Ask Slashdot: Secure DropBox Alternative For a Small Business?
First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR), which requires all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality: 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"
"I manage the network for a defense contractor that needs a cloud-based storage service"
No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...
That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox-like service would provide enough fine-grained ACLs and reliable and untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN-accessed fileserver would be better, with restrictions on the computer that prohibit saving to local storage. Once it's on a Dropbox-like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?
Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and whatever else).
To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?
You've never heard of parity?
Not in RAID 0, he hasn't.
There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud-based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.
I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.
I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.
Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).
I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.
You need to control problem names from the get-go. Politicians do it all the time when they name bills (Safety Measures YYY for the Children, etc). Good businessmen never ask their boss to travel to Las Vegas, they go to Clark County, NV instead. It is your responsibility to handle this kind of thing.