Block employee access to public cloud

security firewall cloud

First of all, let me state that this is not my idea and I don't want to discuss whether such an action is reasonable.

However, for a company, is there a way to prevent employees to access public cloud services? In particular, they should not be able to upload files to any place on the web.

Blocking HTTPS might be a first, simple, but very radical solution. Using a blacklist of IP addresses wouldn't suffice either. Probably, some kind of software is needed to filter the traffic on a content level. A proxy might be helpful, to be able to filter HTTPS traffic.

Theses are my thoughts so far. What do you think? Any ideas?


Solution 1:

You basically have three options here.

1. Disconnect your office/users from the internet

  • If they can't get to "the public cloud," they can't upload anything to it.

2. Compile a blacklist of specific services you're worried about users accessing.

  • This is going to be absolutely massive if it's meant to be even remotely effective.
    • Tech-savvy users will always be able to find a way around it - I can connect to my computer from anywhere in the world with an internet connection, so... good luck blocking me, for example.

3. Do something more reasonable/recognize the limits of technology.

  • This isn't your idea, but generally, if you provide management with the pitfalls and expense of implementing a solution like this, they'll be more open to better approaches.

    • Sometimes this is a compliance thing, or "just for appearances," and they're happy with just blocking the most popular services
    • Sometimes they genuinely don't understand how insane their request is, and need you to tell them in terms they can understand.
      • Had a client once, when I was working for an computer security vendor, who wanted us to provide a way to stop employees from leaking confidential information with our AV agent. I whipped out my smartphone, took a picture of my screen, and asked him how he could possibly prevent that, or even writing the information down on a piece of paper.
      • Use the news and recent events in your explanation - if the Army couldn't stop Manning, and the NSA couldn't stop Snowden, what makes you think we can do it, and how much money do you think even trying will cost?

Solution 2:

There is no way to block it completely, of course, unless the corporate network were to be disconnected from the Internet.

If you really want something that should work most of the time while being mostly transparent, you'll need to deep-sniff packets. Set up a man-in-the-middle SSL/TLS proxy, as well as one for unencrypted communication, and block all traffic that doesn't go through one of these.

  • Block HTTP PUT requests
  • Block all HTTP POST requests where the content-type is not application/x-www-form-urlencoded or multipart/form-data
  • For HTTP POST requests of type multipart/form-data, strip out fields with a content-disposition of "file" (but let other fields through).
  • Block FTP, BitTorrent, and SMTP traffic
  • Block all traffic to the major Webmail services, and to the major public file storage sites.

As you can see, this is a massive and painful undertaking. It's also far from invulnerable: I'm thinking of several workarounds even as I write this, some of which can't be handled without fundamentally breaking your users' Web connections, and there will probably be comments showing many more that I didn't think of. But it should let most traffic through, while filtering out the easiest ways to eliminate file uploading.

The bottom line is that this is more trouble than it is worth.

The best answer would be to enter into a kind of negotiation with your bosses: find out what they really want (likely either protection of trade secrets or liability prevention), and point out why these unworkable technological measures will not get them what they want. Then you can work out solutions to their problems that do not involve unworkable technological measures.

Don't worry about ideology in these discussions: all you have to do is focus on what will work and what will not. You'll find all the arguments you need there, and while this will no doubt frustrate both you and your bosses, it avoids passing value judgments against them (which might be deserved, but will only cause talks to break down, and that is Bad).

Solution 3:

What HopelessN00b said. I just wanted to add that:

I have a friend with a job at a government agency where she isn't allowed to bring a cellphone with a camera to the office. She usually phrases that as, "I'm not allowed to own a cellphone with a camera," because, well. If she can't take her cell with her, why own one? She has trouble finding cellphones that don't have cameras.

I've worked for other high-security-type places that would "solve" this problem via administrative fascism:

  • An official policy that accessing your personal email from your workstation is a firing offense.
  • An official policy that accessing a cloud service from your workstation is a firing offense.
  • An official policy that plugging a thumb drive, ipod, or cell phone into a workstation is a firing offense.
  • An official policy that accessing social media from your workstation is a firing offense.
  • An official policy that installing unauthorized software on your workstation is a firing offense.
  • An official policy that accessing your personal online banking from your workstation is a firing offense.
  • An epic corporate firewall/proxy that has many/most of those sites blocked. Any attempt to access facebook.com, for example, prompts a screenful of "This site blocked by ETRM." They occasionally blocked things like Stack Overflow as "hacking" as well.
  • Some "offenses" merit an email sent to your entire team stating that you accessed an unauthorized site (as opposed to firing... this time). ("Katherine Villyard accessed http://icanhas.cheezburger.com/ at 3:21pm!")
  • Forcing all new hires to take "security policy" class explaining these rules, and forcing people to take regular refresher courses on these rules. And then take and pass a quiz on them.

Places that rely on Administrative Fascism generally only make cursory attempts to back up these rules via technical means, in my experience. For example, the they say they'll fire you if you plug in a thumb drive, but they don't disable USB. They block Facebook via http but not via https. And, as HopelessN00b pointed out, savvy users know and mock this.

Related

How are admins managing their EC2 EBS's and Snapshots?
WinSCP alternative for OS X (that supports sudo and without virtualizing WinSCP) [closed]
T is finite rank operator represent [closed]
Equivalent characterizations of Henselian Rings (Theorem 4.2 in James Milne's "Étale Cohomology")
How to find derivative and directional derivative of this map
Counting the zeros when a polynomial is perturbed by an exponential
Random variables satisfying a strict inequality
Limit of the sequence $\lim_{n\to\infty}\left(\frac{\log(n+2)}{\log (n+1)}\right)^{n\log n}$
How should I integrate this?
Hartshorne II.8.3(c)
$\int_0^{\frac{\pi}{2}} \frac{cos(x)}{p\sin(x) + q\cos(x)}dx$, where $p,q$ are positive constants
conjugate of conjugate is continuous