I'm researching Google Apps and, by the way, it's a nice solution. But I have a concern about HOW TO PREVENT a user who is allowed to modify a document from downloading it and taking it on a USB drive to deliver to somebody else outside the company. How can I prevent this?
Some of the security and data protection issues raised around Google Apps are technologically focused, and some are organizational. As Jim states above, anyone at your organization today probably has at least ample opportunity to download a copy, take a thumb drive and export a copy, attach a copy, or in some way use an authorized user's machine or log in to get a copy of something if they really want it.
With Google, you have data which is extremely secure in the cloud, and you have multiple levels of access which you can grant to users. The default when you upload a document is that the Owner is the only person who can see it or manipulate it. From there, you must make a conscious decision to hand the keys to another user, and the assumption is made that if you do so, you trust this other user and want to grant them access since you're taking an explicit and proactive action to grant this access. At least with Google, in granting access you can give View Only access, which doesn't allow a user to download or make the content portable, and you have built-in protection in that regard.
The point being - you have a secure location to store documents, and you have options, technically and organizationally on how to control access to those documents, and what people may do with them. From that point forward, you're at the mercy of the users and their intent for the information, just as you are today. But remember, Google doesn't have USB ports, or thick-client applications which can be stolen on a laptop, and people can't physically access the data or make any use of the obfuscated data at rest. I would argue Google offers more protection than on-premise products and policies in most cases.
Jim's point is that your current DLP processes would be retained and as important as ever - any collection of data (current or new system) is a security risk.
With Apps document sharing there is less need (and temptation) to email documents around so access to data is more tightly controlled (through sharing controls) than emailed attachments - I can't get that email back from you, but I can revoke access. I would also implement policy controls (content and attachment filtering) using the GMS product to stop clear breaches over email.
Next, if you require more security, your Apps implementation can knit nicely with your two-factor authentication platform (or a new one). You could also restrict the IPs from which users log in to Apps, you could extract behaviour reports from the platform... etc!
I noticed that when one user emailed another user in the same domain with an attachment, the attachment was saved in their Docs. I guess this is normal behavior?
If it is, how can you stop the attachment from being saved in the Docs?
Achaljub asked "HOW TO PREVENT" ... and everyone is answering as to "why it should not be done". Why?
No insults implied, but if I have no answer, then I do not answer ... I do not question the question (unless it is a vague question, which it is not in this case).
Achaljub ... the easiest way would be to get a tool so that you disable the access to USB storage drives. This works fine when the user is connecting from within the four walls of the organization. You can limit so that the user (or select users) cannot connect from outside the premises. If this is feasible, go for this solution.
If not, then it is a bit more complex - you'll need to come up with a solution where the USB storage drives are disabled (most likely via JavaScript / ActiveX) as soon as the user logs on (or before the user logs on) ... and uninstalls itself at the end of the session.
Like I said, the second option is complicated, but it can be done. The resources available to you would dictate how you should, or if you should, do this.
1a - Implement SSO which restricts remote access. We have done this on a few clients, where we program the SSO URL to be an internal IP such as http://172.16.0.15/; this way it is impossible to access Google Apps from outside the corporate building and they cannot use mobile devices either.
1b - Implement SSO where the person has to digitally sign in using an installed certificate on the computer. This allows remote access but only on notebooks that have a personal and corporate certificate installed.
2 - Keep using McAfee Host Data Loss Prevention or disable USB drives.
Just because it is in the cloud does not mean that it MUST be accessible from everywhere.
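For the "disable USB drives" half of option 2, here is an added example that is not from any poster in this thread: a PowerShell script, assumed to run elevated on a Windows client, that sets the same registry values the "Removable Disks: Deny write access" group policy uses and reports the current state so the control can be audited.

```powershell
# Added example (not from this thread): enforce and audit a write block on removable disks.
# Assumes: run as Administrator on a Windows client; the values mirror the
# "Removable Disks: Deny write access" policy under Computer Configuration.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # setup class GUID for disk drives
$DiskPolicy = Join-Path $PolicyRoot $DiskClass
$UsbStor    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableDiskPolicy {
    # Returns the effective settings so the control can be checked, e.g. from a scheduled task.
    $denyWrite = (Get-ItemProperty -Path $DiskPolicy -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $usbStart  = (Get-ItemProperty -Path $UsbStor -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyWriteSet    = ($denyWrite -eq 1)
        UsbStorDisabled = ($usbStart -eq 4)   # 4 = driver disabled; 3 = start on demand (default)
    }
}

function Set-RemovableDiskPolicy {
    param([switch]$DisableUsbStorEntirely)
    if (-not (Test-Path $DiskPolicy)) { New-Item -Path $DiskPolicy -Force | Out-Null }
    # Deny_Write = 1 blocks writes but still allows reads, so existing media can be viewed.
    Set-ItemProperty -Path $DiskPolicy -Name Deny_Write -Value 1 -Type DWord
    if ($DisableUsbStorEntirely) {
        # Stronger option, as the thread suggests: keep the USB mass-storage driver from loading at all.
        Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
    }
}

Set-RemovableDiskPolicy
Get-RemovableDiskPolicy | Format-List
```

A reboot or re-plug of the device is needed before the new policy applies to media already mounted, and the same values can be pushed domain-wide through Group Policy Preferences rather than run per machine.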
russagarrett: GMS will not interact with mailbox features, but operates on the mail flow. That is, it will scan content and filter - like perimeter protection in the cloud. The behaviour of 'save as Google Doc' in the mailbox is not optional, I believe... although you can turn off the Docs service which I guess would change that.