Securing Files in a Hostile Workplace?
lockdown asks: "How do I secure the files used in my department? I work in an engineering department and I've been tasked with securing our electronic files. We are a likely target of pirates, both internal and external. The 'resale' value of our files is very large. Attackers would be interested in selling our files or just posting them publicly for bragging rights. While I trust our engineers, many of whom have been here over 10 years, we do have many short-timers and temps in other departments. Worst of all, our IT department is clueless and even hostile to our efforts. (They are proud that, 'our network is so outdated that it can't be hacked.') How do I come up with a way to secure our files in a hostile environment and still get our work done?"
"The constraints of my personal situation include:
- the world controlled by the IT department (the network, most servers, tape backups, external firewalls, etc) is out of my control,
- we do not have good physical control of our environment to prevent physical theft or PC access,
- we need to compartmentalize access to different teams,
- we need to be able to recover access in the event a bus hits an engineer,
- engineers need to be able to securely take files home,
- data files can range into the GBs,
- this can't get in the way of getting work done,
- being engineers, we tend to work with a wide range of obscure tools that are unlikely to be supported by commercial solutions and may not play nice with the OS
- we are stuck with Win boxes as clients, but we could have a local dept. *nix security server,
- each engineer needs to be able to enable access to any other engineer,
- I would like at least 2 factor security, something you know and something you have,
- I would like the 'something you have' attached to the engineer's car key ring (something you can't go home without) and
- open source preferred (no proprietary pixie dust, please)."
We all know we want to say it... you work for Valve, don't you??
I have a laundry list of requirements that would tax any reasonable person's mind, no control over my environment, obscure software tools and no money. Please fix this for me.
Thank you,
Hopelessly Clueless Engineering, Inc.
Geeze. Having implemented document control for ISO compliance at an engineering firm that does aerospace parts, I can safely say there is no way your requirements are compatible with any software solution. You have *systematic* problems that are far greater than any humble software could aspire to solving.
Sig under construction since 1998.
Get a couple of these.
1) if you can't trust your IT department, you're screwed, especially if management thinks they should have access (they're IT -- it's their job.) You could deny IT access, by handling everything yourself, but that's often a political nightmare.
2) without physical security, you have no security. You could encrypt the filesystems, but that has its own set of problems. It wasn't that long ago that somebody stole an entire mainframe in Australia.
4) if things are encrypted, more than one person needs to know the passcodes. But the more people who have access, the more people that can do bad things ...
7) is a big one. If you can only trust some of your engineers, then only the engineers you can trust can have access to the files. But obviously engineers you can't trust need access too ... you're screwed.
10) yikes.
Just give me an Admin account on your server, and I'll secure it for you.... :-)
Seriously, where I work, we use a VPN that is secured using a PIN and an RSA token. Basically, the RSA token is a little keychain thingy that displays a 6 digit number which changes every minute or so. When the user wants to connect to the network, they need to enter their PIN plus the 6 digit number.
Because the token is "keyed" to the individual, only my RSA token will work with my PIN. In order for a person to break in, they need both the person's PIN AND the person's unique RSA token. Obviously, this makes the network a lot more secure than a network protected by a traditional username/password setup.
Based upon your requirements, this may not be the best solution, as it fails to satisfy several of your requirements. However, my intuition tells me that you will be hard-pressed to satisfy ALL of your requirements with a single product (without rolling your own).
------
www.moneybythenumbers.com
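The PIN-plus-token login described in the post above, as an added example (not code from the original thread or from any vendor): the server keeps a salted PIN hash and a per-user token seed, the token displays an HMAC-based code that changes every 60 seconds, and a login is accepted only if both halves check out. The seed provisioning, the 60-second step and the `PasscodeServer` class are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60      # the token shows a fresh code about once a minute
DIGITS = 6


def hotp(seed: bytes, counter: int) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


def token_code(seed: bytes, now: float) -> str:
    """What the keychain token displays at time `now` (TOTP, RFC 6238 style)."""
    return hotp(seed, int(now // STEP))


class PasscodeServer:
    """Stores a salted PIN hash and a token seed per user; login needs both."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, pin: str) -> bytes:
        salt, seed = secrets.token_bytes(16), secrets.token_bytes(20)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self._users[user] = (salt, pin_hash, seed)
        return seed  # provisioned into that user's token only; never on the PC

    def verify(self, user: str, passcode: str, now: float, skew: int = 1) -> bool:
        """passcode = PIN followed by the 6 digits currently on the token."""
        rec = self._users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        salt, pin_hash, seed = rec
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(
            pin_hash, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
        # accept neighbouring windows to tolerate clock drift between token and server
        counter = int(now // STEP)
        code_ok = any(hmac.compare_digest(code, hotp(seed, counter + d))
                      for d in range(-skew, skew + 1))
        return pin_ok and code_ok
```

In production `now` would be `time.time()` on the server; it is a parameter here so the drift window can be exercised deterministically.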
What is the meaning of life? Seriously, your situation and requirements basically preclude any solution. The only way to get this done is to change either the security requirements, or the existing situation. Since I am assuming that the security requirements are there for good reason, you have to change the half-assed existing situation that is getting in your way. Once that is complete, the only thing that comes to mind is PGP / GPG encryption using a token on a USB keychain or something similar as the decrypting key with DVD-R of some flavor to move the data, but even that is not as platform portable as you want.
It sounds like the standard answers such as restricted access rights to the server, files and so forth are not an option in your circumstance. One possible solution - depending on your workflow requirements - might be to look at some digital rights management software.
In this forum, digital rights brings up Microsoft, RIAA and so forth - which I'm sure will get me pilloried. However, it sounds like you are in an environment that would be a good candidate for this kind of software.
IBM, Microsoft and other big vendors are working on solutions - but you may want to look at smaller providers like Sealed Media, Authentica or Liquid Machines. Frankly, the technology has a way to go and the weakness of many of these companies is the encryption and the protocols for passing keys. For how badly this is implemented in many systems, you only have to look to Dmitry Sklyarov's presentation on the security of eBook readers to have some ready questions on hand to determine whether these solutions are secure enough for you.
With that said, there are vendors using this software on the 'net, Harvard Business Online being one good example. For your needs, these applications are probably secure enough and will accomplish what you want. The question is whether they can be integrated well enough in your workflow.
.. even without the hostile environment.
If engineers can take the files home, you'll have to secure their home networks as well. Can you trust them to do that competently?
If any engineer can be given access to any other engineer, you can't effectively divide teams. Within very little time, all engineers will acquire access rights to all processes. That's what usually happens.
You'll need to rework your requirements to a list that is consistent with itself first (which means, mostly, thinking which of these requirements are more important). Then you can start looking for a solution.
And don't trust security advice from Slashdot. For every competent answer, you'll get ten incompetent ones, and unless you have a good security background, you won't be able to tell the difference.
Not just the US, AU as well. In the places I've worked in (or supported) it's two networks. One for the inter-business communications and general work, but all classified work is done on a classified network. We actually confused a poor old PHB (engineer) by saying in passing that the two networks use an AirGap Router. The ol' boy searched his manuals for one but couldn't find it.
Robert Anton Wilson
I don't mean to be offensive here but you do not state what your qualifications with regard to IT are, so I must ask: are you qualified to evaluate and judge the competence of your IT department and their procedures?
You see, I frequently run into middle and upper level managers that pose the same questions and issues that you do. They have decided that their files are the most important thing in the world and that the IT department is incompetent because they do not seem responsive to said managers' queries or concerns. But, in spite of the managers' feelings on the matter, I rarely see a situation where the IT department is truly incompetent or is doing a poor job on security. What is really happening is that the managers are not qualified to evaluate the IT department's procedures and that said departments become "unresponsive" to these managers after a while of hearing the mistrust and false accusations from someone unqualified to judge.
The fact is that most file servers offer most of the features that you are asking about. Most file servers (Windows NT-2003, Netware, Unix) have very good security measures that allow compartmentalized access, the ability to recover an account and its files when the user is hit by a bus, extensive access logging and auditing, the ability for the file's owner to assign other users access permissions, the ability to handle very large files, potentially secure access control via user ID and password, and more. Most newer ones will allow you to encrypt individual files, directories or even entire disks to further restrict access although this can interfere with work when multiple users are involved. Also, most file servers from within the past decade can support two factor security schemes that utilize one time password key fobs or even biometrics like thumb print scanners (which I find preferable to key fobs that can be lost or stolen).
The most contrary item on your list of requirements is the ability to take home large files. This is a gaping hole in any security system and if the files are so terribly valuable, your company should implement measures to make sure that taking these files anywhere from the server is impossible, or at least extremely difficult. Why would you implement an elaborate security system and then have the files walking out the door on a disk or tape? (As I think about it, Microsoft claims that this can be done securely under their Trust Computing and DRM plan. But, I won't buy into it.)
In the end the question returns, are you actually qualified to evaluate and judge the IT department's processes and procedures or are you feeling dejected because they are "unresponsive" to your individual needs? One final note about your IT department's pride in their antiquated network. There are several systems out there that although old are still more than capable of doing their job and are indeed quite secure. DEC Vax systems running LAT can be completely secure from both external and internal attack. The same can be said for Novell systems when they rely on the IPX protocol. In spite of your obvious dislike and mistrust of your IT department, it is entirely possible that they are truly very secure with their outdated network.
Many people assume that the only reason to get an audit done is for responsible admins to double check their work and verify that their network is secure. This is a completely valid reason, and the best reason to do one, but there are also political motivations, like in your case. The IT department's stance is that they are secure. You believe otherwise: have an infosec company do an audit. They can show the problems in the network, do so in an impartial way, and give it directly to management who can either exonerate you, or give you the tools needed to do your job.
Personally, I would consider network segmentation, and access controls (both host and network) as the first thing I would think of. Also, read-only smart cards with an encrypted key on it and a strong encryption policy. Keys are checked in every night, and each user has a separate password. You leave, you can't access the file. Then create a strong security policy for your department and have management sign off on it, so you can take immediate steps if anyone violates the policies (taking a key home, unauthorized laptop, etc.)
if you really need help, feel free to contact me:
me
RandomAndInteresting.com
defending the world from stupidity since 1979
"We are a likely target of pirates, both internal and external"
Well, it's a difficult situation. I suggest strong coastal fortress walls, and heavy shelling cannons. Also be sure to have your mates dig the hole before you bury the treasure. That way they will all be tired and you can shoot them and bury them with the treasure. I also suggest wearing a hook and eye patch. Some would argue that this is security through obscurity, but it does have a legitimate effect as a deterrent. Oh, and DON'T FORGET to draw a map with paces relative to everyday objects. This is sure to throw off that random bunch of happy go lucky teenagers in an 80s movie.
It's 10 PM. Do you know if you're un-American?
Indeed, PGPDisk seems to be the best solution in the short term.
PGP supports enforced corporate encryption key redundancy, allowing you to hold a master decryption key which will allow you to recover any file.
Better yet, that master key can be broken into parts and only be restored by a subset of keyholders (an m of n reconstitution) so that no one rogue person can act alone, it requires m people to recover the master key.
PGPDisk sets up a virtual partition on the hard disk, and is native to Wintel platforms, which would allow it to exist in your current environment.
You can also use x509 certificates if you want. And either x509 certs or the native PGP key format can be stored on a hardware token such as a Rainbow iKey, Dallas Semiconductor iButton, Smart Card (Schlumberger, GemPlus, Datakey, etc.), or other PKCS#11 hardware crypto token.
I'm fairly sure this will fit all your criteria if it is properly engineered. Poorly implemented security is worse than none at all.
I have done this sort of implementation before, and it's not incredibly complex once you know what you are doing. You would do well to hire a professional to take a few days to architect the solution for you.
Good luck!
Mattcelt
Or else fix some of those requirements. The biggest one is the physical access problem; the only mostly secure way to do that is full encryption. And encrypting & decrypting gigabyte files will certainly get in the way of getting work done.
No internet access to secure PCs, no digital media allowed in or out of the secure area. And make the engineers understand that, if they are found responsible for data escaping, it means not only their job but their career as well, and quite possibly a large chunk of money.
If your data is worth that much, if the company's future depends on it, you cannot afford to take any risks. Hire an expert security consultant to examine YOUR system and implement security safeguards and procedures. You will have to give up an amount of conveniences and features in order to achieve security. Don't kid yourself that there is a transparent way to do this.
...
Sell some of your valuable files, and use the proceeds to fund a security upgrade.
Conformity is the jailer of freedom and enemy of growth. -JFK