How can I protect business data from being removed by an employee using encryption?

KurskKnyaz

Hi,

I am looking to beef up security on an office network. Aside from the obvious: physical security, limiting user privileges using Active Directory, running a firewall that does stateful packet inspection and running anti-virus software; I would like to prevent users from copying a file to a USB flash drive and taking it home or cloning a hard disk or just removing the hard disk from a work station.

I can block all email sites using the Dell SonicWall so that employees cannot email themselves sensitive corporate data, but what do I do about USB drives? The BIOS on the workstations does not allow them to be disabled.

I once had a client who used a computer at a bank that she was working on to transfer photos from her camera to a USB flash drive. She came to me complaining that she couldn't open the photos on the USB drive on her home computer. It turns out that the computer encrypted the photos so that they can only be opened on the bank computer. How can I do something like this to prevent employees from removing data?

I know that Intel offers hardware drive encryption on systems with vPro technology, but most of our workstations do not have this. Is there a way to do this via software? Would full disk encryption even prevent an employee from copying data to a flash drive? Please advise.

Also, is there a way to encrypt data in transit? For example: when the server is backing up to a NAS drive, is it possible to encrypt the data while it is going over the network, and is this level of security even necessary?
 

KurskKnyaz

And is there a way to have Windows Server keep a transaction log of exactly who accesses and changes any file or system setting?
 

PliotronX

Sounds like something that Symantec Endpoint Encryption or Sophos SafeGuard could do. Most of the big name security software outfits offer some form of this. As far as the data transit, a VPN or tunnel of some kind is where I'd look.
 

John Connor

Have a look in group policy edit. gpedit.msc typed into search. There you might have your options.
 

John Connor

"And is there a way to have Windows Server keep a transaction log of exactly who accesses and changes any file or system setting?"


Does this help? http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/


"...and is this level of security even necessary."


Not unless someone is between or has access to this link, I wouldn't think so.

Is the NAS on site?
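One way to get the per-file "who touched what" log asked about above, as an added example that is not part of the original posts: enable file-system auditing, put an audit rule on the folder, then read event 4663 from the Security log. The folder path is a hypothetical placeholder, and the session is assumed to be elevated on an English-language Windows Server.

```powershell
# Added example. $folder is a hypothetical path; run in an elevated session.
$folder = 'D:\Shares\Finance'

# 1. Enable the "File System" object-access audit subcategory (English name).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit (SACL) entry so changes by anyone under $folder are logged.
#    Reads can be audited as well by adding ReadData, at the cost of log volume.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Report the last 24 hours of object-access events (ID 4663) for the folder.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    # Event fields are named <Data> elements in the event XML.
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['ObjectName'] -like "$folder*") {
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

On domain-joined servers an audit policy delivered by Group Policy overrides the local `auditpol` setting at the next refresh, so set it there for anything permanent. Size the Security log accordingly, because file auditing on a busy share generates a lot of events.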
 

matricks

Have a look at Control Read or Write Access to Removable Devices or Media.

There are also policies for denying write access to unencrypted volumes, but they only apply to BitLocker To Go. BitLocker-encrypted drives can be protected by only a password (or optionally multiple factors), so they might be able to read it just knowing the password (which they will also need to know to use it for work purposes). There may be a way to store the encryption key in AD only, requiring a domain-joined computer to mount/decrypt the volume. I wasn't able to find one with quick searches, but it might be worth a look.

"Also, is there a way to encrypt data in transit? For example: when the server is backing up to a NAS drive, is it possible to encrypt the data while it is going over the network, and is this level of security even necessary?"

In transit only, or in such a way that the data is saved encrypted on the NAS? In transit only basically means use a protocol that supports encryption. HTTPS, FTPS, SFTP, rsync over SSH, anything. Modern SMB/CIFS (a.k.a. Windows file share) is also fairly secure, unless you enable its compatibility options, reducing key length or disabling encryption altogether. In transit only is usually fairly low-hanging fruit; most modern devices support some encrypted communication protocol, and it doesn't take a lot to enable. Establishing proper secure key management (e.g. if using X.509 certificates or SSH keys) will take some thought process, but the configuration is usually fairly straightforward.

If you want the data to be saved in encrypted form, you'll need to describe in more detail what you really want to achieve. What are the threats you are worried about? Someone physically stealing the NAS and reading the data? Someone connecting to the NAS and stealing data while it is running? Someone MITM-ing the link used for copying?
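The two removable-drive policies mentioned in the post above, shown as the registry values their Group Policy settings write. This is an added example, not part of the original post; it assumes an elevated session on a single test workstation, and the `-Mode` parameter and helper function names are made up for the illustration.

```powershell
# Added example. Run elevated on a test machine; in a domain, configure the
# same settings through Group Policy rather than editing the registry.
param(
    [ValidateSet('Report', 'DenyAllWrites', 'BitLockerOnly')]
    [string]$Mode = 'Report'
)

# "Removable Disks: Deny write access" (Removable Storage Access policies).
# Phones and cameras (WPD devices) have their own settings in the same node.
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# "Deny write access to removable drives not protected by BitLocker".
$fve = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Set-PolicyValue($Path, $Name, $Value) {
    # Create the policy key if it does not exist, then write the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

switch ($Mode) {
    # Blocks every write to USB mass storage, encrypted or not.
    'DenyAllWrites' { Set-PolicyValue $removableDisks 'Deny_Write' 1 }
    # Allows writes only to BitLocker To Go volumes; plain drives mount read-only.
    'BitLockerOnly' { Set-PolicyValue $fve 'RDVDenyWriteAccess' 1 }
}

# Always finish with the current state so the result can be checked.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    'Deny_Write'         = Get-PolicyValue $removableDisks 'Deny_Write'
    'RDVDenyWriteAccess' = Get-PolicyValue $fve 'RDVDenyWriteAccess'
}
```

A drive that is already attached may need to be re-inserted, or the machine restarted, before a changed setting applies. As the post notes, `BitLockerOnly` still leaves a password-protected drive readable on any computer where the password is known.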
 

smakme7757

Another alternative might be Microsoft Rights Management, but it's a big investment in time and you need to know what you're doing.

Keep in mind that an employee could also just snap a picture of a document with their phone. Then that pic gets auto uploaded via 3/4G to Google/Apple/Microsoft.

No way to get it back. Slower, but can still be done.
 