Data Storage Security

Securing Files in a Hostile Workplace? 88

lockdown asks: "How do I secure the files used in my department? I work in an engineering department and I've been tasked with securing our electronic files. We are a likely target of pirates, both internal and external. The 'resale' value of our files is very large. Attackers would be interested in selling our files or just posting them publicly for bragging rights. While I trust our engineers, many of whom have been here over 10 years, we do have many short-timers and temps in other departments. Worst of all, our IT department is clueless and even hostile to our efforts. (They are proud that, 'our network is so outdated that it can't be hacked.') How do I come up with a way to secure our files in a hostile environment and still get our work done?"

"The constraints of my personal situation include:

  1. the world controlled by the IT department (the network, most servers, tape backups, external firewalls, etc) are out of my control,
  2. we do not have good physical control of our environment to prevent physical theft or PC access,
  3. we need to compartmentalize access to different teams,
  4. we need to be able to recover access in the event a bus hits an engineer,
  5. engineers need to be able to securely take files home,
  6. data files can range into the GBs,
  7. this can't get in the way of getting work done,
  8. being engineers, we tend to work with a wide range of obscure tools that are unlikely to be supported by commercial solutions and may not play nice with the OS
  9. we are stuck with Win boxes as clients, but we could have a local dept. *nix security server,
  10. each engineer needs to be able to enable access to any other engineer,
  11. I would like at least 2 factor security, something you know and something you have,
  12. I would like the 'something you have,' attached to engineer's car key ring (something you can't go home without) and
  13. open source preferred (no proprietary pixie dust, please)."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    This situation strongly depends on the ATM packet size ratio to the compressibility of the files. To get a decent analysis from us ask slashdot experts, please post links to the files here so we can examine them and offer you the best advice possible.
  • by t--f-c ( 76987 ) on Tuesday October 07, 2003 @06:45PM (#7157861)
    we all know we want to say it.. you work for Valve don't you??
    • omg, you beat me to it lol!
    • Come on! Didn't you get the hints:

      'resale' value of our files is very large -- who else can ask for $100,000 for a single mp3?

      IT department is clueless and even hostile AND our network is so outdated -- who do we know that is technologically clueless?

      We are a likely target of pirates -- hmmm.. who could possibly have made themselves intraweb-public-enemy-no.1?? (no, not SCO, they are ruled out by the first item on the list)

      I've been tasked with securing our electronic files -- and who could possi

  • Dear slashdot, (Score:5, Insightful)

    by Godeke ( 32895 ) * on Tuesday October 07, 2003 @06:49PM (#7157893)
    I have a laundry list of requirements that would tax any reasonable person's mind, no control over my environment, obscure software tools and no money. Please fix this for me.

    Thank you,
    Hopelessly Clueless Engineering, Inc.


    Geeze. Having implemented document control for ISO compliance at an engineering firm that does aerospace parts, I can safely say there is no way your requirements are compatible with any software solution. You have *systematic* problems that are far greater than any humble software could aspire to solving.
    • Re:Dear slashdot, (Score:3, Interesting)

      by Jerf ( 17166 )
      Having implemented document control for ISO compliance at an engineering firm that does aerospace parts, I can safely say there is no way your requirements are compatible with any software solution. You have *systematic* problems that are far greater than any humble software could aspire to solving.

      Even more extra emphasis added by me, of course.

      I know it's damned easy for some guy, somewhere on the Internet to say this, but you have two basic options. Either stop caring and go with the flow, or start ac
  • Outdated (Score:5, Funny)

    by Ratbert42 ( 452340 ) on Tuesday October 07, 2003 @06:51PM (#7157910)
    They are proud that, 'our network is so outdated that it can't be hacked.'

    Get a couple of these [montek.com].

    • I don't know... What if the key is lost? How they will be able to recover the data?
      • You're going at this all bass-ackwards. Put importantly labeled disks full of heavily encrypted random data in the nice locked boxes and set them out at every lead engineer's desk.

        The real data will be kept in their shared Kazaa directories and named for classical and country songs.
  • You're screwed. (Score:5, Insightful)

    by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Tuesday October 07, 2003 @06:52PM (#7157917) Homepage
    Assuming that all your constraints are unalterable, you're screwed.

    1) if you can't trust your IT department, you're screwed, especially if management thinks they should have access (they're IT -- it's their job.) You could deny IT access, by handling everything yourself, but that's often a political nightmare.

    2) without physical security, you have no security. You could encrypt the filesystems, but that has its own set of problems. It wasn't that long ago that somebody stole an entire mainframe in Australia.

    4) if things are encrypted, more than one person needs to know the passcodes. But the more people who have access, the more people that can do bad things ...

    7) is a big one. If you can only trust some of your engineers, then only the engineers you can trust can have access to the files. But obviously engineers you can't trust need access too ... you're screwed.

    10) yikes.

    • Re:You're screwed. (Score:2, Insightful)

      by sakyamuni ( 528502 )

      ...and don't forget:
      5) yikes.

      5. engineers need to be able to securely take files home

      That's another Sisyphean predicament. It's hard enough to control the company network, but effectively impossible to control your engineers' home environment.

      There's no magic technology bullet that'll solve your problems.

    • Well put. There is no solution within the constraints.

      Play hot potato and give the problem to IT or, preferably, upper management.

    • Assuming that all your constraints are unalterable, you're screwed.

      What about keeping all the files on big usb memory keys?

      I'm only 90% kidding ;)
    • I agree with the parent poster. Even if you secure yourself from the outside world, there is no real way of stopping the inside employees. The company should re-evaluate the hiring procedure to hire trustworthy employees. You can take measures to keep the data safe, but not stolen from the inside.
    • Encrypting the large files would be impractical as well, I would imagine.
  • I can do it! (Score:3, Interesting)

    by humblecoder ( 472099 ) on Tuesday October 07, 2003 @06:53PM (#7157931) Homepage
    Just give me an Admin account on your server, and I'll secure it for you.... :-)

    Seriously, where I work, we use a VPN that is secured using a PIN and a RSA token. Basically, the RSA token is a little keychain thingy that displays a 6 digit number which changes every minute or so. When the user wants to connect to the network, they need to enter their PIN plus the 6 digit number.

    Because the token is "keyed" to the individual, only my RSA token will work with my PIN. In order for a person to break in, they need both the person's PIN AND the person's unique RSA token. Obviously, this makes the network a lot more secure than a network protected by a traditional username/password setup.

    Based upon your requirements, this may not be the best solution, as it fails to satisfy several of your requirements. However, my intuition tells me that you will be hard-pressed to satisfy ALL of your requirements with a single product (without rolling your own).
    • Yah, and as soon as a user is connected to the company VPN, I'll hack into his/her PC (weak link) and use the VPN connection.

      I agree that a VPN is better than no VPN, but it does not stop a determined foe who'll just get in through some Windows flaw on the employee's home PC.

      You have to address all the weak links first.

    • Someone I know uses an RSA key to access a VPN into work. It nearly cripples the PC with its CPU load. Even though this is a late 90s machine, still the overhead of the RSA VPN is, in my opinion, too high for the benefits, especially over dialup.

      The RSA key is also difficult to use to legitimately log in. It's easy to mistime your login where the number rolls around and end up having to try again. In theory, RSA VPN sounds neat, but it looks like a huge pain in exchange for extra security.

      Using client

      • Someone I know uses an RSA key to access a VPN into work. It nearly cripples the PC with its CPU load. Even though this is a late 90s machine, still the overhead of the RSA VPN is, in my opinion, too high for the benefits, especially over dialup.


        There is a degradation in performance when you access a network over a VPN, I admit. You need to be judicious in your use of it. However, if you need to access your network remotely and are concerned with security, I believe it is worth the tradeoff. Also, wi
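The PIN-plus-token login discussed in the comments above, including the rollover mistiming one reply complains about, sketched as an added example that is not part of the original thread. The SecurID algorithm is proprietary, so this substitutes the open HOTP/TOTP construction (RFC 4226 / RFC 6238); `TokenVerifier` and its parameters are hypothetical names, and the 60-second step follows the "changes every minute or so" description.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for one counter (time step) value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side record for one user: token seed plus salted PIN hash.

    Hypothetical class for illustration; a real deployment also needs
    lockout after repeated failures and protected storage for the seed.
    """

    def __init__(self, secret: bytes, pin: str, step: int = 60, window: int = 1):
        self.secret = secret          # seed shared with this user's token only
        self.step = step              # seconds each displayed code is valid
        self.window = window          # steps of clock drift tolerated each way
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)
        self.last_counter = -1        # highest time step already accepted

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin: str, code: str, now: float) -> bool:
        """Accept only if PIN and code both match and the code is unused."""
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        current = int(now) // self.step
        matched = None
        # Check neighbouring steps so a code typed just as the display
        # rolls over is still accepted (the "mistimed login" case).
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0:
                continue
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = counter
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False              # wrong PIN, wrong code, or replayed code
        self.last_counter = matched   # burn this step and everything before it
        return True


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test seed and an arbitrary PIN.
    v = TokenVerifier(b"12345678901234567890", pin="4821")
    now = 125                                       # falls in time step 2
    print(v.verify("4821", hotp(v.secret, 1), now))  # previous step: accepted
    print(v.verify("4821", hotp(v.secret, 1), now))  # same code again: rejected
```

The drift window trades usability for a slightly longer acceptance period; the replay check is what keeps a code observed over someone's shoulder from being reused inside that window.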
  • by Anonymous Coward
    install the AirGap(TM) firewall.
  • To me it sounds like there are three problems you're trying to solve:

    1) Securing files stored at work.
    2) Securing files while being transferred around at work.
    3) Securing files when stored to take home.

    I also assume that your 'recover access in case of being hit by a bus' requirement is also 'recover access if the physical security key is lost/left at home today/dunked in hot coffee'.

    For #1 - I'll leave that to the paranoid masses out there, I'm sure they can come up with something.

    For #2 - Logically yo
  • What is the meaning of life? Seriously, your situation and requirements basically preclude any solution. The only way to get this done is to change either the security requirements, or the existing situation. Since I am assuming that the security requirements are there for good reason, you have to change the half-assed existing situation that is getting in your way. Once that is complete, the only thing that comes to mind is PGP / GPG encryption using a token on a USB keychain or something similar as the de
  • by itwerx ( 165526 )
    No clue what these files or how you need to work with them but PGP has a pretty good Windows interface now. You just right-click a file to encrypt/decrypt. You'll need support from your fellow engineers but s'long as the files are kept encrypted on the server and only ever decrypted locally (and then re-encrypted when they go back to the server) you should be okay. Just be sure to clear out the local files every night when you go home!
    • Re:PGP (Score:3, Informative)

      by Mattcelt ( 454751 )
      Indeed, PGPDisk seems to be the best solution in the short term.

      PGP supports enforced corporate encryption key redundancy, allowing you to hold a master decryption key which will allow you to recover any file.

      Better yet, that master key can be broken into parts and only be restored by a subset of keyholders (an m of n reconstitution) so that no one rogue person can act alone, it requires m people to recover the master key.

      PGPDisk sets up a virtual partition on the hard disk, and is native to Wintel platf
      • I actually might have to do something like that myself one of these days. Any particularly good HOWTOs or other docs that you've run across?
        • Now that I think about it, I don't think I know of any. I happened to fall into PGP as an adjacent piece to the PKI Architecture that I do for a living, so it wasn't much of a stretch to apply what knowledge I have to PGP.

          The PGP documentation is, in and of itself, somewhat helpful; Phil Zimmermann has the right idea when it comes to security in general, and PGP in particular.

          I'll do some looking around; if I come across any, I'll let you know.

          Mattcelt
  • It sounds like the standard answers such as restricted access rights to the server, files and so forth are not an option in your circumstance. One possible solution - depending on your workflow requirements - might be to look at some digital rights management software.

    In this forum, digital rights brings up Microsoft, RIAA and so forth - which I'm sure will get me pilloried. However, it sounds like you are in an environment that would be a good candidate for this kind of software.

    IBM, Microsoft and othe

  • by Circuit Breaker ( 114482 ) on Tuesday October 07, 2003 @07:06PM (#7158034)
    .. even without the hostile environment.

    If engineers can take the files home, you'll have to secure their home networks as well. Can you trust them to do that competently?

    If any engineer can give access to any other engineer, you can't effectively divide teams. Within very little time, all engineers will acquire access rights to all processes. That's what usually happens.

    You'll need to rework your requirements to a list that is consistent with itself first (which means, mostly, thinking which of these requirements are more important). Then you can start looking for a solution.

    And don't trust security advice from Slashdot. For every competent answer, you'll get ten incompetent ones, and unless you have a good security background, you won't be able to tell the difference.
  • Go Commercial (Score:1, Interesting)

    by Anonymous Coward
    You're looking for a full-blown document management system. The only one I'm familiar with is IBM's Domino.Doc.

    Basically, you need a database to store everything in (single network file store), access controls, and revision control (in the event two engineers check out the same file at the same time). It'll cost you money, and no matter what you choose, you'll need 1 or 2 people who understand how to maintain and administer the product.

    Your best bet is to involve management. And the Legal department.
  • First off, there is (in my humble opinion) no way to guarantee the safety of data that is accessible by machines connected to the internet, no matter how many firewalls are in place. Even something as stupid as having web access on a work machine may one day cause you grief, no matter the security, no matter what operating system. A Trojan Horse, whether something whipped up by a hacker with you as the specific target or a worm coming in from the wild, can access files on your machine and then send them e
  • Your insanely hostile environment mandates a solution in which all data is encrypted at all times except when it is being accessed on a single workstation.

    The requirement for shared access mandates that the encryption key be shared. Smart cards provide this by giving each user an individual passkey that they use to access the shared encryption key. This prevents a person's lost smartcard from compromising the security of the files.

    You also need software that accepts the passkey and smart card directly f
  • if you can have a local *nix server, how about logging into that and using that as the source of secure data? I guess the real issue is working with large files (engineering files can get friggin huge) across a network - but it's a local box on a LAN it's a lot more doable than in a WAN environment. Trust me, I'm in that hell supporting one right now.

    So, all work done at work is kept on the secure *nix box .. and to take files home, I guess you could use a 'half-decent' archiving tool with password protec
  • by FreeLinux ( 555387 ) on Tuesday October 07, 2003 @07:48PM (#7158370)
    I don't mean to be offensive here but you do not state what your qualifications with regard to IT are so, I must ask are you qualified to evaluate and judge the competence of your IT department and their procedures?

    You see, I frequently run into middle and upper level managers that pose the same questions and issues that you do. They have decided that their files are the most important thing in the world and that the IT department is incompetent because they do not seem responsive to said managers' queries or concerns. But, in spite of the managers' feelings on the matter, I rarely see a situation where the IT department is truly incompetent or is doing a poor job on security. What is really happening is that the managers are not qualified to evaluate the IT department's procedures and that said departments become "unresponsive" to these managers after a while of hearing the mistrust and false accusations from someone unqualified to judge.

    The fact is that most file servers offer most of the features that you are asking about. Most file servers(Windows NT-2003, Netware, Unix) have very good security measures that allow compartmentalized access, the ability to recover an account and its files when the user is hit by a bus, extensive access logging and auditing, the ability for the file's owner to assign other users access permissions, the ability to handle very large files, potentially secure access control via user ID and password, and more. Most newer ones will allow you to encrypt individual files, directories or even entire disks to further restrict access although this can interfere with work when multiple users are involved. Also, most file servers from within the past decade can support two factor security schemes that utilize one time password key fobs or even biometrics like thumb print scanners(which I find preferable to key fobs that can be lost or stolen).

    The most contrary item on your list of requirements is the ability to take home large files. This is a gaping hole in any security system and if the files are so terribly valuable, your company should implement measures to make sure that taking these files anywhere from the server is impossible, or at least extremely difficult. Why would you implement an elaborate security system and then have the files walking out the door on a disk or tape? (As I think about it, Microsoft claims that this can be done securely under their Trust Computing and DRM plan. But, I won't buy into it.)

    In the end the question returns, are you actually qualified to evaluate and judge the IT department's processes and procedures or are you feeling dejected because they are "unresponsive" to your individual needs? One final note about your IT department's pride in their antiquated network. There are several systems out there that although old are still more than capable of doing their job and are indeed quite secure. DEC Vax systems running LAT can be completely secure from both external and internal attack. The same can be said for Novell systems when they rely on the IPX protocol. In spite of your obvious dislike and mistrust of your IT department, it is entirely possible that they are truly very secure with their outdated network.
  • by np_bernstein ( 453840 ) on Tuesday October 07, 2003 @07:52PM (#7158398) Homepage


    Many people assume that the only reason to get an audit done is for responsible admins to double check their work and verify that their network is secure. This is a completely valid reason, and the best reason to do one, but there are also political motivations, like in your case. The IT department's stance is that they are secure. You believe otherwise: have an infosec company do an audit. They can show the problems in the network, do so in an impartial way, and give it directly to management who can either exonerate you, or give you the tools needed to do your job.


    Personally, I would consider Network segmentation, and access controls (both host and network) as the first thing I would think of. Also, read-only smart cards with an encrypted key on it and a strong encryption policy. Keys are checked in every night, and each user has a separate password. You leave, you can't access the file. Then create a strong security policy for your department and have management sign off on it, so you can take immediate steps if anyone violates the policies (taking a key home, unauthorized laptop, etc.)


    if you really need help, feel free to contact me:
    me [mailto]
  • Purchase a solid safe; unhook all file servers, place them in said safe. Post two rabid pit bulls in room containing said safe. Resulting security may be barely enough to contain grandma's cookie recipe.

    Considering the number of people who appear to have access to your data, and the current us vs. them politics with the other departments, you can be certain that any measures you take to protect your data from theft will be, in the end, undone by the human factor. You should emphasize, instead, maintain
  • by Hard_Code ( 49548 ) on Tuesday October 07, 2003 @08:12PM (#7158513)
    "We are a likely target of pirates, both internal and external"

    Well, it's a difficult situation. I suggest strong coastal fortress walls, and heavy shelling cannons. Also be sure to have your mates dig the hole before you bury the treasure. That way they will all be tired and you can shoot them and bury them with the treasure. I also suggest wearing a hook and eye patch. Some would argue that this is security through obscurity, but it does have a legitimate effect as a deterrent. Oh, and DON'T FORGET to draw a map with paces relative to everyday objects. This is sure to throw off that random bunch of happy go lucky teenagers in an 80s movie.
  • we are stuck with Win boxes as clients, but we could have a local dept. *nix security server

    It's easy - you say your IT people say it's "that old it's secure", well if it's that old = root exploits-a-go-go. Root the box, then set up the security properly.

    What? No one said the solution had to be legal...
  • "rm 'filename'" will usually do a fair job of keeping people from viewing the file.

  • I suppose I could lend you my public encryption key for a while....

  • by Kris_J ( 10111 )
    I'm sure some of the PGP-based filesystem extensions will get you half way there. Just get everyone to carry their private keys on a little USB device, a floppy disk or an iPod. You'll still never stop a leak from a person with legitimate access to the files.
  • If you can't trust your company's IT department, then you have to
    treat the company network as if it were part of the internet --
    outside, hostile, dangerous. That means you have to have your own
    internal firewall(s) that prevent traffic from coming into your
    department from the rest of the company network, except for traffic
    that you specifically allow. The IT department can control whatever
    servers it likes, but you don't put anything that matters on those
    servers; you keep it on your OWN servers. Ideally, th
  • by cybermace5 ( 446439 ) <g.ryan@macetech.com> on Tuesday October 07, 2003 @09:28PM (#7159008) Homepage Journal
    Or else fix some of those requirements. The biggest one is the physical access problem; the only mostly secure way to do that is full encryption. And encrypting & decrypting gigabyte files will certainly get in the way of getting work done.

    No internet access to secure PCs, no digital media allowed in or out of the secure area. And make the engineers understand that, if they are found responsible for data escaping, it means not only their job but their career as well, and quite possibly a large chunk of money.

    If your data is worth that much, if the company's future depends on it, you cannot afford to take any risks. Hire an expert security consultant to examine YOUR system and implement security safeguards and procedures. You will have to give up an amount of conveniences and features in order to achieve security. Don't kid yourself that there is a transparent way to do this.
  • Easy! (Score:3, Funny)

    by duffbeer703 ( 177751 ) on Tuesday October 07, 2003 @09:53PM (#7159169)
    Sell some of your valuable files, and use the proceeds to fund a security upgrade.
  • Buy a bunch of these 2gb Flash Drives [yahoo.com]

    Instruct the engineers to rectally insert them when not in use. You'll be safe from everything but a cavity search. Large files can be spanned across multiple devices, just find someone with extra capacity available. (The Goat.se dude could be your new server).

    SD
  • This is plain stupid. You can get some encrypted USB drives and smart cards or you can change your environment. I can't imagine that this is a real scenario. What pointy haired manager would allow this type of environment to fester, especially when all the management types can think about these days is protecting IP?

  • except for contradictory requirements ("We don't trust engineers but they can take files home and use as they please" "We have no control over computers but our solutions must be a robust computer system") you should look into document management portal systems.

    Some examples are OpenText's LiveLink or IBM's Lotus Notes.
    • Notes is a pretty good idea, even though it is not open source. You only have to physically secure the server, then distribute the key files to the engineers on USB drives. Then use it for managing all documents that have security. Most of your requirements (except for the contradictory ones) are satisfied, and some that you haven't thought of (such as audit trails).

      Notes' security good enough for the CIA, so it's good enough for you. The problem is that you have to retrain people to keep important thin
  • Your problems are management company created problems. They need to be solved on that level.

    Your company needs to create a security admin. This person needs to be above the level of department managers. This person needs to dictate security policies company wide. If a manager doesn't like her policies, that manager needs to go to her boss.
    The security admin needs to have her job on the line if your code gets out in the open.

    Do that one thing and see what happens.
    Many, many, many people are gonna be pi
  • Well, the situation described is pretty common in many firms.

    What I did in the same situation was:

    1. Fix the physical security: get a clear desk policy up and running. As well as protecting you from intruders, it also means the impact of a fire will be much less.
    2. Move all important files to the server (which will be backed up and has access controls).
    3. Put power on passwords on all PCs, make sure they are good ones (if you need access in an emergency, there will be an administrator password held by

  • Unfortunately, you are not the one who should implement any security measure... you need to make your manager aware of the fact that some corporate assets may be at risk, and that he/she might want to conduct a risk analysis to see how large the risk of information disclosure actually is, and what it is worth to the company to mitigate these risks. This largely depends on the real value of the information, not the perceived value. And you are, forgive me in saying so, biassed towards the value of this infor
  • Do a risk assessment, show the issues you have and the risk to business in cold hard cash.

    ie the threat, the risk (impact on the business), likelihood and possible ways of reducing the threat/risk with costs.

    Present this info all the way up to the board of Directors, at the end of day they run the business and it's their decision. You need to get a high level manager/director to sponsor this for you as well.

    A lot of this kind of problem is getting the business (directors) to be aware of the problem and t
  • Replying to each in turn:

    1, you can't control external IT services, external IT is hostile to you.

    Fine, if you have support from your department, then treat the rest of your company's IT assets as 'hostile' and 'insecure.' Having your boss's support is crucial, it's his job as a project manager, or division head to facilitate his employees getting their work done. Further, it's his job to make sure that important information and data is not compromised. He is delegating that responsibility to you, but it i
  • we need to be able to recover access in the event a bus hits an engineer,

    Petition to outlaw buses.

  • Granted, I don't have GB sized files, but I do maintain some of my own files on my work computer that I DO NOT want some random admin to have access to, especially if I were to be "let go" one day without warning or time to backup/wipe said files.

    I use PGP [pgp.com] - the 'freeware' version - because I'm only securing personal files, not work files. For work files I'm sure you'd need an enterprise license or some such thing, but I've found it to be really easy to use. I also haven't tested out how actually secure it
  • If you can't trust your IT department, install an internal firewall (just for you)

    Authentication (smthing you know and smthing you have = smartcard) Contact smartcard vendors (Gemplus, etc.) and they will be happy to help you.

    Securely taking files home is like securely taking a nuclear device home. This does not exist... Either be "completely" secure or do not allow this...

    Not depending on a single person to keep a secret is tricky:
    you may try something like this: each engineer changes the password every we
  • the world controlled by the IT department... are out of my control
    Then this is not your problem, it's the IT director's problem. Or a CxO's problem.

    we do not have good physical control of our environment
    Again, if you are not the one in charge of physical security, it's neither your job nor your responsibility.

    we are stuck with Win boxes as clients
    You're fucked! Seriously, the security of files comes from properly configured and admined win servers, not from the clients.

    I would like the 'something yo
    • Mod parent +1 Insightful
    • the security of files comes from properly configured and admined win servers, not from the clients.

      The clients are always the weak link. Everyone from script-kiddies to the FBI knows this. It's hard to secure files when they have to traverse the network. Besides, don't pretend that a 'properly configured win server' is any different from a Windows workstation when it comes to security: they're the same OS.

      There might be some freeware projects out there, but none of them come close to the completenes

  • 1) Remove all floppy drives and other writable-removable-media drives from every desktop on the network.

    2) Keep the servers in a locked room. Put two or three cameras in the server room.

    3) Enable firmware passwords on all computers to prevent installation CD root access.

    4) Put lock-down cables on all computers to prevent physical theft. Real computers, such as Sun workstations, even have it where the lock-down cable prevents opening the case, too.

    5) Isolate your network from all others, especially the

    • Here's a couple more:

      8) No windows.

      9) Faraday cage in the walls.

      10) Submarine-style isolation of the interior of your building, to prevent sound transmission to the outside.

      It'll be much harder for the competitor's spooks to get anything, but it seems things are getting a bit less simple, now. You know, a military submarine is a great example to follow for good network security!

  • Scare your employees and make them fall inline! Use polygraphs.
  • My company sells (and I work on) a product that meets numbers 1 through 9 of your criteria list (and maybe 10). Here's the website for it: http://www.kastenchase.com/products/acs.asp And here's a PDF brochure that might have less sales noise (maybe): http://www.kastenchase.com/products/CipherShareBrochure_20030729.pdf We could probably also make the source code available for review, and don't yet have two-factor authentication but we plan to add it soon. Sales guys would have to be the ones to make pr
  • I'm not sure you're going to be able to meet all of the constraints. One piece of the puzzle may be linux running Samba re-exporting the company server but layering a crypto-fs on top of it.

    Unfortunately, that would not be very granular but would at least narrow your risk from the whole company to just your own department.

  • You need to change some of your requirements (such as engineers taking files home) otherwise you're never going to be secure.

    You MUST have physical security. I can hack any machine I can get physical access to... If the data's encrypted, I just walk out with the whole disk and decrypt it at my leisure in my lab...

    Your IT people need to either get a clue or you need to get new IT people.

    Finally, hire a reputable security consultant and actually do what he tells you to.

    Otherwise, you're wasting your t

  • There's a few serious problems there, there are some that technology won't solve, and some that have the feeling of being. "We asked the engineers and these are the things they want". The bottom line is this: If they get what they desire, your network will 'never' be secure. Solutions, or criticism as follows: #1 > Get onboard with your IT department, if these people stay hostile to your intentions you'll be looking over your shoulder constantly. These folks probably have some, if not all of the skill
