Forgot your password?
typodupeerror
Cloud Security Data Storage Encryption Privacy The Military IT

Ask Slashdot: Secure DropBox Alternative For a Small Business? 274

Posted by timothy
from the unknown-lamer-favors-afs dept.
First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Secure DropBox Alternative For a Small Business?

Comments Filter:
  • by MerlynEmrys67 (583469) on Friday July 26, 2013 @06:58PM (#44395599)
    You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
    Gah - I can't believe this is even a question
    • by ravenswood1000 (543817) on Friday July 26, 2013 @06:59PM (#44395603)
      Try Owncloud or Ajaxplorer for your own cloud solution maybe.
      • by Trepidity (597) <delirium-slashdot@h a c k i sh.org> on Friday July 26, 2013 @07:11PM (#44395687)

        For something Dropbox-like in UI that you can point to your own servers, some options are:

        * Git-Annex Assistant [branchable.com]: Despite its name, git is sort of an implementation detail you can ignore. It doesn't actually revision-control all your files, so you don't get huge bloat with binary files that are edited. One nice thing it does is integrate syncing with offline storage, so you can e.g. set up a remote server to sync to live, *and* set up a USB-connected hard drive to sync to when it's attached. When the USB drive is offline git-annex will still remember what files were on it.

        * Sparkleshare [sparkleshare.org]: a front-end that does version-control all your files, which might be preferable if you are sharing small-ish files where you might want to recover a previous version (e.g., text documents). Less good than Git-Annex Assistant if you're sharing huge media files, possibly better if you aren't.

        See also this Slashdot discussion [slashdot.org] from two years ago.

        • by ColdWetDog (752185) on Friday July 26, 2013 @08:30PM (#44396201) Homepage

          I can just see this - a high level presentation to the C level executives:

          "Yes, we're planning on using Sparkleshare".

          "Sparklewhat?"

          "Sparkleshare, it's an open source product that ...."

          "Look, we're here to discuss corporate data strategy, not your daughter's favorite website".

          • by AK Marc (707885)
            I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.
            • by dj245 (732906) on Saturday July 27, 2013 @11:07AM (#44399485) Homepage

              I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.

              You need to control problem names from the get-go. Politicians do it all the time when they name bills (Safety Measures YYY for the Children, etc). Good businessmen never ask their boss to travel to Las Vegas, they go to Clark County, NV instead. It is your responsibility to handle this kind of thing.

        • by HJED (1304957)
          Aerofs [aerofs.com] might also be a good solution, it only stores data on your own servers by default (and has a headless linux client that could be installed on a VPS or similar for offsite backup). All data is transmitted encrypted P2P, but it does use NAT Proxies and authentication information provided by their servers.
    • by pixelpusher220 (529617) on Friday July 26, 2013 @07:11PM (#44395693)
      I believe there's a facility in Utah that specializes in cloud data storage...
    • by Sir_Sri (199544)

      I love my dogs very much, but The love for my son and his needs are much greater.

      Like a lot of regular services, there are usually defence contractors who offer similar services that meet whatever national government requirements are - for 10x the price naturally.

      I would think that microsoft or google (though more likely microsoft than google) offer something similar to their commercial offerings but certified for defence. If not them, then likely you're looking at either Lockheed Martin, HP, IBM and expecting to pay very large sums of money.

    • by sconeu (64226) on Friday July 26, 2013 @07:59PM (#44395993) Homepage Journal

      I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.

      I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.

      Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).

    • by icebike (68054) on Friday July 26, 2013 @10:14PM (#44396745)

      ITAR simply requires State-Side storage. It doesn't have to be secure from the NSA, in fact they would probably object if it was.

      There is SpiderOak, which is US based, but they don't have the ability to decrypt your data, all decryption is done at the client.

      • by tftp (111690)

        ITAR simply requires State-Side storage.

        IIRC, ITAR compliance would not be very compliant when foreign citizens - especially citizens of named prohibited nations - have access to your data, even if it occurs on US soil. That can easily happen because cloud companies are not restricted in who they hire; they aren't even required to monitor what their employees are doing with your data. If anything happens that you, the customer, don't like, their liability is limited to what you paid for the service in th

        • by icebike (68054)

          If you don't think encryption helps, you are doing it wrong.

          • by tftp (111690) on Saturday July 27, 2013 @12:33AM (#44397301) Homepage

            As many posters indicated in their comments, compliance is not even checked against your arbitrary list of technical measures. It is checked against an approved list of measures and actions that you are supposed to have and perform.

            Good encryption would be a solution. You could have a server in North Korea and safely store all the secrets of portable nukes there, as long as they are well encrypted.

            But the devil is in details. What does it mean "well encrypted?" What is even the criteria for "wellness" of your encryption? Would it be OK if I use ROT13? Ok, perhaps not. What if I use AES256? Now you are happy. Right? No, wrong - because I used a key that consists of all zeros. Or ones. Or something equally trivial.

            But let's imagine you have a secure key. You used /dev/random, and it is random enough. Is it secure now? No, it isn't. You now have a known plaintext attack. AES may prevent you from reversing the key, but it still a block cipher - and many technical documents have similarities that can be exploited. Unless salted, every block of same plaintext will produce the same ciphertext. This is already a leak of data. Is it important? Maybe not. But there was no such leak before, and now there is a foothold. Can you guarantee that it won't get worse? Your adversary has all the resources of the state (albeit a poor one) and they are not constrained as much as you are.

            This is why you never invent your own cryptosystem. NSA does that, and they approve and provide cryptosystems for various end users. If you can get NSA to approve a cryptosystem for your setup, you are golden. But chances of that are not very good. If you start building your own, nobody is even going to check what you did. If it is not approved, it's not good. DSS [wikipedia.org] workers are not cryptographers; even most of NSA personnel are not cryptographers (as we know now.) It takes an inordinate amount of effort to approve a cryptosystem for a particular use. One can have a good algorithm that is implemented with a small bug, and that bug turns it from unbreakable to reversable in milliseconds. Cryptographers know what to watch for, and even they make mistakes sometimes. Can you get away with a crypto library that you downloaded from Internet? I don't think so. It may be perfectly secure, but that's not what you will be evaluated against.

    • by Xyrus (755017)

      You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level. Gah - I can't believe this is even a question

      I agree. Putting information like this in the cloud? This guy either has no clue what he's doing or not all his dogs are barking.

    • by Maxwell (13985)

      I might get lynched by the Linux crowd, but Windows Server 2012 R2 has 'Work folders' which is basically private Dropbox you host yourself. Nothing leaves your servers/clients. You can even access the work folders via SMB (drive mapping) when in the office, and the remote function kicks in when out of network. seamless for the end users as well.

    • by Fjandr (66656)

      This was my thought. Why the fsck would a defense contractor be farming out data storage of ITAR data?

      Just buy as many 4u BackBlaze boxes as you need, then you only need to worry about data leaks on your own network. Which is highly secured, right?

  • I call bull (Score:5, Interesting)

    by santax (1541065) on Friday July 26, 2013 @06:59PM (#44395607)
    "I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...
    • Re:I call bull (Score:5, Insightful)

      by hawguy (1600213) on Friday July 26, 2013 @07:09PM (#44395681)

      "I manage the network for a defense contractor that needs a cloud-based storage service"

      No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

      That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox like service would provide enough fine grained ACL's and reliable and untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN accessed fileserver would be better with restrictions on the computer that prohibit saving to local storage. Once it's on a dropbox like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?

      • Re:I call bull (Score:5, Informative)

        by Wintermute__ (22920) on Friday July 26, 2013 @07:55PM (#44395971)

        Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.

        Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.

        • by pnutjam (523990)
          Yeah, let's contract it out. It's cheaper, who cares why it's cheaper. It's obviously the exact same product with a middle-man markup for cheaper... (I got a bridge for you to look at buying...)
      • by liquidsin (398151)

        my guess is it's a spook. with all the attention that leaks are getting right now, it seems totally plausible for some paid contractor to draw up some "classified documents" about snowden's child-trafficking ring or assange's cannibal cookbook, stick 'em on dropbox, and plant a horseshit story like this on a tech blog. then you just eat some popcorn and wait for the next security breach. you don't even have to get your hands dirty cracking into anything yourself.

    • by SimonInOz (579741)

      Maybe it's a nuclear weapons developer, they are pretty good at clouds.
      Too bloody good if you ask me. And where's my free electricity - "too cheap to meter" indeed.

  • AWS? (Score:5, Interesting)

    by Anonymous Coward on Friday July 26, 2013 @06:59PM (#44395609)
    I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.
    • AWS GovCloud (Score:5, Informative)

      by Anonymous Coward on Friday July 26, 2013 @07:29PM (#44395775)

      I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

      Look here -> https://aws.amazon.com/govcloud-us/

      • Yep. You remember the old saying that 'Nobody ever got fired for using IBM'? Well, that's the way it is nowadays with Amazon Web Services and either security or privacy. They have ITAR covered; they even can do HIPAA, and that's a freaking privacy nightmare to try to implement yourself.

        Yes, you can get it cheaper someplace else; you might get better service; or it might be easier to use (though it's gotten better over tiime). But nobody comes close to providing you as a sysadmin or developer with t

  • Cloud 0? (Score:5, Interesting)

    by craznar (710808) on Friday July 26, 2013 @07:00PM (#44395611) Homepage

    Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

    • by hawguy (1600213)

      Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

      To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

      If you want reliability, mirror it (or maybe RAID-5 or -6 if you want to tolerate one or 2 providers going down).

      If you want security, use encryption.

      If you don't trust your encryption, striping it across multiple providers doesn't enhance security by much since any provider could decrypt the pieces that he has (or someone could just intercept the intact datastream in transi

      • Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

        To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

        You've never heard of parity?

        • Re: (Score:3, Insightful)

          by FriedYuca (2831489)

          Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

          To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

          You've never heard of parity?

          Not in Raid 0, he hasn't.

          • My mistake. I glossed over that digit in reading.

            In my defense, suggesting parity would seem the more logical response than simply trashing the idea that seems more like a joke response anyway.

            • by hawguy (1600213)

              My mistake. I glossed over that digit in reading.

              In my defense, suggesting parity would seem the more logical response than simply trashing the idea that seems more like a joke response anyway.

              You mean like when I said "mirror it (or maybe RAID-5 or -6 if you want to tolerate one or 2 providers going down)"? Though I probably should have said RAID-4 since that would be easier to implement. Performance would be pretty abysmal, especially for less than full stripe writes, but maybe that doesn't matter for a background sync.

        • Thats an awful idea, do you realize how bad the latency would be? What happens when one service is consistently behind the other, do you just allow the data to constantly be in an inconsistent state between your "stripes"? What happens if one provider is down-- do you allow the volume to remain "on" during the outage, and if so, where are you going to store the parity information until it comes back up?

          And all of this for what benefit?

          Youre basically taking the issues that arise in a mixed-hardware RAID,

    • by Virtucon (127420)

      Like BoxCryptor or EncFS?

      https://www.boxcryptor.com/ [boxcryptor.com]

      http://en.wikipedia.org/wiki/EncFS [wikipedia.org]

    • by jamesh (87723)

      Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

      I assume you say raid0 so that even if someone got the encryption keys and also managed to hack one of the providers, they'd still only have access to 1/nth of the data. As others pointed out this breaks badly if even one provider goes down.

      Better would be a truecrypt style drive that did RAID6 across multiple accounts on multiple providers, which would give better reliability and still only reveal a fraction of the data (which is still encrypted) if someone hacked the provider

      But really, there is likely so

    • by DaHat (247651)

      Or just buy a storage appliance [storsimple.com] that has that kind of functionality built in and backups to the cloud in an encrypted way.

      To quote one of their bullet points:

      Military-grade Security
      All data stored in the cloud with StorSimple has military-grade encryption applied to it. The encryption key is never given to StorSimple or the cloud provider, ensuring complete data privacy to support compliance requirements as stringent as HIPAA.

    • by nurb432 (527695)

      Sort of like freenet is. Tho more reliable as its not a single point of failure.

  • Could you not add a layer of encryption to Dropbox, such as BoxCryptor (https://www.boxcryptor.com/)?
    • I just looked at it. I need an account with them to encrypt my files? And it seems that my files may even transfer to them before encryption and after decryption. or am I missing something? And the video even is narrated by someone with a foreign accent and shows the names of encrypted files change to something that looks like Chinese????? If I'm going to encrypt my files for security or safety or even privacy, I'm certainly going to do it on my own computers, not with something where I need an "account" wi
      • by tverbeek (457094)
        Being suspicious of a security system because their encryption model is unclear to you is reasonable.

        Being suspicious because their narrator has a "foreign accent" or you see "something that looks like Chinese"... is just plain stupid.

        Boxcryptor is based in Germany. If that's a deal-breaker, so be it, but you didn't learn that by hearing their narrator speaking with an English accent. Being based in Europe, it's perfectly natural that they'd hire someone from England (or fluent in British English) r
  • Ubuntu One (Score:4, Funny)

    by conner_bw (120497) on Friday July 26, 2013 @07:02PM (#44395623) Homepage Journal

    Ubuntu One has a similar service. Here's my referral url. [ubuntu.com]

    They have root [softpedia.com] so you know it's secure. You can trust them.

  • by Archfeld (6757) * <treboreel@live.com> on Friday July 26, 2013 @07:03PM (#44395635) Journal

    I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...

  • How about ssh? Http? (Score:3, Informative)

    by Okian Warrior (537106) on Friday July 26, 2013 @07:03PM (#44395641) Homepage Journal

    Store it on a server at your business that you control.

    Run open-source software which gives you DropBox functionality, such as BitTorrent Sync [wikipedia.org].

    The only way to be sure is to host it on a server you control, using software that can be inspected.

    • by Khopesh (112447)

      BitTorrent Sync is not open-source software, nor do they appear to have plans to make it that. Maybe in time we'll have a F/OSS client for the protocol (though I don't know if they've even opened the protocol yet, so that might be an extra hurdle).

      However, it may not be necessary; set up an SSH server (which gives you SFTP) for uploads, perhaps even use one of the myriads of HTTP file upload mechanisms and guard it with some simple SSL. It doesn't look like there are any problems uploading in such high

  • Sparkleshare (Score:2, Informative)

    by Anonymous Coward

    Sparkleshare is a git based program that you can configure and use entirely in-house. . I use it for hosting our IT documentation for a small city government.

  • Just use OwnCloud (Score:2, Informative)

    by Anonymous Coward

    You host it yourself, control the data/features. Supports LDAP authentication. Client software is pretty quick. There is commercial support if you need it. Gracefully recovers from network loss. Oh and it has the appropriate iOS and Android clients. I have been slowly rolling it out in production without any complaints so far. Hope that helps!

    - Too lazy to login

  • by Fencepost (107992) on Friday July 26, 2013 @07:16PM (#44395703) Journal
    I believe SpiderOak provides some encryption that you might think meets your needs, but I also agree with others that by the time you're asking this question something has already gone tragically wrong.

    Of course there's always the counter argument that your data has in fact already been hacked and pretending you can keep it secure is just self deception.
  • Calm down people... (Score:5, Informative)

    by krbvroc1 (725200) on Friday July 26, 2013 @07:17PM (#44395715)

    I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.

  • I'm very intrigued by the fact that you actually want to use an external cloud based storage solution. I would have thought that defense would have required not to use a third party for remote file storage. The best solution would be to "roll your own" and set up something in a private cloud hosted in a datacenter that meets your requirements. If you are a VMware shop, you should seriously take a look at Horizon Workspace as it provides a Dropbox like product that would be a great fit. If you want to run
  • needs a cloud-based storage service

    You want to put classified data on someone else's servers? You're putting a HUGE amount of trust in the laziest/least ethical/most incompetent sysadmin that company hires. Why in hell would you think you "need" cloud-based anything?

    -B

    • by Shados (741919)

      If your company is of significant size, you still put a huge amount of trust in SOMEONE SOMEWHERE that you shouldn't. If shit happens at a third party you can sue a large entity. If one of your own employees screw you over, you can only sue an individual that won't be able to cough up any kind of reasonable damage settlement.

      Thats why people outsource payroll, employee performance evaluations and all that other crap.

    • ITAR information is NOT classified information. ITAR is a lower-level categorization than classified. Not only does ITAR information need to remain inside the US, it also must not be accessible by foreign nationals who happen to be in the US.

      About 30 years ago my job encompassed ITAR information and classified information. We would never have thought about data storage anywhere outside the company, and likely not outside the building. Of course, not so much information back then was digital, and cloud so
  • by drolli (522659) on Friday July 26, 2013 @07:31PM (#44395791) Journal

    Pay somebody (contractor/consultant) who knoes what he does. Seriously, man. Ask for a 10 page concept with the tree best options fulfilling all your specific requirements (which you probably did not mention here), and offer him to implement it if you like one of these.

    My 2 cents on this: To me it is completely non-obvious how dropbox could have ended up in the stack of possible solutions - to little control, intransparent business model, other use case is the dominant one. I would start by looking at the obvious storage providers (amazon, telecoms, specialized local/regional/natinal storage providers), compare them by the options/price they offer, look separately at software fulfilling my local needs and being capable of talking to the storage providers. Then i would create local scenarios about additional dedicated hw needed and after that i would make my choice/give the best options to my manager to select, based on business criteria.

  • by GumphMaster (772693) on Friday July 26, 2013 @07:38PM (#44395837)

    Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.

    It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?

    • BTW: IANAL but I am a "foreign national" that has been at the receiving end of ITAR fun and games.

  • by HJED (1304957)
    I would suggest AeroFS [aerofs.com] it's P2P sync, they support multiple users and let you use your own Amazon EC3 instances if you want. It is fully encrypted.
  • by gagol (583737)
    SFTP, the cloud can go **** itself.
  • You're delusional. (Score:5, Insightful)

    by Shavano (2541114) on Friday July 26, 2013 @07:57PM (#44395981)
    There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.
    • Dude, it's a defense contractors.

      OP: tell your boss I'll do it for $4.5M/yr.

    • Also mention the fines run into the $millions per instance and that willfully knowingly putting violating ITAR regulations can result in jail time for the responsible persons (read as the managers).
  • "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.

    If you want Dropbox's functionality; I sugg

  • by khb (266593) on Friday July 26, 2013 @08:13PM (#44396093)

    To get a ruling on whether you may do what you want. Otherwise, as others have noted, you may be very deep waters (not only will you be in violation, but anyone in the organization using the service will be, and you will have induced them to do it. Think serious civil as well as criminal consequences).

    From a technology angle, it may be "possible" if the folks in charge sign off.

    "All" you need to do is encrypt the data before it goes offsite, encrypt it well enough that the data is protected commensurate with its value, etc.

    For commercial users, https://jungledisk.com/ [jungledisk.com] provides a very usable interface and GUI. Of course, if the client isn't trustworthy (and you have to take their word for it ;>) that goes out the window even if the algorithms are secure themselves ;>

    I use it for some SOHO confidential data; it wouldn't be the end of the world if the data were disclosed, but we have committed to make good faith effort(s) to keep it secure, so we do (rather than moving files to subs via email, etc.). Not all subcontractors could handle sftp and friends.

  • by cdl (902729) on Friday July 26, 2013 @08:43PM (#44396287)
    So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. It will probably be fairly brutish and short. If, however, you are dealing with ITAR regulated information, then you have a different set of issues. You may not export the data without a permit, but you don't need to control it specifically within the US. Also, the regulations around foreign persons (or those of dual nationalities) relate to export activities. So, you can't transfer to a foreign person if you know (or suspect) that they are going to export the data. However, foreign persons in the US that aren't an export channel are not an issue (else a whole lot of commerce in the US would halt since I have no idea if another company has any foreign nationals employed, and I don't have to get an ITAR export license to ship something to another domestic company). In the later case (where we are talking regulation, not classification), you don't have an issue if you don't export the data (don't pick a company with foreign presence for cloud storage). Actually, one could probably be ok if they encrypted it (strongly) and then stored (but you may (or may not) want to talk to your DDTC rep about that. You should have no problems finding an offsite storage company to provide the service, and/or use someone who allows you to restrict the S3 zones (if AWS is the backend store) to us-* regions. Similar for rackfiles, dream objects, etc. Another comment here is worth highlighting, however - use consumer services, get consumer service. Go upmarket a bit if you are actually looking for something that your company's bottom line is hung on.
  • Is there a way you could encrypt the files or folders that are shared via dropbox, so that only people you have authorized (via a key) could decrypt them?

  • by GovCheese (1062648) on Friday July 26, 2013 @09:00PM (#44396385)
    You might start with looking at FEDRAMP complaint providers found here: http://www.gsa.gov/portal/content/131931 [gsa.gov] I would imagine that those listed providers also have FISMA certification so you'll be able to determine if the categorization of the data you are trying to protect is met by the provider. ITAR categorized data must be stored in CONUS and I believe AWS Government Community Cloud and the USDA National Information Technology Center offered by United States Department of Agriculture supports CONUS only storage. I believe Google Apps for Government does as well. But the key thing is to ensure the FiSMA cert matches the categorization of your data.

  • Dropbox + security? Sorry, they don't go together.
    Don't people remember the day when everyone could get into anybody else's dropbox account without a password? The dedupe hack where people were getting instant access to other people's files on dropbox with the file hash - a quick way to download movies but has more sinister applications. How about the problem where you get the illusion of locking people you've shared stuff with before out by changing the password, but it doesn't actually lock them out?
    It
  • I don't know much about it, but my employer, probably a larger company than yours, specifies that we should use EMC's Syncplicity Enterprise (http://www.syncplicity.com/products/enterprise-edition) for secure cloud storage. It offers the option of keeping the storage in-house. Worth a look.

  • Owncloud looks quite good at the moment and is very simple to set up and run. You host the data yourself and it is shared via a sync client, a web front end or links sent by email, which can have expiry times set. The email thing can be turned off if you are quite correctly worried that there are far too many people capable of reading your email.
    There is commercial support and some commercial extras but you can use the open version to try it out first (or indefinitely if that's all you need).
  • We use SparkleShare because we have our own git server anyway. Not sure how robust the security is compared to something specifically built for security (EG it's not like it has multi factor authentication).

    Still as others have pointed out what the fuck are you doing with a cloud based service as a defense contractor. We do open source software and the only stuff we're storing in sparkleshare is scratch work, images, document templates and random crap that anyone could steal and we wouldn't care anyway.

  • I managed accellion for web based and sftp file transfers, it's pretty mature, not too expensive. Check
    www.accellion.com

    The setup I used was a virtual server on vmware with an encrypted file system from a file server on our SAN.

    The link for government services is at:
    http://www.accellion.com/why-accellion/for-government [accellion.com]

  • You can limit it to VPN and sync folders peer-to-peer. It monitors and syncs changes for you, and is great for making a redundant backup/dropbox-type distribution system.

  • This is exactly what the system is designed for: https://aws.amazon.com/govcloud-us/ [amazon.com]

  • Whatever you chose should really be run over a VPN for external usage. Period.

    I'd look at using ownCloud - and you can get commercial support if it is required. I used to work for a company which used Novell iFolder and that was pretty good - but looking into that a little more it seems like Novell has a new thing called Filr which seems to tick the boxes (especially from a Manager perspective).

  • Literally email dropbox and tell them you need to purchase some of their servers.

    If you're seriously using this feature and price isn't a big deal, they'll sell the literal servers which can be insulated within your own network with slightly different settings so it isn't immediately obvious to probes what sort of software you're using.

    The first rule of computer security is physical security.

    This is very very key. If you really want your data to be secure. You have to have physical possession of it. It cann

  • Synology have been moving from the personal to the enterprise space as of late with their "DiskStation" NAS line of products. Some of their high end "NAS" boxes can get pretty powerful. There is a function of the DiskStation is called "Cloud Station", essentially a Dropbox clone.

    Basically what you would be doing is having your own on-premises 'Dropbox appliance'. It is very easy to setup/integrate with it's user-friendly interface for the admin, and then all you really need to do then is forward the ports

  • by flyingfsck (986395) on Saturday July 27, 2013 @01:26AM (#44397439)
    You do government work and you are this clueless? No wonder the USA is in the state it is in. You should start by reading the ITSG.
  • by Hognoxious (631665) on Saturday July 27, 2013 @04:10AM (#44397765) Homepage Journal

    I manage the network for a defense contractor that needs a cloud-based storage service

    Stop right there, I think I've spotted the problem.

  • Nobody else but you will be blameable in case of a leak. And you can tailor the solution to your needs, to your specifications and to your use cases, both technical and functional. Oh, and here is a well-meant piece of advice: stop thinking of "the cloud". Don't. Just don't. If your data is so important, then host some hardware in a fire-proof, earthquake-proof place, run your self-built solution on that hardware in that facility, and off you go.
  • it's not open-source, if you care about that, and it's still in beta (what isn't these days?), but it's free, secure and it works well.

  • Office 365 isn’t cheap but it has SkyDrive Pro included, which is protected by multiple U.S. data centers, and is only in the U.S.

  • by nurb432 (527695) on Saturday July 27, 2013 @10:03AM (#44399059) Homepage Journal

    Setup your own storage at your office. Don't trust public companies for your data.

    If you dont/cant do it yourself, hire someone to come in and doit. And audit the hell out of what they do.

  • by flacco (324089) on Saturday July 27, 2013 @10:08AM (#44399091)

    I completely do not understand anyone storing even remotely confidential data, much less security-related data, on servers hosted by another organization.

  • Email the data to your gmail account. That's what I do.

Take an astronaut to launch.

Working...