I'm kind of ignorant in the use of PKI or other stuff to help with security,
so I'm not the one to be giving advice in that area.
I think you've got to take the attitude that files an employee has had
access to in the past are probably pretty much compromised. You have to
depend on their honesty and adherence to any non-disclosure agreements they
have to keep that data from being misused.
Encryption of the files should provide pretty good protection against some
nefarious individual sneaking in and copying the files for use later. I am
familiar with some places dealing with very sensitive information that have a
policy of immediately escorting anyone either fired or announcing that they
are "giving notice" first to their desk to clean it out, and then directly to
the door. Their accounts are immediately closed and passwords for data
access are changed at that time. No doubt this causes some inconvenience to
remaining staff at times, but they all understand the necessity for those
actions.
Typically the worst risk is the disgruntled employee and it is those that
you really have to think about when the time comes that they either quit or
are terminated. You have to come up with strategies to protect yourself from
any damage they may do. Take me for example! I happen to have full access
to the company servers and all workstations at our main offices. That, in my
opinion, is really more access than any individual in the HQ group needs or
should have, but I can't seem to convince them to move from a workgroup setup
to a true domain network that I could set up restrictions to some access even
to myself. But I've set up some processes to protect them against damage
that even I could do should I ever become that disgruntled employee. For
example, I could wipe out the contents of both our servers and that would be
a big ouch, but not fatal since the backup strategy I implemented would allow
them to recover possibly to only a point in time only 2 hours before I hit
the big [DEL!!!] button - worst case scenario, they'd lose 5 days data. As
for data misuse - heck, I've already got copies of most everything they have
here now - I'm one of the "off-site storage" facilities for backups <g>.
"Del boy" wrote:
> Thanks JL! Now I'm beginning to realise how hard this task can be.....
> All our staff have a smart card id tag (PKI) could this be a linked to excel
> to somehow limit opening of a spreadsheets by valid staff? I know once they
> have the file open they can copy/edit etc but I'm trying to limit ex
> staff/competitors opening up files if they get them.
>
> Any thoughts?
> --
> Del
>
>
> "JLatham" wrote:
>
> > You're kind of fighting an uphill battle.
> >
> > You could require a password to open the file(s) - but anyone with the
> > password can of course then open it on any machine.
> >
> > You could even write code to detect the user's login name on the system and
> > restrict that to some 'authorized access' list - BUT the simple expedient of
> > holding the [Shift] key down while opening the file keeps that code from
> > executing.
> >
> > In fact, I don't even have to open the file to dig the information out of
> > it. I could create a brand new workbook and set a formula reference into a
> > copy of it on disk and get the values on it - this would be somewhat
> > circumvented if the file required a password to open it.
> >
> > Pretty much anything you can do, someone else can undo. There are password
> > discovery (cracking) tools readily available that will reveal usable
> > passwords to:
> > open files
> > unlock protected workbooks
> > unlock protected worksheets
> > unlock protected VBA projects
> >
> > Encrypting the files is another potential 'speed bump' to put in the way of
> > would be data thieves. Bottom line: you really can't stop someone determined
> > to get at the data as long as they can get to the file. A data security
> > manager's worst nightmare is the thumb drive. You can put stumbling blocks
> > in the way and hope they are enough to finally tire out the attacker - but if
> > the data is of significant worth to someone, they're going to eventually be
> > able to get at it. You have to balance the number and type of stumbling
> > blocks to put in place against the inconvenience to valid users who need to
> > use that information.
> >
> > Excel, in and of itself, is not a secure environment for data. However, the
> > OS and other security features available to it and the network can assist
> > quite a bit in securing access to the file itself.
> >
> > "Del boy" wrote:
> >
> > > I'm trying to limit the possibility of confidential data being copied from an
> > > excel spreadsheet & then used outside of our organisation. Can Excel 2003 be
> > > setup to open only on specific company computers?
> > > --
> > > Del
|
Similar Threads
