Data Security & Encryption

Hvg

Good day everyone, total noob question here and also my first post so if I missed something please excuse me.

My scenario is as follows:

I am using TrueNAS in a small business environment. I have the server set up where we store all our company data. The company is a signage company, so we mostly save our artwork files on the server, and it also holds the database for the accounting software and so forth. We have multiple desktop “Windows” machines that we work on and use to do the designing; once the design is done it is saved on the server.

My problem is I have recently become aware that a certain employee is copying or backing up their work to an external which is not allowed because company policy is that employees are not permitted to have a copy of the artwork “in the past we had an employee that copied a lot of artwork and started working for a competitor and took our artwork with her”. I know there are ways to block the USB port, however this will not stop a person from emailing the said file or using an FTP site to transfer it to themselves. I need to maybe encrypt the data pool so that even if they transfer the file to a USB or another computer they won't be able to open it. But now I have another scenario: instead of saving it to the server then copying it to the USB, they can simply save it directly to the USB or desktop and then to the server. This way they can bypass the server’s encryption?

My questions are as follows:

1. How do I encrypt an existing dataset on TrueNAS? I did read the section on encryption, however I am not certain if you can do it on an existing setup, and I am scared I make a mistake.

2. If I enable encryption on the desktop, will user X be able to access and change user Y’s work after saving it on the server?

3. To sum it up, I need to secure my data against an employee that wants to use it for their own personal gain, so I need to make sure that if there is a data leak someone else won’t be able to open or use it on another computer.

My concern is I have over 20 years of artwork and work on the server. I do have a complete off-site backup copy, but if I make a mistake I may lose access to the data on the server and this may result in downtime that I cannot afford at this stage. Also, I need to make sure I don’t do something stupid.

Thanks in Advance!
 

sretalla

OK, so there are a number of points here.

I'm not going to go into the depth that you need since you're effectively asking for Information Security consulting and you really need to engage somebody (in a paid contractual sense) to help you work this out.

At a high level, what you're looking for is called Data Leakage Protection/Prevention (DLP). There are a number of layers which can be involved in employing a successful strategy.

------------- begin forum related response ---------------
ZFS encryption plays a very small part in that overall strategy, so I'll handle that first:

ZFS native encryption can either have passphrase or key-based encryption.

Passphrase encryption can protect against server theft, rendering the protected datasets useless to a thief without the passphrase, which must be entered at each boot of the server before data can be accessed.

Key encryption protects against individual (or mostly multiple) disk theft (or disks falling into unknown hands without first being wiped), as the system will apply the keys at boot time, but without the system disk, the individual pool/VDEV member disks are useless/meaningless.

That's all ZFS encryption can help you with... you can only apply it at creation time of a pool/dataset, so to answer your question 1, not simple, but can be done with some shuffling of the data.

As soon as any of your users/clients access the shares, they have access to the content in an unencrypted state, so there's none of the protection you're seeking.
------------- end forum related response ----------------

Applying encryption on a desktop (like BitLocker on Windows PCs) will ensure that files with permissions which are stored on the PC disks will be useless if the disk is removed from the PC or the password of a permitted user isn't known in order to access the PC normally. Again, this doesn't help you, since the data is all available in an unencrypted format to users once they are connected and moving files between machines must be done in unencrypted form.

For things like USB sticks, as you mention, you can set policies on your machines to disable them (and you should do that if you're unable to implement all the kinds of things I will mention next).

For E-Mail, you can use features of the server products to implement leakage prevention, using things like keywords (granted that won't be as perfect as the next options, since pictures don't necessarily have keywords) or file type blocking.

For documents in general:

File-level encryption is pretty much the only way of getting to the result you're after.

If it's done right, it doesn't matter who has the file, if you don't allow the use of it, the file content can't be accessed/seen and you can (in some systems) even revoke access to files after a predetermined period or point in time or at your discretion (for example when somebody leaves the company).

There are various ways to implement it... the simplest/most known method being to use a cloud service like Office365 and Azure Information Protection (I think Adobe has a similar thing for their suite).

The cloud services provide a way to share files (of certain types... spreadsheets, documents, slides, PDFs, for example) with users within or outside of the organization and manage the verification of identity and the creation, storage and sharing of encryption keys and digital signatures.

TL/DR: TrueNAS won't do what you want. Get an Information security consultant to help you figure out what and how to implement. Be prepared to pay a lot. What you're talking about doesn't come cheap.
 
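The "shuffling of the data" mentioned in the reply above, sketched as an added example that is not part of the original post: copy the existing dataset into a new passphrase-encrypted parent, leaving the original untouched. The dataset names, the snapshot label and the `DRY_RUN` switch are assumptions, and the commands are the OpenZFS 2.x command line.

```shell
#!/bin/sh
# Added example: by default this only PRINTS the steps for copying an existing
# unencrypted dataset into a new passphrase-encrypted parent dataset.
# All names below are hypothetical placeholders, not taken from the thread.

SRC="${SRC:-tank/artwork}"              # existing unencrypted dataset (assumed)
ENC_PARENT="${ENC_PARENT:-tank/secure}" # new encrypted parent (assumed)
SNAP="${SNAP:-pre-encrypt}"             # snapshot label (assumed)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        sh -c "$*"
    fi
}

migration_plan() {
    dst="$ENC_PARENT/$(basename "$SRC")"
    # 1. Encryption is chosen when a dataset is created; children inherit it.
    run "zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt $ENC_PARENT"
    # 2. Freeze a consistent point-in-time copy of the source.
    run "zfs snapshot -r $SRC@$SNAP"
    # 3. Copy the data. -x encryption drops the source's encryption=off
    #    property so the received blocks are written under the parent's key.
    run "zfs send -R $SRC@$SNAP | zfs receive -x encryption $dst"
    # 4. Confirm the copy is encrypted before doing anything to the original.
    run "zfs get -r -o name,property,value encryption,keystatus,encryptionroot $dst"
    # The source dataset is deliberately left in place; retire it only after
    # the copy has been verified and the shares point at the new dataset.
}

migration_plan
```

The copy needs free space for a second full set of the data, and the shares stay on the old dataset until they are repointed.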

Hvg

Thank you so much for the reply, this is very informative.

I think where I should start is to split the data, at the moment everything is saved on a single Pool where everyone has access to all the files.

I will also do a bit more research into (DLP) and see if there is anything else I can do myself.
 

HoneyBadger

> My problem is I have recently become aware that a certain employee is copying or backing up their work to an external which is not allowed because company policy is that employees are not permitted to have a copy of the artwork “in the past we had an employee that copied a lot of artwork and started working for a competitor and took our artwork with her”. I know there are ways to block the USB port, however this will not stop a person from emailing the said file or using an FTP site to transfer it to themselves,

In addition to the excellent post by @sretalla regarding the technical measures of implementing DLP, I'd like to pull this section out to state that this is not just a technical problem, this is an HR-and-lawyer-level problem.

1) You have become aware that an employee is violating company policy. Inform HR (or put your HR hat on, if you are HR.)
2) You (HR hat) inform the employee that you are aware they are violating company policy.
3) You (HR hat) take the appropriate stage of disciplinary action as outlined in company policy.
4) You (put IT hat back on) implement technical measures to prevent further violations where possible such as a DLP strategy.
5) If repeated violations occur, GOTO 1 and raise the severity of disciplinary actions.

The typical sequence for infractions is "verbal warning, written warning, termination" but serious ones (data/IP theft) can escalate immediately to the last measure.

Back these policies up with legal teeth. Pay a lawyer to review your company policies. If you have to, you pay them to file a civil suit.
 