
Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
Hey Guys,

I am in the process of setting up the File Server for a new client, and he wants to protect a very valuable library of files and data. While he wants his employees to be able to freely use them in work, he has no desire to let them walk out the office with it on an external HDD. Locking the folder doesn't stop copy+paste, and neither does changing the permissions.

Any help on this would be greatly appreciated!

Thanks
 

millerj123

macrumors 68030
Mar 6, 2008
2,607
2,729
How seriously is your client willing to lock the work environment? Whatever the files are, if they can be read, they can be saved.

How would you prevent emailing, or saving to USB drive or CD/DVD?

You can use permissions and group membership to limit the audience that has access, but once you've provided access, you've pretty much got to assume they can walk out.

Being on the receiving end of these measures is not morale building, regardless of the necessity.
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
I understand what you are saying and have been trying to explain that.

I was wondering if there was some way to stop just the drag and drop method. We are talking upwards of 2500+ PDFs and others that span many years of technical documents. It is not a problem if they have to re-save every PDF (this is easier to spot), but if they can copy all at once then that would be easier for them, and more difficult to stop or even notice.

While the monetary value is of course high, the fact is that if all the docs are taken by an employee leaving, it no doubt drops the competitive edge his company has.

Maybe the best way is some sort of IT agreement when joining the company that the user / employee must sign. Any thoughts?

To be honest I am not too bothered about the employees' view with this. It is a highly knowledgeable firm, and everyone working there will understand just how important the use of these docs is. That is where this problem comes in - they understand they shouldn't take them, they know they hold a great upper hand if they do.

Thanks for your reply!
 

ChrisA

macrumors G5
Jan 5, 2006
12,919
2,173
Redondo Beach, California
Hey Guys,

I am in the process of setting up the File Server for a new client, and he wants to protect a very valuable library of files and data. While he wants his employees to be able to freely use them in work, he has no desire to let them walk out the office with it on an external HDD. Locking the folder doesn't stop copy+paste, and neither does changing the permissions.

Any help on this would be greatly appreciated!

Thanks

The ONLY method is to implement physical security. Fill all the ports, USB, FireWire and such with epoxy. This will prevent anyone from inserting a USB drive. Remove any optical drives. And OF COURSE you don't allow any of the computers to connect to the Internet. This is reasonably common practice in places where security is important. The epoxy makes the computers hard to re-sell later but who cares? Their value is nothing compared to the data, right? Epoxy is an insulator so it does not harm the computer, other than to permanently disable use of the port.

There is no possible software fix because anyone with physical access to the computer can always boot off a portable drive and bypass your software.

Or you can simply hire honest employees.
 

thejadedmonkey

macrumors G3
May 28, 2005
9,240
3,499
Pennsylvania
I don't know how to do this with OS X, but Adobe has DRM built in. You can lock the PDFs so they can't be "save'd as"... This might help some.
 

millerj123

macrumors 68030
Mar 6, 2008
2,607
2,729
I don't know how to do this with OS X, but Adobe has DRM built in. You can lock the PDFs so they can't be "save'd as"... This might help some.

At the very least you could still get screenshots...one page at a time. I'll concede upfront that it wouldn't be practical, and I wouldn't waste my time doing that.

I'd try going with an NDA of some sort, although I have no idea how well they really hold up in court.
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
Ok well to sum up then for anyone else finding this thread:

It is not possible to stop Copy+Paste of folders/documents, if someone has read access to them.

Am I right?

Thanks
 

chrfr

macrumors G5
Jul 11, 2009
13,710
7,280
It is not possible to stop Copy+Paste of folders/documents, if someone has read access to them.

By definition, if someone has access to the files, they can copy them. What your client seeks is impossible. As someone else posted, if you disable all the ports on the computer, as well as remove internet access, that's the only possible way to come close.
 

ChrisA

macrumors G5
Jan 5, 2006
12,919
2,173
Redondo Beach, California
By definition, if someone has access to the files, they can copy them. What your client seeks is impossible. As someone else posted, if you disable all the ports on the computer, as well as remove internet access, that's the only possible way to come close.

Yes it's only "close" because you can open the machine with a screwdriver and swap the internal disk drive, even if the ports are plugged with epoxy.

You would have to invite TSA to install a full body scanner at your door. That and implement a full shred policy on the trash so no one tosses the data in the trash can.

Maybe you can read that I'm saying that no technical measures will work if you can't trust the employee. Not if they have physical access to the computer.

In all security textbooks they all say that everything assumes you can prevent physical access.

So you have them sign NDAs but also you hire out a background check.

Other policies that are common are to have a remotely monitored alarm service and to never allow only one person inside.

I've worked several places with such policies. People are not as productive but it works.
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
It's not really a matter of trust. It's more a matter of stopping those that you do trust, without having to make it obvious that you are stopping them. Sort of a hidden line of defense.

Therefore they see something as 'just not possible' rather than the 'he doesn't trust me'.
 

interrobang

macrumors 6502
May 25, 2011
369
0
Filling the USB ports is insane. You can disable USB mass storage by removing the .kext, without ruining the computers.

Therefore they see something as 'just not possible' rather than the 'he doesn't trust me'.
In other words, you rely on the employees to be ignorant rather than honest. I think this is a very safe bet. ;)
 

miles01110

macrumors Core
Jul 24, 2006
19,260
37
The Ivory Tower (I'm not coming down)
It's not really a matter of trust. It's more a matter of stopping those that you do trust, without having to make it obvious that you are stopping them. Sort of a hidden line of defense.

Therefore they see something as 'just not possible' rather than the 'he doesn't trust me'.

Anyone that really wants to get the documents will know that it is possible and assume that you don't trust them, thus negating your entire "strategy."
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
Anyone that really wants to get the documents will know that it is possible and assume that you don't trust them, thus negating your entire "strategy."

In Hong Kong where people have very very likely never used a Mac in business before, I highly doubt that they will understand the workings of a Mac server and what you can and can't do.

This of course is different in a Mac focused workplace / side of the world
 

Quad5Ny

macrumors 6502a
Sep 13, 2009
984
22
New York, USA
Put all the PDFs on jailbroken iPads that have everything except a PDF reader App locked out.

Then get cable locks for the iPads and set up remote wipe in case the iPad gets stolen (you need 3G iPads for this to have any success though).
 

speacock

macrumors member
Jul 26, 2011
99
0
UK
You could use an endpoint protection product

In a Windows PC based environment you would use an endpoint protection product from the likes of Symantec or McAfee for this, possibly combined with an endpoint encryption product. I can't say how well it works in a Mac environment as I've never used it in that world, but I know it exists.

The newer versions of tools like this go well beyond their traditional AV/AM and HIP/HID role and now include things like the ability to lock down the type of device that can be plugged into a USB port or the data that can be written to an external device, or by whom, or to enforce encryption (so that people may be able to take the data out of the building but can't read it when not attached to the company network), or to simply audit who took data off the system.

Many larger and more security-paranoid organisations that I work with, such as financial companies and government departments, use this kind of solution to stop people stealing data (or at least make it much harder).

However, it's not something that I would undertake lightly. It needs lots of thought, planning and can be quite intrusive and require some effort to manage. Not to mention the issues such as practicality and the non-technical issues such as the breakdown in trust between employer and employee that it implies.

As always, the technical solution needs to be combined with policy such as non-disclosure agreements and acceptable use agreements.

As a final point, you will never plug every hole; you can just make it harder for people. As an IT security consultant that I used to work with said: "The biggest security gap in most companies is the printer and the front door".
 

adt100

macrumors newbie
May 10, 2010
10
5
I have not used it myself but a client of mine uses OwnerGuard (http://www.armjisoft.com/?page=pdfownerguard) to lock PDFs to particular computers. They use Windows but it looks like a Mac viewer is available.

Failing that if you just wanted to make it more difficult (or time consuming) for the users to walk off with the files you could host the files in a local CMS or just a local Apache website and place download limits so that each IP could only download 2 or 3 files a day (or whatever fit with their normal workload).
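
The per-IP daily download limit suggested above, as an added example that is not part of the original post: a Python WSGI app standing in for the Apache or CMS setup, which serves files from one folder, caps distinct documents per client IP per day, and logs refusals. The `library` folder, port 8080 and the limit of 3 are assumptions.

```python
import datetime
import os
from collections import defaultdict
from wsgiref.simple_server import make_server

DOC_ROOT = "library"   # assumed folder holding the PDFs
DAILY_LIMIT = 3        # assumed cap: distinct files per client IP per day


class QuotaApp:
    """WSGI app: serve files under doc_root, capped per client IP per day."""

    def __init__(self, doc_root=DOC_ROOT, limit=DAILY_LIMIT,
                 today=datetime.date.today):
        self.doc_root = os.path.realpath(doc_root)
        self.limit, self.today = limit, today
        self.seen = defaultdict(set)   # (ip, date) -> distinct paths served

    def __call__(self, environ, start_response):
        ip = environ.get("REMOTE_ADDR", "unknown")
        rel = environ.get("PATH_INFO", "").lstrip("/")
        path = os.path.realpath(os.path.join(self.doc_root, rel))
        # Refuse anything that resolves outside the library (e.g. "../").
        if not path.startswith(self.doc_root + os.sep) or not os.path.isfile(path):
            return self._reply(start_response, "404 Not Found", b"not found\n")
        files = self.seen[(ip, self.today())]
        # Re-opening a document already fetched today does not use up quota.
        if path not in files and len(files) >= self.limit:
            print(f"QUOTA-DENY ip={ip} file={rel}")   # audit trail for the admin
            return self._reply(start_response, "429 Too Many Requests",
                               b"daily document limit reached\n")
        files.add(path)
        with open(path, "rb") as fh:
            return self._reply(start_response, "200 OK", fh.read(),
                               "application/pdf")

    @staticmethod
    def _reply(start_response, status, body, ctype="text/plain"):
        start_response(status, [("Content-Type", ctype),
                                ("Content-Length", str(len(body)))])
        return [body]


if __name__ == "__main__":
    make_server("0.0.0.0", 8080, QuotaApp()).serve_forever()
```

Counting per IP follows the post; where workstations get addresses from DHCP, keying the quota on an authenticated username holds up better, and the `QUOTA-DENY` lines give the admin something to review.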
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
Failing that if you just wanted to make it more difficult (or time consuming) for the users to walk off with the files you could host the files in a local CMS or just a local Apache website and place download limits so that each IP could only download 2 or 3 files a day (or whatever fit with their normal workload).

So I could set up a local portal type of thing with a very simple folder structure to house all of these?

You sir may have made my day!
 

miles01110

macrumors Core
Jul 24, 2006
19,260
37
The Ivory Tower (I'm not coming down)
In Hong Kong where people have very very likely never used a Mac in business before, I highly doubt that they will understand the workings of a Mac server and what you can and can't do.

This of course is different in a Mac focused workplace / side of the world

As I said, someone who really wants the files will not be stopped by your assumption that they "won't know how to use a Mac."
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
OK time to get to reality. If it's easy, they will take it. If it's not easy, then they are less likely to take it. I'm not talking about being in business with people driven to break into the network - they are mainly just opportunists.

I can't help thinking this thread has got out of hand....!
 

Foogoofish

macrumors regular
Original poster
Jun 12, 2011
223
382
London
orrrrr.....

create a matrix for your workers to inhabit, and then brick up the door when necessary!

(oh dear! :))
 