Block employee access to public cloud


Solution 1

You basically have three options here.

1. Disconnect your office/users from the internet

  • If they can't get to "the public cloud," they can't upload anything to it.

2. Compile a blacklist of specific services you're worried about users accessing.

  • This is going to be absolutely massive if it's meant to be even remotely effective.
    • Tech-savvy users will always be able to find a way around it - I can connect to my computer from anywhere in the world with an internet connection, so... good luck blocking me, for example.

3. Do something more reasonable/recognize the limits of technology.

  • This isn't your idea, but generally, if you provide management with the pitfalls and expense of implementing a solution like this, they'll be more open to better approaches.

    • Sometimes this is a compliance thing, or "just for appearances," and they're happy with just blocking the most popular services.
    • Sometimes they genuinely don't understand how insane their request is, and need you to tell them in terms they can understand.
      • Had a client once, when I was working for a computer security vendor, who wanted us to provide a way to stop employees from leaking confidential information with our AV agent. I whipped out my smartphone, took a picture of my screen, and asked him how he could possibly prevent that, or even prevent someone from writing the information down on a piece of paper.
      • Use the news and recent events in your explanation - if the Army couldn't stop Manning, and the NSA couldn't stop Snowden, what makes you think we can do it, and how much money do you think even trying will cost?

Solution 2

There is no way to block it completely, of course, unless the corporate network were to be disconnected from the Internet.

If you really want something that should work most of the time while being mostly transparent, you'll need to deep-sniff packets. Set up a man-in-the-middle SSL/TLS proxy, as well as one for unencrypted communication, and block all traffic that doesn't go through one of these.

  • Block HTTP PUT requests
  • Block all HTTP POST requests where the content-type is not application/x-www-form-urlencoded or multipart/form-data
  • For HTTP POST requests of type multipart/form-data, strip out fields with a content-disposition of "file" (but let other fields through).
  • Block FTP, BitTorrent, and SMTP traffic
  • Block all traffic to the major Webmail services, and to the major public file storage sites.

As you can see, this is a massive and painful undertaking. It's also far from invulnerable: I'm thinking of several workarounds even as I write this, some of which can't be handled without fundamentally breaking your users' Web connections, and there will probably be comments showing many more that I didn't think of. But it should let most traffic through, while filtering out the easiest ways to eliminate file uploading.

The bottom line is that this is more trouble than it is worth.

The best answer would be to enter into a kind of negotiation with your bosses: find out what they really want (likely either protection of trade secrets or liability prevention), and point out why these unworkable technological measures will not get them what they want. Then you can work out solutions to their problems that do not involve unworkable technological measures.

Don't worry about ideology in these discussions: all you have to do is focus on what will work and what will not. You'll find all the arguments you need there, and while this will no doubt frustrate both you and your bosses, it avoids passing value judgments against them (which might be deserved, but will only cause talks to break down, and that is Bad).
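As an added example that is not the answer's own code, here is a small Python model of the proxy rules listed above: a raw request is parsed, PUT and non-form POSTs are rejected, and file parts are stripped from multipart bodies while ordinary text fields pass through. The request bytes and hostname are constructed; file parts are recognized by a filename parameter in their Content-Disposition, which is how browsers mark them.

```python
"""Proxy-side upload policy from the answer above (added example): block PUT,
allow POST only for form-urlencoded or multipart bodies, and strip file parts
out of multipart bodies while leaving ordinary fields intact."""
import re

ALLOWED_POST_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def strip_file_parts(body: bytes, boundary: str) -> bytes:
    """Drop every part whose Content-Disposition carries a filename parameter
    (the answer's "file" parts) and re-emit the remaining parts unchanged."""
    delim = b"--" + boundary.encode("ascii")
    parts = body.split(delim)[1:-1]          # skip preamble and closing "--"
    kept = [p for p in parts
            if not re.search(rb"filename\s*=", p.partition(b"\r\n\r\n")[0], re.I)]
    return delim + delim.join(kept + [b"--\r\n"])


def apply_policy(raw: bytes):
    """Return ("block", reason) or ("allow", request bytes to forward)."""
    method, headers, body = parse_request(raw)
    if method == "PUT":
        return "block", "PUT request"
    if method != "POST":
        return "allow", raw                  # GET and friends pass untouched
    ctype = headers.get("content-type", "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_POST_TYPES:
        return "block", "POST with content-type " + (media_type or "(none)")
    if media_type != "multipart/form-data":
        return "allow", raw
    m = re.search(r'boundary="?([^";]+)"?', ctype, re.I)
    if not m:
        return "block", "multipart body without a boundary"
    body = strip_file_parts(body, m.group(1))
    head = raw.partition(b"\r\n\r\n")[0]
    # The body shrank, so the forwarded Content-Length must be recomputed.
    head = re.sub(rb"(?im)^content-length:[^\r\n]*",
                  b"Content-Length: %d" % len(body), head)
    return "allow", head + b"\r\n\r\n" + body


# Constructed sample request: one text field plus one file field.
UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: uploads.example.net\r\n"
          b"Content-Type: multipart/form-data; boundary=XyZ\r\nContent-Length: 0\r\n\r\n"
          b"--XyZ\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\nhello\r\n"
          b"--XyZ\r\nContent-Disposition: form-data; name=\"doc\"; filename=\"q3.xlsx\"\r\n"
          b"Content-Type: application/octet-stream\r\n\r\nBINARY\r\n--XyZ--\r\n")
```

Running `apply_policy(UPLOAD)` returns an allowed request whose body keeps the comment field and no longer contains the spreadsheet part.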

Solution 3

What HopelessN00b said. I just wanted to add that:

I have a friend with a job at a government agency where she isn't allowed to bring a cellphone with a camera to the office. She usually phrases that as, "I'm not allowed to own a cellphone with a camera," because, well. If she can't take her cell with her, why own one? She has trouble finding cellphones that don't have cameras.

I've worked for other high-security-type places that would "solve" this problem via administrative fascism:

  • An official policy that accessing your personal email from your workstation is a firing offense.
  • An official policy that accessing a cloud service from your workstation is a firing offense.
  • An official policy that plugging a thumb drive, iPod, or cell phone into a workstation is a firing offense.
  • An official policy that accessing social media from your workstation is a firing offense.
  • An official policy that installing unauthorized software on your workstation is a firing offense.
  • An official policy that accessing your personal online banking from your workstation is a firing offense.
  • An epic corporate firewall/proxy that has many/most of those sites blocked. Any attempt to access facebook.com, for example, prompts a screenful of "This site blocked by ETRM." They occasionally blocked things like Stack Overflow as "hacking" as well.
  • Some "offenses" merit an email sent to your entire team stating that you accessed an unauthorized site (as opposed to firing... this time). ("Katherine Villyard accessed http://icanhas.cheezburger.com/ at 3:21pm!")
  • Forcing all new hires to take "security policy" class explaining these rules, and forcing people to take regular refresher courses on these rules. And then take and pass a quiz on them.

Places that rely on Administrative Fascism generally only make cursory attempts to back up these rules via technical means, in my experience. For example, they say they'll fire you if you plug in a thumb drive, but they don't disable USB. They block Facebook via http but not via https. And, as HopelessN00b pointed out, savvy users know and mock this.

Solution 4

Actually, there is a simple solution provided you don't also expect your internal network to be exposed to the Internet at the same time.

Your PCs simply need to be completely blocked from accessing the Internet. All USB ports blocked, etc.

To get on the Internet, people then need to either use a different computer - connected to a different network - or connect via RDP to a Terminal Server which has Internet access. You disable the clipboard over RDP and allow no Windows shares. That way, users can't copy files onto the Internet Terminal Servers and thus can't send files out.

That leaves email... that is your biggest loophole in this if you allow email on the internal PCs.

Solution 5

You know that old joke that, if you and a halfling are chased by an angry dragon, you don't have to run quicker than the dragon, you only have to be quicker than the halfling? Assuming non-malicious users*, you don't have to restrict their access to the public cloud, it is enough to make the usability of the public cloud lower than the usability of whatever enterprisey solution you have for non-desk-bound data access. Properly implemented, this will reduce the risk of non-malicious leaks sharply, and is doable with a fraction of the cost.

In most cases, a simple blacklist should suffice. Put Google Drive, Dropbox and the Apple cloud on it. Also block traffic to Amazon AWS - most of these hot startups who build yet another cloud service don't build their own data center. You just reduced the number of employees who know how to get into the public cloud from 90% to 15% (very rough numbers, will differ by industry). Use a suitable error message to explain why public clouds are forbidden, which will reduce their impression of wanton censorship (sadly, there will always be users not willing to understand).

The remaining 15% can still reach providers not on the blacklist, but they probably won't bother to do it. Google Drive and co. are subject to strong positive network effects (the economic kind, not the technical kind). Everybody uses the same 2-3 services, so they get built in everywhere. Users build convenient, streamlined workflows which include these services. If the alternative cloud provider cannot be integrated into such a workflow, the users have no incentive to use it. And I hope that you have a corporate solution for the most basic usage of a cloud such as storing files in a central place, reachable from a physical location outside of the campus (with VPN if security is needed).

Add to this solution a good deal of measurement and analytics. (This is always needed where users are concerned.) Take samples of traffic, especially if exhibiting suspicious patterns (upstream traffic in bursts large enough to be upload of documents, directed at the same domain). Have a human look at the identified suspicious domains, and if you find that it is a cloud provider, find out why users are using it, talk with management about providing an alternative with equal usability, educate the offending user about the alternative. It would be great if your corporate culture allows you to gently re-educate caught users without implementing disciplinary measures the first few times - then they will not be trying to hide from you especially hard, and you will be able to easily catch deviations and deal with the situation in a way which reduces the security risk but still allows the user to do his job efficiently.

A reasonable manager** will understand that this blacklist will lead to productivity losses. The users had a reason to use the public cloud - they are incentivized to be productive, and the convenient workflow increased their productivity (including the amount of unpaid overtime they are willing to do). It is a manager's job to evaluate the trade-off between productivity loss and security risks and tell you if they are willing to leave the situation as-is, to implement the blacklist, or to go for secret-service-worthy measures (which are severely inconvenient and still don't provide 100% security).


[*] I know that people whose job is security think of criminal intent first. And indeed, a determined criminal is much harder to stop and can inflict much worse damage than a non-malicious user. But in reality, there are few organisations which get infiltrated. Most security problems are related to the goofiness of well-meaning users who don't realize the consequences of their actions. And because there are so many of them, the threat they pose should be taken as seriously as the more dangerous, but much rarer, spy.

[**] I am aware that, if your bosses already made that demand, chances are that they are not the reasonable type. If they are reasonable but just misguided, that's great. If they are unreasonable and stubborn, this is unfortunate, but you must find a way to negotiate with them. Offering such a partial solution, even if you can't get them to accept it, can be a good strategic move - properly presented, it shows them that you are "on their side", take their concerns seriously, and are prepared to search for alternatives to technically infeasible requirements.
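The sampling-and-review step above, as an added example that is not the answer's own code: it sums upstream bytes per client and destination over one-minute windows from constructed proxy log lines, skips hosts on a hypothetical sanctioned list, and hands anything that looks like a document upload to a human reviewer.

```python
"""Upload-burst triage for the measurement step in the answer above (added
example). Input is a constructed proxy log; output is a per-(client, host)
finding plus a per-host review queue for a human to look at."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, client, method, host, bytes sent upstream.
PROXY_LOG = """\
2024-03-04T09:00:01 10.1.2.3 GET intranet.corp.example 412
2024-03-04T09:00:05 10.1.2.3 POST uploads.example.net 1048576
2024-03-04T09:00:09 10.1.2.3 POST uploads.example.net 2097152
2024-03-04T09:00:12 10.1.2.3 POST uploads.example.net 1572864
2024-03-04T09:01:00 10.1.2.9 POST vault.corp.example 3145728
2024-03-04T09:02:30 10.1.2.7 POST login.example.com 1200
2024-03-04T13:15:00 10.1.2.3 POST uploads.example.net 524288
"""

SANCTIONED = {"intranet.corp.example", "vault.corp.example"}  # hypothetical
WINDOW = timedelta(seconds=60)
BURST_BYTES = 1 << 20  # 1 MiB upstream inside one window looks like a document


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, method, host, sent = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(sent)))
    return events


def find_upload_bursts(events):
    """Sliding-window sum of upstream bytes per (client, host); each pair is
    reported once with its largest burst. Sanctioned hosts are skipped."""
    per_pair = defaultdict(list)
    for ts, client, method, host, sent in events:
        if method in ("POST", "PUT") and host not in SANCTIONED:
            per_pair[(client, host)].append((ts, sent))
    findings = {}
    for pair, hits in per_pair.items():
        hits.sort()
        start, total = 0, 0
        for ts, sent in hits:
            total += sent
            while ts - hits[start][0] > WINDOW:   # slide the window forward
                total -= hits[start][1]
                start += 1
            if total >= BURST_BYTES and total > findings.get(pair, (0,))[0]:
                findings[pair] = (total, hits[start][0])
    return {pair: {"bytes": total, "window_start": begin.isoformat()}
            for pair, (total, begin) in findings.items()}


def review_queue(findings):
    """Hosts for a human to classify, with the clients that burst to them."""
    queue = defaultdict(set)
    for client, host in findings:
        queue[host].add(client)
    return {host: sorted(clients) for host, clients in queue.items()}


if __name__ == "__main__":
    for host, clients in review_queue(find_upload_bursts(parse_log(PROXY_LOG))).items():
        print(host, clients)
```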

Author by marsze

Updated on September 18, 2022

Comments

  • marsze
    marsze almost 2 years

    First of all, let me state that this is not my idea and I don't want to discuss whether such an action is reasonable.

    However, for a company, is there a way to prevent employees from accessing public cloud services? In particular, they should not be able to upload files to any place on the web.

    Blocking HTTPS might be a first, simple, but very radical solution. Using a blacklist of IP addresses wouldn't suffice either. Probably, some kind of software is needed to filter the traffic on a content level. A proxy might be helpful, to be able to filter HTTPS traffic.

    These are my thoughts so far. What do you think? Any ideas?

    • Reeno
      Reeno over 10 years
      One of our clients (we do other stuff for them) tunnels all traffic through a proxy which gets observed by bluecoat.com. A lot of sites (file storage, gaming, hacking, media...) are blocked. I really hate it...
    • MadHatter
      MadHatter over 10 years
      I understand why you say that you don't want to discuss this, but that skates over one of the biggest parts of a good sysadmin's job description: speaking truth unto power. Sometimes, an idea is prima facie stupid; other times, it's not a bad idea, but it's a social / business idea, and not best suited to a technical solution. In both cases, the only correct thing for a sysadmin to do is to turn around and say "no".
    • marsze
      marsze over 10 years
      @MadHatter Still, apart from this initial intuition we share, I attempt to at least present what would be technically possible. Apart from that, I agree.
    • user9517
      user9517 over 10 years
      Isn't this what management and Acceptable Use Policies are for ?
    • njzk2
      njzk2 over 10 years
      possible: their computers are never ever connected to the internet, they are not allowed any camera (cellphone included, obviously) or recording device (such as a pen) in the office, office that has no window that you could open or see through. Also, your users need to be fully body-searched and memory-erased each time they leave the office, otherwise they may memorize something and put it on the internet later!
    • MrGigu
      MrGigu over 10 years
      If you want to block uploads via HTTP, you should be able to use layer-7 inspection to block any requests with an encoding of multipart/form-data. But that will also block forms that use that header that aren't uploading files.
    • Bob
      Bob over 10 years
      @MarkHenderson If I really wanted, I could have a webserver accept "uploads" via an encoded GET string, et al. It's simply not possible without blocking internet access entirely (or an extremely strict whitelist, I suppose).
    • MrGigu
      MrGigu over 10 years
      @Bob - well, sure, you could I guess. I've actually tried that, it kinda sucks. 2048 bytes is all you can usually get out via a GET request, or in the case of one network I work with, GET is limited to 512 bytes. I hate it.
    • Jens Timmerman
      Jens Timmerman over 10 years
      @MarkHenderson But with some nifty javascript you could easily upload huge files with get requests, and encrypt them in the browser first, I'm sure mega.co.nz can easily offer such an option...
  • TomTom
    TomTom over 10 years
    Good answer. The request really can not be dealt with outside of 2.a, actually - using a WHITELIST. And then hiring people to manage it ;) Because man, it will be a lot of work. Possibly less than a blacklist though. And still achieve nothing (nice idea with the smartphone). Surreal request.
  • HopelessN00b
    HopelessN00b over 10 years
    @TomTom Yeah, I thought about the whitelist, but everywhere I've ever seen, the whitelist of the parts of the internet they want to access is vastly larger than the blacklist of the services they are irrationally afraid of/don't want employees accessing.
  • TomTom
    TomTom over 10 years
    I think it depends. For example at my company the whitelist would just be maybe 300 items. Required for business. A blacklist will start handling everything. On top, the whitelist you win (always valid, starts with 0 entries) - the blacklist you don't even know where to start. But generally, those are futile attempts.
  • HopelessN00b
    HopelessN00b over 10 years
    There are actually technical solutions you can rely on to disable USB devices (every AV agent I've seen in years can do this fairly effectively), or block access to [some] well-defined categories of websites. The problem for the OP is that "public cloud"/"places users can upload data" isn't a well defined category (and won't be anytime soon), so he can't even suggest a webfilter as a solution to the problem... he's gonna have to make a custom blacklist or convince management to see reason.
  • Katherine Villyard
    Katherine Villyard over 10 years
    I know, and I agree. I certainly didn't present that list to endorse it as a course of action. :)
  • TomTom
    TomTom over 10 years
    Technically the public cloud includes every hoster as it is trivial to rent a website and put a file upload thing there. Ouch. Non-solvable problem.
  • TomTom
    TomTom over 10 years
    Sounds snippy, but sadly that is the truth. Pretty much the only way to solve this.
  • marsze
    marsze over 10 years
    We have this solution (Internet and email via terminal server only) already in place for parts of our company. However, for the software developers, having no Internet access at all would obviously be really troublesome...
  • ETL
    ETL over 10 years
    @marsze - I have seen it solved with a whitelist proxy where the few things the programmers need directly on their box (like Maven repo) are allowed through proxy.
  • marsze
    marsze over 10 years
    +1 for giving some useful implementation suggestions and also for presenting a view on this issue from a wider perspective!
  • Brian S
    Brian S over 10 years
    For many years, employees at my father's workplace were not permitted to carry phones with a camera in the office. Eventually, the company transitioned to a policy of allowing company phones (BlackBerrys at the time, iPhones now), but not personal phones.
  • njzk2
    njzk2 over 10 years
    That leaves a pen and a paper, or simply memory.
  • Matt
    Matt over 10 years
    #1. Doesn't have to be that drastic. Network segregation is a valid solution where public access points don't have to run from your internal or secure corporate network. If you provide a simple, audited interface to shift data between the two you get a better idea of what data does need to come and go.
  • Steve Bennett
    Steve Bennett over 10 years
    IMHO, blocking the 10 most obvious sites would probably achieve 95% of what management is after. No one cares about the few nerds that will tunnel around the block.
  • HopelessN00b
    HopelessN00b over 10 years
    @SteveBennett While this is probably true, it's not safe to assume that management doesn't care about the 5% and/or people who can and will circumvent the system. If the technical resources don't let management know about the system's limitations, it'll be the technical resources whose heads roll when someone uploads all the company's IP to BitTorrent (or whatever incident brings this issue back into management's attention).
  • HopelessN00b
    HopelessN00b over 10 years
    @marsze I worked at a company with separated networks that did this by giving the developers two machines. One beefy one for doing development work, connected to the internal-access-only network, and another one (thin client, or old clunker box) that was connected to a network that had internet access. An effective, if simplistic and more expensive solution.
  • Pekka
    Pekka almost 9 years
    Many smart phones utilise a modular camera that can be removed with a little effort. It is not something that you would like to do repeatedly as it may require strange tooling to be safe, but it would permit use of a contemporary, useful, handset in a restricted area.