
I want to set up my company's laptops in a way that all files created on these laptops can only be read by these laptops. If a file is copied to a USB drive, then that file is only readable when that USB drive is plugged into a company laptop. If it is plugged into, or copied to, another non-authorised laptop, then it is not readable.

Ernst and Young are using this technique to protect their data, but I don't know what it is called or how to set it up.

schroeder

2 Answers


What you are looking for is "Endpoint DLP". All files are encrypted on the device individually.

Note that it can be very expensive, and there will be unexpected consequences depending on your environment. In many companies, such a control is too much. It is a better control when the company is already highly regulated, like a bank or a government office.

Imagine someone making a shopping list in Word on their lunch break. They can't send that file home or email it to anyone because the DLP system protected it. This can create a lot of friction with your employees.

It's a great solution, but it can be "too good" for many contexts.

schroeder
  • Not to mention that many employees aren't really that concerned with security, and will try to seek ways "around" your system, such as using their own (possibly infected) thumb drives, uploading their files to third-party filesharing sites, etc. –  Feb 20 '20 at 15:18
  • The endpoint DLP solutions I worked with at a bank instantly reformatted any foreign USB plugged in and encrypted it. I had my own sneaky ways around the DLP systems that I only told the security team about long after I left. If you over-constrain a system, people will adapt to avoid it. – schroeder Feb 20 '20 at 15:21
  • Depends on the solution, I'd assume, and how it's configured. In such a situation, I'm sure the employee in question would get mad as to why his holiday pictures are now gone, and then would proceed to be mad at the IT guy who is mad at the employee for connecting possibly malicious USB devices to company hardware. –  Feb 20 '20 at 15:23
  • Yeah, but we did inform people well ahead of time, and in a bank, you just simply don't use the systems for personal use, so it was shocking but not unusual. – schroeder Feb 20 '20 at 15:24
  • I agree. I would never connect personal hardware to company systems, or company hardware to personal systems. But then again, people are also informed not to open documents from unknown senders, and especially not to execute any macros from them. We both know how well that works. –  Feb 20 '20 at 15:27
  • Thanks guys for helping me out. I am fascinated with the way EY set up their data loss prevention system and am just curious to see if I can do the same for my company. This is way more convenient and better than the password-encrypted method. If you guys know a specific software or tutorial, please share it with me. – Trung Nguyen Feb 20 '20 at 20:35
  • To MechMK1: if you copy the file from EY's laptop to your USB, you can't use a non-EY laptop to read the file. – Trung Nguyen Feb 20 '20 at 20:42
  • @TrungNguyen we can't recommend software. A search for "endpoint DLP" will return vendors. Note that none of it is free, and as I said, is very expensive. – schroeder Feb 20 '20 at 22:33

There is a solution using VeraCrypt volumes. You can use keyfiles:

  • Allows multiple users to mount a single volume using different user passwords or PINs. Just give each user a security token or smart card containing the same VeraCrypt keyfile and let them choose their personal password or PIN that will protect their security token or smart card. [Bold is mine]

Create one USB and clone the others you have; then all USBs can be opened by your clients.

Note that letting one person reach all of the files on the USBs may not be a good idea; it can enable Snowden-like actors. You should carefully design your security policy.

kelalaka
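Added example, not part of either answer and not VeraCrypt's or any DLP vendor's code: a minimal model of the property both answers rely on, that a file is only readable where the shared keyfile is present. Every file gets its own random key (per-file encryption, as the first answer describes endpoint DLP doing); that file key is wrapped under a key derived from a keyfile that lives on the authorised laptop or on the user's token (the second answer's VeraCrypt keyfile). Without the keyfile the wrapped key cannot be unwrapped and the integrity tag fails, so the file is unreadable. The file format, the names, and the use of HMAC-SHA256 in counter mode are all assumptions made so the example runs on the Python standard library alone; a real deployment would use AES-GCM from a library (or VeraCrypt itself), and VeraCrypt's own keyfile mixing is not reproduced here.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"KFX1"  # constructed header marker for this example's file format


def derive_wrapping_key(keyfile: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from the keyfile bytes and a per-file salt."""
    return hashlib.pbkdf2_hmac("sha256", keyfile, salt, 100_000, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF (HMAC-SHA256) in counter mode; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">I", offset // 32)
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_file(plaintext: bytes, keyfile: bytes) -> bytes:
    """Encrypt one file under a fresh per-file key; wrap that key with the keyfile-derived KEK."""
    salt, nonce, file_key = os.urandom(16), os.urandom(16), os.urandom(32)
    kek = derive_wrapping_key(keyfile, salt)
    # Wrap the file key by XOR with a PRF mask derived from the KEK and the nonce.
    wrap_mask = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    wrapped_key = bytes(a ^ b for a, b in zip(file_key, wrap_mask))
    ciphertext = _keystream_xor(file_key, nonce, plaintext)
    # Layout: MAGIC | salt(16) | nonce(16) | wrapped_key(32) | ciphertext | tag(32)
    body = MAGIC + salt + nonce + wrapped_key + ciphertext
    tag = hmac.new(kek, body, hashlib.sha256).digest()  # binds header and ciphertext to the keyfile
    return body + tag


def decrypt_file(blob: bytes, keyfile: bytes) -> bytes:
    """Decrypt a protected file; raises PermissionError if the keyfile is wrong or the blob was altered."""
    if len(blob) < 4 + 16 + 16 + 32 + 32 or blob[:4] != MAGIC:
        raise ValueError("not a protected file")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, wrapped_key = body[4:20], body[20:36], body[36:68]
    kek = derive_wrapping_key(keyfile, salt)
    expected = hmac.new(kek, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("keyfile does not match: file is not readable on this device")
    wrap_mask = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    file_key = bytes(a ^ b for a, b in zip(wrapped_key, wrap_mask))
    return _keystream_xor(file_key, nonce, body[68:])


def readable_with(blob: bytes, keyfile: bytes) -> bool:
    """True if this keyfile (i.e. this laptop or token) can open the file."""
    try:
        decrypt_file(blob, keyfile)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    company_keyfile = os.urandom(64)  # constructed: the keyfile on every company laptop or token
    outside_keyfile = os.urandom(64)  # constructed: whatever an unauthorised laptop holds
    doc = encrypt_file(b"quarterly figures", company_keyfile)
    print("company laptop can read:", readable_with(doc, company_keyfile))   # True
    print("outside laptop can read:", readable_with(doc, outside_keyfile))   # False
```

The point the demo makes is the one the comments circle around: the protection is only as strong as the keyfile's confinement. If the keyfile can be copied off the token or laptop, so can the files' readability, which is why the second answer warns about giving every clone of the USB access to everything.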