Slashdot Mirror


Ask Slashdot: Secure DropBox Alternative For a Small Business?

First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"

45 of 274 comments

  1. You are kidding right? by MerlynEmrys67 · · Score: 5, Informative

    You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
    Gah - I can't believe this is even a question

    --
    I have mod points and I am not afraid to use them
    1. Re:You are kidding right? by ravenswood1000 · · Score: 5, Informative

      Try Owncloud or Ajaxplorer for your own cloud solution maybe.

    2. Re:You are kidding right? by Trepidity · · Score: 4, Informative

      For something Dropbox-like in UI that you can point to your own servers, some options are:

      * Git-Annex Assistant: Despite its name, git is sort of an implementation detail you can ignore. It doesn't actually revision-control all your files, so you don't get huge bloat with binary files that are edited. One nice thing it does is integrate syncing with offline storage, so you can e.g. set up a remote server to sync to live, *and* set up a USB-connected hard drive to sync to when it's attached. When the USB drive is offline git-annex will still remember what files were on it.

      * Sparkleshare: a front-end that does version-control all your files, which might be preferable if you are sharing small-ish files where you might want to recover a previous version (e.g., text documents). Less good than Git-Annex Assistant if you're sharing huge media files, possibly better if you aren't.

      See also this Slashdot discussion from two years ago.

    3. Re:You are kidding right? by pixelpusher220 · · Score: 5, Funny

      I believe there's a facility in Utah that specializes in cloud data storage...

      --
      People in cars cause accidents....accidents in cars cause people :-D
    4. Re:You are kidding right? by Sir_Sri · · Score: 2

      I love my dogs very much, but the love for my son and his needs are much greater.

      Like a lot of regular services, there are usually defence contractors who offer similar services that meet whatever national government requirements are - for 10x the price naturally.

      I would think that microsoft or google (though more likely microsoft than google) offer something similar to their commercial offerings but certified for defence. If not them, then likely you're looking at either Lockheed Martin, HP, IBM and expecting to pay very large sums of money.

    5. Re:You are kidding right? by sconeu · · Score: 5, Insightful

      I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.

      I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.

      Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:You are kidding right? by ColdWetDog · · Score: 5, Funny

      I can just see this - a high level presentation to the C level executives:

      "Yes, we're planning on using Sparkleshare".

      "Sparklewhat?"

      "Sparkleshare, it's an open source product that ...."

      "Look, we're here to discuss corporate data strategy, not your daughter's favorite website".

      --
      Faster! Faster! Faster would be better!
    7. Re:You are kidding right? by HJED · · Score: 2

      Aerofs might also be a good solution, it only stores data on your own servers by default (and has a headless linux client that could be installed on a VPS or similar for offsite backup). All data is transmitted encrypted P2P, but it does use NAT Proxies and authentication information provided by their servers.

    8. Re:You are kidding right? by icebike · · Score: 4, Interesting

      ITAR simply requires State-Side storage. It doesn't have to be secure from the NSA, in fact they would probably object if it was.

      There is SpiderOak, which is US based, but they don't have the ability to decrypt your data, all decryption is done at the client.

      --
      Sig Battery depleted. Reverting to safe mode.
    9. Re:You are kidding right? by AK+Marc · · Score: 2

      I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.

    10. Re:You are kidding right? by tftp · · Score: 3, Interesting

      As many posters indicated in their comments, compliance is not even checked against your arbitrary list of technical measures. It is checked against an approved list of measures and actions that you are supposed to have and perform.

      Good encryption would be a solution. You could have a server in North Korea and safely store all the secrets of portable nukes there, as long as they are well encrypted.

      But the devil is in details. What does it mean "well encrypted?" What is even the criteria for "wellness" of your encryption? Would it be OK if I use ROT13? Ok, perhaps not. What if I use AES256? Now you are happy. Right? No, wrong - because I used a key that consists of all zeros. Or ones. Or something equally trivial.

      But let's imagine you have a secure key. You used /dev/random, and it is random enough. Is it secure now? No, it isn't. You now have a known plaintext attack. AES may prevent you from reversing the key, but it is still a block cipher - and many technical documents have similarities that can be exploited. Unless salted, every block of same plaintext will produce the same ciphertext. This is already a leak of data. Is it important? Maybe not. But there was no such leak before, and now there is a foothold. Can you guarantee that it won't get worse? Your adversary has all the resources of the state (albeit a poor one) and they are not constrained as much as you are.

      This is why you never invent your own cryptosystem. NSA does that, and they approve and provide cryptosystems for various end users. If you can get NSA to approve a cryptosystem for your setup, you are golden. But chances of that are not very good. If you start building your own, nobody is even going to check what you did. If it is not approved, it's not good. DSS workers are not cryptographers; even most of NSA personnel are not cryptographers (as we know now.) It takes an inordinate amount of effort to approve a cryptosystem for a particular use. One can have a good algorithm that is implemented with a small bug, and that bug turns it from unbreakable to reversible in milliseconds. Cryptographers know what to watch for, and even they make mistakes sometimes. Can you get away with a crypto library that you downloaded from Internet? I don't think so. It may be perfectly secure, but that's not what you will be evaluated against.

    11. Re:You are kidding right? by dj245 · · Score: 4, Insightful

      I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.

      You need to control problem names from the get-go. Politicians do it all the time when they name bills (Safety Measures YYY for the Children, etc). Good businessmen never ask their boss to travel to Las Vegas, they go to Clark County, NV instead. It is your responsibility to handle this kind of thing.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    12. Re:You are kidding right? by RevDisk · · Score: 2

      ITAR is not a security clearance classification. It's an export control classification.

      This is more than a little important because it means no "foreign persons" can access the data. Inside or outside the US. You can let a US person in France see the data, for example. Foreign persons is defined in 120.16 of ITAR. Check http://pmddtc.state.gov/regulations_laws/documents/official_itar/2012/ITAR_Part_120.pdf (listed as Page 467)

      Basically, you can't give any ITAR data to any foreign person. If the foreign person could access the data, even if they do not, you're still breaking the law. There's a presumption of guilt if you say, leave ITAR data on a public share in your company, where foreign nationals could have accessed it. Do not put ITAR data on any disk you don't control unless it's reasonable that the provider cannot access it (ie encrypted).

      If DropBox has or had one foreign national that could access your account (which is likely) and the files were unencrypted, you already committed a federal crime and should give a voluntary disclosure to DDTC. They'll likely give you a slap on the wrist or more likely do nothing, especially if you voluntarily disclose and implement a solution to fix the problem. You personally will not get hit with anything. Try to cover it up, and you may personally be held responsible for a) knowingly breaking the law and b) knowingly trying to cover it up. You as an individual, in addition to your company.

      Back on the original topic, use a VPN (preferred) or self-host an app on a web server you control. I'd just use VPN and rsync. As a best practice, if a user is going overseas, send them with a clean laptop and tell them not to locally save any files.

      Disclaimer: I worked for Export Control at a Very Large Defense Contractor (they needed a geek, I got the short straw). I am however not YOUR export control representative. While the above is correct, it is only for reference and should not be taken as legal or binding advice. Seriously, order everything you can from Society for International Affairs and attend some conferences, or your business will be shut down by DDTC for ITAR violations. You can email me using my nick at my nick dot org if you have any other ITAR questions. I used to laugh when Department of State folks said "Please don't frame the question in terms of any felonies", now I just repeat it.

  2. I call bull by santax · · Score: 5, Interesting

    "I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

    1. Re:I call bull by hawguy · · Score: 5, Insightful

      "I manage the network for a defense contractor that needs a cloud-based storage service"

      No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

      That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox like service would provide enough fine grained ACL's and reliable and untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN accessed fileserver would be better with restrictions on the computer that prohibit saving to local storage. Once it's on a dropbox like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?

    2. Re:I call bull by Wintermute__ · · Score: 5, Informative

      Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.

      Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.

    3. Re:I call bull by liquidsin · · Score: 2

      my guess is it's a spook. with all the attention that leaks are getting right now, it seems totally plausible for some paid contractor to draw up some "classified documents" about snowden's child-trafficking ring or assange's cannibal cookbook, stick 'em on dropbox, and plant a horseshit story like this on a tech blog. then you just eat some popcorn and wait for the next security breach. you don't even have to get your hands dirty cracking into anything yourself.

      --
      do not read this line twice.
  3. AWS? by Anonymous Coward · · Score: 5, Interesting

    I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

  4. Cloud 0? by craznar · · Score: 4, Interesting

    Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

    --
    EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
    1. Re:Cloud 0? by Virtucon · · Score: 2
      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    2. Re:Cloud 0? by FriedYuca · · Score: 3, Insightful

      Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

      To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

      You've never heard of parity?

      Not in Raid 0, he hasn't.

    3. Re:Cloud 0? by DaHat · · Score: 2

      Or just buy a storage appliance that has that kind of functionality built in and backups to the cloud in an encrypted way.

      To quote one of their bullet points:

      Military-grade Security
      All data stored in the cloud with StorSimple has military-grade encryption applied to it. The encryption key is never given to StorSimple or the cloud provider, ensuring complete data privacy to support compliance requirements as stringent as HIPAA.

  5. Add Encryption to Dropbox by Sironfoot · · Score: 2

    Could you not add a layer of encryption to Dropbox, such as BoxCryptor (https://www.boxcryptor.com/)?

  6. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  7. Never going to find one by Archfeld · · Score: 5, Informative

    I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Never going to find one by DaHat · · Score: 2

      How long ago? These folks seem to have an interesting solution for this kind of setup (encryption on-prem prior to being sent to the cloud and keys never leaving your control)... and also claim to be inside of at least one bank

  8. How about ssh? Http? by Okian+Warrior · · Score: 2, Informative

    Store it on a server at your business that you control.

    Run open-source software which gives you DropBox functionality, such as BitTorrent Sync.

    The only way to be sure is to host it on a server you control, using software that can be inspected.

  9. Sparkleshare by Anonymous Coward · · Score: 2, Informative

    Sparkleshare is a git based program that you can configure and use entirely in-house. I use it for hosting our IT documentation for a small city government.

  10. Just use OwnCloud by Anonymous Coward · · Score: 2, Informative

    You host it yourself, control the data/features. Supports LDAP authentication. Client software is pretty quick. There is commercial support if you need it. Gracefully recovers from network loss. Oh and it has the appropriate iOS and Android clients. I have been slowly rolling it out in production without any complaints so far. Hope that helps!

    - Too lazy to login

  11. SpiderOak, and you're doing it wrong by Fencepost · · Score: 2

    I believe SpiderOak provides some encryption that you might think meets your needs, but I also agree with others that by the time you're asking this question something has already gone tragically wrong.

    Of course there's always the counter argument that your data has in fact already been hacked and pretending you can keep it secure is just self deception.

    --
    fencepost
    just a little off
  12. Calm down people... by krbvroc1 · · Score: 4, Informative

    I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.

  13. VMware Horizon Workspace or OwnCloud by insp · · Score: 2

    I'm very intrigued by the fact that you actually want to use an external cloud based storage solution. I would have thought that defense would have required not to use a third party for remote file storage. The best solution would be to "roll your own" and set up something in a private cloud hosted in a datacenter that meets your requirements. If you are a VMware shop, you should seriously take a look at Horizon Workspace as it provides a Dropbox like product that would be a great fit. If you want to run this on a budget, check out OwnCloud. I use that myself to keep home/work documents in sync between machines and always wanted the equivalent of Dropbox but syncing onto my own servers.

  14. Re:Wuala?.. by insp · · Score: 2

    Wuala stores their files in Switzerland. I doubt that would meet appropriate defense standards.

  15. AWS GovCloud by Anonymous Coward · · Score: 5, Informative

    I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

    Look here -> https://aws.amazon.com/govcloud-us/

  16. Ahem. by drolli · · Score: 2

    Pay somebody (contractor/consultant) who knows what he does. Seriously, man. Ask for a 10 page concept with the three best options fulfilling all your specific requirements (which you probably did not mention here), and offer him to implement it if you like one of these.

    My 2 cents on this: To me it is completely non-obvious how dropbox could have ended up in the stack of possible solutions - too little control, intransparent business model, other use case is the dominant one. I would start by looking at the obvious storage providers (amazon, telecoms, specialized local/regional/national storage providers), compare them by the options/price they offer, look separately at software fulfilling my local needs and being capable of talking to the storage providers. Then I would create local scenarios about additional dedicated hw needed and after that I would make my choice/give the best options to my manager to select, based on business criteria.

  17. ITAR is tighter than that by GumphMaster · · Score: 4, Informative

    Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data remain inside the US, including any cloud storage or redundant backups.

    It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  18. Re:Encrypt data, store anywhere by Andy_R · · Score: 3, Informative

    This isn't about security, it's security theater, it's not the safety of the data that matters, it's all about the box ticking. The box that must be ticked is 'data must not leave the US'.

    If you try to apply any rationale to the existence of this box, you'll end up with something like 'The data can't leave the US because as we all know there are no bad guys on US soil, foreign powers cannot buy airplane tickets, and the internet has border police that stop foreign traffic that has the evil bit set.'

    --
    A pizza of radius z and thickness a has a volume of pi z z a
  19. You're delusional. by __aaltlg1547 · · Score: 4, Insightful

    There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.

  20. Contact your site/organization's Security Officer by khb · · Score: 2

    To get a ruling on whether you may do what you want. Otherwise, as others have noted, you may be in very deep waters (not only will you be in violation, but anyone in the organization using the service will be, and you will have induced them to do it. Think serious civil as well as criminal consequences).

    From a technology angle, it may be "possible" if the folks in charge sign off.

    "All" you need to do is encrypt the data before it goes offsite, encrypt it well enough that the data is protected commensurate with its value, etc.

    For commercial users, https://jungledisk.com/ provides a very usable interface and GUI. Of course, if the client isn't trustworthy (and you have to take their word for it ;>) that goes out the window even if the algorithms are secure themselves ;>

    I use it for some SOHO confidential data; it wouldn't be the end of the world if the data were disclosed, but we have committed to make good faith effort(s) to keep it secure, so we do (rather than moving files to subs via email, etc.). Not all subcontractors could handle sftp and friends.

  21. CLASSIFIED or REGULATED under ITAR? by cdl · · Score: 3, Informative

    So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. It will probably be fairly brutish and short. If, however, you are dealing with ITAR regulated information, then you have a different set of issues. You may not export the data without a permit, but you don't need to control it specifically within the US. Also, the regulations around foreign persons (or those of dual nationalities) relate to export activities. So, you can't transfer to a foreign person if you know (or suspect) that they are going to export the data. However, foreign persons in the US that aren't an export channel are not an issue (else a whole lot of commerce in the US would halt since I have no idea if another company has any foreign nationals employed, and I don't have to get an ITAR export license to ship something to another domestic company). In the latter case (where we are talking regulation, not classification), you don't have an issue if you don't export the data (don't pick a company with foreign presence for cloud storage). Actually, one could probably be ok if they encrypted it (strongly) and then stored (but you may (or may not) want to talk to your DDTC rep about that). You should have no problems finding an offsite storage company to provide the service, and/or use someone who allows you to restrict the S3 zones (if AWS is the backend store) to us-* regions. Similar for rackfiles, dream objects, etc. Another comment here is worth highlighting, however - use consumer services, get consumer service. Go upmarket a bit if you are actually looking for something that your company's bottom line is hung on.

  22. look for fedramp compliance by GovCheese · · Score: 2

    You might start with looking at FEDRAMP compliant providers found here: http://www.gsa.gov/portal/content/131931 I would imagine that those listed providers also have FISMA certification so you'll be able to determine if the categorization of the data you are trying to protect is met by the provider. ITAR categorized data must be stored in CONUS and I believe AWS Government Community Cloud and the USDA National Information Technology Center offered by United States Department of Agriculture supports CONUS only storage. I believe Google Apps for Government does as well. But the key thing is to ensure the FISMA cert matches the categorization of your data.

    --
    "He's using a quantum encryption scheme! That'll take hours to break!"
  23. Help I am Classified Clueless by flyingfsck · · Score: 2

    You do government work and you are this clueless? No wonder the USA is in the state it is in. You should start by reading the ITSG.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  24. I think I see the problem by Hognoxious · · Score: 2

    I manage the network for a defense contractor that needs a cloud-based storage service

    Stop right there, I think I've spotted the problem.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  25. DIY by nurb432 · · Score: 2

    Setup your own storage at your office. Don't trust public companies for your data.

    If you don't/can't do it yourself, hire someone to come in and do it. And audit the hell out of what they do.

    --
    ---- Booth was a patriot ----
  26. I just can't believe this by flacco · · Score: 2

    I completely do not understand anyone storing even remotely confidential data, much less security-related data, on servers hosted by another organization.

    --
    pr0n - keeping monitor glass spotless since 1981.