Slashdot Mirror
Ask Slashdot: Secure DropBox Alternative For a Small Business?
First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"
You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
Gah - I can't believe this is even a question
I have mod points and I am not afraid to use them
"I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...
I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.
Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
Could you not add a layer of encryption to Dropbox, such as BoxCryptor (https://www.boxcryptor.com/)?
I don't know if they keep data elsewhere that *isn't* in the US, but you could look at both SpiderOak and Bitcasa. (throw .com on the end of each). Both claim to encrypt data on the client side before upload. SpiderOak has a "hive" feature that operates pretty much just like Dropbox. Bitcasa is a little different but you may be able to shoehorn it into a solution if you need to.
Another option you could consider would be grabbing an S3 account from Amazon (or Rackspace Cloud Files could work too), keep your data in the US, and then create your own background client or script to encrypt the data on your machine and then upload it. There are several apps out there that can upload data to one of these cloud providers - there's Forklift in the Apple store and the popular "Cyberduck" which has support for both options. (I happen to be a Mac user so I'm not sure what Windows/Linux alternatives are there, but both have APIs so it's possible to roll your own if you want).
You could also consider virtual machines and mounting them as NFS for shared storage. Obviously some form of encryption would be key here since this is all going over the internet.
I can't guarantee any of these options will work for your use case (especially with your ITAR regulation requirements), but they may be a place to start.
Good luck!
Given your area of expertise, why don't you host your own cluster with this type of functionality?
Comment removed based on user account deletion
Check it out.
Host your own solution using Novell Filr , http://www.novell.com/products/filr/
I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Store it on a server at your business that you control.
Run open-source software which gives you DropBox functionality, such as BitTorrent Sync.
The only way to be sure is to host it on a server you control, using software that can be inspected.
Sparkleshare is a git based program that you can configure and use entirely in-house. . I use it for hosting our IT documentation for a small city government.
They are storing the internet traffic anyway...
By definition it is in US territory...
Their sites are secure... Opps!
Why would you be looking for a provider for classified info instead of looking to create your own solution? Google ownCloud. Works just like Dropbox, opensource so you can always change it to fit your needs if it's missing something.
Amazon S3 is .10 cents per GB or glacier is .01 per GB. We use it for off site backup.
If you are that concerned about the data security, just use ownCloud, and run it on your own servers.
What about Owncloud ?
I am surprised no one else mentioned this yet, Wuala encrypts locally then uploads to their server. But its feature set isn't quite on par with DropBox yet....
You host it yourself, control the data/features. Supports LDAP authentication. Client software is pretty quick. There is commercial support if you need it. Gracefully recovers from network loss. Oh and it has the appropriate iOS and Android clients. I have been slowly rolling it out in production without any complaints so far. Hope that helps!
- Too lazy to login
JungleDisk is one that comes to mind
I believe SpiderOak provides some encryption that you might think meets your needs, but I also agree with others that by the time you're asking this question something has already gone tragically wrong.
Of course there's always the counter argument that your data has in fact already been hacked and pretending you can keep it secure is just self deception.
fencepost
just a little off
Spideroak is probably as secure as you are going to get. Fwiw I have had good experiences.
I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.
First, ITAR and "classified" are not the same.
Second, Dropbox is just a front end for Amazon S3. Which has quite a few DoD data security certs.
Novel Filr It's as simple and secure as it gets, you control the data, you control the access, you control everything.
I'm very intrigued by the fact that you actually want to use an external cloud based storage solution. I would have thought that defense would have required not to use a third party for remote file storage. The best solution would be to "roll your own" and set up something in a private cloud hosted in a datacenter that meets your requirements. If you are a VMware shop, you should seriously take a look at Horizon Workspace as it provides a Dropbox like product that would be a great fit. If you want to run this on a budget, check out OwnCloud. I use that myself to keep home/work documents in sync between machines and always wanted the equivalent of Dropbox but syncing onto my own servers.
You may try btsync. http://labs.bittorrent.com/experiments/sync.html
Tell the fuckin execs to pass on their bonuses this year, or they will be arrested and the company shut down. If you can afford to do it, go out of business.
needs a cloud-based storage service
You want to put classified data on someone else's servers? You're putting a HUGE amount of trust in the laziest/least ethical/most incompetent sysadmin that company hires. Why in hell would you think you "need" cloud-based anything?
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.
Look here -> https://aws.amazon.com/govcloud-us/
rsync.net? It supports common protocols (ftp though https to rsync). You specify which location you want to store on at signup. It doesn't do encryption for you (storage encryption that is) but it sounds like you should be doing that yourself.
Pay somebody (contractor/consultant) who knoes what he does. Seriously, man. Ask for a 10 page concept with the tree best options fulfilling all your specific requirements (which you probably did not mention here), and offer him to implement it if you like one of these.
My 2 cents on this: To me it is completely non-obvious how dropbox could have ended up in the stack of possible solutions - to little control, intransparent business model, other use case is the dominant one. I would start by looking at the obvious storage providers (amazon, telecoms, specialized local/regional/natinal storage providers), compare them by the options/price they offer, look separately at software fulfilling my local needs and being capable of talking to the storage providers. Then i would create local scenarios about additional dedicated hw needed and after that i would make my choice/give the best options to my manager to select, based on business criteria.
Buy yourself a server. How dumb can people get? And we let these people sell arms to the world?
I just looked at it. I need an account with them to encrypt my files? And it seems that my files may even transfer to them before encryption and after decryption. or am I missing something? And the video even is narrated by someone with a foreign accent and shows the names of encrypted files change to something that looks like Chinese????? If I'm going to encrypt my files for security or safety or even privacy, I'm certainly going to do it on my own computers, not with something where I need an "account" with someone else to have them encrypted. Adding a layer of encryption would be nice (although likely not good enough to protect ITAR data properly), but doing it after the data leaves the computer is just crazy talk.
I'm an American. I love this country and the freedoms that we used to have.
EMC's Syncplicity allows you to have a "cloud" backup that's actually domain authenticated and resides in your own data center. Some of the Dropbox-esque features people want, with the in-house security.
Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.
It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
I would suggest AeroFS it's P2P sync, they support multiple users and let you use your own Amazon EC3 instances if you want. It is fully encrypted.
null
I'm not in defense (and never will), but isn't (public key) encryption not invented to keep something secure in a unsecure enviroment (i.e. internet). Encrypt your files with very decent encryption, such as PGP/GPG, and upload to dropbox or whatever. Manage keys well.
SFTP, the cloud can go **** itself.
Tomorrow is another day...
There is three different ways I know of to accomplish the task.
1.) You have to deploy and manage you own solution where you have a key management server on premise doing the encryption for you.
You’re not going to find a SAAS solution to this problem. What you’re looking for in a secure drop box application is to be able to control who has access to your data. If this was provided as a SAAS application the provider would than hold the encryption key's that would be used to secure you data. This then makes it so anyone in that company who has access to the key management server has access to your data and the greater threat is government demanding the keys from the provider and gaining access to your data. If somehow the SAAS provider allowed you to use your own key management server than you would lose a lot of functionality when it comes to things like indexing and if you did provide access again it than takes away the security of the application.
2.) The second option you have is to just encrypt the files before you upload them to the server.
You would have to do the whole shared key repository thing but it would be the cheapest method to securing your data in the cloud.
3.) The third method is to use a device that will proxy the data between your system and Dropbox encrypting the data before it gets to the cloud using your system.
I think the company I saw do thing for SkyDrive was called ciphercloud but I can’t remember. This is simpler to setup and configure than option 2 but still allows you full control over the encryption keys and often doesn’t interfere with indexing other such activities. The down side is you would still have to manage an application designing it for HA/DR/Usage and you wouldn’t be able to use the standard DropBox portal/applications you would have to use the website through the proxy.
The short answer is it is possible, I have seen all three done, but you are completely under estimating the requirements it would take to do. Also if you have export control data why are you using dropbox in the first place? How are you controlling employee’s ability to access the data from overseas?
ShareFile (from Citrix) will let you choose where your data is stored (e.g. US only) or even have it stored on premises, while still providing sync and web access to it like other cloud storage providers.
There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.
"I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.
If you want Dropbox's functionality; I suggest you use Dropbox.
However: DO NOT ALLOW ANY CONTENT REGULATED UNDER ITAR into a cloud service
Second: DO NOT ALLOW ANY CLASSIFIED MATERIALS into a cloud service
One possibility would be to implement Active Directory Rights Management Service (RMS) inside your organization. And set a policy that All sensitive documents must be composed using Microsoft Office, AND Users must encrypt all sensitive documents before saving them
If your clients are running recent versions of Windows; there are some interesting things you can do to make sure that files get saved get encrypted. You can also use various third party scanning and Data Leak Prevention software products to help you with making sure RMS rights templates get applied to existing documents' that got stored on enterprise users' workstations
If the file is RMS protected; in theory, Dropbox doesn't matter as much, because if someone accidentally places a file there; the file was encrypted, anyhow --- it can't be decrypted, unless your RMS server says it's OKAY and issues out a license to open the document (which contains the necessary crypto keys).
You just need to be very firm about your security labelling and encryption policies for sensitive documents.
However, the government says, with 51% certainty, that I'm a "non-US person", and wiretaps me with impunity. Can I be both simultaneously?
Try Novell Filr: http://www.novell.com/products/filr/
Most large defense contractors will not even let you visit dropbox from the office because they are scared of unclassified (ITAR) leaks. And you're putting data there intentionally?!? Please tell me this question is from a troll.
You are almost certainly breaking Federal law by putting data onto a server that you do not control unless you can guarantee that no dropbox employee can access the data
HORIZON WORKSPACE!
https://www.vmware.com/products/desktop_virtualization/horizon-workspace/overview.html
"Flyin' in just a sweet place,
Never been known to fail..."
Google is your friend: the only major cloud provider with an ITAR-compliant offering is Amazon, with GovCloud. This is available to both government agencies and contractors, but requires applying to Amazon for access.You'd need to find a front end to manage the storage/backup that will let you restrict it to use only the GovCloud S3.
The Department of State is considering revising the export rules to make clear that data encrypted to FIPS standards does not count as an export, and if they actually do change the rules, then you'll be able to use any cloud provider as long as you do the encryption at your end and control the keys. AFAIK, however, these changes are still being evaluated and may be too late to affect your choice, or never.
With ShareFile you can host the data in-house, but the control channel is all cloud...
To get a ruling on whether you may do what you want. Otherwise, as others have noted, you may be very deep waters (not only will you be in violation, but anyone in the organization using the service will be, and you will have induced them to do it. Think serious civil as well as criminal consequences).
From a technology angle, it may be "possible" if the folks in charge sign off.
"All" you need to do is encrypt the data before it goes offsite, encrypt it well enough that the data is protected commensurate with its value, etc.
For commercial users, https://jungledisk.com/ provides a very usable interface and GUI. Of course, if the client isn't trustworthy (and you have to take their word for it ;>) that goes out the window even if the algorithms are secure themselves ;>
I use it for some SOHO confidential data; it wouldn't be the end of the world if the data were disclosed, but we have committed to make good faith effort(s) to keep it secure, so we do (rather than moving files to subs via email, etc.). Not all subcontractors could handle sftp and friends.
Siteclone works well with custom security needs.
Many people using these services encrypt the data prior to upload, so that the storage provider does not have access to the keys. Even though Dropbox encrypts their data, they have the keys necessary to decrypt it(and thus your data is vulnerable if someone working for them or hacking them is able to obtain the key and your data). So you should use something like TrueCrypt to encrypt the data client side before uploading, so that you can ensure that you and no one else has the keys to access the data. There is still the possibility that someone at dropbox could steal your encrypted data, and then brute force the key, but with an appropriately strong key and encryption algorithm, then brute forcing shouldn't be feasible.
This however may not satisfy the security requirements for ITAR data, but from a general security standpoint would be the appropriate approach when storing data or backups offsite in a facility that you do not have complete control over.
There are some products that out of the box encrypt data client side, and generate keys based on your input string, and do not transmit those keys. In other words, it's exactly what I described above, but wrapped up in an off the shelf product. The problem here is verifying this since they are closed source products.
There are some products that cater to the government and meet certain data storage requirements, such as ShareFile. But because Sharefile holds the keys to the encrypted data, they are theoretically vulnerable to scenarios where a hacker might obtain data and keys. I don't think the people creating these government security standards are as knowledgeable about security as they think. If it has certain buzzwords like "AES-256" in the product's description, it passes their standard, regardless of whether the architecture implements it appropriately.
and SSHfs ? Yeah it's 20Mb of data at most and it can run on a 50$ arm board with lots of hard drives. Why would anyone want clouds anyway, they are just that but with no control, multiple eavesdroppers, security breaches, higher price and less performing ?
If you need to access your data remotely and securely, why not just use sftp or ftps to log in to your in-house server? That way you can keep logs on the users that connect, set up who can access what, and have the traffic encrypted. I don't know why everyone is so hooked on "the cloud".
You should look into sharefile. It is a secure alternitive to drop box. You can also optionally host an on prem appliance while still utilizing their cloud based access and front end.
... but you have to pay in cash for the service.
This might work for you: https://www.tarsnap.com/
Check out this on prem option from Varonis http://www.varonis.com/products/datanywhere
LiteTree Litecoin Exchange
You claim you need to manage highly sensitive and classified data, yet you can't put together a storage solution yourself? You're the wrong person for the job. No wonder Facebook and Microsoft et al can justify more H1Bs, they just use people such as MrClappy as examples of the poor talent in the U.S.
There are strict rules and regulations that govern the storage and transmission of classified data. If you are trying to secure classified data on dropbox, you go to jail. Do not pass go. Do not collect $100.
What you are asking for does not exist. You are not even permitted to encrypt classified data and store on an unapproved device/service. You are swimming in very, very dangerous waters my friend.
http://milyli.com/arc/Pages/ARC-Overview.aspx
It's not a cloud solution, you host it yourself. But given your concerns about security and compliance that's what you should be doing anyway. Arc is intended to provide secure and auditable self-hosted document sharing, for industries that can't risk an outside cloud service, from servers, workstations, and CMSes like Sharepoint, to authorized users via web and mobile clients.
NFS. Seriously. It's that simple. Mount the drive. There's your data. No weird software or limitations.
SpiderOak (https://spideroak.com/business/) encrypts locally before putting the data into their cloud and supports linux AD.
Worth looking into, I guess.
Securdrop is an upcoming product circulating in the defense community from alfresco. Carahsoft has been demoing it. You can find more information on software forge.
So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. It will probably be fairly brutish and short. If, however, you are dealing with ITAR regulated information, then you have a different set of issues. You may not export the data without a permit, but you don't need to control it specifically within the US. Also, the regulations around foreign persons (or those of dual nationalities) relate to export activities. So, you can't transfer to a foreign person if you know (or suspect) that they are going to export the data. However, foreign persons in the US that aren't an export channel are not an issue (else a whole lot of commerce in the US would halt since I have no idea if another company has any foreign nationals employed, and I don't have to get an ITAR export license to ship something to another domestic company). In the later case (where we are talking regulation, not classification), you don't have an issue if you don't export the data (don't pick a company with foreign presence for cloud storage). Actually, one could probably be ok if they encrypted it (strongly) and then stored (but you may (or may not) want to talk to your DDTC rep about that. You should have no problems finding an offsite storage company to provide the service, and/or use someone who allows you to restrict the S3 zones (if AWS is the backend store) to us-* regions. Similar for rackfiles, dream objects, etc. Another comment here is worth highlighting, however - use consumer services, get consumer service. Go upmarket a bit if you are actually looking for something that your company's bottom line is hung on.
This is whats wrong with gov contractors and the organizations they support. So someone has made the decision to outsource a "secure" backup strategy? How about you contract your job to China.
This is fucking assinine thinking and the person who is running that contract needs to be fired.
There are a bunch of folks who add client side encryption to drop box.
This mob: http://lock-box.com/ do a bunch of fancy client side key management to allow strong PKI management including revocation and re-keying of group accessed data. They're pretty good if you need a strong crypto layer on top of drop box, but there's a bunch of folks who add security to drop box with some balance of security and convenience. ... but like many other posters have said, be very careful before sticking classified data on any of this stuff; it's unlikely to be suitable unless the solution's been given a rating.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird.
I manage the network for a defense contractor....Am I wrong?
Solution to your problem: give up your blood-drenched paycheck and re-examine your life. You're an enabler in the warfare/surveillance state.
Is there a way you could encrypt the files or folders that are shared via dropbox, so that only people you have authorized (via a key) could decrypt them?
Repetition does not transform a lie into the truth. - FDR
You might start with looking at FEDRAMP complaint providers found here: http://www.gsa.gov/portal/content/131931 I would imagine that those listed providers also have FISMA certification so you'll be able to determine if the categorization of the data you are trying to protect is met by the provider. ITAR categorized data must be stored in CONUS and I believe AWS Government Community Cloud and the USDA National Information Technology Center offered by United States Department of Agriculture supports CONUS only storage. I believe Google Apps for Government does as well. But the key thing is to ensure the FiSMA cert matches the categorization of your data.
"He's using a quantum encryption scheme! That'll take hours to break!"
Dropbox + security? Sorry, they don't go together.
Don't people remember the day when everyone could get into anybody else's dropbox account without a password? The dedupe hack where people were getting instant access to other people's files on dropbox with the file hash - a quick way to download movies but has more sinister applications. How about the problem where you get the illusion of locking people you've shared stuff with before out by changing the password, but it doesn't actually lock them out?
It started off as a hack with a few python scripts as a front end to Amazon's storage and sadly it still shows. It's an epic failure in terms of security due to those I've mentioned and many more. In a business environment with multiple clients and a need to share things with one client and not another the dropbox sharing model is just an accidental disclosure waiting to happen. It's one to many and not one to one.
Seriously, there are dozens of alternatives out there and dropbox doesn't even measure up to plain old FTP from thirty years ago in a business setting. Use it for a hobby if you want with your own personal stuff but it's just an accident waiting to happen if you are going to use it for anything business related where there would be consequences if it ended up on the front page of a newspaper.
So if you've got nothing to hide you could use dropbox - or you could just put the files to download on your website. Dropbox is for those who can't put files on their website to download.
Nobody has mentioned spideroak yet, it seems. Probably worth checking out.
I don't know much about it, but my employer, probably a larger company than yours, specifies that we should use EMC's Syncplicity Enterprise (http://www.syncplicity.com/products/enterprise-edition) for secure cloud storage. It offers the option of keeping the storage in-house. Worth a look.
Talk to your FBI Infraguard liason. He'll tell you you're loony and then get you in contact with someone who can tell you what your options are. We were a tiny defense contractor and we even had one, so you bet your ass if you're a real one you do.
Owncloud looks quite good at the moment and is very simple to set up and run. You host the data yourself and it is shared via a sync client, a web front end or links sent by email, which can have expiry times set. The email thing can be turned off if you are quite correctly worried that there are far too many people capable of reading your email.
There is commercial support and some commercial extras but you can use the open version to try it out first (or indefinitely if that's all you need).
Have a look at commercially available web based doc management systems with security, such as Aconex..... Not a Dropbox replacement, but covers your security concerns.
Here is an Enterprise solution that is GSA certified. Www.smartfile.com.
You could try bittorrent sync:
* unlimited storage
* unlimited upload / download
* 256 aes encryption then sending files
* efficient transfer with p2p bittorrent protocol
* fully dezendtralized
* keeps histrory
* you own all the data and choose there it is stored
Link:
http://labs.bittorrent.com/experiments/sync.html?utm_source=bittorrent&utm_medium=web&utm_content=banner&utm_campaign=general
Check out TeamDrive:
- client side encryption (they cannot decrypt even if required to)
- team sharing
- data stored in AWS (although the company is German)
- you can run your own TeamDrive server, meaning, you control everything (this part is very very cool)
- android and ios clients. I only use the ios client, and its pretty good.
- Mac, windows, linux support (I use linux and Mac, so can't vouch for windows). Syncs are very well behaved.
- versioning, syncing etc etc
Worth a peek.
We use SparkleShare because we have our own git server anyway. Not sure how robust the security is compared to something specifically built for security (EG it's not like it has multi factor authentication).
Still as others have pointed out what the fuck are you doing with a cloud based service as a defense contractor. We do open source software and the only stuff we're storing in sparkleshare is scratch work, images, document templates and random crap that anyone could steal and we wouldn't care anyway.
I managed accellion for web based and sftp file transfers, it's pretty mature, not too expensive. Check
www.accellion.com
The setup I used was a virtual server on vmware with an encrypted file system from a file server on our SAN.
The link for government services is at:
http://www.accellion.com/why-accellion/for-government
You can limit it to VPN and sync folders peer-to-peer. It monitors and syncs changes for you, and is great for making a redundant backup/dropbox-type distribution system.
"...Some of our data is classified..." I too work for a government contractor. Some of your thinking is flawed. Can you please explain to me why ANY of your -->classified-- data belongs in the cloud? Step away from the kook-aid.
This is exactly what the system is designed for: https://aws.amazon.com/govcloud-us/
Accellion. $800/yr
What's wrong with AMRDEC SAFE? https://safe.amrdec.army.mil/SAFE/
It is only secure when you put your hands all around it and have full control. There are products out in the market for you to self-host the solution. You can put a DNS name on your instance and all the data stays in your infrastructure. Check out Gladinet Cloud Enterprise - a Self-Hosted Dropbox Alternative Solution. http://www.gladinet.com/serviceprovider/selfhosteddropbox.aspx
I work for an ITAR registered small business, and we store information in Dropbox to share with remote employees, but all information is first encrypted using Viivo. When you install Dropbox and Viivo, Viivo just runs as a service in the background. When you save files to a special unencrypted Viivo directory on your computer, Viivo immediately encrypts them locally and then copies them over to your Dropbox in encrypted form. You can share that encrypted Dropbox directory with colleagues, of course it will all be jibberish unless you use the "share" feature in Viivo, which sets up share keys and allows your colleagues' computers to decrypt whatever you share.
Besides the fact that the UI is terrible, Viivo works continuously in the background, much in the same spirit of Dropbox itself. Your local unencrypted folder just sits there statically (and continuously updates with whatever your colleagues are sharing).
On the security side, "Each Viivo user has a Private Key that is encrypted with AES-256. The key is generated from your password using PBKDF2 HMAC SHA256." It's serious stuff; Viivo/Dropbox can't reset your password or read your files.
Whatever you chose should really be run over a VPN for external usage. Period.
I'd look at using ownCloud - and you can get commercial support if it is required. I used to work for a company which used Novell iFolder and that was pretty good - but looking into that a little more it seems like Novell has a new thing called Filr which seems to tick the boxes (especially from a Manager perspective).
Either use something like citrix to a remote desktop or a VPN with sharepoint or subversion for such data.
Also hope any data that goes onto a laptop you are securing the drive with pgp disk encryption, and have specific rules to use the machines for work only.
Its amazing at how so many companies cant secure properly and think every tool out there should be used for things that need a lot of security.
You could use MEGA. But really, to even mention the nebulous word means that you don't care about security, encryption, or manner of storage. A company could design their "cloud" storage as a bunch of USB keys stuffed into the pockets of the employees with ROT-13 encryption and you'd be none the wiser as long as latency doesn't suffer (obviously the USB keys would be mirrored on a slighly lower latency device).
Literally email dropbox and tell them you need to purchase some of their servers.
If you're seriously using this feature and price isn't a big deal, they'll sell the literal servers which can be insulated within your own network with slightly different settings so it isn't immediately obvious to probes what sort of software you're using.
The first rule of computer security is physical security.
This is very very key. If you really want your data to be secure. You have to have physical possession of it. It cannot be on some remote server that you don't control. And by control, I mean you can walk up to it kick the power cord out of the wall if you so desired. THAT is control.
If you don't have that you're "trusting" someone else which is not how security works. Security is not about trust. Security is about paranoia.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
"I am a chinese hacker that is attempting to determine if any defense contractors illegally store classified data on cloud based systems. We were going to do some recon, but decided to just ask first"
There we go. I fixed OP post for you.
Although its a very limited solution, for a small number of documents your needs may be met by uploading individually encrypted documents an encrypted drive image.
"I'm just blown away that no one offers this functionality with today's tech capabilities"
Hmm. let's see, you want to transfer export controlled info to a third party. You'd better trust that third party a lot. A lot more than a "click wrap" license agreement level of trust. It's not the technical aspects: encryption takes care of the "on the way to/from the storage". It's the "do I trust you to store it only on servers located in the US with access only allowed to U.S. Persons. US Persons which includes some green card holders, but does not include US citizens who represent foreign entities. Would an employee of Chrysler, owned by FIat, be a US Person?
And for what it's worth, this kind of thing IS available. It's just not cheap.
Synology have been moving from the personal to the enterprise space as of late with their "DiskStation" NAS line of products. Some of their high end "NAS" boxes can get pretty powerful. There is a function of the DiskStation is called "Cloud Station", essentially a Dropbox clone.
Basically what you would be doing is having your own on-premises 'Dropbox appliance'. It is very easy to setup/integrate with it's user-friendly interface for the admin, and then all you really need to do then is forward the ports and install the client software.
www.mezeo.com
Not open-source but you run the software on your own machines inside your firewall.
Sync clients are available for Windows and OS X.
Tresorit is another Dropbox clone with client-side encryption. I couldn't find any information about it beyond the marketing materials though.
https://tresorit.com/
BitTorrent Sync http://labs.bittorrent.com/experiments/sync.html seems like it might do what you want.
I work for a company called Quest Global, and we subcontract for Pratt and Whitney, so we deal with a lot of ITAR data. It's not exactly drop box, but we use something called MFT to transfer (fairly vast amounts) data between our company and Pratt. It's more like an in-browser FTP site, the way Pratt set it up but It's very flexible so something similar could surely be done with it. Maybe this is an idiotic answer which doesn't really focus on your question, but I would not trust any external provider. I have too much experience.
http://en.wikipedia.org/wiki/Managed_file_transfer
In related news, I know that Pratt also does not trust external providers, so they are super careful never to send out anything they care about protecting- for example, on developmental military engines they won't send out info on consecutive blade rows.
OP, can you tell me what company this is so I know not to take it seriously?
If you have zfs based fileservers to sync you can try a solution called ZFS-DR by RackTop Systems. But it doesn't sound like that's what you're after if Dropbox was what you were using previously.
You do government work and you are this clueless? No wonder the USA is in the state it is in. You should start by reading the ITSG.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
www.tarsnap.com. Client-side encryption, brought to you by Colin Percival.
Check out Symantec's cloud storage offering, Norton Zone:
https://nortonzone.com/
Use an on-premises install of something like keynectis mft
http://www.keynectis.com/en/mft-solution
Quite a few aerospace/defense firms listed as customers on their web site
Ipswitxh MoveIt DMZ or their cloud solution is pretty nice.
Try this: http://www.novell.com/products/filr/
Stop right there, I think I've spotted the problem.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
For a Hoster that offers true Security take a look at https://mega.co.nz/. Your Data will be stored in New Zealand as far as i know but its probaby saver as in US.
Nobody else but you will be blameable in case of a leak. And you can tailor the solution to your needs, to your specifications and to your use cases, both technical and functional. Oh, and here is a well-meant piece of advice: stop thinking of "the cloud". Don't. Just don't. If your data is so important, then host some hardware in a fire-proof, earthquake-proof place, run your self-built solution on that hardware in that facility, and off you go.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
it's not open-source, if you care about that, and it's still in beta (what isn't these days?), but it's free, secure and it works well.
Citrix ShareFile?
...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
Install WebDAV CGI (http://webdavcgi.sourceforge.net/) on your own servers, provision access over HTTPS and use any one of the freely available WebDAV sync clients available for Windows, MacOSX, Linux, iPhone, or Android.
Need redundancy within a single site? Use it with GFS or GlusterFS. Need offsite backups or hot-standby site? rsync or csync2 the filesystems to servers in the other DC, or use GlusterFS's Geo-Replication (integrated rsync).
Have working files on already existing CIFS shares you want to make available? No problem, WebDAV CGI already supports it.
See, no big deal to roll your own.
Dropbox is bs for the masses. Use box.net or even box.net premium
Office 365 isn’t cheap but it has SkyDrive Pro included, which is protected by multiple U.S. data centers, and is only in the U.S.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
www.egnyte.com
Citrix ShareFile On-Premises. Drop Box-like interface, encrypted onsite data storage.
Yep, we went with the VMware Horizon product too. It works well and is under active development but the current 1.0 product is a little clunky to manage. Citrix has been promising a self-hosted Sharefile solution forever yet there is still nothing.
You are stating that you need a secure data solution under ITAR, keeping your cloud based data within the USA. Alfresco Enterprise http://www.alfresco.com/ would be a solution, since you can limit what data is being handled by your users via the web, mobile or PC via role based management using Alfresco Share. Developer tools for Alfresco allows you create custom plugins, if one does not exist at the moment, have your developer team create a custom plugin to meet those requirements (say, ITAR??). And it works with either Windows or Linux. Data inside your firewall is kept secure on both sides of the firewall. Will probably catch hell for even suggesting this for your organization.
Either
A: You do not know what CLASSIFIED means.
B: Your fucking stupid.
Setup your own storage at your office. Don't trust public companies for your data.
If you dont/cant do it yourself, hire someone to come in and doit. And audit the hell out of what they do.
---- Booth was a patriot ----
I completely do not understand anyone storing even remotely confidential data, much less security-related data, on servers hosted by another organization.
pr0n - keeping monitor glass spotless since 1981.
https://mega.co.nz/
VPN, a Samba share with required domain authentication, and inside the share a Truecrypt volume (or volume(s) plural).
Hi - I run the Federal Business for Box and have been here for 16 months - - do not know that we have met/talked as I would have recalled this requirement- - but there may be some more current capability and/or planned that addresses some of the shortcomings you have run into. Please reach out to me at cmanouse@box.com and we can see if in fact those limitations in fact exist - and if they did at one time but no longer due or may be overcome in the very near future, I'll direct you as such. For sure if they do exist and if there are no planned remedies, I'll verify that for you. Thanks - Chris
Email the data to your gmail account. That's what I do.
Why don't you check "Gith" ? www.gith-systems.com It's been released last week and everything is fully encrypted. The servers are hosted in France for now, not in the US yet !
IBM offers private cloud technology for the enterprise and security is no problem there. You've got to pay for it though.
http://www.ibm.com/cloud-computing/us/en/private-cloud.html
Try AeroFS. You need to provide all of the locations to store the data yourself, but with their team server on your machines you can build your own private cloud.
Why not use a thumbdrive (or several, for several clients)? You can encrypt the drive so that if it falls into the wrong hands data won't be comprimised. I still use a thumbdrive to transfer data and it hasn't failed me yet. It also doesn't have a "transfer limit" (as long as there isn't one big enough). I've never seen the draw of those cloud storage systems. Why spend an hour waiting for a project to download when I can just download it onto a disk and get it to a person within 20 minutes?
an encrypted solution for Box like functionality. No limit on files (except what you pay for) and backed by object storage.
call 1-855-459-5121 for more info.
You're missing the rsync component of the equation, but yes. This is the essence.
Now, administer for 250 users. :-)
"Flyin' in just a sweet place,
Never been known to fail..."
onehub lets you brand your own version of dropbox, stores it on aws, and lets you create your own local version. it's pretty great for companies that want dropbox but want control.
The combination of ClearOS and ownCloud enables you to build a Secure Hybrid Cloud offering based upon open source file sync and share technology that is as easy to use as Dropbox, but is hosted in your data center, on your servers, using your security policies, etc. Here are some helpful links: ClearOS Link: http://www.clearcenter.com/Software/clearos-professional-overview.html ownCloud Link: https://owncloud.com/products/enterprise Enjoy!
1. I act for a UK organization which has similar restrictions for handling Export Controlled matters & 'Classified' matters. These are not the same. The users and any intermediaries need to be known and locked down.
2. if "Cloud" storage for access from remote computer, then the store for both of above had better be within your own location and control and under your own domain, never under a 'third party external service' on remote servers to which you have no physical access.
3. ITAR and its equivalent UK Export Control restrict some things, 'Classified' by any government restricts other things. However the penalties are very severe for bad practice.
4. You have a problem if any person would access your servers from outside the USA, as internet access passes through non USA systems. If you and all your staff ONLY work within the USA then this is possible, but note, ITAR does allow staff to take laptops home, Classified (depending on level) does not allow staff to leave the locked building with any laptop or copy (USBs anyone?). The nationality or birth of any person outside the USA may forbid you having them in any chain that allows corporate computer access.
Example: The company I advise has some senior USA staff, I have to control that they have no access whatsoever or knowledge of certain UK EYES ONLY level matters.
Keep 'cloud' internal to USA (i.e. refuse and block all foreign incoming and outgoing signals). Check parentage of all staff. You have your work cut out!
Regards Eion MacDonald
Try Citrix's ShareFile or using Microsoft Skydrive Pro, you can store data in your own datacenter with your own policies, for the user the experience is similar to dropbox either way.
Industry standard for this is to just set up your own internal network shares, Samba, whatever. If a file needs to be shared the user copies it to the shared drive. Good enough for government work, as they say.
Next step up in terms of automation is network mounted user directories and automatic backup software. There are a few sync clients out there as well that will sync to a remote location.
You can deploy your own servers and provide services via OpenStack Storage. There are numerous file systems available that can talk to OpenStack.
You can also check with Google they have special sales teams that can deal with your specific requirements and DoD requirements.
... with no ability to fulfill it. Our govt is broke because of crap like this....and well, destroying physical hardware because it "might" have been infected.
Oh, and sending barrels of food bought with American EBT cards to the homeland.
This country is f'd if people don't turn off the faucet in DC.
Timothy,
I would take a look at Sookasa (www.sookasa.com). It's a security layer on top of cloud services like Dropbox, that provides encryption, full audit trails and full access control for files, devices and users, while preserving the user experience and sync capabilities of Dropbox.
We'd be very happy to chat - drop us a line at info@sookasa.com
Best,
Asaf
ITAR is a CLASSIFICATION. So saying "data classified as ITAR" is 100% correct.
They're nice guys too. https://www.cx.com/
Every rule has more than one consequence.
... but not by the Linux crowd.
Because it is more than obvious that you have no clue of what the subject is about and decided to make the dumbest suggestion ever.
If data is sensitive enough to have an ITAR classification, then the data is sensitive enough to cause problems if it gets leaked.
A gross negligent violation of ITAR means very heavy fines (in the millions per instance), the (almost always) forfeit of the contract and any payments for service rendered. It is also an automatic disqualification from any government contract for no less than 10 years.
So being stupid with documentation classified as ITAR (yes that is the correct term), is pretty much the death of the company.
ITAR is a level of classification, not a category.
... do not make stupid suggestions.
Too many ignorant people making suggestions that will pretty much destroy the company and possibly put the guy in legal danger.
Why don't YOU create the product that your company wants, then market it to other companies with similar needs.
You could suggest it to your bosses as a new money-maker for your corporation, and when they turn you down (make sure it's in writing), get some people together and do it yourself.
Lot's of new businesses have been created by one business meeting it's own needs, then selling it's solution.
THINK! It's patriotic
As others have pointed out, handling data which is sensitive relative to national security (be it "secret" or not) via a plain "cloud" service is a NO-GO ! For lots of reasons which boil down to "cannot control where data is stored under what security conditions".
Of course you could add some encryption on top of Dropbox (e.g. TrueCrypt containers or GNUpg), but I am still quite sure you would break more than one government regulation in doing so.
I suggest you:
A) Ask your government for guidance in this matter. That's important for both technical and legal reasons.
B) Set up your own little server connected to a cable modem in a reasonably well-protected building (anti-burglar security is a minimum)
C) Run Linux and and sshd on that server
D) Protect sshd (yeah, even sshd did have lots of flaws in the past) by iptables. Have a whitelist of legitimate IP addresses who can use the file exchange
E) Use an scp client program (there exist quite nice ones for all operating systems now) to up/download files from your server
F) Secure the help of a credible Linux security expert to set up this arrangement properly
You can try Seafile: http://seafile.com/en/home/ It's open source, you can build your own Dropbox like service.
You should look here: https://prism-break.org/
They mention a number of self-hosted cloud solutions.
Hello,
I think you should be looking at Vaultize, World's most secure end point file sync, share and backup solution. Just visit www.vaultize.com.
Thanks,
Sam
www.domestichelpinindia.com ,Home Nurse, Baby
We are a renowned Agency known for providing trustworthy
Domestic Help, House Maid, Nanny, Patient Care
Care, Housekeeping, Drivers, the candidates so placed are cleared
by us referred by reputed people, their address etc are verified,
we file their finger prints & also Guarantee 3 Replacement In A
Year. On special request Police Verification can also be arranged
(customer has to bear the cost) Any Where in India.
Hi,
Check out this project on github: https://github.com/bokxing-it/sambadav
It is a bridge between samba and webdav. You run it on your webserver and it connects to shares/machines that have samba shares on your LAN. It uses smbclient to access the LNA shares, converts it in WebDav. It lets me mount samba network shares on a Win7 as a driveletter, without the need to make a VPN connection.
mu € 0.02
I just recently learned about a service called SafeMonk that is an encryption service for Dropbox. SafeMonk is basically a key management service and all encryption is done on the client before changes are uploaded to Dropbox. I've never used it, but it looks promising.
https://safemonk.com/
Dropbox + nCrypted Cloud (www.ncryptedcloud.com) = Enterprise Level Security in the cloud
take a look at bittorrent sync. http://labs.bittorrent.com/experiments/sync.html with cheap hardware and multiple locations(the locations could be virtual servers at different data centers around the world.) you could set up your own cloud for the cost of the hardware. run the host machines on your favorite flavor of linux and configure the different machines to do the rest. you add stuff to your onsite machine and it gets distributed securely and quickly to the other nodes. ive been playing around with the software for a week now but it seems to be exactly what we needed as a community.
Hello, Please have a quick look at www.vaultize.com . Vaultize is an enterprise-grade unified platform for secure file sharing - together with endpoint backup, endpoint encryption and Google Apps backup - that helps enterprises mitigate these risks through complete enterprise control and visibility on the use of unstructured data. It is the only solution that does military-grade (AES 256bit) encryption together with de-duplication at source (patent pending) – making it the most secure and efficient solution in the world. For product trial, please contact http://www.vaultize.com/try_it_free.html. Thanks, Sam sameer@vaultize.com
Copy.com is the best. Right now u can sign up & get 15gb.
Use this link for another 5gb during signup for a total of 20gb.
https://copy.com?r=yGI0Xb