Block employee access to public cloud

Question

First of all, let me state that this is not my idea and I don't want to discuss whether such an action is reasonable.

However, for a company, is there a way to prevent employees to access public cloud services? In particular, they should not be able to upload files to any place on the web.

Blocking HTTPS might be a first, simple, but very radical solution. Using a blacklist of IP addresses wouldn't suffice either. Probably, some kind of software is needed to filter the traffic on a content level. A proxy might be helpful, to be able to filter HTTPS traffic.

Theses are my thoughts so far. What do you think? Any ideas?

Answer 1

You basically have three options here.

1. Disconnect your office/users from the internet

• If they can't get to "the public cloud," they can't upload anything to it.
  
  

2. Compile a blacklist of specific services you're worried about users accessing.

• This is going to be absolutely massive if it's meant to be even remotely effective.
  • Tech-savvy users will always be able to find a way around it - I can connect to my computer from anywhere in the world with an internet connection, so... good luck blocking me, for example.
    
    

3. Do something more reasonable/recognize the limits of technology.

• This isn't your idea, but generally, if you provide management with the pitfalls and expense of implementing a solution like this, they'll be more open to better approaches.

  • Sometimes this is a compliance thing, or "just for appearances," and they're happy with just blocking the most popular services
  • Sometimes they genuinely don't understand how insane their request is, and need you to tell them in terms they can understand.
    • Had a client once, when I was working for an computer security vendor, who wanted us to provide a way to stop employees from leaking confidential information with our AV agent. I whipped out my smartphone, took a picture of my screen, and asked him how he could possibly prevent that, or even writing the information down on a piece of paper.
    • Use the news and recent events in your explanation - if the Army couldn't stop Manning, and the NSA couldn't stop Snowden, what makes you think we can do it, and how much money do you think even trying will cost?

Answer 2

There is no way to block it completely, of course, unless the corporate network were to be disconnected from the Internet.

If you really want something that should work most of the time while being mostly transparent, you'll need to deep-sniff packets. Set up a man-in-the-middle SSL/TLS proxy, as well as one for unencrypted communication, and block all traffic that doesn't go through one of these.

• Block HTTP PUT requests
• Block all HTTP POST requests where the content-type is not application/x-www-form-urlencoded or multipart/form-data
• For HTTP POST requests of type multipart/form-data, strip out fields with a content-disposition of "file" (but let other fields through).
• Block FTP, BitTorrent, and SMTP traffic
• Block all traffic to the major Webmail services, and to the major public file storage sites.

As you can see, this is a massive and painful undertaking. It's also far from invulnerable: I'm thinking of several workarounds even as I write this, some of which can't be handled without fundamentally breaking your users' Web connections, and there will probably be comments showing many more that I didn't think of. But it should let most traffic through, while filtering out the easiest ways to eliminate file uploading.

The bottom line is that this is more trouble than it is worth.

The best answer would be to enter into a kind of negotiation with your bosses: find out what they really want (likely either protection of trade secrets or liability prevention), and point out why these unworkable technological measures will not get them what they want. Then you can work out solutions to their problems that do not involve unworkable technological measures.

Don't worry about ideology in these discussions: all you have to do is focus on what will work and what will not. You'll find all the arguments you need there, and while this will no doubt frustrate both you and your bosses, it avoids passing value judgments against them (which might be deserved, but will only cause talks to break down, and that is Bad).

Answer 3

What HopelessN00b said. I just wanted to add that:

I have a friend with a job at a government agency where she isn't allowed to bring a cellphone with a camera to the office. She usually phrases that as, "I'm not allowed to own a cellphone with a camera," because, well. If she can't take her cell with her, why own one? She has trouble finding cellphones that don't have cameras.

I've worked for other high-security-type places that would "solve" this problem via administrative fascism:

• An official policy that accessing your personal email from your workstation is a firing offense.
• An official policy that accessing a cloud service from your workstation is a firing offense.
• An official policy that plugging a thumb drive, ipod, or cell phone into a workstation is a firing offense.
• An official policy that accessing social media from your workstation is a firing offense.
• An official policy that installing unauthorized software on your workstation is a firing offense.
• An official policy that accessing your personal online banking from your workstation is a firing offense.
• An epic corporate firewall/proxy that has many/most of those sites blocked. Any attempt to access facebook.com, for example, prompts a screenful of "This site blocked by ETRM." They occasionally blocked things like Stack Overflow as "hacking" as well.
• Some "offenses" merit an email sent to your entire team stating that you accessed an unauthorized site (as opposed to firing... this time). ("Katherine Villyard accessed http://icanhas.cheezburger.com/ at 3:21pm!")
• Forcing all new hires to take "security policy" class explaining these rules, and forcing people to take regular refresher courses on these rules. And then take and pass a quiz on them.

Places that rely on Administrative Fascism generally only make cursory attempts to back up these rules via technical means, in my experience. For example, the they say they'll fire you if you plug in a thumb drive, but they don't disable USB. They block Facebook via http but not via https. And, as HopelessN00b pointed out, savvy users know and mock this.

Answer 4

Actually, there is a simple solution provided you don't also expect your internal network to be exposed to the Internet at the same time.

Your PCs simply need to be completely blocked from accessing the Internet. All USB ports blocked, etc.

To get on the Internet, people then need to either use a different computer - connected to a different network - or connect via RDP to a Terminal Server which has Internet access. You disable clipboard over RDP and no windows share. That way, users can't copy files onto the Internet Terminal Servers and thus can't send files out.

That leaves email... that is your biggest loophole in this if you allow email on the internal PCs.

Answer 5

You know that old joke that, if you and a halfling are chased by an angry dragon, you don't have to run quicker than the dragon, you only have to be quicker than the halfling? Assuming non-malicious users*, you don't have to restrict their access to the public cloud, it is enough to make the usability of the public cloud lower than the usability of whatever enterprisey solution you have for non-desk-bound data access. Properly implemented, this will reduce the risk of non-malicious leaks sharply, and is doable with a fraction of the cost.

In most cases, a simple blacklist should suffice. Put Google drive, Dropbox and the Apple cloud on it. Also block traffic to Amazon AWS - most of these hot startups who build yet another cloud service don't build their own data center. You just reduced the number of employees who know how to get into the public cloud from 90% to 15% (very rough numbers, will differ by industry). Use a suitable error message to explain why public clouds are forbidden, which will reduce their impression of wanton censorship (sadly, there will always be users not willing to understand).

The remaining 15% can still reach providers not on the blacklist, but they probably won't bother to do it. Google drive and co are subject to strong positive network effects (the economic kind, not the technical kind). Everybody uses the same 2-3 services, so they get built in everywhere. Users build convenient, streamlined workflows which include these services. If the alternative cloud provider cannot be integrated into such a workflow, the users have no incentive to use it. And I hope that you have a corporate solution for the most basic usage of a cloud such as storing files in a central place, reachable from a physical location outside of the campus (with VPN if security is needed).

Add to this solution a good deal of measurement and analytics. (This is always needed where users are concerned). Take samples of traffic, especially if exhibiting suspicious patterns (upstream traffic in bursts large enough to be upload of documents, directed at the same domain). Have a human look at the identified suspicious domains, and if you find that it is a cloud provider, find out why users are using it, talk with management about providing an alternative with equal usability, educate the offending user about the alternative. It would be great if your corporate culture allows you to gently reeducate caught users without implementing disciplinary measures the first times - then they will not be trying to hide from you especially hard, and you will be able to easily catch deviations and deal with the situation in a way which reduces the security risk but still allows the user to do his job efficiently.

A reasonable manager** will understand that this blacklist will lead to productivity losses. The users had a reason to use the public cloud - they are incentivized to be productive, and the convenient workflow increased their productivity (including the amount of unpaid overtime they are willing to do). It is a manager's job to evaluate the trade off between productivity loss and security risks and tell you if they are willing to let the situation as-is, to implement the black list, or to go for secret-service-worthy measures (which are severely inconvenient and still don't provide 100% security).

---

[*] I know that people whose job is security think of criminal intent first. And indeed, a determined criminal is much harder to stop and can inflict much worse damage than a non-malicious user. But in reality, there are few organisations which get infiltrated. Most security problems are related to the goofiness of well-meaning users who don't realize the consequences of their actions. And because there are so many of them, the threat they pose should be taken as seriously as the more dangerous, but much rarer, spy.

[**] I am aware that, if your bosses already made that demand, chances are that they are not the reasonable type. If they are reasonable but just misguided, that's great. If they are unreasonable and stubborn, this is unfortunate, but you must find a way to negotiate with them. Offering such a partial solution, even if you can't get them to accept it, can be a good strategic move - properly presented, it shows them that you are "on their side", take their concerns seriously, and are prepared to search for alternatives to technically infeasible requirements.

Answer 6

Your management is asking you to close Pandora's box.

While you can, in principle, prevent uploading of any documentation for all known possible mechanisms, you won't be able to prevent zero-day exploits (or the equivalent to you) from being used.

That said, an authenticating firewall to identify both the user and the workstation, can be implemented to restrict access with ACL that you desire. You can incorporate a reputation service as described in some of the other answers to help your managing the process.

The real question is to ask whether is this about security, or is this about control? If it is the first, then you need to understand the cost threshold your managers are prepared to pay. If it is the second, then probably a large visible theatre will be sufficient to convince them you have delivered, with minor exceptions.

Answer 7

You need a content filtering device or service, such as BlueCoat Secure Web Gateway, or a firewall with content filtering, such as a Palo Alto firewall. Products like this have broad category filters that include online storage.

BlueCoat even offers cloud-based service where you can force your laptop users to connect through a proxy service that runs locally on their computer, but takes content filtering rules from a central source.

Answer 8

• Blacklist

Create a list of sites that the users can't access.

Pro: Block specific service.

Cons: A big list, sometimes it could hurts the performance of the firewall of the system (usually it does!). Sometimes it could be bypassed.

• WhiteList

Instead of relies in a big list of blacklisted sites, some companies uses a whitelist where users can only access to the whitelisted sites.

Pro : easy to manage.

Cons : it hurts productivity.

• Block the size of the information send (POST/GET).

Some firewall allows to block the size of information send, rendering impossible to send some files.

Pro: Easy to manage.

Cons : some users could bypass it by sending files in small chunks. It could breaks some websites, for example, some Java and Visual Studio's winforms sites send a lot of information regularly.

• Block non HTTP connections.

Pro: easy to configure.

Cons : it could breaks current systems.

In my experience, i worked for a bank. The administrators blocked the access to the usb driverand access some restricted sites (blacklist). However, i created a php file in a free webhosting and i can upload my files without any problem (using a regular website). It took me 5 minutes to do that.

I agree with some comments, is easy and more effective to use a human resource rules.