Forgot your password?
typodupeerror
Cloud Security Data Storage Encryption Privacy The Military IT

Ask Slashdot: Secure DropBox Alternative For a Small Business? 274

Posted by timothy
from the unknown-lamer-favors-afs dept.
First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Secure DropBox Alternative For a Small Business?

Comments Filter:
  • by MerlynEmrys67 (583469) on Friday July 26, 2013 @06:58PM (#44395599)
    You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
    Gah - I can't believe this is even a question
    • by ravenswood1000 (543817) on Friday July 26, 2013 @06:59PM (#44395603)
      Try Owncloud or Ajaxplorer for your own cloud solution maybe.
      • by Trepidity (597) <delirium-slashdot AT hackish DOT org> on Friday July 26, 2013 @07:11PM (#44395687)

        For something Dropbox-like in UI that you can point to your own servers, some options are:

        * Git-Annex Assistant [branchable.com]: Despite its name, git is sort of an implementation detail you can ignore. It doesn't actually revision-control all your files, so you don't get huge bloat with binary files that are edited. One nice thing it does is integrate syncing with offline storage, so you can e.g. set up a remote server to sync to live, *and* set up a USB-connected hard drive to sync to when it's attached. When the USB drive is offline git-annex will still remember what files were on it.

        * Sparkleshare [sparkleshare.org]: a front-end that does version-control all your files, which might be preferable if you are sharing small-ish files where you might want to recover a previous version (e.g., text documents). Less good than Git-Annex Assistant if you're sharing huge media files, possibly better if you aren't.

        See also this Slashdot discussion [slashdot.org] from two years ago.

        • by ColdWetDog (752185) on Friday July 26, 2013 @08:30PM (#44396201) Homepage

          I can just see this - a high level presentation to the C level executives:

          "Yes, we're planning on using Sparkleshare".

          "Sparklewhat?"

          "Sparkleshare, it's an open source product that ...."

          "Look, we're here to discuss corporate data strategy, not your daughter's favorite website".

          • by AK Marc (707885) on Friday July 26, 2013 @11:35PM (#44397079)
            I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.
            • by dj245 (732906) on Saturday July 27, 2013 @11:07AM (#44399485) Homepage

              I've had a project canceled because they found out we were using best-of-breed RADIUS. Funk Software's Steel-Belted-RADIUS. We weren't allowed to have any funky servers. Used Windows free RADIUS instead. Lots of headaches.

              You need to control problem names from the get-go. Politicians do it all the time when they name bills (Safety Measures YYY for the Children, etc). Good businessmen never ask their boss to travel to Las Vegas, they go to Clark County, NV instead. It is your responsibility to handle this kind of thing.

        • by HJED (1304957) on Friday July 26, 2013 @09:02PM (#44396403)
          Aerofs [aerofs.com] might also be a good solution, it only stores data on your own servers by default (and has a headless linux client that could be installed on a VPS or similar for offsite backup). All data is transmitted encrypted P2P, but it does use NAT Proxies and authentication information provided by their servers.
    • by pixelpusher220 (529617) on Friday July 26, 2013 @07:11PM (#44395693)
      I believe there's a facility in Utah that specializes in cloud data storage...
    • by Sir_Sri (199544) on Friday July 26, 2013 @07:37PM (#44395833)

      I love my dogs very much, but The love for my son and his needs are much greater.

      Like a lot of regular services, there are usually defence contractors who offer similar services that meet whatever national government requirements are - for 10x the price naturally.

      I would think that microsoft or google (though more likely microsoft than google) offer something similar to their commercial offerings but certified for defence. If not them, then likely you're looking at either Lockheed Martin, HP, IBM and expecting to pay very large sums of money.

    • by sconeu (64226) on Friday July 26, 2013 @07:59PM (#44395993) Homepage Journal

      I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.

      I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.

      Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).

      • by RevDisk (740008) on Monday July 29, 2013 @10:39AM (#44412179) Journal
        ITAR is a not a security clearance classification. It's an export control classification.

        This is more than a little important because it means no "foreign persons" can access the data. Inside or outside the US. You can let a US person in France see the data, for example. Foreign persons is defined in 120.16 of ITAR. Check http://pmddtc.state.gov/regulations_laws/documents/official_itar/2012/ITAR_Part_120.pdf [state.gov] (listed as Page 467)

        Basically, you can't give any ITAR data to any foreign person. If the foreign person could access the data, even if they do not, you're still breaking the law. There's a presumption of guilt if you say, leave ITAR data on a public share in your company, where foreign nationals could have accessed it. Do not put ITAR data on any disk you don't control unless it's reasonable that the provider cannot access it (ie encrypted).

        If DropBox has or had one foreign national that could access your account (which is likely) and the files were unencrypted, you already committed a federal crime and should give a voluntary disclosure to DDTC They'll likely give you a slap on the wrist or more likely do nothing, especially if voluntarily disclose and implement a solution to fix the problem. You personally will not get hit with anything. Try to cover it up, and you may personally be held responsible for a) knowingly breaking the law and b) knowingly trying to cover it up. You as an individual, in addition to your company.

        Back on the original topic, use a VPN (preferred) or self-host an app on a web server you control. I'd just use VPN and rsync. As a best practice, if a user is going overseas, send them with a clean laptop and tell them not to locally save any files.

        Disclaimer: I worked for Export Control at a Very Large Defense Contractor (they needed a geek, I got the short straw). I am however not YOUR export control representative. While the above is correct, it is only for reference and should not be taken as legal or binding advice. Seriously, order everything you can from Society for International Affairs and attend some conferences, or your business will be shut down by DDTC for ITAR violations. You can email me using my nick at my nick dot org if you have any other ITAR questions. I used to laugh when Department of State folks said "Please don't frame the question in terms of any felonies", now I just repeat it.
    • by icebike (68054) on Friday July 26, 2013 @10:14PM (#44396745)

      ITAR simply requires State-Side storage. It doesn't have to be secure from the NSA, in fact they would probably object if it was.

      There is SpiderOak, which is US based, but they don't have the ability to decrypt your data, all decryption is done at the client.

      • by tftp (111690) on Friday July 26, 2013 @11:32PM (#44397063) Homepage

        ITAR simply requires State-Side storage.

        IIRC, ITAR compliance would not be very compliant when foreign citizens - especially citizens of named prohibited nations - have access to your data, even if it occurs on US soil. That can easily happen because cloud companies are not restricted in who they hire; they aren't even required to monitor what their employees are doing with your data. If anything happens that you, the customer, don't like, their liability is limited to what you paid for the service in the last billing cycle.

        You may encrypt your data, but I don't think this helps. Having data is a separate problem from having the key. These problems can be solved by independent methods.

        • by icebike (68054) on Saturday July 27, 2013 @12:07AM (#44397205)

          If you don't think encryption helps, you are doing it wrong.

          • by tftp (111690) on Saturday July 27, 2013 @12:33AM (#44397301) Homepage

            As many posters indicated in their comments, compliance is not even checked against your arbitrary list of technical measures. It is checked against an approved list of measures and actions that you are supposed to have and perform.

            Good encryption would be a solution. You could have a server in North Korea and safely store all the secrets of portable nukes there, as long as they are well encrypted.

            But the devil is in details. What does it mean "well encrypted?" What is even the criteria for "wellness" of your encryption? Would it be OK if I use ROT13? Ok, perhaps not. What if I use AES256? Now you are happy. Right? No, wrong - because I used a key that consists of all zeros. Or ones. Or something equally trivial.

            But let's imagine you have a secure key. You used /dev/random, and it is random enough. Is it secure now? No, it isn't. You now have a known plaintext attack. AES may prevent you from reversing the key, but it still a block cipher - and many technical documents have similarities that can be exploited. Unless salted, every block of same plaintext will produce the same ciphertext. This is already a leak of data. Is it important? Maybe not. But there was no such leak before, and now there is a foothold. Can you guarantee that it won't get worse? Your adversary has all the resources of the state (albeit a poor one) and they are not constrained as much as you are.

            This is why you never invent your own cryptosystem. NSA does that, and they approve and provide cryptosystems for various end users. If you can get NSA to approve a cryptosystem for your setup, you are golden. But chances of that are not very good. If you start building your own, nobody is even going to check what you did. If it is not approved, it's not good. DSS [wikipedia.org] workers are not cryptographers; even most of NSA personnel are not cryptographers (as we know now.) It takes an inordinate amount of effort to approve a cryptosystem for a particular use. One can have a good algorithm that is implemented with a small bug, and that bug turns it from unbreakable to reversable in milliseconds. Cryptographers know what to watch for, and even they make mistakes sometimes. Can you get away with a crypto library that you downloaded from Internet? I don't think so. It may be perfectly secure, but that's not what you will be evaluated against.

    • by Xyrus (755017) on Friday July 26, 2013 @10:24PM (#44396791) Journal

      You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level. Gah - I can't believe this is even a question

      I agree. Putting information like this in the cloud? This guy either has no clue what he's doing or not all his dogs are barking.

    • by Maxwell (13985) on Friday July 26, 2013 @10:47PM (#44396871) Homepage

      I might get lynched by the Linux crowd, but Windows Server 2012 R2 has 'Work folders' which is basically private Dropbox you host yourself. Nothing leaves your servers/clients. You can even access the work folders via SMB (drive mapping) when in the office, and the remote function kicks in when out of network. seamless for the end users as well.

    • by Fjandr (66656) on Saturday July 27, 2013 @02:07AM (#44397485) Homepage Journal

      This was my thought. Why the fsck would a defense contractor be farming out data storage of ITAR data?

      Just buy as many 4u BackBlaze boxes as you need, then you only need to worry about data leaks on your own network. Which is highly secured, right?

  • I call bull (Score:5, Interesting)

    by santax (1541065) on Friday July 26, 2013 @06:59PM (#44395607)
    "I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...
    • Re:I call bull (Score:5, Insightful)

      by hawguy (1600213) on Friday July 26, 2013 @07:09PM (#44395681)

      "I manage the network for a defense contractor that needs a cloud-based storage service"

      No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

      That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox like service would provide enough fine grained ACL's and reliable and untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN accessed fileserver would be better with restrictions on the computer that prohibit saving to local storage. Once it's on a dropbox like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?

      • Re:I call bull (Score:5, Informative)

        by Wintermute__ (22920) on Friday July 26, 2013 @07:55PM (#44395971)

        Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.

        Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.

      • by liquidsin (398151) on Friday July 26, 2013 @10:38PM (#44396837) Homepage

        my guess is it's a spook. with all the attention that leaks are getting right now, it seems totally plausible for some paid contractor to draw up some "classified documents" about snowden's child-trafficking ring or assange's cannibal cookbook, stick 'em on dropbox, and plant a horseshit story like this on a tech blog. then you just eat some popcorn and wait for the next security breach. you don't even have to get your hands dirty cracking into anything yourself.

    • by SimonInOz (579741) on Saturday July 27, 2013 @02:41AM (#44397579)

      Maybe it's a nuclear weapons developer, they are pretty good at clouds.
      Too bloody good if you ask me. And where's my free electricity - "too cheap to meter" indeed.

  • AWS? (Score:5, Interesting)

    by Anonymous Coward on Friday July 26, 2013 @06:59PM (#44395609)
    I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.
    • AWS GovCloud (Score:5, Informative)

      by Anonymous Coward on Friday July 26, 2013 @07:29PM (#44395775)

      I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

      Look here -> https://aws.amazon.com/govcloud-us/

      • by Beezlebub33 (1220368) on Saturday July 27, 2013 @12:13PM (#44400021)
        Yep. You remember the old saying that 'Nobody ever got fired for using IBM'? Well, that's the way it is nowadays with Amazon Web Services and either security or privacy. They have ITAR covered; they even can do HIPAA, and that's a freaking privacy nightmare to try to implement yourself.

        Yes, you can get it cheaper someplace else; you might get better service; or it might be easier to use (though it's gotten better over tiime). But nobody comes close to providing you as a sysadmin or developer with the cover that you need at a good price.

  • Cloud 0? (Score:5, Interesting)

    by craznar (710808) on Friday July 26, 2013 @07:00PM (#44395611) Homepage

    Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

    • by hawguy (1600213) on Friday July 26, 2013 @07:16PM (#44395707)

      Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

      To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

      If you want reliability, mirror it (or maybe RAID-5 or -6 if you want to tolerate one or 2 providers going down).

      If you want security, use encryption.

      If you don't trust your encryption, striping it across multiple providers doesn't enhance security by much since any provider could decrypt the pieces that he has (or someone could just intercept the intact datastream in transit to the providers)

      • by I'm New Around Here (1154723) on Friday July 26, 2013 @07:46PM (#44395903)

        Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

        To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

        You've never heard of parity?

        • Re:Cloud 0? (Score:3, Insightful)

          by FriedYuca (2831489) on Friday July 26, 2013 @07:51PM (#44395945)

          Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

          To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

          You've never heard of parity?

          Not in Raid 0, he hasn't.

          • by I'm New Around Here (1154723) on Friday July 26, 2013 @09:00PM (#44396383)

            My mistake. I glossed over that digit in reading.

            In my defense, suggesting parity would seem the more logical response than simply trashing the idea that seems more like a joke response anyway.

            • by hawguy (1600213) on Friday July 26, 2013 @11:47PM (#44397121)

              My mistake. I glossed over that digit in reading.

              In my defense, suggesting parity would seem the more logical response than simply trashing the idea that seems more like a joke response anyway.

              You mean like when I said "mirror it (or maybe RAID-5 or -6 if you want to tolerate one or 2 providers going down)"? Though I probably should have said RAID-4 since that would be easier to implement. Performance would be pretty abysmal, especially for less than full stripe writes, but maybe that doesn't matter for a background sync.

        • by LordLimecat (1103839) on Friday July 26, 2013 @08:00PM (#44395999)

          Thats an awful idea, do you realize how bad the latency would be? What happens when one service is consistently behind the other, do you just allow the data to constantly be in an inconsistent state between your "stripes"? What happens if one provider is down-- do you allow the volume to remain "on" during the outage, and if so, where are you going to store the parity information until it comes back up?

          And all of this for what benefit?

          Youre basically taking the issues that arise in a mixed-hardware RAID, and amplifying them about a hundred times, and then throwing in TCP just to make things really exciting. You would end up with all of the bad parts of RAID 0, and none of the good ones (since one stripe is no good to you unless the other arrives immedately after, which can hardly be guaranteed over TCP).

    • by Virtucon (127420) on Friday July 26, 2013 @07:27PM (#44395765)

      Like BoxCryptor or EncFS?

      https://www.boxcryptor.com/ [boxcryptor.com]

      http://en.wikipedia.org/wiki/EncFS [wikipedia.org]

    • by jamesh (87723) on Friday July 26, 2013 @07:51PM (#44395939)

      Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

      I assume you say raid0 so that even if someone got the encryption keys and also managed to hack one of the providers, they'd still only have access to 1/nth of the data. As others pointed out this breaks badly if even one provider goes down.

      Better would be a truecrypt style drive that did RAID6 across multiple accounts on multiple providers, which would give better reliability and still only reveal a fraction of the data (which is still encrypted) if someone hacked the provider

      But really, there is likely someone on your staff who is going to have the keys to the data, and have a family, and unless your data still seems important when someone has a gun to the head of someone you love, extreme levels of encryption and protection are a waste of time. Put an encrypted backup of your data in the cloud and be done with it. If you really need a live copy of your data in the cloud then encrypt that all the way back to the endpoint so even if the provider gets hacked they still need your keys.

    • by DaHat (247651) on Friday July 26, 2013 @08:08PM (#44396053) Homepage

      Or just buy a storage appliance [storsimple.com] that has that kind of functionality built in and backups to the cloud in an encrypted way.

      To quote one of their bullet points:

      Military-grade Security
      All data stored in the cloud with StorSimple has military-grade encryption applied to it. The encryption key is never given to StorSimple or the cloud provider, ensuring complete data privacy to support compliance requirements as stringent as HIPAA.

    • by nurb432 (527695) on Saturday July 27, 2013 @10:18AM (#44399151) Homepage Journal

      Sort of like freenet is. Tho more reliable as its not a single point of failure.

  • by Dominic Pettifer (2998301) on Friday July 26, 2013 @07:00PM (#44395613)
    Could you not add a layer of encryption to Dropbox, such as BoxCryptor (https://www.boxcryptor.com/)?
    • by frovingslosh (582462) on Friday July 26, 2013 @07:34PM (#44395807)
      I just looked at it. I need an account with them to encrypt my files? And it seems that my files may even transfer to them before encryption and after decryption. or am I missing something? And the video even is narrated by someone with a foreign accent and shows the names of encrypted files change to something that looks like Chinese????? If I'm going to encrypt my files for security or safety or even privacy, I'm certainly going to do it on my own computers, not with something where I need an "account" with someone else to have them encrypted. Adding a layer of encryption would be nice (although likely not good enough to protect ITAR data properly), but doing it after the data leaves the computer is just crazy talk.
      • by tverbeek (457094) on Saturday July 27, 2013 @10:23AM (#44399179) Homepage
        Being suspicious of a security system because their encryption model is unclear to you is reasonable.

        Being suspicious because their narrator has a "foreign accent" or you see "something that looks like Chinese"... is just plain stupid.

        Boxcryptor is based in Germany. If that's a deal-breaker, so be it, but you didn't learn that by hearing their narrator speaking with an English accent. Being based in Europe, it's perfectly natural that they'd hire someone from England (or fluent in British English) rather than an American to record their English-language promo. Or maybe someone in the company is a British ex-pat. Or the marketing guy just loves English accents. It means nothing.

        As for the "Chinese", it appears that part of their encryption method involves using an alternate character set for the generated names of encrypted files, probably as a clever way of ensuring that there are no filename collisions. They could have used Hebrew, or Cyrillic, or whatever; they chose one of the Chinese character sets, probably because it's huge. It also means nothing... except that there are other forms of writing in the world, and their character sets are supported on modern computers.

        The fact that you're alarmed by the existence of "foreign" things makes you xenophobic, and the fact that you apparently would be less suspicious if they presented an America-only image makes you an idiot.
  • Ubuntu One (Score:4, Funny)

    by conner_bw (120497) on Friday July 26, 2013 @07:02PM (#44395623) Homepage Journal

    Ubuntu One has a similar service. Here's my referral url. [ubuntu.com]

    They have root [softpedia.com] so you know it's secure. You can trust them.

  • by Archfeld (6757) * <treboreel@live.com> on Friday July 26, 2013 @07:03PM (#44395635) Journal

    I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...

  • How about ssh? Http? (Score:3, Informative)

    by Okian Warrior (537106) on Friday July 26, 2013 @07:03PM (#44395641) Homepage Journal

    Store it on a server at your business that you control.

    Run open-source software which gives you DropBox functionality, such as BitTorrent Sync [wikipedia.org].

    The only way to be sure is to host it on a server you control, using software that can be inspected.

    • by Khopesh (112447) on Friday July 26, 2013 @09:18PM (#44396497) Homepage Journal

      BitTorrent Sync is not open-source software, nor do they appear to have plans to make it that. Maybe in time we'll have a F/OSS client for the protocol (though I don't know if they've even opened the protocol yet, so that might be an extra hurdle).

      However, it may not be necessary; set up an SSH server (which gives you SFTP) for uploads, perhaps even use one of the myriads of HTTP file upload mechanisms and guard it with some simple SSL. It doesn't look like there are any problems uploading in such high volume, just downloading.

      Now connect the SFTP/HTTPS drop area to a script that runs a bittorrent tracker, which then wraps it up, rolls out the torrent (with password protection, which is built into bittorrent; think about all of those member-only bittorrent sites out there), and hosts it. The server participates in bittorrent as the initial host but the seeders should catch up and distribute the load quite well.

  • Sparkleshare (Score:2, Informative)

    by Anonymous Coward on Friday July 26, 2013 @07:04PM (#44395647)

    Sparkleshare is a git based program that you can configure and use entirely in-house. . I use it for hosting our IT documentation for a small city government.

  • Just use OwnCloud (Score:2, Informative)

    by Anonymous Coward on Friday July 26, 2013 @07:10PM (#44395685)

    You host it yourself, control the data/features. Supports LDAP authentication. Client software is pretty quick. There is commercial support if you need it. Gracefully recovers from network loss. Oh and it has the appropriate iOS and Android clients. I have been slowly rolling it out in production without any complaints so far. Hope that helps!

    - Too lazy to login

  • by Fencepost (107992) on Friday July 26, 2013 @07:16PM (#44395703) Journal
    I believe SpiderOak provides some encryption that you might think meets your needs, but I also agree with others that by the time you're asking this question something has already gone tragically wrong.

    Of course there's always the counter argument that your data has in fact already been hacked and pretending you can keep it secure is just self deception.
  • Calm down people... (Score:5, Informative)

    by krbvroc1 (725200) on Friday July 26, 2013 @07:17PM (#44395715)

    I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.

  • by insp (854306) on Friday July 26, 2013 @07:20PM (#44395727)
    I'm very intrigued by the fact that you actually want to use an external cloud based storage solution. I would have thought that defense would have required not to use a third party for remote file storage. The best solution would be to "roll your own" and set up something in a private cloud hosted in a datacenter that meets your requirements. If you are a VMware shop, you should seriously take a look at Horizon Workspace as it provides a Dropbox like product that would be a great fit. If you want to run this on a budget, check out OwnCloud. I use that myself to keep home/work documents in sync between machines and always wanted the equivalent of Dropbox but syncing onto my own servers.
  • by Wee (17189) on Friday July 26, 2013 @07:28PM (#44395773)

    needs a cloud-based storage service

    You want to put classified data on someone else's servers? You're putting a HUGE amount of trust in the laziest/least ethical/most incompetent sysadmin that company hires. Why in hell would you think you "need" cloud-based anything?

    -B

    • by Shados (741919) on Friday July 26, 2013 @07:45PM (#44395893)

      If your company is of significant size, you still put a huge amount of trust in SOMEONE SOMEWHERE that you shouldn't. If shit happens at a third party you can sue a large entity. If one of your own employees screw you over, you can only sue an individual that won't be able to cough up any kind of reasonable damage settlement.

      Thats why people outsource payroll, employee performance evaluations and all that other crap.

    • by geezer nerd (1041858) on Friday July 26, 2013 @09:55PM (#44396681)
      ITAR information is NOT classified information. ITAR is a lower-level categorization than classified. Not only does ITAR information need to remain inside the US, it also must not be accessible by foreign nationals who happen to be in the US.

      About 30 years ago my job encompassed ITAR information and classified information. We would never have thought about data storage anywhere outside the company, and likely not outside the building. Of course, not so much information back then was digital, and cloud solutions were nonexistent.

      The OP surprised me, indeed.
  • by drolli (522659) on Friday July 26, 2013 @07:31PM (#44395791) Journal

    Pay somebody (contractor/consultant) who knoes what he does. Seriously, man. Ask for a 10 page concept with the tree best options fulfilling all your specific requirements (which you probably did not mention here), and offer him to implement it if you like one of these.

    My 2 cents on this: To me it is completely non-obvious how dropbox could have ended up in the stack of possible solutions - to little control, intransparent business model, other use case is the dominant one. I would start by looking at the obvious storage providers (amazon, telecoms, specialized local/regional/natinal storage providers), compare them by the options/price they offer, look separately at software fulfilling my local needs and being capable of talking to the storage providers. Then i would create local scenarios about additional dedicated hw needed and after that i would make my choice/give the best options to my manager to select, based on business criteria.

  • by GumphMaster (772693) on Friday July 26, 2013 @07:38PM (#44395837)

    Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.

    It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?

  • by HJED (1304957) on Friday July 26, 2013 @07:39PM (#44395849)
    I would suggest AeroFS [aerofs.com] it's P2P sync, they support multiple users and let you use your own Amazon EC3 instances if you want. It is fully encrypted.
  • by gagol (583737) on Friday July 26, 2013 @07:45PM (#44395883)
    SFTP, the cloud can go **** itself.
  • You're delusional. (Score:5, Insightful)

    by Shavano (2541114) on Friday July 26, 2013 @07:57PM (#44395981)
    There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.
  • by mysidia (191772) on Friday July 26, 2013 @08:01PM (#44396013)

    "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.

    If you want Dropbox's functionality; I suggest you use Dropbox.

    However: DO NOT ALLOW ANY CONTENT REGULATED UNDER ITAR into a cloud service

    Second: DO NOT ALLOW ANY CLASSIFIED MATERIALS into a cloud service

    One possibility would be to implement Active Directory Rights Management Service (RMS) inside your organization. And set a policy that All sensitive documents must be composed using Microsoft Office, AND Users must encrypt all sensitive documents before saving them

    If your clients are running recent versions of Windows; there are some interesting things you can do to make sure that files get saved get encrypted. You can also use various third party scanning and Data Leak Prevention software products to help you with making sure RMS rights templates get applied to existing documents' that got stored on enterprise users' workstations

    If the file is RMS protected; in theory, Dropbox doesn't matter as much, because if someone accidentally places a file there; the file was encrypted, anyhow --- it can't be decrypted, unless your RMS server says it's OKAY and issues out a license to open the document (which contains the necessary crypto keys).

    You just need to be very firm about your security labelling and encryption policies for sensitive documents.

  • by khb (266593) on Friday July 26, 2013 @08:13PM (#44396093)

    To get a ruling on whether you may do what you want. Otherwise, as others have noted, you may be very deep waters (not only will you be in violation, but anyone in the organization using the service will be, and you will have induced them to do it. Think serious civil as well as criminal consequences).

    From a technology angle, it may be "possible" if the folks in charge sign off.

    "All" you need to do is encrypt the data before it goes offsite, encrypt it well enough that the data is protected commensurate with its value, etc.

    For commercial users, https://jungledisk.com/ [jungledisk.com] provides a very usable interface and GUI. Of course, if the client isn't trustworthy (and you have to take their word for it ;>) that goes out the window even if the algorithms are secure themselves ;>

    I use it for some SOHO confidential data; it wouldn't be the end of the world if the data were disclosed, but we have committed to make good faith effort(s) to keep it secure, so we do (rather than moving files to subs via email, etc.). Not all subcontractors could handle sftp and friends.

  • by cdl (902729) on Friday July 26, 2013 @08:43PM (#44396287)
    So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. It will probably be fairly brutish and short. If, however, you are dealing with ITAR regulated information, then you have a different set of issues. You may not export the data without a permit, but you don't need to control it specifically within the US. Also, the regulations around foreign persons (or those of dual nationalities) relate to export activities. So, you can't transfer to a foreign person if you know (or suspect) that they are going to export the data. However, foreign persons in the US that aren't an export channel are not an issue (else a whole lot of commerce in the US would halt since I have no idea if another company has any foreign nationals employed, and I don't have to get an ITAR export license to ship something to another domestic company). In the later case (where we are talking regulation, not classification), you don't have an issue if you don't export the data (don't pick a company with foreign presence for cloud storage). Actually, one could probably be ok if they encrypted it (strongly) and then stored (but you may (or may not) want to talk to your DDTC rep about that. You should have no problems finding an offsite storage company to provide the service, and/or use someone who allows you to restrict the S3 zones (if AWS is the backend store) to us-* regions. Similar for rackfiles, dream objects, etc. Another comment here is worth highlighting, however - use consumer services, get consumer service. Go upmarket a bit if you are actually looking for something that your company's bottom line is hung on.
  • by iroll (717924) on Friday July 26, 2013 @08:59PM (#44396381) Homepage

    Is there a way you could encrypt the files or folders that are shared via dropbox, so that only people you have authorized (via a key) could decrypt them?

  • by GovCheese (1062648) on Friday July 26, 2013 @09:00PM (#44396385)
    You might start with looking at FEDRAMP complaint providers found here: http://www.gsa.gov/portal/content/131931 [gsa.gov] I would imagine that those listed providers also have FISMA certification so you'll be able to determine if the categorization of the data you are trying to protect is met by the provider. ITAR categorized data must be stored in CONUS and I believe AWS Government Community Cloud and the USDA National Information Technology Center offered by United States Department of Agriculture supports CONUS only storage. I believe Google Apps for Government does as well. But the key thing is to ensure the FiSMA cert matches the categorization of your data.
  • by dbIII (701233) on Friday July 26, 2013 @09:11PM (#44396459)

    Dropbox + security? Sorry, they don't go together.
    Don't people remember the day when everyone could get into anybody else's dropbox account without a password? The dedupe hack where people were getting instant access to other people's files on dropbox with the file hash - a quick way to download movies but has more sinister applications. How about the problem where you get the illusion of locking people you've shared stuff with before out by changing the password, but it doesn't actually lock them out?
    It started off as a hack with a few python scripts as a front end to Amazon's storage and sadly it still shows. It's an epic failure in terms of security due to those I've mentioned and many more. In a business environment with multiple clients and a need to share things with one client and not another the dropbox sharing model is just an accidental disclosure waiting to happen. It's one to many and not one to one.
    Seriously, there are dozens of alternatives out there and dropbox doesn't even measure up to plain old FTP from thirty years ago in a business setting. Use it for a hobby if you want with your own personal stuff but it's just an accident waiting to happen if you are going to use it for anything business related where there would be consequences if it ended up on the front page of a newspaper.
    So if you've got nothing to hide you could use dropbox - or you could just put the files to download on your website. Dropbox is for those who can't put files on their website to download.
  • by stevel (64802) * on Friday July 26, 2013 @09:18PM (#44396493) Homepage

    I don't know much about it, but my employer, probably a larger company than yours, specifies that we should use EMC's Syncplicity Enterprise (http://www.syncplicity.com/products/enterprise-edition) for secure cloud storage. It offers the option of keeping the storage in-house. Worth a look.

  • by dbIII (701233) on Friday July 26, 2013 @09:21PM (#44396513)
    Owncloud looks quite good at the moment and is very simple to set up and run. You host the data yourself and it is shared via a sync client, a web front end or links sent by email, which can have expiry times set. The email thing can be turned off if you are quite correctly worried that there are far too many people capable of reading your email.
    There is commercial support and some commercial extras but you can use the open version to try it out first (or indefinitely if that's all you need).
  • by Kagetsuki (1620613) on Friday July 26, 2013 @09:36PM (#44396583)

    We use SparkleShare because we have our own git server anyway. Not sure how robust the security is compared to something specifically built for security (EG it's not like it has multi factor authentication).

    Still as others have pointed out what the fuck are you doing with a cloud based service as a defense contractor. We do open source software and the only stuff we're storing in sparkleshare is scratch work, images, document templates and random crap that anyone could steal and we wouldn't care anyway.

  • by bobstreo (1320787) on Friday July 26, 2013 @09:38PM (#44396585)

    I managed accellion for web based and sftp file transfers, it's pretty mature, not too expensive. Check
    www.accellion.com

    The setup I used was a virtual server on vmware with an encrypted file system from a file server on our SAN.

    The link for government services is at:
    http://www.accellion.com/why-accellion/for-government [accellion.com]

  • by jfisherwa (323744) <[moc.liamg] [ta] [rehsif.nosaj]> on Friday July 26, 2013 @09:45PM (#44396629) Homepage

    You can limit it to VPN and sync folders peer-to-peer. It monitors and syncs changes for you, and is great for making a redundant backup/dropbox-type distribution system.

  • by flimflammer (956759) on Friday July 26, 2013 @10:15PM (#44396747)

    This is exactly what the system is designed for: https://aws.amazon.com/govcloud-us/ [amazon.com]

  • by thatkid_2002 (1529917) on Friday July 26, 2013 @10:45PM (#44396857)

    Whatever you chose should really be run over a VPN for external usage. Period.

    I'd look at using ownCloud - and you can get commercial support if it is required. I used to work for a company which used Novell iFolder and that was pretty good - but looking into that a little more it seems like Novell has a new thing called Filr which seems to tick the boxes (especially from a Manager perspective).

  • by Karmashock (2415832) on Friday July 26, 2013 @11:06PM (#44396967)

    Literally email dropbox and tell them you need to purchase some of their servers.

    If you're seriously using this feature and price isn't a big deal, they'll sell the literal servers which can be insulated within your own network with slightly different settings so it isn't immediately obvious to probes what sort of software you're using.

    The first rule of computer security is physical security.

    This is very very key. If you really want your data to be secure. You have to have physical possession of it. It cannot be on some remote server that you don't control. And by control, I mean you can walk up to it kick the power cord out of the wall if you so desired. THAT is control.

    If you don't have that you're "trusting" someone else which is not how security works. Security is not about trust. Security is about paranoia.

  • by Quick Reply (688867) on Saturday July 27, 2013 @12:28AM (#44397279) Journal

    Synology have been moving from the personal to the enterprise space as of late with their "DiskStation" NAS line of products. Some of their high end "NAS" boxes can get pretty powerful. There is a function of the DiskStation is called "Cloud Station", essentially a Dropbox clone.

    Basically what you would be doing is having your own on-premises 'Dropbox appliance'. It is very easy to setup/integrate with it's user-friendly interface for the admin, and then all you really need to do then is forward the ports and install the client software.

  • by flyingfsck (986395) on Saturday July 27, 2013 @01:26AM (#44397439)
    You do government work and you are this clueless? No wonder the USA is in the state it is in. You should start by reading the ITSG.
  • by Hognoxious (631665) on Saturday July 27, 2013 @04:10AM (#44397765) Homepage Journal

    I manage the network for a defense contractor that needs a cloud-based storage service

    Stop right there, I think I've spotted the problem.

  • Nobody else but you will be blameable in case of a leak. And you can tailor the solution to your needs, to your specifications and to your use cases, both technical and functional. Oh, and here is a well-meant piece of advice: stop thinking of "the cloud". Don't. Just don't. If your data is so important, then host some hardware in a fire-proof, earthquake-proof place, run your self-built solution on that hardware in that facility, and off you go.
  • by spongman (182339) on Saturday July 27, 2013 @05:19AM (#44397963)

    it's not open-source, if you care about that, and it's still in beta (what isn't these days?), but it's free, secure and it works well.

  • Office 365 isn’t cheap but it has SkyDrive Pro included, which is protected by multiple U.S. data centers, and is only in the U.S.

  • by nurb432 (527695) on Saturday July 27, 2013 @10:03AM (#44399059) Homepage Journal

    Setup your own storage at your office. Don't trust public companies for your data.

    If you dont/cant do it yourself, hire someone to come in and doit. And audit the hell out of what they do.

  • by flacco (324089) on Saturday July 27, 2013 @10:08AM (#44399091)

    I completely do not understand anyone storing even remotely confidential data, much less security-related data, on servers hosted by another organization.

  • by Frankie70 (803801) on Saturday July 27, 2013 @11:06AM (#44399479)

    Email the data to your gmail account. That's what I do.

A sheet of paper is an ink-lined plane. -- Willard Espy, "An Almanac of Words at Play"

Working...