
Ask HN: What are some ways companies spy on employees leaking data? - rayvy
What are some practices that companies employ to prevent their employees from stealing/leaking sensitive company information?

I've heard of methods such as

   - obviously hosts contacted by the client machine
   - using software to detect if information has been exported via USB

Can you name any others?
======
twunde
The generic name for these types of solutions is DLP or data loss prevention.
DLP solutions are common in regulated industries with finance typically having
the most extreme forms of DLP solutions implemented.

1) DLP solutions for email and cloud storage: Office 365 and GSuite both have
a bundled DLP solution. 3rd party solutions are also fairly comprehensive.

2) DLP solutions for workstations. This can range from sharing being disabled
via MDM to DLP monitoring software (sometimes bundled in anti-virus) to some
type of Desktop as a service solution (See techjuice's answer for more info on
the last choice).

3) DLP server solutions. These can monitor for and disable certain sharing
protocols. Most of the solutions are commercial (opendlp being an exception)
and relatively rare out in the wild.

4) Network-based DLP. This can be a MITM proxy which all traffic goes through,
common in financial firms. This can also include more basic solutions like
firewalls blocking certain types of traffic or websites.

5) Security monitoring solutions. This can be a SIEM solution which aggregates
logs and looks for suspicious activity. Similar solutions are user behavior
analytics systems which correlate historic user history, user roles and system
information to look for suspicious activity. This type of system is
essentially what Google's BeyondCorp Proxy is doing in the background.

6) Audit logs. This is primarily for tracking down who leaked data, but can
serve as a preventive measure.

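Items 5 and 6 above describe aggregating audit logs and looking for suspicious sequences. The following added example (not from the comment author or any product) shows a toy SIEM-style correlation over constructed log lines; the log format, allowlist and thresholds are assumed for illustration.

```python
"""Toy SIEM-style correlation over constructed audit log lines: aggregate
events per user and flag sequences that suggest data leaving the environment.
The log schema, hosts and policy values below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> user=<name> event=<type> key=value ..."
SAMPLE_LOG = """\
2024-03-01T09:00:00 user=alice event=usb_mount device=removable
2024-03-01T09:02:10 user=alice event=file_copy dst=E:/q3-forecast.xlsx bytes=2400000
2024-03-01T09:30:00 user=bob event=http_upload host=sharepoint.corp.example bytes=52000000
2024-03-01T10:15:00 user=carol event=http_upload host=files.example.net bytes=87000000
2024-03-01T11:00:00 user=dave event=usb_mount device=removable
2024-03-01T15:00:00 user=dave event=file_copy dst=E:/notes.txt bytes=1200
"""

ALLOWED_HOSTS = {"sharepoint.corp.example", "mail.corp.example"}  # assumed allowlist
UPLOAD_THRESHOLD = 50_000_000   # bytes; assumed policy value
USB_WINDOW = timedelta(minutes=10)  # copy shortly after a removable mount is suspicious

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["rest"].split())
    return rec

def correlate(log_text):
    """Return a list of (user, reason) alerts derived from the log text."""
    alerts = []
    last_usb = defaultdict(lambda: None)   # user -> time of last removable mount
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ev = rec["user"], rec["event"]
        if ev == "usb_mount" and rec.get("device") == "removable":
            last_usb[user] = rec["ts"]
        elif ev == "file_copy" and last_usb[user] and rec["ts"] - last_usb[user] <= USB_WINDOW:
            # A real product would tie the copy to the mounted volume; this uses a time window.
            alerts.append((user, f"file copied to removable media: {rec['dst']}"))
        elif ev == "http_upload" and rec["host"] not in ALLOWED_HOSTS \
                and int(rec["bytes"]) >= UPLOAD_THRESHOLD:
            alerts.append((user, f"large upload to non-allowlisted host {rec['host']}"))
    return alerts
```

Running `correlate(SAMPLE_LOG)` flags alice (copy to removable media right after a mount) and carol (large upload to a host outside the allowlist), while bob's upload to an allowed host and dave's copy hours after his mount are left alone.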
------
tschwimmer
I take some issue with the use of the verb spy in this context.
Merriam-Webster defines the verb form of Spy as "to watch secretly usually for
hostile purposes." Spying has a negative connotation.

Is it really spying if employees are leaking data they are not supposed to? To
me, leak implies unsanctioned or illicit.

~~~
nmstoker
Then perhaps it's not hostile when you know they're leaking the data, but in
many cases wouldn't you need to observe them first to establish it, and that
could be deemed spying. In any respect, I'm sure we can get the broad idea of
what the OP was after and focus on methods used, even if the specific term
isn't everyone's cup of tea.

------
techjuice
Easiest way is deployment of VDI (Virtual Desktop Infrastructure). Only allow
specific keyboards and mice and disable any other USB functionality. This way
there is no local data to download or need for upload directly on the system.

In terms of loss protection most companies use DLP (Digital Loss Prevention)
technology and the system logs any activity of information leaving the system
or entering a system (use of smartcards, usb drives (auto encrypting usb
drives)) logging all contents burned to a disc, all emails going in/out of the
system, etc.

With VDI normally there is a zero client with a keyboard and mouse and that is
it. There is no local storage and everything the user interacts with is
streamed to their desktop. If they need to upload something they will normally
send it to the systems engineers for processing; this ensures their requests
only go one way and they cannot download anything off the system.

If they need to send something they normally do it from their zero client and
the server they are connected to processes their request. Normally with these
setups the server and network infrastructure is extremely powerful to enable
the ability for the zero client to appear faster than a regular desktop due to
the server being able to deliver PCoIP, otherwise known as DaaS (Desktop as a
service).

------
nmstoker
Ones I've actually witnessed in previous jobs rather than simply hearing of
are: attempt to disable connection of USB thumb drives, restrict external
website access, apply outbound email monitoring, keep important data on VMs +
disable the clipboard.

The common theme was that they generally inconvenienced, as all had fairly
obvious ways one might hypothetically evade them.

The sorts of steps LinuxBender suggests seem more sensible at a cost of being
more invasive; it's just a matter of how far the company is willing to go before
it is impractical. Locking down the BIOS, encrypting the hard drive and
isolating the computer in a secure room are the other points I'd expect, but
that takes things to a different level and it's less about regular employee
situations then (so maybe getting off topic?)

~~~
olliej
Disabling clipboard and similar is common in “HIPAA” compliant software, a
lot of which seems to be designed to reduce liability rather than help
patients.

------
lovelearning
Tiny yellow dots

[1]: [https://arstechnica.com/information-technology/2017/06/how-a...](https://arstechnica.com/information-technology/2017/06/how-a-few-yellow-dots-burned-the-intercepts-nsa-leaker/)

------
cbanek
Watermarks or small changes that encode the user accessing materials, such as
small dots on printed material, or hidden metadata on electronic documents.

[https://en.wikipedia.org/wiki/Machine_Identification_Code](https://en.wikipedia.org/wiki/Machine_Identification_Code)

It also recently was made public that Xbox did the same with private builds
of console software for people releasing YouTube videos of unreleased
software.

[https://www.gamerevolution.com/news/469221-how-microsoft-cau...](https://www.gamerevolution.com/news/469221-how-microsoft-caught-xbox-360-nda-breakers)

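The comment above describes small per-recipient changes that identify who received a document. The following added example (not the commenter's code, nor any vendor's) hands each recipient a copy whose inter-sentence spacing encodes their index, then recovers the recipient from a leaked copy; the text, names and encoding (index 0 reserved for the unmarked master) are constructed for illustration.

```python
"""Per-recipient text watermark: each copy differs only in whether a sentence
gap holds one or two spaces, encoding the recipient so a leaked copy can be
traced. Document, recipient list and bit layout are constructed for this example."""
import re

# Sentence gaps we are allowed to modulate: 1-2 spaces between a terminator and a capital.
SENTENCE_GAP = re.compile(r"(?<=[.!?]) {1,2}(?=[A-Z])")

# Constructed: the controlled document and the people it is shared with.
MASTER = ("Q3 numbers are not final. Do not circulate. Board review is Friday. "
          "Headcount changes follow. Ask finance for detail. Thanks.")
RECIPIENTS = ["alice", "bob", "carol", "dave"]

def capacity(text):
    """Number of bits the text can carry (one per modulable sentence gap)."""
    return len(SENTENCE_GAP.findall(text))

def embed(text, recipient_index):
    """Return a copy of text whose spacing encodes recipient_index + 1 (0 = unmarked)."""
    nbits = capacity(text)
    code = recipient_index + 1
    if code >= 1 << nbits:
        raise ValueError("text too short to encode this recipient index")
    bits = iter(format(code, f"0{nbits}b"))   # MSB first, one bit per gap
    # '1' -> two spaces, '0' -> one space; the words themselves never change.
    return SENTENCE_GAP.sub(lambda m: "  " if next(bits) == "1" else " ", text)

def extract(leaked):
    """Recover the embedded code from a (possibly leaked) copy; 0 means unmarked."""
    bits = "".join("1" if len(m.group()) == 2 else "0"
                   for m in SENTENCE_GAP.finditer(leaked))
    return int(bits, 2) if bits else 0

def identify(leaked, recipients=RECIPIENTS):
    """Map a leaked copy back to a recipient name, or None if unmarked/unknown."""
    code = extract(leaked)
    return recipients[code - 1] if 1 <= code <= len(recipients) else None
```

A single carrier like this is fragile, since mail clients and editors often collapse double spaces; practical schemes spread the identifier over several carriers (spacing, synonym choice, metadata, printer dots) and add redundancy so a partial copy still resolves.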
------
truth_be_told
Data Loss Prevention (DLP) overall and Deep Packet Inspection (DPI) in the
network. As an example, look at products from McAfee/Symantec for DLP and
Sandvine/Procera for DPI.

------
LinuxBender
Block all outbound communications and force all traffic through a MITM proxy.
Disable USB on all company owned devices. Restrict network access to company
devices (802.1X, etc.)

