(Air Gapped) Data Storage and security
-
@Dashrender said in (Air Gapped) Data Storage and security:
Also, As JB said, screen shots/ cellphone pictures is still a real risk... will people be checking their phones at the door?
We did. We had company phones and weren't allowed private phones in the building. They disabled the camera and other functions on the phone.
-
@Dashrender said in (Air Gapped) Data Storage and security:
@JaredBusch said in (Air Gapped) Data Storage and security:
@Pete-S said in (Air Gapped) Data Storage and security:
@gjacobse said in (Air Gapped) Data Storage and security:
@DustinB3403 said in (Air Gapped) Data Storage and security:
@gjacobse said in (Air Gapped) Data Storage and security:
@DustinB3403 said in (Air Gapped) Data Storage and security:
@gjacobse why do you need to airgap the live data? Can't you focus on an appropriate backup strategy, and nuke and restore as needed from backup?
It's not so much about the backup strategy as it is security.
Security from what perspective? An Airgap is meant to keep your systems and data separated. ACLs and the rule of least access should cover pretty much everything else.
Agreed - Thus the comment about Schrödinger's cat,.. You can't have high (air gapped) security and access to it at the same time. Unless I've missed something here. Staff will need and want to have access to the project files when they need them.
I suppose 'one way' is to use the local machine to access a VDI but even that has limitations when you are talking about large project files (CAD, DesignFlow, etc)
When the government releases top secret documents they release redacted documents. So the original document can be securely stored and inaccessible.
If you think about it you could do the same with CAD data. The original might be a cad file but the user might have access a redacted pdf version of it. For instance without critical measurements or whatever. CAD files have layers so it would be technically possible.
Another way would be to simulate a SCIF.
Which would be a secure place to view the document but you can't take it with you. Perhaps a dedicated viewing station would work. Many CAD systems have dedicated viewers that can view the original file but not edit the documents. Or you could use pdf documents here as well, both 2D and 3D are supported.A simple way to implement a low level of this is RDS with all the "sharing" functionality disabled and no routing out form the RDS device except the RDS port.
Not the best but maybe something everyone can understand how it works. Obviously, that then lets you stll screenshot, but meh. what are you actually trying to accomplish here?
This isn't airgapped.
It is a view only access. that is effectively air gapped.
Nothing in this discussion is a true air gap.
-
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
-
@JaredBusch said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@JaredBusch said in (Air Gapped) Data Storage and security:
@Pete-S said in (Air Gapped) Data Storage and security:
@gjacobse said in (Air Gapped) Data Storage and security:
@DustinB3403 said in (Air Gapped) Data Storage and security:
@gjacobse said in (Air Gapped) Data Storage and security:
@DustinB3403 said in (Air Gapped) Data Storage and security:
@gjacobse why do you need to airgap the live data? Can't you focus on an appropriate backup strategy, and nuke and restore as needed from backup?
It's not so much about the backup strategy as it is security.
Security from what perspective? An Airgap is meant to keep your systems and data separated. ACLs and the rule of least access should cover pretty much everything else.
Agreed - Thus the comment about Schrödinger's cat,.. You can't have high (air gapped) security and access to it at the same time. Unless I've missed something here. Staff will need and want to have access to the project files when they need them.
I suppose 'one way' is to use the local machine to access a VDI but even that has limitations when you are talking about large project files (CAD, DesignFlow, etc)
When the government releases top secret documents they release redacted documents. So the original document can be securely stored and inaccessible.
If you think about it you could do the same with CAD data. The original might be a cad file but the user might have access a redacted pdf version of it. For instance without critical measurements or whatever. CAD files have layers so it would be technically possible.
Another way would be to simulate a SCIF.
Which would be a secure place to view the document but you can't take it with you. Perhaps a dedicated viewing station would work. Many CAD systems have dedicated viewers that can view the original file but not edit the documents. Or you could use pdf documents here as well, both 2D and 3D are supported.A simple way to implement a low level of this is RDS with all the "sharing" functionality disabled and no routing out form the RDS device except the RDS port.
Not the best but maybe something everyone can understand how it works. Obviously, that then lets you stll screenshot, but meh. what are you actually trying to accomplish here?
This isn't airgapped.
It is a view only access. that is effectively air gapped.
Nothing in this discussion is a true air gap.
View only wasn't a given in the OP. Still not air gapped - as you said - screen shot from non-gapped machine of the RPD screen.
-
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
-
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
Also, As JB said, screen shots/ cellphone pictures is still a real risk... will people be checking their phones at the door?
We did. We had company phones and weren't allowed private phones in the building. They disabled the camera and other functions on the phone.
I had a client ask me about locking down things, not quite as bad as the OP, but bad enough. I asked them - you going to keep cellphones out? are you going to prevent access to the internet? are you going to prevent access to email, etc, etc, etc? If not, you're going way overboard on protecting this data.
They agreed that they were going overboard and backed down.
-
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
You couldn't plug it in to your computer. It was given to you from the media center. Then you could send it to clients, who had the credentials to decrypt it.
-
This post is deleted! -
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
You couldn't plug it in to your computer. It was given to you from the media center. Then you could send it to clients, who had the credentials to decrypt it.
All of the systems had USB storage disabled. The only way to get things on and off of the network was through the media center.
-
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
You couldn't plug it in to your computer. It was given to you from the media center. Then you could send it to clients, who had the credentials to decrypt it.
My point is that whomever decrypts it can distribute it anyway they like, unless you manage the computers they are decrypting on as well. But perhaps it's OK once you reach this stage, you don't care after the secure delivery has taken place, the onus is now on them?
-
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
You couldn't plug it in to your computer. It was given to you from the media center. Then you could send it to clients, who had the credentials to decrypt it.
My point is that whomever decrypts it can distribute it anyway they like, unless you manage the computers they are decrypting on as well. But perhaps it's OK once you reach this stage, you don't care after the secure delivery has taken place, the onus is now on them?
Yeah. I mean it's been sanitized (if needed) from the media center. After that, it's out of our hands. A lot of it was data that was required by the gov't to be treated that way. You can only control what you can control.
-
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
You couldn't plug it in to your computer. It was given to you from the media center. Then you could send it to clients, who had the credentials to decrypt it.
My point is that whomever decrypts it can distribute it anyway they like, unless you manage the computers they are decrypting on as well. But perhaps it's OK once you reach this stage, you don't care after the secure delivery has taken place, the onus is now on them?
Yeah. I mean it's been sanitized (if needed) from the media center. After that, it's out of our hands. A lot of it was data that was required by the gov't to be treated that way. You can only control what you can control.
LOL - I actually changed my mindset halfway through writing that last post realizing this is likely no different than HIPAA data. You keep is secure on your side and during transit to those authorized on the outside, but once you give it to them, you can't can no longer control it.
-
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
@Dashrender said in (Air Gapped) Data Storage and security:
@stacksofplates said in (Air Gapped) Data Storage and security:
What's the actual request/requirement? We were airgapped but it was from the outside world. We still had an internal Network (actually multiple that were airgapped from each other). But you had to be in the building and at the correct systems to access the data.
This was my thinking.
Users will need two computers one for the air-gapped network and one for the internet network.
The real problem here is that I assume you’re making the CAD drawings for clients... so how do those in power propose getting the fl data gram an airgapped system to the client?We had what they call a media center. You requested a file or files in the media center and it was exported for you and tracked. Then it was copied to an encrypted media and you could send it out of the building.
I'm not sure how this helps? What could you plug that encrypted media into for viewing/editing? if that was a totally controlled machine - what prevents it from being copied and redistributed? of course you'd know who was responsible for that data at that time, so you could blame someone, but the data is still out there.
You couldn't plug it in to your computer. It was given to you from the media center. Then you could send it to clients, who had the credentials to decrypt it.
My point is that whomever decrypts it can distribute it anyway they like, unless you manage the computers they are decrypting on as well. But perhaps it's OK once you reach this stage, you don't care after the secure delivery has taken place, the onus is now on them?
Yeah. I mean it's been sanitized (if needed) from the media center. After that, it's out of our hands. A lot of it was data that was required by the gov't to be treated that way. You can only control what you can control.
LOL - I actually changed my mindset halfway through writing that last post realizing this is likely no different than HIPAA data. You keep is secure on your side and during transit to those authorized on the outside, but once you give it to them, you can't can no longer control it.
Well I mean usually if you're needing that data you're either authorized by the gov't to have it (so you will have the same controls) or it's been sanitized to the point of it not being that big of a deal if it's leaked. You'd have to be able to put together a whole bunch of different pieces of information to make anything of it.
-
@gjacobse said in (Air Gapped) Data Storage and security:
Can you (how do you) Air gap and secure data and still be able to make it available to a (end user)
Once the user can get to it, it's not air gapped any longer.
