Slashdot Mirror


Securing Files in a Hostile Workplace?

lockdown asks: "How do I secure the files used in my department? I work in an engineering department and I've been tasked with securing our electronic files. We are a likely target of pirates, both internal and external. The 'resale' value of our files is very large. Attackers would be interested in selling our files or just posting them publicly for bragging rights. While I trust our engineers, many of whom have been here over 10 years, we do have many short-timers and temps in other departments. Worst of all, our IT department is clueless and even hostile to our efforts. (They are proud that, 'our network is so outdated that it can't be hacked.') How do I come up with a way to secure our files in a hostile environment and still get our work done?"

"The constraints of my personal situation include:

  1. the world controlled by the IT department (the network, most servers, tape backups, external firewalls, etc.) is out of my control,
  2. we do not have good physical control of our environment to prevent physical theft or PC access,
  3. we need to compartmentalize access to different teams,
  4. we need to be able to recover access in the event a bus hits an engineer,
  5. engineers need to be able to securely take files home,
  6. data files can range into the GBs,
  7. this can't get in the way of getting work done,
  8. being engineers, we tend to work with a wide range of obscure tools that are unlikely to be supported by commercial solutions and may not play nice with the OS
  9. we are stuck with Win boxes as clients, but we could have a local dept. *nix security server,
  10. each engineer needs to be able to enable access to any other engineer,
  11. I would like at least 2 factor security, something you know and something you have,
  12. I would like the 'something you have,' attached to engineer's car key ring (something you can't go home without) and
  13. open source preferred (no proprietary pixie dust, please)."

7 of 88 comments

  1. Dear slashdot, by Godeke · · Score: 4, Insightful

    I have a laundry list of requirements that would tax any reasonable person's mind, no control over my environment, obscure software tools and no money. Please fix this for me.

    Thank you,
    Hopelessly Clueless Engineering, Inc.


    Geeze. Having implemented document control for ISO compliance at an engineering firm that does aerospace parts, I can safely say there is no way your requirements are compatible with any software solution. You have *systematic* problems that are far greater than any humble software could aspire to solving.

    --
    Sig under construction since 1998.
  2. You're screwed. by dougmc · · Score: 4, Insightful
    Assuming that all your constraints are unalterable, you're screwed.

    1) if you can't trust your IT department, you're screwed, especially if management thinks they should have access (they're IT -- it's their job.) You could deny IT access, by handling everything yourself, but that's often a political nightmare.

    2) without physical security, you have no security. You could encrypt the filesystems, but that has its own set of problems. It wasn't that long ago that somebody stole an entire mainframe in Australia.

    4) if things are encrypted, more than one person needs to know the passcodes. But the more people who have access, the more people that can do bad things ...

    7) is a big one. If you can only trust some of your engineers, then only the engineers you can trust can have access to the files. But obviously engineers you can't trust need access too ... you're screwed.

    10) yikes.

    1. Re:You're screwed. by sakyamuni · · Score: 2, Insightful

      ...and don't forget:
      5) yikes.

      5. engineers need to be able to securely take files home

      That's another Sisyphean predicament. It's hard enough to control the company network, but effectively impossible to control your engineers' home environment.

      There's no magic technology bullet that'll solve your problems.

  3. do what the US does with classified networks by Anonymous Coward · · Score: 1, Insightful

    install the AirGap(TM) firewall.

  4. You might as well ask... by deque_alpha · · Score: 2, Insightful

    What is the meaning of life? Seriously, your situation and requirements basically preclude any solution. The only way to get this done is to change either the security requirements, or the existing situation. Since I am assuming that the security requirements are there for good reason, you have to change the half-assed existing situation that is getting in your way. Once that is complete, the only thing that comes to mind is PGP / GPG encryption using a token on a USB keychain or something similar as the decrypting key with DVD-R of some flavor to move the data, but even that is not as platform portable as you want.

  5. Your requirements are incompatible by Circuit+Breaker · · Score: 4, Insightful

    .. even without the hostile environment.

    If engineers can take the files home, you'll have to secure their home networks as well. Can you trust them to do that competently?

    If any engineer can give access to any other engineer, you can't effectively divide teams. Within very little time, all engineers will acquire access rights to all processes. That's what usually happens.

    You'll need to rework your requirements to a list that is consistent with itself first (which means, mostly, thinking which of these requirements are more important). Then you can start looking for a solution.

    And don't trust security advice from Slashdot. For every competent answer, you'll get ten incompetent ones, and unless you have a good security background, you won't be able to tell the difference.
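
The conflict raised in the comment above, between letting any engineer grant access (requirement 10) and compartmentalizing teams (requirement 3), as an added example that is not part of the original thread: it replays a constructed grant log, lists who ends up holding each compartment from outside the owning team, and traces the grant chain behind each holder. The team names, users, log entries and the owner-only approval policy are assumptions made for illustration.

```python
from collections import namedtuple

Grant = namedtuple("Grant", "granter grantee compartment")

# Constructed sample data: two teams, each owning one compartment.
TEAMS = {"engine": {"alice", "bob"}, "airframe": {"carol", "dave"}}
OWNERS = {"engine": "alice", "airframe": "carol"}   # hypothetical designated approvers
LOG = [
    Grant("bob", "carol", "engine"),      # favour for a colleague on a deadline
    Grant("carol", "dave", "engine"),     # re-shared by someone outside the team
    Grant("dave", "temp1", "engine"),     # reaches a temp two hops later
    Grant("carol", "bob", "airframe"),
    Grant("temp2", "temp1", "airframe"),  # granter never held access
]

def replay(log, owner_only=False):
    """Replay grants; return (holders, provenance, rejected)."""
    holders = {c: set(members) for c, members in TEAMS.items()}
    provenance = {}          # (grantee, compartment) -> granter
    rejected = []
    for g in log:
        allowed = g.granter in holders[g.compartment]
        if owner_only:       # stricter rule: only the designated owner may grant
            allowed = allowed and g.granter == OWNERS[g.compartment]
        if not allowed:
            rejected.append(g)
            continue
        if g.grantee not in holders[g.compartment]:
            holders[g.compartment].add(g.grantee)
            provenance[(g.grantee, g.compartment)] = g.granter
    return holders, provenance, rejected

def chain(user, compartment, provenance):
    """Walk grants back to the original team member who started the chain."""
    path = [user]
    while (path[-1], compartment) in provenance:
        path.append(provenance[(path[-1], compartment)])
    return path[::-1]

def outsiders(holders):
    """Users holding a compartment that their own team does not own."""
    return {c: sorted(h - TEAMS[c]) for c, h in holders.items()}

if __name__ == "__main__":
    holders, prov, rejected = replay(LOG)
    print("outside holders:", outsiders(holders))
    print("chain to temp1:", chain("temp1", "engine", prov))
    print(len(replay(LOG, owner_only=True)[2]), "grants blocked under owner-only approval")
```

Run against a real grant log, the chain output shows which original team member to ask about each outside holder, and the owner-only replay shows how many of the existing grants a single approver per compartment would have had to review.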

  6. Ask a unicorn about it by cybermace5 · · Score: 2, Insightful

    Or else fix some of those requirements. The biggest one is the physical access problem; the only mostly secure way to do that is full encryption. And encrypting & decrypting gigabyte files will certainly get in the way of getting work done.

    No internet access to secure PCs, no digital media allowed in or out of the secure area. And make the engineers understand that, if they are found responsible for data escaping, it means not only their job but their career as well, and quite possibly a large chunk of money.

    If your data is worth that much, if the company's future depends on it, you cannot afford to take any risks. Hire an expert security consultant to examine YOUR system and implement security safeguards and procedures. You will have to give up an amount of conveniences and features in order to achieve security. Don't kid yourself that there is a transparent way to do this.

    --
    ...