Corsa Sport » Message Board » Off Day » Geek Day » IT Security People


James
Member

Registered: 1st Jun 02
Location: Surrey
29th Aug 12 at 13:59

Posting on behalf of a family friend that is thinking about starting up a business. Without giving away too much about what the business does, it will involve clients uploading documents securely via a website, then employees of the business need to be able to access these documents, make some changes and then upload them back to the website for the client to be able to download again.

Initially it's only going to be my family friend involved. The business model is such that if the workload was to increase, she would bring on home-based people to help with the workload.

The main issue with this is that the USP of her business is document security. Anyone working for her will be CRB checked and the whole upload/download process of the website will be done using HTTPS. The obvious issue is that expanding out to home-based people makes it difficult to control what they do with the documents. Without supplying everyone a laptop that is completely locked down (i.e. USB sockets and CD drives disabled etc), can anyone think of a way of controlling how they access these documents?

I was thinking about some kind of remote logon situation, where they log on to a remote PC from their home PC, then access the documents like that.

Any thoughts?
VrsTurbo
Premium Member

Registered: 8th Jun 10
29th Aug 12 at 14:03

Could do it via Terminal Server but it still won't stop people print-screening the objects.

The website will need to be built well too!
James
Member

Registered: 1st Jun 02
Location: Surrey
29th Aug 12 at 14:03

I've been tasked with building the website
VrsTurbo
Premium Member

Registered: 8th Jun 10
29th Aug 12 at 14:04

quote:
Originally posted by James
I've been tasked with building the website


ASP with SQL backend?
James
Member

Registered: 1st Jun 02
Location: Surrey
29th Aug 12 at 14:05

Good guess.
VrsTurbo
Premium Member

Registered: 8th Jun 10
29th Aug 12 at 14:07

Could you not embed a document viewer/editor into the ASP page?
James
Member

Registered: 1st Jun 02
Location: Surrey
29th Aug 12 at 14:10

Possibly, but ideally they need to be able to use a full copy of MS Word to work on the documents....
Sam
Moderator
Premium Member


Registered: 24th Dec 99
Location: West Midlands
29th Aug 12 at 14:11

I'm not so sure your friend could make this work without spending shitloads of money to make it all "secure".

Although not Fort Knox style secure, there are similar and free/cheap solutions to this anyway - DropBox being a prime example.

Unless your friend could assure her clients that your web servers are housed in a secure location, not shared with other companies or servers, has dedicated security staff and other staff have security clearance etc. (and of course a completely hack-proof site) then I'm not sure how successful this could be.

Sorry to piss on your bonfire and all that, but these are the sort of questions that are likely to come up I'd have thought.
VrsTurbo
Premium Member

Registered: 8th Jun 10
29th Aug 12 at 14:12

You could get ASP to read all the contents of the page and embed them into it and do the editing like that.

Security aspect: it will need to be a TS or something along those lines, which means it's not cheap. There may be Linux OS stuff that's free if you can find a suitable host for it.
James
Member

Registered: 1st Jun 02
Location: Surrey
29th Aug 12 at 14:14

Yeh I was starting to realise that when I was talking to her about it earlier today. I feared that controlling remote staff was only the tip of the iceberg.

EDIT: That was in response to Sam.

[Edited on 29-08-2012 by James]
ed
Member

Registered: 10th Sep 03
29th Aug 12 at 15:14

Flash and Silverlight have pretty strong DRM systems which you could use to prevent users having proper access to the data. There's always a way around this sort of thing though so it depends on how much they're willing to spend.

[Edited on 29-08-2012 by ed]
Dom
Member

Registered: 13th Sep 03
29th Aug 12 at 15:18

As Vrs pointed out, as long as they're able to view it then they can grab the data. So it'd be a little pointless pumping money into RD/TS when the bottom line is that it'll offer little to no extra protection over giving the 'home-based people' the physical file.
If she's wanting restricted access to the data, then the only solution is to put the staff in a restricted environment. But then that blows the idea of using home-workers out the water.

You're also going to need to make sure your application meets the various compliances and laws (DPA etc.) and you'll notice there are quite a few 'grey' areas depending on how sensitive the data is.
And unfortunately nothing is hack-proof, so be prepared if the data is ever to be lifted from your server.


Edit - Is it not possible to restrict the 'home-based people' to only view and edit the data needed? Obviously it depends on what gets edited in the document and it's a complete fool-proof solution but at least that way they aren't given the whole document.

[Edited on 29-08-2012 by Dom]
Dom
Member

Registered: 13th Sep 03
29th Aug 12 at 15:24

quote:
Originally posted by ed
Flash and Silverlight have pretty strong DRM systems which you could use to prevent users having proper access to the data. There's always a way around this sort of thing though so it depends on how much they're willing to spend.


Again the remote workers will be able to use their own systems and the ability to print-screen, as Vrs mentioned, nullifies anything like that.

To be honest, if the data is really that sensitive and valuable then I would really knock on the head using remote workers, as it's just nigh impossible to govern.

[Edited on 29-08-2012 by Dom]
Aaron
Member

Registered: 9th Aug 04
Location: Cottingham, East Riding
29th Aug 12 at 15:53

Would turning it off and on again help? If not... I'm out.
James
Member

Registered: 1st Jun 02
Location: Surrey
29th Aug 12 at 15:55

It looks like she will need to do some research around the varying levels of document security and what the expected standards are for each level. Anyone know where this can be found out?
Rob_Quads
Member

Registered: 29th Mar 01
Location: southampton
29th Aug 12 at 20:33

There is no way you can secure the documents without having some sort of secure facility whereby people are checked in and out, monitored during all hours to make sure they don't use any photographic equipment while they are working on your systems etc. Then it's down to what they can remember.

As long as they can see the document they can take a photo of it if they are remote.
willay
Moderator
Organiser: South East, National Events
Premium Member


Registered: 10th Nov 02
Location: Roydon, Essex
30th Aug 12 at 13:31

sounds gay
willay
Moderator
Organiser: South East, National Events
Premium Member


Registered: 10th Nov 02
Location: Roydon, Essex
30th Aug 12 at 13:33

tbh I think the USP is ultimately flawed, yeah they are CRB checked but at the end of the day they could still be a right bunch of stealing cunts. If I was the client I'd want to make sure all my docs were being edited in an airtight room with retina scanners and security dogs running up and down the corridors shitting everywhere, not a bunch of security checked people working from home in India.
Gaz
Member

Registered: 24th Aug 03
Location: Widnes, Cheshire
31st Aug 12 at 06:49

We use Citrix through a web portal which security have locked down so that anything launched through there cannot "see" a "desktop" and the user receives a restrictions error.

However there are ways around this and any solution really due to the horrible function of Print Screen.
Steve
Premium Member

Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
31st Aug 12 at 07:06

quote:
Originally posted by willay
tbh I think the USP is ultimately flawed, yeah they are CRB checked but at the end of the day they could still be a right bunch of stealing cunts. If I was the client I'd want to make sure all my docs were being edited in an airtight room with retina scanners and security dogs running up and down the corridors shitting everywhere, not a bunch of security checked people working from home in India.
Chris
Premium Member

Registered: 21st Sep 99
31st Aug 12 at 15:19

Encrypt the files then upload over SSL. Secure web storage isn't really a USP, loads of places do it.

[Edited on 31-08-2012 by Chris]
Dom
Member

Registered: 13th Sep 03
31st Aug 12 at 15:27

quote:
Originally posted by Chris
MD5 hash the files then upload over SSL, Secure web storage isnt really USP loads of places do it.


Do you mean encrypt?

And read the OP, as this isn't a simple storage site.
Chris
Premium Member

Registered: 21st Sep 99
31st Aug 12 at 15:33

Is that better?
Dom
Member

Registered: 13th Sep 03
31st Aug 12 at 15:54

quote:
Originally posted by Chris
Is that better


Yup

Could do it against certificates and issue the certs to whoever needs them. But there's still the huge issue of restricting access to remote workers.


James - DPA will be the obvious but data like CRB (certificates/numbers) carry their own strict data control guidelines. You then have things like PCI compliance that you'd need to look into.
James
Member

Registered: 1st Jun 02
Location: Surrey
31st Aug 12 at 16:10

It's not a storage site, in fact it's nothing to do with storage.

I can't be bothered to not tell anyone, it's not the sort of idea that will get stolen because not just anyone can do it.

The business idea is just document transcription. Apparently a lot of places (courts, prison, police etc.) can only have documents transcribed by CRB checked people. The person that's doing it is already CRB checked and will be doing the transcription from home. My idea to expand the business was to build a secure website where clients could upload audio files, the typist could transcribe them and then upload the finished document.

It sounds like making it secure is going to be more hassle than it's worth, so I might just recommend she just does it for herself.

[Edited on 31-08-2012 by James]
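Dom's suggestion of restricting the home workers to only the data they need, together with James's description of the work as one audio file per job, points at the one control the server side can actually enforce once you accept that a viewer can always screen-grab: a grant that names exactly one job and one worker, expires, and leaves an audit record on every fetch and upload. The example below is added here and is not code from the thread or from any site the posters describe; the job store, the HMAC-signed token format and the function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example of per-job, per-worker access grants for a transcription
# site. The names and token format are assumptions, not the thread's own design.
SERVER_KEY = secrets.token_bytes(32)  # held only on the server, never on a worker's PC

class JobStore:
    def __init__(self):
        self.jobs = {}   # job_id -> {"audio": bytes, "transcript": bytes or None}
        self.audit = []  # append-only log: one record per access attempt, allowed or not

def issue_grant(job_id, worker, ttl_seconds, now):
    """Mint a signed token naming exactly one job, one worker and an expiry time."""
    body = json.dumps({"exp": now + ttl_seconds, "job": job_id, "worker": worker}, sort_keys=True)
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def check_grant(token, job_id, worker, now):
    """True only if the signature is intact and the claims match this exact request."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # edited or forged token
    claims = json.loads(body)
    return claims["job"] == job_id and claims["worker"] == worker and now < claims["exp"]

def _record(store, worker, job_id, action, ok, now):
    store.audit.append({"t": now, "worker": worker, "job": job_id, "action": action, "ok": ok})

def fetch_audio(store, token, job_id, worker, now):
    """Return the audio for one job, or None; the attempt is logged either way."""
    ok = check_grant(token, job_id, worker, now) and job_id in store.jobs
    _record(store, worker, job_id, "fetch_audio", ok, now)
    return store.jobs[job_id]["audio"] if ok else None

def upload_transcript(store, token, job_id, worker, data, now):
    """Accept a finished transcript only under a grant for that same job and worker."""
    ok = check_grant(token, job_id, worker, now) and job_id in store.jobs
    _record(store, worker, job_id, "upload_transcript", ok, now)
    if ok:
        store.jobs[job_id]["transcript"] = data
    return ok
```

The audit list is what lets the business answer a client's "who touched my file and when", which is the part of the USP a server can actually back up; it does nothing about a photo of the screen, as the thread already concludes.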
