Ask Slashdot: Secure DropBox Alternative For a Small Business?

timothy posted about a year ago | from the unknown-lamer-favors-afs dept.

Cloud 274

First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires all data to remain inside the US, including any cloud storage or redundant backups. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality; 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). I've been calling different companies and just can't seem to find a decent solution. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. Am I wrong?"

274 comments

Simple. (-1)

Anonymous Coward | about a year ago | (#44395597)

A station wagon full of floppies.

You are kidding right? (5, Informative)

MerlynEmrys67 (583469) | about a year ago | (#44395599)

You want "Someone Else" to manage your data that is classified under ITAR? Uhmmm... Why don't you build your backup solution - put links in to remote data centers and handle the problem correctly and professionally. The last thing we need is some external entity getting a hold of this stuff because you don't want to have the budget to do things right instead of at a consumer level.
Gah - I can't believe this is even a question

Re:You are kidding right? (5, Informative)

ravenswood1000 (543817) | about a year ago | (#44395603)

Try Owncloud or Ajaxplorer for your own cloud solution maybe.

Re:You are kidding right? (4, Informative)

Trepidity (597) | about a year ago | (#44395687)

For something Dropbox-like in UI that you can point to your own servers, some options are:

* Git-Annex Assistant [branchable.com] : Despite its name, git is sort of an implementation detail you can ignore. It doesn't actually revision-control all your files, so you don't get huge bloat with binary files that are edited. One nice thing it does is integrate syncing with offline storage, so you can e.g. set up a remote server to sync to live, *and* set up a USB-connected hard drive to sync to when it's attached. When the USB drive is offline git-annex will still remember what files were on it.

* Sparkleshare [sparkleshare.org] : a front-end that does version-control all your files, which might be preferable if you are sharing small-ish files where you might want to recover a previous version (e.g., text documents). Less good than Git-Annex Assistant if you're sharing huge media files, possibly better if you aren't.

See also this Slashdot discussion [slashdot.org] from two years ago.

Re:You are kidding right? (0)

Anonymous Coward | about a year ago | (#44395767)

Don't forget that git-annex can use encrypted remotes! I think they're also building in the option for version control of large files, implementing deltas, etc.

Re:You are kidding right? (5, Funny)

ColdWetDog (752185) | about a year ago | (#44396201)

I can just see this - a high level presentation to the C level executives:

"Yes, we're planning on using Sparkleshare".

"Sparklewhat?"

"Sparkleshare, it's an open source product that ...."

"Look, we're here to discuss corporate data strategy, not your daughter's favorite website".

Re:You are kidding right? (5, Funny)

pixelpusher220 (529617) | about a year ago | (#44395693)

I believe there's a facility in Utah that specializes in cloud data storage...

Re:You are kidding right? (0)

Anonymous Coward | about a year ago | (#44396019)

..providing a generous free backup to all your data.

Re:You are kidding right? (0)

Anonymous Coward | about a year ago | (#44395825)

Or he can look at a File Transporter, the 2.0 software offers a lot of Dropbox's functionality, but the data lives on your drives and is encrypted during sync.

http://www.filetransporter.com/

Re:You are kidding right? (2)

Sir_Sri (199544) | about a year ago | (#44395833)

I love my dogs very much, but The love for my son and his needs are much greater.

Like a lot of regular services, there are usually defence contractors who offer similar services that meet whatever national government requirements are - for 10x the price naturally.

I would think that Microsoft or Google (though more likely Microsoft than Google) offer something similar to their commercial offerings but certified for defence. If not them, then likely you're looking at either Lockheed Martin, HP, IBM and expecting to pay very large sums of money.

Re:You are kidding right? (5, Insightful)

sconeu (64226) | about a year ago | (#44395993)

I agree with Merlyn. Are you F***ING INSANE?????? Especially after the way that the gov went batshit insane over Wikileaks and then over Snowden.

I know that "classified under ITAR" is not "Classified secret", but you'd be crazy to trust that data to any storage that you (or your company) doesn't directly control.

Disclaimer: I am not an ISSO or ISSM (though at one point I did get certified as one -- long since lapsed).

Re:You are kidding right? (-1, Flamebait)

Anonymous Coward | about a year ago | (#44396055)

For a small monthly fee I will manage this system for you. I promise it will be totally secure.

I call bull (5, Interesting)

santax (1541065) | about a year ago | (#44395607)

"I manage the network for a defense contractor that needs a cloud-based storage service" No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

Re:I call bull (5, Insightful)

hawguy (1600213) | about a year ago | (#44395681)

"I manage the network for a defense contractor that needs a cloud-based storage service"

No you don't. At least I sure as hell hope you don't. Cloud + defense don't mix but since you are managing such a network, why am I telling you this? Why don't you contact 'defense' for options...

That was my first thought when I saw his message. It doesn't seem that any commercial Dropbox like service would provide enough fine grained ACL's and reliable and untamperable logging to properly secure any kind of "classified" data. It seems like keeping the data locked up in a VPN accessed fileserver would be better with restrictions on the computer that prohibit saving to local storage. Once it's on a dropbox like service, how do you keep an exec from syncing the entire restricted folder to his laptop before his overseas trip to China, thus violating the rules about keeping it on US soil?

Re:I call bull (0)

Anonymous Coward | about a year ago | (#44395887)

The ITAR classification system is not the same as the Secret/Top Secret/FOUO classification system. They are two separate and distinct systems run by two different parts of the State Department. This guy's company could be working with FOUO or Unclassified data that the DDTC thinks is super-sensitive. (Data classified as FOUO or Unclassified doesn't require the access control machinery and personnel vetting that Secret and higher do.)

Re:I call bull (5, Informative)

Wintermute__ (22920) | about a year ago | (#44395971)

Sadly, I think this guy might be for real. Notice he didn't say "classified", merely "ITAR-restricted". Those are nowhere close to the same thing. Yet, if you get caught messing up with ITAR data, it's still up to a million-dollar fine per instance I believe. Reason enough to tell your lusers "No, you may not use Dropbox" and block it at the firewall.

Defense contractor - I'm thinking sub-contractor or sub-sub-contractor. There are so many small companies with no budget and less clue handling this kind of dangerous but not classified data out there, it's scary.

Re:I call bull (0)

Anonymous Coward | about a year ago | (#44395779)

Ya, dropbox for security? Ever googled 'dropbox security'?

I guess idiot admins must read /. as well.

Re:I call bull (-1)

Anonymous Coward | about a year ago | (#44395995)

I think there was a typo in the summary. He left a 'D' off of iTard, which would explain a lot*.

.

* disclaimer: I use apple products.

AWS? (5, Interesting)

Anonymous Coward | about a year ago | (#44395609)

I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

AWS GovCloud (5, Informative)

Anonymous Coward | about a year ago | (#44395775)

I know that Amazon Web Services have several cloud-based sites that are certified to not allow traffic out of the US (I work there currently). I don't know how it fits your other needs, but there are a number of government agencies that use them.

Look here -> https://aws.amazon.com/govcloud-us/

Cloud 0? (4, Interesting)

craznar (710808) | about a year ago | (#44395611)

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

Re:Cloud 0? (1)

hawguy (1600213) | about a year ago | (#44395707)

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

If you want reliability, mirror it (or maybe RAID-5 or -6 if you want to tolerate one or 2 providers going down).

If you want security, use encryption.

If you don't trust your encryption, striping it across multiple providers doesn't enhance security by much since any provider could decrypt the pieces that he has (or someone could just intercept the intact datastream in transit to the providers)
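
The reliability and confidentiality points in the comment above, worked through as an added example (not part of the original comment). It assumes three providers that fail independently with the same availability `p`; the function names and the sample data are constructed for illustration.

```python
"""Added illustration: striping vs. single parity across storage providers."""
from functools import reduce
from typing import Dict, List, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_striped(data: bytes, n_providers: int) -> List[bytes]:
    """RAID-0 style: n equal shares, no redundancy."""
    size = -(-len(data) // n_providers)              # ceiling division
    padded = data.ljust(size * n_providers, b"\0")
    return [padded[i * size:(i + 1) * size] for i in range(n_providers)]


def split_with_parity(data: bytes, n_providers: int) -> List[bytes]:
    """n-1 data shares plus one XOR parity share (dedicated parity, not rotated)."""
    shares = split_striped(data, n_providers - 1)
    return shares + [reduce(_xor, shares)]


def join_striped(shares: List[Optional[bytes]], length: int) -> bytes:
    if any(s is None for s in shares):
        raise ValueError("striping has no redundancy: one lost provider loses the data")
    return b"".join(shares)[:length]


def join_with_parity(shares: List[Optional[bytes]], length: int) -> bytes:
    """Rebuild the data when at most one share (data or parity) is unavailable."""
    missing = [i for i, s in enumerate(shares) if s is None]
    if len(missing) > 1:
        raise ValueError("single parity tolerates only one lost provider")
    shares = list(shares)
    if missing:
        # XOR of all surviving shares equals the missing one.
        shares[missing[0]] = reduce(_xor, [s for s in shares if s is not None])
    return b"".join(shares[:-1])[:length]


def availability(p: float, n: int, layout: str) -> float:
    """Probability the data is readable, assuming independent provider outages."""
    if layout == "stripe":    # every provider must be up
        return p ** n
    if layout == "parity":    # all up, or exactly one down
        return p ** n + n * p ** (n - 1) * (1 - p)
    if layout == "mirror":    # at least one provider up
        return 1 - (1 - p) ** n
    raise ValueError(layout)


def demo() -> Dict[str, bool]:
    data = b"CONSTRUCTED SAMPLE: export-controlled drawing, rev B"
    parity_shares = split_with_parity(data, 3)
    parity_ok = all(
        join_with_parity(
            [None if i == lost else s for i, s in enumerate(parity_shares)],
            len(data),
        ) == data
        for lost in range(3)
    )
    striped = split_striped(data, 3)
    try:
        join_striped([striped[0], None, striped[2]], len(data))
        stripe_ok = True
    except ValueError:
        stripe_ok = False
    return {
        "parity_survives_any_single_loss": parity_ok,
        "stripe_survives_loss": stripe_ok,
        # Without encryption, each provider still holds readable plaintext.
        "provider_sees_plaintext": b"CONSTRUCTED" in striped[0],
    }


if __name__ == "__main__":
    print(demo())
    for layout in ("stripe", "parity", "mirror"):
        print(layout, round(availability(0.99, 3, layout), 6))
```

Neither layout hides anything from a provider on its own; confidentiality still has to come from encrypting before the data is split.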

Re:Cloud 0? (1)

I'm New Around Here (1154723) | about a year ago | (#44395903)

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

You've never heard of parity?

Re:Cloud 0? (3, Insightful)

FriedYuca (2831489) | about a year ago | (#44395945)

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

To give you 1/3 the reliability of storing it on a single provider and making your data completely inaccessible if any of them go down?

You've never heard of parity?

Not in Raid 0, he hasn't.

Re:Cloud 0? (1)

LordLimecat (1103839) | about a year ago | (#44395999)

That's an awful idea, do you realize how bad the latency would be? What happens when one service is consistently behind the other, do you just allow the data to constantly be in an inconsistent state between your "stripes"? What happens if one provider is down-- do you allow the volume to remain "on" during the outage, and if so, where are you going to store the parity information until it comes back up?

And all of this for what benefit?

You're basically taking the issues that arise in a mixed-hardware RAID, and amplifying them about a hundred times, and then throwing in TCP just to make things really exciting. You would end up with all of the bad parts of RAID 0, and none of the good ones (since one stripe is no good to you unless the other arrives immediately after, which can hardly be guaranteed over TCP).

Re:Cloud 0? (0)

Anonymous Coward | about a year ago | (#44395803)

a drive striped to the cloud? REALLY??

you sound like my boss just spouting off tech jargon that you have NO understanding of..

striping to the cloud would be the worst idea EVER..

But of course you really meant RAID 1 and MIRRORING...

STRIPING would only keep half the data on your local system and the other half in the cloud and each alone would be useless without the other...

Re:Cloud 0? (0)

Anonymous Coward | about a year ago | (#44395829)

What the fuck is so hard about sshfs to your own server who also has apache running? Hm?
Want the whole partition encrypted on the client side? Well, since a partition is only a file too... "mount -o loop ...". Done.
Of course you could also just run OpenVPN instead of tunneling through ssh.
There really are *countless* options for every possible usage scenario BUILT RIGHT IN.
At least with non-toy operating systems.

This is what counts as computer experts nowadays? Morons who understand absolutely NOTHING about computers??

This is what I'm talking about, when I say "mentally crippled by Windows". (Not that OS X would encourage anything better, but at least you can do a bit of it, if you really want to. They're both not professional but consumer [read: moron] OSes though.)

Re:Cloud 0? (1)

jamesh (87723) | about a year ago | (#44395939)

Someone needs to write a RAID 0 style encrypted 'driver' that stores your data striped on Google Drive, Skydrive and Dropbox (and what ever else).

I assume you say raid0 so that even if someone got the encryption keys and also managed to hack one of the providers, they'd still only have access to 1/nth of the data. As others pointed out this breaks badly if even one provider goes down.

Better would be a truecrypt style drive that did RAID6 across multiple accounts on multiple providers, which would give better reliability and still only reveal a fraction of the data (which is still encrypted) if someone hacked the provider

But really, there is likely someone on your staff who is going to have the keys to the data, and have a family, and unless your data still seems important when someone has a gun to the head of someone you love, extreme levels of encryption and protection are a waste of time. Put an encrypted backup of your data in the cloud and be done with it. If you really need a live copy of your data in the cloud then encrypt that all the way back to the endpoint so even if the provider gets hacked they still need your keys.

Re:Cloud 0? (2)

DaHat (247651) | about a year ago | (#44396053)

Or just buy a storage appliance [storsimple.com] that has that kind of functionality built in and backups to the cloud in an encrypted way.

To quote one of their bullet points:

Military-grade Security
All data stored in the cloud with StorSimple has military-grade encryption applied to it. The encryption key is never given to StorSimple or the cloud provider, ensuring complete data privacy to support compliance requirements as stringent as HIPAA.

Add Encryption to Dropbox (2)

Dominic Pettifer (2998301) | about a year ago | (#44395613)

Could you not add a layer of encryption to Dropbox, such as BoxCryptor (https://www.boxcryptor.com/)?

You're kidding, right? (1)

frovingslosh (582462) | about a year ago | (#44395807)

I just looked at it. I need an account with them to encrypt my files? And it seems that my files may even transfer to them before encryption and after decryption. Or am I missing something? And the video even is narrated by someone with a foreign accent and shows the names of encrypted files change to something that looks like Chinese????? If I'm going to encrypt my files for security or safety or even privacy, I'm certainly going to do it on my own computers, not with something where I need an "account" with someone else to have them encrypted. Adding a layer of encryption would be nice (although likely not good enough to protect ITAR data properly), but doing it after the data leaves the computer is just crazy talk.

Re: You're kidding, right? (1)

Dominic Pettifer (2998301) | about a year ago | (#44395871)

Reading up on BoxCryptor it looks like it uses end-to-end encryption. So the data is encrypted before it leaves your computer. I believe the sign up is because it's a software subscription model, you have to pay annually, which I don't like. I'd rather just pay for the software outright, and buy upgrades in my own time.

SpiderOak, Bitcasa (1)

Anonymous Coward | about a year ago | (#44395615)

I don't know if they keep data elsewhere that *isn't* in the US, but you could look at both SpiderOak and Bitcasa. (throw .com on the end of each). Both claim to encrypt data on the client side before upload. SpiderOak has a "hive" feature that operates pretty much just like Dropbox. Bitcasa is a little different but you may be able to shoehorn it into a solution if you need to.

Another option you could consider would be grabbing an S3 account from Amazon (or Rackspace Cloud Files could work too), keep your data in the US, and then create your own background client or script to encrypt the data on your machine and then upload it. There are several apps out there that can upload data to one of these cloud providers - there's Forklift in the Apple store and the popular "Cyberduck" which has support for both options. (I happen to be a Mac user so I'm not sure what Windows/Linux alternatives are there, but both have APIs so it's possible to roll your own if you want).

You could also consider virtual machines and mounting them as NFS for shared storage. Obviously some form of encryption would be key here since this is all going over the internet.

I can't guarantee any of these options will work for your use case (especially with your ITAR regulation requirements), but they may be a place to start.

Good luck!

DIY (0)

Anonymous Coward | about a year ago | (#44395619)

Given your area of expertise, why don't you host your own cluster with this type of functionality?

Ubuntu One (3, Funny)

conner_bw (120497) | about a year ago | (#44395623)

Ubuntu One has a similar service. Here's my referral url. [ubuntu.com]

They have root [softpedia.com] so you know it's secure. You can trust them.

Carbonite Cloud Backup (0)

Anonymous Coward | about a year ago | (#44395629)

Check it out.

Novell filr (0)

Anonymous Coward | about a year ago | (#44395631)

Host your own solution using Novell Filr, http://www.novell.com/products/filr/

Re: Novell filr (0)

Anonymous Coward | about a year ago | (#44395725)

I second Filr.

Never going to find one (5, Informative)

Archfeld (6757) | about a year ago | (#44395635)

I've worked contingency operations and recovery for data under federal regulations. You will NEVER find a service that will provide the kind of security, financial and geographical restrictions that you really need. That is the single most compelling reason why banks have backup data centers...

Re:Never going to find one (2)

DaHat (247651) | about a year ago | (#44396105)

How long ago? These folks [storsimple.com] seem to have an interesting solution for this kind of setup (encryption on-prem prior to being sent to the cloud and keys never leaving your control)... and also claim to be inside of at least one bank [storsimple.com]

How about ssh? Http? (2, Informative)

Okian Warrior (537106) | about a year ago | (#44395641)

Store it on a server at your business that you control.

Run open-source software which gives you DropBox functionality, such as BitTorrent Sync [wikipedia.org] .

The only way to be sure is to host it on a server you control, using software that can be inspected.

Re:How about ssh? Http? (0)

Anonymous Coward | about a year ago | (#44396117)

Bittorrent Sync isn't open source (yet).

Sparkleshare (2, Informative)

Anonymous Coward | about a year ago | (#44395647)

Sparkleshare is a git based program that you can configure and use entirely in-house. I use it for hosting our IT documentation for a small city government.

CALL the NSA (0)

jackb_guppy (204733) | about a year ago | (#44395649)

They are storing the internet traffic anyway...
By definition it is in US territory...
Their sites are secure... Oops!

Re:CALL the NSA (0)

Anonymous Coward | about a year ago | (#44395735)

You are absolutely right! [arstechnica.com] .

ownCloud (1)

Infin1niteX (950492) | about a year ago | (#44395655)

Why would you be looking for a provider for classified info instead of looking to create your own solution? Google ownCloud. Works just like Dropbox, opensource so you can always change it to fit your needs if it's missing something.

Amazon S3 or Glacier (0)

Anonymous Coward | about a year ago | (#44395667)

Amazon S3 is .10 cents per GB or glacier is .01 per GB. We use it for off site backup.

ownCloud and host it yourself (0)

Anonymous Coward | about a year ago | (#44395669)

If you are that concerned about the data security, just use ownCloud, and run it on your own servers.

OwnCloud ? (0)

Anonymous Coward | about a year ago | (#44395671)

What about Owncloud ?

Wuala?.. (1)

thaiceman (2564009) | about a year ago | (#44395673)

I am surprised no one else mentioned this yet, Wuala encrypts locally then uploads to their server. But its feature set isn't quite on par with DropBox yet....

Re:Wuala?.. (2)

insp (854306) | about a year ago | (#44395743)

Wuala stores their files in Switzerland. I doubt that would meet appropriate defense standards.

Just use OwnCloud (2, Informative)

Anonymous Coward | about a year ago | (#44395685)

You host it yourself, control the data/features. Supports LDAP authentication. Client software is pretty quick. There is commercial support if you need it. Gracefully recovers from network loss. Oh and it has the appropriate iOS and Android clients. I have been slowly rolling it out in production without any complaints so far. Hope that helps!

- Too lazy to login

JungleDisk (0)

Anonymous Coward | about a year ago | (#44395697)

JungleDisk is one that comes to mind

SpiderOak, and you're doing it wrong (2)

Fencepost (107992) | about a year ago | (#44395703)

I believe SpiderOak provides some encryption that you might think meets your needs, but I also agree with others that by the time you're asking this question something has already gone tragically wrong.

Of course there's always the counter argument that your data has in fact already been hacked and pretending you can keep it secure is just self deception.

Spideroak (0)

Anonymous Coward | about a year ago | (#44395709)

Spideroak is probably as secure as you are going to get. Fwiw I have had good experiences.

Calm down people... (4, Informative)

krbvroc1 (725200) | about a year ago | (#44395715)

I'm sure he does not mean 'Classified' information. He means classified under ITAR. It was probably a poor choice of word to use classified rather than categorized.

Dropbox (0)

Anonymous Coward | about a year ago | (#44395719)

First, ITAR and "classified" are not the same.

Second, Dropbox is just a front end for Amazon S3. Which has quite a few DoD data security certs.

Simple easy secure solution (0)

Anonymous Coward | about a year ago | (#44395721)

Novell Filr. It's as simple and secure as it gets, you control the data, you control the access, you control everything.

VMware Horizon Workspace or OwnCloud (2)

insp (854306) | about a year ago | (#44395727)

I'm very intrigued by the fact that you actually want to use an external cloud based storage solution. I would have thought that defense would have required not to use a third party for remote file storage. The best solution would be to "roll your own" and set up something in a private cloud hosted in a datacenter that meets your requirements. If you are a VMware shop, you should seriously take a look at Horizon Workspace as it provides a Dropbox like product that would be a great fit. If you want to run this on a budget, check out OwnCloud. I use that myself to keep home/work documents in sync between machines and always wanted the equivalent of Dropbox but syncing onto my own servers.

Re: VMware Horizon Workspace or OwnCloud (0)

Anonymous Coward | about a year ago | (#44395781)

We use horizon workspace internally, and it has some bugs and oddities vs Dropbox. It's very much a 1.0 product but they did get security right. We are migrating to HDS HCP anywhere. The backend is an amazon S3 API comparable object store that can scale to PBs easily, is secure and handles replication, archiving retention compression and single instancing. Vmware is about to update workspace soon, but implementing this stuff is my day job so feel free to ask questions.

btsync (0)

Anonymous Coward | about a year ago | (#44395769)

You may try btsync. http://labs.bittorrent.com/experiments/sync.html

fuck you (0)

Anonymous Coward | about a year ago | (#44395771)

Tell the fuckin execs to pass on their bonuses this year, or they will be arrested and the company shut down. If you can afford to do it, go out of business.

No you don't (1)

Wee (17189) | about a year ago | (#44395773)

needs a cloud-based storage service

You want to put classified data on someone else's servers? You're putting a HUGE amount of trust in the laziest/least ethical/most incompetent sysadmin that company hires. Why in hell would you think you "need" cloud-based anything?

-B

Re:No you don't (1)

Shados (741919) | about a year ago | (#44395893)

If your company is of significant size, you still put a huge amount of trust in SOMEONE SOMEWHERE that you shouldn't. If shit happens at a third party you can sue a large entity. If one of your own employees screws you over, you can only sue an individual that won't be able to cough up any kind of reasonable damage settlement.

That's why people outsource payroll, employee performance evaluations and all that other crap.

rsync.net (0)

Anonymous Coward | about a year ago | (#44395785)

rsync.net [rsync.net] ? It supports common protocols (ftp though https to rsync). You specify which location you want to store on at signup. It doesn't do encryption for you (storage encryption that is) but it sounds like you should be doing that yourself.

Ahem. (2)

drolli (522659) | about a year ago | (#44395791)

Pay somebody (contractor/consultant) who knows what he does. Seriously, man. Ask for a 10 page concept with the three best options fulfilling all your specific requirements (which you probably did not mention here), and offer him to implement it if you like one of these.

My 2 cents on this: To me it is completely non-obvious how Dropbox could have ended up in the stack of possible solutions - too little control, non-transparent business model, other use case is the dominant one. I would start by looking at the obvious storage providers (Amazon, telecoms, specialized local/regional/national storage providers), compare them by the options/price they offer, look separately at software fulfilling my local needs and being capable of talking to the storage providers. Then I would create local scenarios about additional dedicated hw needed and after that I would make my choice/give the best options to my manager to select, based on business criteria.

buy a server (0)

Anonymous Coward | about a year ago | (#44395793)

Buy yourself a server. How dumb can people get? And we let these people sell arms to the world?

Syncplicity (1)

Xygon (578778) | about a year ago | (#44395809)

EMC's Syncplicity allows you to have a "cloud" backup that's actually domain authenticated and resides in your own data center. Some of the Dropbox-esque features people want, with the in-house security.

ITAR is tighter than that (4, Informative)

GumphMaster (772693) | about a year ago | (#44395837)

Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires all data to remain inside the US, including any cloud storage or redundant backups.

It is much tighter than that. You must ensure that only "US Persons" have access to that data without appropriate export licences/approvals/agreements. Can you guarantee that no foreign national, dual citizen, or employee of a foreign company is working at your cloud host or in any data centre that might be housing your data?

Re:ITAR is tighter than that (1)

GumphMaster (772693) | about a year ago | (#44395917)

BTW: IANAL but I am a "foreign national" that has been at the receiving end of ITAR fun and games.

I live in the US (0)

Anonymous Coward | about a year ago | (#44396025)

However, the government says, with 51% certainty, that I'm a "non-US person", and wiretaps me with impunity. Can I be both simultaneously?

AeroFS (1)

HJED (1304957) | about a year ago | (#44395849)

I would suggest AeroFS [aerofs.com] it's P2P sync, they support multiple users and let you use your own Amazon EC3 instances if you want. It is fully encrypted.

Re:AeroFS (0)

Anonymous Coward | about a year ago | (#44396155)

No encrypted storage volume should be considered safe in the cloud. Space is shared/replicated/RAIDed across SANs thus possibly creating multiple copies of the same data under different states/keys. It's considered insecure for the same reason truecrypt is considered insecure on SSDs.

Also you can't securely shred a file in such environment.

Encrypt data, store anywhere (1)

mars-nl (2777323) | about a year ago | (#44395869)

I'm not in defense (and never will be), but wasn't (public key) encryption invented to keep something secure in an unsecure environment (i.e. the internet)? Encrypt your files with very decent encryption, such as PGP/GPG, and upload to Dropbox or whatever. Manage keys well.

Re:Encrypt data, store anywhere (3, Informative)

Andy_R (114137) | about a year ago | (#44395965)

This isn't about security, it's security theater, it's not the safety of the data that matters, it's all about the box ticking. The box that must be ticked is 'data must not leave the US'.

If you try to apply any rationale to the existence of this box, you'll end up with something like 'The data can't leave the US because as we all know there are no bad guys on US soil, foreign powers cannot buy airplane tickets, and the internet has border police that stop foreign traffic that has the evil bit set.'

SFTP (1)

gagol (583737) | about a year ago | (#44395883)

SFTP, the cloud can go **** itself.

It's there (0)

Anonymous Coward | about a year ago | (#44395943)

There are three different ways I know of to accomplish the task.

1.) You have to deploy and manage your own solution where you have a key management server on premise doing the encryption for you.
You’re not going to find a SAAS solution to this problem. What you’re looking for in a secure drop box application is to be able to control who has access to your data. If this was provided as a SAAS application the provider would then hold the encryption keys that would be used to secure your data. This then makes it so anyone in that company who has access to the key management server has access to your data, and the greater threat is government demanding the keys from the provider and gaining access to your data. If somehow the SAAS provider allowed you to use your own key management server then you would lose a lot of functionality when it comes to things like indexing, and if you did provide access again it then takes away the security of the application.

2.) The second option you have is to just encrypt the files before you upload them to the server.
You would have to do the whole shared key repository thing but it would be the cheapest method of securing your data in the cloud.

3.) The third method is to use a device that will proxy the data between your system and Dropbox, encrypting the data before it gets to the cloud using your system.
I think the company I saw do this for SkyDrive was called ciphercloud but I can’t remember. This is simpler to set up and configure than option 2 but still allows you full control over the encryption keys and often doesn’t interfere with indexing and other such activities. The downside is you would still have to manage an application, designing it for HA/DR/Usage, and you wouldn’t be able to use the standard DropBox portal/applications; you would have to use the website through the proxy.

The short answer is it is possible, I have seen all three done, but you are completely underestimating the requirements it would take to do. Also if you have export control data why are you using Dropbox in the first place? How are you controlling employees’ ability to access the data from overseas?

Maybe ShareFile would work for you? (0)

Anonymous Coward | about a year ago | (#44395959)

ShareFile (from Citrix) will let you choose where your data is stored (e.g. US only) or even have it stored on premises, while still providing sync and web access to it like other cloud storage providers.

You're delusional. (4, Insightful)

Shavano (2541114) | about a year ago | (#44395981)

There is no way to ensure that any third party company is going to protect your ITAR data, so you can't use cloud based storage. Tell your boss it's (1) a bad idea and (2) you are not going to jail to make it happen.

Re:You're delusional. (0)

Anonymous Coward | about a year ago | (#44396143)

You can use 3rd party storage, but you need to encrypt your own data client side prior to upload, and maintain the security of the keys in-house. This is pretty common for users of DropBox who are concerned about the security of their data.

In essence this means your data is stored in dropbox, encrypted by your own keys, and then encrypted by dropbox's keys. Someone could gain access to your dropbox account, or even the dropbox encryption keys, but still be unable to decrypt the data because they lack your own encryption keys.

Stronger policy (1)

mysidia (191772) | about a year ago | (#44396013)

"I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements. We are currently using DropBox and I am terrified of seeing another data leak like last year. Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.

If you want Dropbox's functionality; I suggest you use Dropbox.

However: DO NOT ALLOW ANY CONTENT REGULATED UNDER ITAR into a cloud service

Second: DO NOT ALLOW ANY CLASSIFIED MATERIALS into a cloud service

One possibility would be to implement Active Directory Rights Management Service (RMS) inside your organization. And set a policy that All sensitive documents must be composed using Microsoft Office, AND Users must encrypt all sensitive documents before saving them

If your clients are running recent versions of Windows; there are some interesting things you can do to make sure that files that get saved get encrypted. You can also use various third party scanning and Data Leak Prevention software products to help you with making sure RMS rights templates get applied to existing documents that got stored on enterprise users' workstations.

If the file is RMS protected; in theory, Dropbox doesn't matter as much, because if someone accidentally places a file there; the file was encrypted, anyhow --- it can't be decrypted, unless your RMS server says it's OKAY and issues out a license to open the document (which contains the necessary crypto keys).

You just need to be very firm about your security labelling and encryption policies for sensitive documents.

Inside the firewall Dropbox-y option (0)

Anonymous Coward | about a year ago | (#44396037)

Try Novell Filr: http://www.novell.com/products/filr/

You're already breaking the law (0)

Anonymous Coward | about a year ago | (#44396057)

Most large defense contractors will not even let you visit dropbox from the office because they are scared of unclassified (ITAR) leaks. And you're putting data there intentionally?!? Please tell me this question is from a troll.

You are almost certainly breaking Federal law by putting data onto a server that you do not control unless you can guarantee that no dropbox employee can access the data.

Amazon GovCloud (0)

Anonymous Coward | about a year ago | (#44396075)

Google is your friend: the only major cloud provider with an ITAR-compliant offering is Amazon, with GovCloud. This is available to both government agencies and contractors, but requires applying to Amazon for access. You'd need to find a front end to manage the storage/backup that will let you restrict it to use only the GovCloud S3.

The Department of State is considering revising the export rules to make clear that data encrypted to FIPS standards does not count as an export, and if they actually do change the rules, then you'll be able to use any cloud provider as long as you do the encryption at your end and control the keys. AFAIK, however, these changes are still being evaluated and may be too late to affect your choice, or never.

Citrix Sharefile Enterprise? (0)

Anonymous Coward | about a year ago | (#44396085)

With ShareFile you can host the data in-house, but the control channel is all cloud...

Contact your site/organization's Security Officer (2)

khb (266593) | about a year ago | (#44396093)

To get a ruling on whether you may do what you want. Otherwise, as others have noted, you may be in very deep waters (not only will you be in violation, but anyone in the organization using the service will be, and you will have induced them to do it. Think serious civil as well as criminal consequences).

From a technology angle, it may be "possible" if the folks in charge sign off.

"All" you need to do is encrypt the data before it goes offsite, encrypt it well enough that the data is protected commensurate with its value, etc.

For commercial users, https://jungledisk.com/ provides a very usable interface and GUI. Of course, if the client isn't trustworthy (and you have to take their word for it ;>) that goes out the window even if the algorithms are secure themselves ;>

I use it for some SOHO confidential data; it wouldn't be the end of the world if the data were disclosed, but we have committed to make good faith effort(s) to keep it secure, so we do (rather than moving files to subs via email, etc.). Not all subcontractors could handle sftp and friends.

Siteclone (0)

Anonymous Coward | about a year ago | (#44396107)

Siteclone works well with custom security needs.

Encrypt before upload? (0)

Anonymous Coward | about a year ago | (#44396115)

Many people using these services encrypt the data prior to upload, so that the storage provider does not have access to the keys. Even though Dropbox encrypts their data, they have the keys necessary to decrypt it (and thus your data is vulnerable if someone working for them or hacking them is able to obtain the key and your data). So you should use something like TrueCrypt to encrypt the data client side before uploading, so that you can ensure that you and no one else has the keys to access the data. There is still the possibility that someone at dropbox could steal your encrypted data, and then brute force the key, but with an appropriately strong key and encryption algorithm, brute forcing shouldn't be feasible.

This however may not satisfy the security requirements for ITAR data, but from a general security standpoint would be the appropriate approach when storing data or backups offsite in a facility that you do not have complete control over.

There are some products that out of the box encrypt data client side, and generate keys based on your input string, and do not transmit those keys. In other words, it's exactly what I described above, but wrapped up in an off the shelf product. The problem here is verifying this since they are closed source products.

There are some products that cater to the government and meet certain data storage requirements, such as ShareFile. But because Sharefile holds the keys to the encrypted data, they are theoretically vulnerable to scenarios where a hacker might obtain data and keys. I don't think the people creating these government security standards are as knowledgeable about security as they think. If it has certain buzzwords like "AES-256" in the product's description, it passes their standard, regardless of whether the architecture implements it appropriately.
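A pre-sync check for the encrypt-before-upload approach described in several comments above (PGP/GPG in one of them), as an added example that is not part of the thread: it lists files in a sync folder that do not open with an OpenPGP session-key packet, so they can be held back. The function names and the allowed-version table are assumptions made for this illustration.

```python
import base64
from pathlib import Path

# Assumed policy: a file may sync only if it opens with an OpenPGP
# session-key packet (RFC 4880 tag 1 = public-key, tag 3 = passphrase).
# Versions 3/4 are RFC 4880; 5 (LibrePGP) and 6 (RFC 9580) are newer.
ALLOWED = {1: {3, 6}, 3: {4, 5, 6}}
ARMOR = b"-----BEGIN PGP MESSAGE-----"


def first_packet(data: bytes):
    """Return (tag, version byte) of the first OpenPGP packet, or None."""
    if len(data) < 3 or not data[0] & 0x80:   # bit 7 is set in every header
        return None
    if data[0] & 0x40:                        # new format: tag in bits 5-0
        tag, n = data[0] & 0x3F, data[1]
        len_octets = 1 if n < 192 else 2 if n < 224 else 5 if n == 255 else 1
    else:                                     # old format: tag in bits 5-2
        tag = (data[0] >> 2) & 0x0F
        len_octets = (1, 2, 4, 0)[data[0] & 0x03]
    body = 1 + len_octets                     # offset of the version byte
    return (tag, data[body]) if len(data) > body else None


def looks_pgp_encrypted(data: bytes) -> bool:
    """True if data starts like an OpenPGP encrypted message."""
    text = data.lstrip().replace(b"\r\n", b"\n")
    if text.startswith(ARMOR):
        # Armor headers end at the first blank line; base64 data follows.
        lines = text.partition(b"\n\n")[2].split()
        if not lines:
            return False
        try:
            data = base64.b64decode(lines[0], validate=True)
        except ValueError:
            return False
    packet = first_packet(data)
    return packet is not None and packet[1] in ALLOWED.get(packet[0], ())


def files_to_block(sync_dir: Path):
    """Files under sync_dir that must not sync; unreadable files fail closed."""
    blocked = []
    for path in sorted(p for p in sync_dir.rglob("*") if p.is_file()):
        try:
            head = path.read_bytes()[:4096]
        except OSError:
            head = b""
        if not looks_pgp_encrypted(head):
            blocked.append(path)
    return blocked
```

A match only shows that the file has the structure of an OpenPGP encrypted message; it says nothing about key strength or about who holds the key.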

A dedicated server (0)

Anonymous Coward | about a year ago | (#44396121)

and SSHfs ? Yeah it's 20Mb of data at most and it can run on a 50$ arm board with lots of hard drives. Why would anyone want clouds anyway, they are just that but with no control, multiple eavesdroppers, security breaches, higher price and less performing ?

I'm no system administrator, but... (1)

natetk (2985955) | about a year ago | (#44396123)

If you need to access your data remotely and securely, why not just use sftp or ftps to log in to your in-house server? That way you can keep logs on the users that connect, set up who can access what, and have the traffic encrypted. I don't know why everyone is so hooked on "the cloud".

Www.sharefile.com (1)

tanawts (786512) | about a year ago | (#44396141)

You should look into sharefile. It is a secure alternative to drop box. You can also optionally host an on prem appliance while still utilizing their cloud based access and front end.

In other news, wikileaks announces cloud storage.. (0)

Anonymous Coward | about a year ago | (#44396173)

... but you have to pay in cash for the service.

Tarsnap (0)

Anonymous Coward | about a year ago | (#44396183)

This might work for you: https://www.tarsnap.com/

Jesus Tapdancing Christ, MrClappy (0)

Anonymous Coward | about a year ago | (#44396193)

You claim you need to manage highly sensitive and classified data, yet you can't put together a storage solution yourself? You're the wrong person for the job. No wonder Facebook and Microsoft et al can justify more H1Bs, they just use people such as MrClappy as examples of the poor talent in the U.S.

I Call BS (0)

Anonymous Coward | about a year ago | (#44396203)

There are strict rules and regulations that govern the storage and transmission of classified data. If you are trying to secure classified data on dropbox, you go to jail. Do not pass go. Do not collect $100.

What you are asking for does not exist. You are not even permitted to encrypt classified data and store on an unapproved device/service. You are swimming in very, very dangerous waters my friend.

Take a look at Milyli's Arc (0)

Anonymous Coward | about a year ago | (#44396237)

http://milyli.com/arc/Pages/ARC-Overview.aspx

It's not a cloud solution, you host it yourself. But given your concerns about security and compliance that's what you should be doing anyway. Arc is intended to provide secure and auditable self-hosted document sharing, for industries that can't risk an outside cloud service, from servers, workstations, and CMSes like Sharepoint, to authorized users via web and mobile clients.
