corsasport.co.uk
 

Corsa Sport » Message Board » Off Day » Geek Day » IT Security People


New Topic

New Poll
  <<  1    2  >> Subscribe | Add to Favourites

You are not logged in and may not post or reply to messages. Please log in or create a new account or mail us about fixing an existing one - register@corsasport.co.uk

There are also many more features available when you are logged in such as private messages, buddy list, location services, post search and more.


Author IT Security People
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
29th Aug 12 at 13:59   View User's Profile U2U Member Reply With Quote

Posting on behalf of a family friend that is thinking about starting up a business. Without giving away too much about what the business does, it will involve clients uploading documents securely via a website, then employees of the business need to be able to access these documents, make some changes and then upload them back to the website for the client to be able to download again.

Initially it's only going to be my family friend involved. The business model is such that if the workload was to increase, she would bring on home-based people to help with the workload.

The main issue with this is that the USP of her business is document security. Anyone working for her will be CRB checked and the whole upload/download process of the website will be done using HTTPS. The obvious issue is that expanding out to home-based people makes it difficult to control what they do with the documents. Without supplying everyone a laptop that is completely locked down (i.e. USB sockets and CD drives disabled etc), can anyone think of a way of controlling how they access these documents?

I was thinking about some kind of remote logon situation, where they log on to a remote PC from their home PC, then access the documents like that.

Any thoughts?
VrsTurbo
Premium Member

Registered: 8th Jun 10
User status: Offline
29th Aug 12 at 14:03   View Garage View User's Profile U2U Member Reply With Quote

Could do it via terminal Server but it still wont stop people print screening the objects.

The website will need to be built well too!
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
29th Aug 12 at 14:03   View User's Profile U2U Member Reply With Quote

I've been tasked with building the website
VrsTurbo
Premium Member

Registered: 8th Jun 10
User status: Offline
29th Aug 12 at 14:04   View Garage View User's Profile U2U Member Reply With Quote

quote:
Originally posted by James
I've been tasked with building the website


ASP with SQL backend?
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
29th Aug 12 at 14:05   View User's Profile U2U Member Reply With Quote

Good guess.
VrsTurbo
Premium Member

Registered: 8th Jun 10
User status: Offline
29th Aug 12 at 14:07   View Garage View User's Profile U2U Member Reply With Quote

Could you not embed a document viewer/editor into the asp page?
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
29th Aug 12 at 14:10   View User's Profile U2U Member Reply With Quote

Possibly, but ideally they need to be able to use a full copy of MS Word to work on the documents....
Sam
Moderator
Premium Member


Registered: 24th Dec 99
Location: West Midlands
User status: Offline
29th Aug 12 at 14:11   View User's Profile U2U Member Reply With Quote

I'm not so sure your friend could make this work without spending shitloads of money to make it all "secure".

Although not Fort Knox style secure, there are similar and free/cheap solutions to this anyway - DropBox being a prime example.

Unless your friend could assure her clients that your web servers are housed in a secure location, not shared with other companies or servers, has dedicated security staff and other staff have security clearance etc. (and of course a completely hack-proof site) then I'm not sure how successful this could be.

Sorry to piss on your bonfire and all that, but these are the sort of questions that are likely to come up I'd have thought.
VrsTurbo
Premium Member

Registered: 8th Jun 10
User status: Offline
29th Aug 12 at 14:12   View Garage View User's Profile U2U Member Reply With Quote

You could get asp to read all the contents of the page and embed them into it and do the editing like that.

Security aspect it will need to be a TS or something along those lines which means its not cheap. There maybe linux os stuff thats free if you can find a suitable host for it.
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
29th Aug 12 at 14:14   View User's Profile U2U Member Reply With Quote

Yeh I was starting to realise that when I was talking to her about it earlier today. I feared that controlling remote staff was only the tip of the iceberg.

EDIT: That was in response to Sam.

[Edited on 29-08-2012 by James]
ed
Member

Registered: 10th Sep 03
User status: Offline
29th Aug 12 at 15:14   View User's Profile U2U Member Reply With Quote

Flash and Silverlight have pretty strong DRM systems which you could use to prevent users having proper access to the data. There's always a way around this sort of thing though so it depends on how much they're willing to spend.

[Edited on 29-08-2012 by ed]
Dom
Member

Registered: 13th Sep 03
User status: Offline
29th Aug 12 at 15:18   View User's Profile U2U Member Reply With Quote

As Vrs pointed out, as long as they're able to view it then they can grab the data. So it'd be a little pointless pumping money into RD/TS when the bottom line is that it'll offer little to no extra protection over giving the 'home-based people' the physical file.
If she's wanting restricted access to the data, then the only solution is to put the staff in a restricted environment. But then that blows the idea of using home-workers out the water.

You're also going to need to make sure you application meets the various compliances and laws (DPA etc) and you'll notice there are quite a few 'grey' areas depending on how sensitive the data is.
And unfortunately nothing is hack-proof, so be prepared if the data is to ever to be lifted from your server.


Edit - Is it not possible to restrict the 'home-based people' to only view and edit the data needed? Obviously it depends on what gets edited in the document and it's a complete fool-proof solution but at least that way they aren't given the whole document.

[Edited on 29-08-2012 by Dom]
Dom
Member

Registered: 13th Sep 03
User status: Offline
29th Aug 12 at 15:24   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by ed
Flash and Silverlight have pretty strong DRM systems which you could use to prevent users having proper access to the data. There's always a way around this sort of thing though so it depends on how much they're willing to spend.


Again the remote workers will be able to use their own systems and the ability to print-screen, as Vrs mentioned, nullifies anything like that.

To be honest if the data is really that sensitive and valuable then i would really knock on the head using remote workers as it's just nie impossible to govern.

[Edited on 29-08-2012 by Dom]
Aaron
Member

Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
29th Aug 12 at 15:53   View User's Profile U2U Member Reply With Quote

Would turning it off and on again help? If not...i'm out.
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
29th Aug 12 at 15:55   View User's Profile U2U Member Reply With Quote

It looks like she will need to do some research around the varying levels of document security and what the expected standards are for each level. Anyone know where this can be found out?
Rob_Quads
Member

Registered: 29th Mar 01
Location: southampton
User status: Offline
29th Aug 12 at 20:33   View User's Profile U2U Member Reply With Quote

There is no way you can secure the documents without having some sort of secure facility where by people are checked in and out, monitored during all hours to make sure they don't use any photographic equipment while they are working on your systems etc. Then its down to what they can remember.

As long as they can see the document they can take a photo of it if they are remote.
willay
Moderator
Organiser: South East, National Events
Premium Member


Avatar

Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
30th Aug 12 at 13:31   View Garage View User's Profile U2U Member Reply With Quote

sounds gay
willay
Moderator
Organiser: South East, National Events
Premium Member


Avatar

Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
30th Aug 12 at 13:33   View Garage View User's Profile U2U Member Reply With Quote

tbh i think the USP is ultimately flawed, yeah they are CBR checked but at the end of the day they could still be a right bunch of stealing cunts. If I was the client I'd want to make sure all my docs were being edited in a air tight room with retina scanners and security dogs running up and down the corridors shitting everywhere, not a bunch of security checked people working from home in India.
Gaz
Member

Registered: 24th Aug 03
Location: Widnes, Cheshire
User status: Offline
31st Aug 12 at 06:49   View User's Profile U2U Member Reply With Quote

We use Citrix through a web portal which security have locked down so that anything launched through there cannot "see" a "desktop" and the user receives a restrictions error.

However there are ways around this and any solution really due to the horrible function of Print Screen.
Steve
Premium Member

Avatar

Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
31st Aug 12 at 07:06   View Garage View User's Profile U2U Member Reply With Quote

quote:
Originally posted by willay
tbh i think the USP is ultimately flawed, yeah they are CBR checked but at the end of the day they could still be a right bunch of stealing cunts. If I was the client I'd want to make sure all my docs were being edited in a air tight room with retina scanners and security dogs running up and down the corridors shitting everywhere, not a bunch of security checked people working from home in India.
Chris
Premium Member

Avatar

Registered: 21st Sep 99
User status: Offline
31st Aug 12 at 15:19   View Garage View User's Profile U2U Member Reply With Quote

eycrypt the files then upload over SSL, Secure web storage isnt really USP loads of places do it.

[Edited on 31-08-2012 by Chris]
Dom
Member

Registered: 13th Sep 03
User status: Offline
31st Aug 12 at 15:27   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Chris
MD5 hash the files then upload over SSL, Secure web storage isnt really USP loads of places do it.


Do you mean encrypt?

And read the OP, as this isn't a simple storage site.
Chris
Premium Member

Avatar

Registered: 21st Sep 99
User status: Offline
31st Aug 12 at 15:33   View Garage View User's Profile U2U Member Reply With Quote

Is that better
Dom
Member

Registered: 13th Sep 03
User status: Offline
31st Aug 12 at 15:54   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Chris
Is that better


Yup

Could do it against certificates and issue the certs. to who ever needs them. But there's still the huge issue of restricting access to remote-workers.


James - DPA will be the obvious but data like CRB (certificates/numbers) carry their own strict data control guidelines. You then have things like PCI compliance that you'd need to look into.
James
Member

Registered: 1st Jun 02
Location: Surrey
User status: Offline
31st Aug 12 at 16:10   View User's Profile U2U Member Reply With Quote

It's not a storage site, in fact it's nothing to do with storage.

I can't be bothered to not tell anyone, it's not the sort of idea that will get stolen because not just anyone can do it.

The business idea is just document transcription. Apparently a lot of places (courts, prison, police etc) can only have documents transcribed by CRB checked people. The person that's doing it is already CRB checked and will be doing to the transcription from home. My idea to expand the business was to build a secure website where clients could upload audio files, the typist could transcribe them and then upload the finished document.

It sounds like making it secure is going to be more hassle than it's worth so I might just recommend she just does for herself.

[Edited on 31-08-2012 by James]

  <<  1    2  >>
New Topic

New Poll

  Related Threads Author Forum Replies Views Last Post
Corsasport @ Maxlive 2003.[**FINAL UPDATE, PAGE 6**] SteveW General Chat 161 6617
7th Jul 03 at 09:47
by S1MON
 
Just got broadband.... What security software is best to use? Dean_H Geek Day 16 1667
28th Oct 03 at 08:34
by vibrio
 
Anyone recomend a Hardware Firewall? Bart Geek Day 24 1239
8th Mar 05 at 16:10
by Bart
 
Vista - Windows JM_16v Geek Day 100 7179
3rd Feb 07 at 00:56
by ed
 
Firefox v3.0 Doug Geek Day 38 1415
21st Jun 08 at 14:23
by Rob E
 

Corsa Sport » Message Board » Off Day » Geek Day » IT Security People 28 database queries in 0.0204580 seconds