How to protect Data from being stolen?

[The_DR]

Hey Guys, 

 

I have a question. I have an employee that has to work with some Data. It's actually a Database with about 10GB of Data. The employee has to work with the real data, it can't be replaced by dummy data. What can I do to prevent the employee to steal the data? For example to download it to an USB Drive. Or to upload it into the Internet. What's possible?

[thevictor390]

Not enough information, what kind of database and how are they working with it? You do need to give employees a certain minimum amount of trust in order for them to do their job.

[PDifolco]

Well there's 2 solutions: technical and human

Technical solution is to never have the data leave your server, employee should be given a remote access with secure vpn tunnel

That's how corps do it

Now the human solution is called trust

[tikker]

Firstly by not letting people that you think will steal your data work on it.

 

It sounds like your company needs to look into some data policies. Something like a "nothing leaves the premises" approach where all work is done on a machine that requires some sort of verified login, stays locally, is monitored all the time, is disconnected from any network etc. There are many approaches.

 

 

[The_DR]

Honestly, I don't believe in trust. Because I can't count how many times my company had cases  for Data Recovery when an employee (of another company) was let go or even fired and on his last day he took the database of the clients with him AND wiped all the data he had access to. 

 

Well, I don't care if some one is going to take some records like screenshots. But the whole Database is critical. 

 

Well, I can give the employee access via RDP. So the data never going to leave the network. But how can I prevent RDP from mounting USB Devices remotely? Hm... And firewall Rules on the RDP Machine, that gonna allow the Access via RDP but block other Traffic into the Internet?

[a399]

There's plenty of enterprise software for data management. usbguard can easily prevent unexpected usb connections, without actually costing anything (it's a Linux package, but i think that should illustrate my point). And I'd assume if you are running a data center, you should already have at least one guy in charge of security. If the stuff is as critical as you say, than that would be the only logical option.

 

As tikker said, just don't give untrustworthy people access to the data. Databases technicians are usually supposed to be screened more thoroughly than McDonald's workers. Revoke access if there's a reason to believe that the employee is copying stuff.