Slashdot Mirror
Ask Slashdot: Secure DropBox Alternative For a Small Business?
First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"
You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
Gah - I can't believe this is even a question
I have mod points and I am not afraid to use them
I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Store it on a server at your business that you control.
Run open-source software which gives you DropBox functionality, such as BitTorrent Sync.
The only way to be sure is to host it on a server you control, using software that can be inspected.
Sparkleshare is a git based program that you can configure and use entirely in-house. . I use it for hosting our IT documentation for a small city government.
You host it yourself, control the data/features. Supports LDAP authentication. Client software is pretty quick. There is commercial support if you need it. Gracefully recovers from network loss. Oh and it has the appropriate iOS and Android clients. I have been slowly rolling it out in production without any complaints so far. Hope that helps!
- Too lazy to login
I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.
I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.
Look here -> https://aws.amazon.com/govcloud-us/
Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.
It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
This isn't about security, it's security theater, it's not the safety of the data that matters, it's all about the box ticking. The box that must be ticked is 'data must not leave the US'.
If you try to apply any rationale to the existence of this box, you'll end up with something like 'The data can't leave the US because as we all know there are no bad guys on US soil, foreign powers cannot buy airplane tickets, and the internet has border police that stop foreign traffic that has the evil bit set.'
A pizza of radius z and thickness a has a volume of pi z z a
Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.
Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.
So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. It will probably be fairly brutish and short. If, however, you are dealing with ITAR regulated information, then you have a different set of issues. You may not export the data without a permit, but you don't need to control it specifically within the US. Also, the regulations around foreign persons (or those of dual nationalities) relate to export activities. So, you can't transfer to a foreign person if you know (or suspect) that they are going to export the data. However, foreign persons in the US that aren't an export channel are not an issue (else a whole lot of commerce in the US would halt since I have no idea if another company has any foreign nationals employed, and I don't have to get an ITAR export license to ship something to another domestic company). In the later case (where we are talking regulation, not classification), you don't have an issue if you don't export the data (don't pick a company with foreign presence for cloud storage). Actually, one could probably be ok if they encrypted it (strongly) and then stored (but you may (or may not) want to talk to your DDTC rep about that. You should have no problems finding an offsite storage company to provide the service, and/or use someone who allows you to restrict the S3 zones (if AWS is the backend store) to us-* regions. Similar for rackfiles, dream objects, etc. Another comment here is worth highlighting, however - use consumer services, get consumer service. Go upmarket a bit if you are actually looking for something that your company's bottom line is hung on.