Hi there,

new to this forum.
We work with quite a bit of confidential information, so need a systems that prevents certain office files from leaving the office - i.e. users should be able to to edit those files, but should not be allowed to attache to email, or save on usb sticks.
Does any Linux server offer such a system?

Any hint would be greatly appreciated.

I can't imagine how. Think about it - if they can see the contents of a file, how can you stop them from saving a copy of it?

it is somehow possible - there's very expensive software available for windows servers that do just that - see http://www.fileopen.com or hardware, see http://shop.tstor.biz/src/mainpage.asp

wondering why nobody seems to be looking for these kind of systems in times of data protection requirments

Because this is a fundamentally difficult problem. Once someone has the information, if they are determined to copy it, there is no way you are going to be able to stop them. Consider - once it's open, I can take a screenshot. They add a hook so that window blacks out when you do so? Okay, I'll run VNC and then take a screenshot of that. Or I could skip all of this and just manually copy it. It's a cat-and-mouse game you can never really win.

Moved: This thread is more suitable in <Linux Security> and has been moved accordingly to help your thread/question get the exposure it deserves.

Sasha

Confidential business-wise how or according to which official rules and regulations?


Does the confidential information reside on different network(s)/server(s)?
Are there separate workstations for handling confidential information?
Are these workstations stored in a locked and shielded area that is only accessable to authorized personnel?
Are these workstations locked down appropriately to avoid physical, visual and networked data transmission?
Does authorized personnel require a unique and separate code for unlocking the area?
Ditto for unlocking the workstation?
Is authorized personnel screened for the task and trained to handle confidential information?
Is authorized personnel monitored and searched on the premises?


If you answer "no" to most or all of the questions above then we are probably not talking about the kind that is bound by formal, official rules and regulations but more likely "simple" business confidentiality. For any technical implementation to work it needs to be embedded in a framework which addresses separation of data, roles and access. It is costly in setup and maintenance but without framework you have no theoretical and practical way to enforce rules, audit access and penalize offences.

Thanks for all the replies.

It is kind of cat and mouse. However, if you have to take individual screen-shots with a third-party tool of, say, 100 individual powerpoint slides and then copy-paste them into a new document rather than being able to email the whole document, that does make a difference.
In addition, we are working with excel tools, whose background functions and calculation models are not visible to the user and cannot be copied through screenshots. But if a user is able to email the excel, the tools can leave the office and could be transmitted to our competitiors.

We are currently working with a Korean windows 2003-based system called TstoreSS, that more or less what we want, but not really happy with it. And it's windows-based only at this point in time.

English webiste http://www.tstor.biz/eng/