Again, the question is: what is the problem?
Let us take as given that anyone who has the right to open a file to read
will implicitly have the right to copy its contents. There is no way to
prevent this. None whatsoever. The use of ACLs will limit the access to
those who are authorized. You have to work on the premise that anyone who
has the right to read the file has the right to create a copy of that
file. There is absolutely no way to prevent this. None whatsoever.
HIPAA requirements in the US do not stop employees of a health service
from releasing records, deliberately or accidentally. They simply make it
very expensive to do so. What you have to do to comply is to make sure
that UNAUTHORIZED people cannot get access to the information. Therefore,
ACLs will do the job. As long as you keep the data “behind the fence”.
If someone can put the data on a publicly-accessible Web page, too bad.
The hospital gets a WHOPPING big fine for having been careless. And the
employee who made the error probably does not have a bright future with
the hospital.
There is absolutely no way to detect if a file is being “copied out”.
There is a read handle to the file, and there is no way to control what
happens to those bits once they have been read. This is reality. Deal
with it.
If the file represents some confidential patient record, any nurse logged
in on his or her account will have access if the ACLs permit. You CAN
enable logging, so you can see who is accessing the file; so if there is a
leak, you can go back to the security log and see who accessed the file.
The rest of it is training people to not leave logged-in computers
accessible to potentially “uncleared” users.
So how can you have a filter that detects a file is being “copied
out” – other than detecting it is being used from a CopyFile operation,
which is essentially protection against functionally illiterate attackers?
But tell me how you are managing the protection, and I can probably come
up with a way to defeat it within five minutes. Why? Because it is not
possible to protect a file from being “copied out”.
Anyone who believes that it is possible to prevent a file from being
“copied out” needs to be made aware of reality. It IS possible to prevent
a file from being read; it is possible to prevent a file from being
written; it is possible to protect an entire directory from being
enumerated, or having files in it opened, or new files created in it,
etc., but the concept that you can determine a file is being “copied” is
meaningless. But overall, you cannot reliably stop a file from being read
if some human needs to see the data. For that matter, I could open the
file in the medical records program, “show the bits” in the GUI, and
photograph them with my smartphone. Any method that can prevent this will
work for solving your problem, but this should be a good way to illustrate
it to those who think it is possible because they wish it to be possible
(the “wish” style of writing requirements documents usually fails when
confronted with reality). The number of times I had to explain to clients
that their requirements were impossible in the last 50 years has been much
higher than it should have been. The billing system that wanted five
“quarters” in a year, or the company that wanted to be able to have the
computer produce the result that 10 * 2 = {10, 12, 14, 16, 18}, because in
their typewritten quotes, you took the quantity, multiplied by the price,
and then discounted by whatever you thought would get the quote to be the
low bid. The idea that the computer did not let them do this really,
really bothered them. Some things are simply not possible.
As another reality check for those who don’t seem able to deal with it,
the key is to design a system for a paper-based records system that will
stop someone from making a xerographic copy of one or more pages of a
patient record, or simply giving the original page to someone. If they
can come up with an impossible-to-bypass solution to this problem, they
have designed your solution for you. But I suggest continuing on with
life and not just wait for their solution, because it doesn’t exist.
joe
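Joe's point about enabling logging can be put into practice on NTFS without any driver: an audit rule (SACL) on the protected folder plus the File System audit subcategory makes every read show up as Security event 4663, which answers "who accessed the file" after a leak. The script below is an added example, not code from this thread; the folder path D:\PatientRecords and the audited identity are assumed placeholders.

```powershell
# Added example: audit reads of a protected folder and report who opened what.
# Assumes an elevated PowerShell session on Windows (changing a SACL needs SeSecurityPrivilege).
# $Folder and $Identity are placeholders, not values from the thread.
$Folder   = 'D:\PatientRecords'
$Identity = 'Everyone'   # audit every principal; narrow to e.g. 'HOSPITAL\Nurses' if preferred

# 1. Enable object-access auditing for the File System subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an inherited SACL entry: ReadData on any file below $Folder writes an audit record.
#    (On the folder itself ReadData means ListDirectory, so enumeration is audited too.)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. When a leak is suspected: list who read which file, from which process.
function Get-ProtectedFolderReads {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
        ForEach-Object {
            # Pull the EventData fields by name rather than by fragile positional index.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$Path\*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    File    = $d.ObjectName
                    Process = $d.ProcessName
                    Access  = $d.AccessMask   # 0x1 = ReadData
                }
            }
        }
}

Get-ProtectedFolderReads -Path $Folder | Sort-Object Time | Format-Table -AutoSize
```

This tells you who opened a record and from which program; as the post above says, it cannot tell you what happened to the bytes afterwards.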
Joseph,
Thanks for the feedback.
I have a minifilter driver that monitors files within a folder so that
files cannot be copied out from the protected folder. This can be done
with the non-readable files method.
The problem is, users (nurses in a hospital) want to read files within that
protected folder, in which case I have to set these files to READ-ONLY,
and at the same time they are not protected from being copied out.
I can understand the concern of, in the first place, why we should allow a
file to be opened for READ and open the chance for it to be copied into
other locations, and I really find it hard to explain to non-technical
people, as this is one of the requirements.
I am aware that “COPY” means to open for reading, which actually allows
files to be copied out, and this is the reason that I placed the question
here.
Please advise.
NTFSD is sponsored by OSR