
Ask Slashdot: Secure DropBox Alternative For a Small Business?

First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR), which requires that all data remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality: a 40,000-file sync limit, Linux-based domain controller compatibility issues, and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"

18 of 274 comments

  1. You are kidding right? by MerlynEmrys67 · · Score: 5, Informative

    You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
    Gah - I can't believe this is even a question

    --
    I have mod points and I am not afraid to use them
    1. Re:You are kidding right? by ravenswood1000 · · Score: 5, Informative

      Try Owncloud or Ajaxplorer for your own cloud solution maybe.

    2. Re:You are kidding right? by Trepidity · · Score: 4, Informative

      For something Dropbox-like in UI that you can point to your own servers, some options are:

      * Git-Annex Assistant: Despite its name, git is sort of an implementation detail you can ignore. It doesn't actually revision-control all your files, so you don't get huge bloat with binary files that are edited. One nice thing it does is integrate syncing with offline storage, so you can e.g. set up a remote server to sync to live, *and* set up a USB-connected hard drive to sync to when it's attached. When the USB drive is offline git-annex will still remember what files were on it.

      * Sparkleshare: a front-end that does version-control all your files, which might be preferable if you are sharing small-ish files where you might want to recover a previous version (e.g., text documents). Less good than Git-Annex Assistant if you're sharing huge media files, possibly better if you aren't.

      See also this Slashdot discussion from two years ago.

    3. Re:You are kidding right? by pixelpusher220 · · Score: 5, Funny

      I believe there's a facility in Utah that specializes in cloud data storage...

      --
      People in cars cause accidents....accidents in cars cause people :-D
    4. Re:You are kidding right? by sconeu · · Score: 5, Insightful

      I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.

      I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.

      Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    5. Re:You are kidding right? by ColdWetDog · · Score: 5, Funny

      I can just see this - a high level presentation to the C level executives:

      "Yes, we're planning on using Sparkleshare".

      "Sparklewhat?"

      "Sparkleshare, it's an open source product that ...."

      "Look, we're here to discuss corporate data strategy, not your daughter's favorite website".

      --
      Faster! Faster! Faster would be better!
    6. Re:You are kidding right? by icebike · · Score: 4, Interesting

      ITAR simply requires stateside storage. It doesn't have to be secure from the NSA; in fact they would probably object if it was.

      There is SpiderOak, which is US based, but they don't have the ability to decrypt your data, all decryption is done at the client.

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:You are kidding right? by dj245 · · Score: 4, Insightful

      I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.

      You need to control problem names from the get-go. Politicians do it all the time when they name bills (Safety Measures YYY for the Children, etc). Good businessmen never ask their boss to travel to Las Vegas, they go to Clark County, NV instead. It is your responsibility to handle this kind of thing.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  2. I call bull by santax · · Score: 5, Interesting

    "I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

    1. Re:I call bull by hawguy · · Score: 5, Insightful

      "I manage the network for a defense contractor that needs a cloud-based storage service"

      No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

      That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox-like service would provide enough fine-grained ACLs and reliable, untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN-accessed fileserver would be better, with restrictions on the computer that prohibit saving to local storage. Once it's on a Dropbox-like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?

    2. Re:I call bull by Wintermute__ · · Score: 5, Informative

      Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.

      Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.

  3. AWS? by Anonymous Coward · · Score: 5, Interesting

    I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

  4. Cloud 0? by craznar · · Score: 4, Interesting

    Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and whatever else).

    --
    EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
  5. Never going to find one by Archfeld · · Score: 5, Informative

    I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  6. Calm down people... by krbvroc1 · · Score: 4, Informative

    I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use 'classified' rather than 'categorized'.

  7. AWS GovCloud by Anonymous Coward · · Score: 5, Informative

    I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

    Look here -> https://aws.amazon.com/govcloud-us/

  8. ITAR is tighter than that by GumphMaster · · Score: 4, Informative

    Some of our data is classified under International Traffic in Arms Regulations (ITAR), which requires that all data remain inside the US, including any cloud storage or redundant backups.

    It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  9. You're delusional. by __aaltlg1547 · · Score: 4, Insightful

    There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.