Google Drive and secondary encryption

Topic

New Reply

Sorry if this is the wrong place for the question, but after searching (and searching), I found a question about Drive that had a breadcrumb pointing here.

We’re getting into this a little late in the pandemic story, so I hope there’s a fair amount of experience to draw upon.

There is an office where we have sensitive client information.  With the current surge in COVID, an employee may need to work from home, rather than coming into this office.  The office has a private network to share the client files in-house.  I’ve been asked how to implement a solution.

I use Google Drive (and backup&sync) personally, and can recommend that, but I have been reading about added layers of security.

1. I’m looking for recommendations about encrypting the data prior to uploading to the Google Drive cloud.  (I know they also encrypt, but they also scan for data useful to their search engines.)

2.  Since the data would need to be downloaded and decrypted in order to make changes, should VPN also be used in that process?  (Drive is supposed to be encrypted end-to-end.)

3.  Since there are a large numbers of clients, would each client need to be encrypted separately?    I’m thinking this is becoming a huge magilla!

 

Thanks for any advice!
Towson_Steve

Reply | Quote

Replies

Towson_Steve wrote:

There is an office where we have sensitive client information. With the current surge in COVID, an employee may need to work from home, rather than coming into this office. The office has a private network to share the client files in-house.

Well now… this will depend on exactly what is agreed with the client.

Towson_Steve wrote:

I use Google Drive (and backup&sync) personally, and can recommend that, but

… I’ve seen client requirements that data not be transferred to a third party even in encrypted form, without specific approval from the client and possibly other requirements. Sometimes that is required by law and not the actual contract.

In some cases this makes Google Drive and other similar services categorically unsuitable.

Yes, very possible that you’ll need to get some lawyers involved.

In my experience, small healthcare businesses might be the worst clients in this because they’ll ask you about what they legally require, and healthcare law is complicated. (I’m in one EU member country, might be different elsewhere but from what I’ve read in the news, different might well mean worse…)

Towson_Steve wrote:

2. Since the data would need to be downloaded and decrypted in order to make changes, should VPN also be used in that process? (Drive is supposed to be encrypted end-to-end.)

A VPN without any Google involvement is more likely to fit contract requirements easily.

And I mean a properly private VPN, the kind that makes your home PC look like it’s in the office. Many of the more “current” office router and/or firewall boxes offer a simple VPN capability for that just waiting to be turned on, but if there are lots of people doing that, a small one might run out of capacity.

That only leaves the matter of whether the home desks satisfy any contract or legal requirements on premises where work is performed… in some cases I know of, that too might be very difficult, but in others quite easy.

Towson_Steve wrote:

3. Since there are a large numbers of clients, would each client need to be encrypted separately?

Depends on the contract and legal requirements with the clients…

I’ve heard of cases where someone had two work laptops with different security settings, to work from home with two clients with different requirements. And still had to go into the office to do some stuff for a third one who had physical security requirements.

1 user thanked author for this post.

Towson_Steve

Reply | Quote

There are so many solutions it’s hard to know where to start.

If your client has servers you could use a secure remote desktop connection to access a machine on the internal network. This is the most secure as the data never leaves the site, although you can copy / paste at home.

There are secure sharing solutions, like OwnCloud or Tresorit. These manage the encryption for you, unlike GoogleDrive. Google’s GSuite has full encryption.

It’s really about whether the data is allowed offsite and if so, who will manage that data.

cheers, Paul

1 user thanked author for this post.

windbg

Reply | Quote

There is a nice article here about possible solutions.
https://www.askwoody.com/forums/topic/covid-19-the-challenges-of-working-from-home/#post-2211185

The cheapest is probably remote desktop with Duo for authentication.

cheers, Paul

1 user thanked author for this post.

Towson_Steve

Reply | Quote

Thanks, mn- and PaulT !

You’ve given me much to ponder.

This is a two person office that has been in business for nearly 20 years.  In-house, the files are stored on one PC, and the associate has a hard-wired network connection to share the files.  The Principle user may retire within the next 18 months, so expenditures are not so attractive.  In fact, the associate user may wind up with the bulk of the business, making all this moot.

Would you say that a remote console situation might be the ultimate solution for the timeframe?  I would need to bone up on setting that up.   There is no immediate move afoot; just seeking paths for investigation.

 

Thanks again.

Towson_Steve

 

Reply | Quote

The cheapest and easiest IMO is Duo Free and remote desktop. You need to configure the connection at the office and load the Duo app on your phone, then away you go.

cheers, Paul

p.s. I wouldn’t attempt any office connection without 2FA –  too many bad actors trying to access your stuff.

Reply | Quote

How Duo works.
https://www.askwoody.com/forums/topic/patch-lady-ransomware-attacks/#post-1914631

cheers, Paul

Reply | Quote

Wow, look at the date!

As you can imagine, as with many things, the thrust of this inquiry has become moot.  After the considerations concerning individual client personal data and the permissions required to cover ourselves, the decision was to keep things as it is – basically offline and airgapped.  Now with vaccinations making us safer, working in what had already been a mostly empty office will serve for the remainder of my wife’s professional career.

I appreciate the thoughts and suggestions all of you have brought to the table.  Look for my next post asking about the current best affordable router for a four-level beachfront condo.

Thanks again.

Towson_Steve

Reply | Quote