One of the more interesting arguments currently rumbling around the
office is the lack of backup for the HR person's laptop.
This contains a copy of the contract and other HR type info on every member
of staff we've got working here. It's certainly confidential
information, some of it contains NI and healthcare details, as well as
bank account information and other personal records.
After a developer's laptop was stolen last month, I've had cause to look in more detail at the backup (or lack thereof) for the various services around the office.
Management think that Dropbox would be a good solution, as they claim to be secure, but I'm decidedly unsure where the law (and the Data Protection Act) actually lies on this.
I was under the impression that you're not allowed to let the documents in question leave the site/country/EU. So Dropbox would be no good, as they're based in the USA, and probably Amazon S3-backed.
Quick info:
- We're UK based, with operations in the EU (DK)
- Management would like online access, as granular as possible: one user creates a document/folder and only they can access it, one globally shared folder, as well as group-based access lists.
- I would like anything that's properly secure, tested, hard cryptography (AES).
- Dial-in IPsec VPN access would be nice; HTTPS would probably do too.
- A solution that's not going to cause us to get sued by the Information Commissioner if things go balls up.
Anyone got any ideas? Done this before? Should I just build a server and store it somewhere in the office, or a dedicated server in a UK datacentre?
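One thing worth seeing in working code, whichever hosting option is chosen, is what "hard cryptography (AES)" on a backup actually looks like when the key never leaves the office: the offsite copy is then ciphertext plus an authentication tag, and a modified copy is refused on restore rather than silently restored. The following is an added example, not code from the original post or from any of the products mentioned; the sample "archive" bytes, the function names and the 32-byte key file convention are all assumptions for illustration. It does not by itself answer the Data Protection Act question, which is about where personal data is held and under what terms, not only about whether it is readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample standing in for the tar/zip of the HR folder that a
// backup job would hand to the uploader. Real runs would read the archive file.
var sampleArchive = []byte("contract-jsmith.pdf: sort 12-34-56 acct 00112233; NI AB123456C\n")

// NewKey generates the on-site key (assumption: stored on an office machine,
// never alongside the backup and never on the laptop being backed up).
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// A fresh nonce per backup means identical archives never produce identical blobs.
func Seal(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext||tag to the nonce slice, giving the layout above.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any change to the blob (nonce, ciphertext or tag)
// fails the tag check, so a tampered offsite copy is rejected, not restored.
func Open(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RoundTrip runs the backup path (seal), the restore path (open), and then
// flips one byte of the "offsite" blob to show that restore refuses it.
func RoundTrip(data []byte) (restored []byte, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return nil, false, err
	}
	blob, err := Seal(key, data)
	if err != nil {
		return nil, false, err
	}
	restored, err = Open(key, blob)
	if err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // single-bit change inside the ciphertext
	_, terr := Open(key, tampered)
	return restored, terr != nil, nil
}

func main() {
	restored, rejected, err := RoundTrip(sampleArchive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored %d bytes, tampered copy rejected: %v\n", len(restored), rejected)
}
```

The point to take from it is the split of responsibilities: whoever holds the blob (Dropbox, S3, a UK datacentre) holds nothing readable, and whoever holds the key file can read every backup, so the key file needs the same care the HR laptop should have had, including its own backup, or a lost key turns every archive into noise.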
Turn the assumptions around for a moment - why does confidential data need to leave site at all? Why not just create a Terminal Server, connectable to the web via VPN, and have people connect to that to access confidential data and applications?
First off, Dropbox does not seem to be Safe Harbor-compliant, so storing anything covered by the DPA would be a breach of DPA responsibilities.
You're allowed to ship (some types of) documents (electronically) to the US, as long as the other end is Safe Harbor-compliant (and registered). I don't know if this covers healthcare details, but it's certainly enough for "name, address and phone number" (or was, when I was looking into the relevant regulations back in 2006, as work was considering off-shoring backups to a US data centre).
I suspect that what you'd want to do is a combination of the following: