Ask Slashdot: Secure DropBox Alternative For a Small Business?

First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"

You are kidding right?

[MerlynEmrys67]

You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
Gah - I can't believe this is even a question

Re:You are kidding right?

[ravenswood1000]

Try Owncloud or Ajaxplorer for your own cloud solution maybe.

Re:You are kidding right?

[Trepidity]

For something Dropbox-like in UI that you can point to your own servers, some options are:

* Git-Annex Assistant: Despite its name, git is sort of an implementation detail you can ignore. It doesn't actually revision-control all your files, so you don't get huge bloat with binary files that are edited. One nice thing it does is integrate syncing with offline storage, so you can e.g. set up a remote server to sync to live, *and* set up a USB-connected hard drive to sync to when it's attached. When the USB drive is offline git-annex will still remember what files were on it.

* Sparkleshare: a front-end that does version-control all your files, which might be preferable if you are sharing small-ish files where you might want to recover a previous version (e.g., text documents). Less good than Git-Annex Assistant if you're sharing huge media files, possibly better if you aren't.

See also this Slashdot discussion from two years ago.

Re:You are kidding right?

[pixelpusher220]

I believe there's a facility in Utah that specializes in cloud data storage...

Re:You are kidding right?

[sconeu]

I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.

I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.

Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).

Re:You are kidding right?

[ColdWetDog]

I can just see this - a high level presentation to the C level executives:

"Yes, we're planning on using Sparkleshare".

"Sparklewhat?"

"Sparkleshare, it's an open source product that ...."

"Look, we're here to discuss corporate data strategy, not your daughter's favorite website".

Re:You are kidding right?

[icebike]

ITAR simply requires State-Side storage. It doesn't have to be secure from the NSA, in fact they would probably object if it was.

There is SpiderOak, which is US based, but they don't have the ability to decrypt your data, all decryption is done at the client.

Re:You are kidding right?

[tftp]

As many posters indicated in their comments, compliance is not even checked against your arbitrary list of technical measures. It is checked against an approved list of measures and actions that you are supposed to have and perform.

Good encryption would be a solution. You could have a server in North Korea and safely store all the secrets of portable nukes there, as long as they are well encrypted.

But the devil is in details. What does it mean "well encrypted?" What is even the criteria for "wellness" of your encryption? Would it be OK if I use ROT13? Ok, perhaps not. What if I use AES256? Now you are happy. Right? No, wrong - because I used a key that consists of all zeros. Or ones. Or something equally trivial.

But let's imagine you have a secure key. You used /dev/random, and it is random enough. Is it secure now? No, it isn't. You now have a known plaintext attack. AES may prevent you from reversing the key, but it still a block cipher - and many technical documents have similarities that can be exploited. Unless salted, every block of same plaintext will produce the same ciphertext. This is already a leak of data. Is it important? Maybe not. But there was no such leak before, and now there is a foothold. Can you guarantee that it won't get worse? Your adversary has all the resources of the state (albeit a poor one) and they are not constrained as much as you are.

This is why you never invent your own cryptosystem. NSA does that, and they approve and provide cryptosystems for various end users. If you can get NSA to approve a cryptosystem for your setup, you are golden. But chances of that are not very good. If you start building your own, nobody is even going to check what you did. If it is not approved, it's not good. DSS workers are not cryptographers; even most of NSA personnel are not cryptographers (as we know now.) It takes an inordinate amount of effort to approve a cryptosystem for a particular use. One can have a good algorithm that is implemented with a small bug, and that bug turns it from unbreakable to reversable in milliseconds. Cryptographers know what to watch for, and even they make mistakes sometimes. Can you get away with a crypto library that you downloaded from Internet? I don't think so. It may be perfectly secure, but that's not what you will be evaluated against.

Re:You are kidding right?

[dj245]

I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.

You need to control problem names from the get-go. Politicians do it all the time when they name bills (Safety Measures YYY for the Children, etc). Good businessmen never ask their boss to travel to Las Vegas, they go to Clark County, NV instead. It is your responsibility to handle this kind of thing.

I call bull

[santax]

"I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

Re:I call bull

[hawguy]

"I manage the network for a defense contractor that needs a cloud-based storage service"

No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox like service would provide enough fine grained ACL's and reliable and untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN accessed fileserver would be better with restrictions on the computer that prohibit saving to local storage. Once it's on a dropbox like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?

Re:I call bull

[Wintermute__]

Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.

Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.

AWS?

I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

Cloud 0?

[craznar]

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

Re:Cloud 0?

[FriedYuca]

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

You've never heard of parity?

Not in Raid 0, he hasn't.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Never going to find one

[Archfeld]

I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...

Calm down people...

[krbvroc1]

I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.

AWS GovCloud

I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

Look here -> https://aws.amazon.com/govcloud-us/

ITAR is tighter than that

[GumphMaster]

Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.

It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?

Re:Encrypt data, store anywhere

[Andy_R]

This isn't about security, it's security theater, it's not the safety of the data that matters, it's all about the box ticking. The box that must be ticked is 'data must not leave the US'.

If you try to apply any rationale to the existence of this box, you'll end up with something like 'The data can't leave the US because as we all know there are no bad guys on US soil, foreign powers cannot buy airplane tickets, and the internet has border police that stop foreign traffic that has the evil bit set.'

You're delusional.

[__aaltlg1547]

There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.

CLASSIFIED or REGULATED under ITAR?

[cdl]

So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. It will probably be fairly brutish and short. If, however, you are dealing with ITAR regulated information, then you have a different set of issues. You may not export the data without a permit, but you don't need to control it specifically within the US. Also, the regulations around foreign persons (or those of dual nationalities) relate to export activities. So, you can't transfer to a foreign person if you know (or suspect) that they are going to export the data. However, foreign persons in the US that aren't an export channel are not an issue (else a whole lot of commerce in the US would halt since I have no idea if another company has any foreign nationals employed, and I don't have to get an ITAR export license to ship something to another domestic company). In the later case (where we are talking regulation, not classification), you don't have an issue if you don't export the data (don't pick a company with foreign presence for cloud storage). Actually, one could probably be ok if they encrypted it (strongly) and then stored (but you may (or may not) want to talk to your DDTC rep about that. You should have no problems finding an offsite storage company to provide the service, and/or use someone who allows you to restrict the S3 zones (if AWS is the backend store) to us-* regions. Similar for rackfiles, dream objects, etc. Another comment here is worth highlighting, however - use consumer services, get consumer service. Go upmarket a bit if you are actually looking for something that your company's bottom line is hung on.