fit all your criteria if it is properly engineered. Poorly implemented security is worse than none at all.

    I have done this sort of implementation before, and it's not incredibly complex once you know what you are doing. You would do well to hire a professional to take a few days to architect the solution for you.

    Good luck!
    Mattcelt
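
The m-of-n reconstitution Mattcelt describes is threshold secret sharing; the following is an added example, not PGP's or Mattcelt's code, implementing Shamir's scheme in Python so that a constructed 32-byte master key is split among 5 custodians and any 3 of them (but no 2) can reconstitute it. The 521-bit field prime and the 32-byte key length are assumptions chosen for the illustration.

```python
# Added illustration, not PGP's implementation: threshold (m-of-n) secret
# sharing of a master key using Shamir's scheme over a prime field.
import secrets

# Assumption: a 521-bit Mersenne prime, large enough to hold a 256-bit key.
PRIME = 2**521 - 1

def split_secret(secret, m, n):
    """Split an integer secret into n shares; any m of them recover it."""
    assert 0 < m <= n and 0 <= secret < PRIME
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x = 0; needs at least m distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def split_key(key, m, n):
    """Share a master key given as bytes."""
    return split_secret(int.from_bytes(key, "big"), m, n)

def recover_key(shares, length):
    """Reconstitute the key bytes from a quorum of shares."""
    return recover_secret(shares).to_bytes(length, "big")

if __name__ == "__main__":
    master = secrets.token_bytes(32)   # constructed sample master key
    shares = split_key(master, 3, 5)    # 3-of-5 custodians
    # A quorum of 3 recovers the key; 2 shares yield an unrelated field element.
    print(recover_key(shares[:3], 32) == master)                        # True
    print(recover_secret(shares[:2]) == int.from_bytes(master, "big"))  # False
```

Each custodian's (x, y) pair is what a hardware token would hold; the key itself never has to exist on disk outside a recovery session.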