Ask HN: What are some ways companies spy on employees leaking data?

13 points by rayvy 2 months ago

What are some practices that companies employ to prevent their employees from stealing/leaking sensitive company information.

I've heard methods such as - obviously hosts contacted by the client machine - using software to detect if information has been exported via USB

Can you name any others?

twunde 2 months ago

The generic name for these types of solutions is DLP or data loss prevention. DLP solutions are common in regulated industries with finance typically having the most extreme forms of DLP solutions implemented.

1) DLP solutions for email and cloud storage: Office 365 and GSuite both have a bundled DLP solution. 3rd party solutions are also fairly comprehensive.

2) DLP solutions for workstations. This can range from sharing being disabled via MDM to DLP monitoring software (sometimes bundled in anti-virus) to some type of Desktop as a service solution (See techjuice's answer for more info on the last choice).

3) DLP server solutions, these can monitor for and disable certain sharing protocols. Most of the solutions are commercial (opendlp being an exception) and relatively rare out in the wild.

4) Network-based DLP. This can be a MITM proxy which all traffic goes through, common in financial firms. This can also include more basic solutions like firewalls blocking certain types of traffic or websites

5) Security monitoring solutions. This can be a SIEM solution which aggregates logs and looks for suspicious activity. Similar solutions are user behavior analytics systems which correlate historic user history, user roles and system information to look for suspicious activity. This type of system is essentially what Google's BeyondCorp Proxy is doing in the background.

6)Audit logs. This is primarily for tracking down who leaked data, but can serve as a preventive measure

tschwimmer 2 months ago

I take some issue with the use of the verb spy in this context. Merriam-Webster defines the verb form of Spy as "to watch secretly usually for hostile purposes." Spying has a negative connotation.

Is it really spying if employees are leaking data they are not supposed to? To me, leak implies unsanctioned or illicit.

  • nmstoker 2 months ago

    Then perhaps it's not hostile when you know they're leaking the data, but in many cases wouldn't you need to observe them first to establish it and that could be deemed spying. In any respect, I'm sure we can get broad the idea of what the OP was after and focus on methods used, even if the specific term isn't everyone's cup of tea.

techjuice 2 months ago

Easiest way is deployment of VDI (Virtual Desktop Infrastructure). Only allow specific keyboards and mice and disable any other USB functionality. This way there is no local data to download or need for upload directly on the system.

In terms of loss protection most companies use DLP (Digital Loss Prevention) technology and the system logs any activity of information leaving the system or entering a system (use of smartcards, usb drives (auto encrypting usb drives)) logging all contents burned to a disc, all emails going in/out of the system, etc.

With VDI normally there is a zero client with a keyboard and mouse and that is it. There is no local storage and everything the user interacts with is streamed to their desktop. If they need to upload something they will normally send it to the systems engineers for processing, this insures their requests only goes one way and they cannot download anything off the system.

If they need to send something they normally do it from their zero client and the server they are connected to processes their request. Normally with these setups the server and network infrastructure is extremely powerful to enable the ability for the zero client to appear faster than a regular desktop due to the server being able to deliver PCoIP otherwise known as DaaS (Desktop as a service)

nmstoker 2 months ago

Ones I've actually witnessed in previous jobs rather than simply hearing of are: attempt to disable connection of USB thumb drives, restrict external website access, apply outbound email monitoring, keep important data on VMs + disable the clipboard.

The common theme was that they generally inconvenienced, as all had fairly obvious ways one might hypothetically evade them.

The sorts of steps LinuxBender suggests seem more sensible at a cost of being more invasive, it's just a matter of much the company is willing to go before it is impractical. Locking down the BIOS, encrypting the hard drive and isolating the computer in a secure room are the other points I'd expect, but that takes things to different level and it's less about regular employee situations then (so maybe getting off topic?)

  • olliej 2 months ago

    Disabling clipboard and similar is common in “HIPPA” compliant software - a lot of which seems to be designed to reduce liability rather than help patients

truth_be_told 2 months ago

Data Loss Prevention (DLP) overall and Deep Packet Inspection (DPI) in the Network. As an example, Look at products from McAfee/Symantec for DLP and Sandvine/Procera for DPI.

LinuxBender 2 months ago

Block all outbound communications and force all traffic through a MITM proxy. Disable USB on all company owned devices. Restrict network access to company devices (802.1x, etc..)