What are your strategies for controlling Claude’s access to on-prem resources?

Asked By TechieTurtle42 On

I need some advice on managing access for Claude, especially as we've rolled out Claude Enterprise at a rapid pace. Leadership finally sees the risks linked to unrestricted UNC and ODBC access, and we're now in a tricky spot with our Claude Desktop clients. We're considering using Docker on both client and server sides to channel interactions through secure points where we can impose EDR and DLP measures. While this strategy works well with cloud services, it falls short for on-prem systems like MS SQL and SMB servers, as the documentation is lacking for enterprise scenarios. We're exploring this Docker route alongside other options like MS DAB, but I'd love to hear about your approaches. By the way, we're also implementing a system where users must access SMB servers only via AWS Workspaces with read-only AD accounts. However, I'm concerned that this might just be a temporary fix, and I'm looking for a more sustainable solution.

5 Answers

Answered By NetNinja21 On

We've taken a hard stance by isolating Claude's network completely from internal resources. Any files it needs have to be manually approved and moved onto its network, which we hope will minimize risks.

CautiousCat99 -

But what happens if Claude gets a remote IT job and manages to bypass those rules? That could spell trouble.

Answered By MarkdownMaster On

I've been using native sandboxing tools to protect sensitive files from Claude. By keeping environment files hidden and using secure vaults for keys, we can manage access more carefully. It’s all about applying strict policies and thoroughly auditing changes to prevent mishaps.

AuditAce -

How do you ensure that all tool calls are secure? Curious about your process.

Answered By SysGuard2000 On

One thing we've implemented is using read-only accounts for anyone interacting with AI systems. If there's a violation, HR will step in. This helps restrict what Claude can access without cutting it off completely.

HelpfulHawk03 -

Yeah, we're doing something similar with AWS Workspace setups tied to those accounts. It feels a bit temporary, though.

TechSavvySam -

I'm curious, how do you manage outbound requests while keeping accounts read-only?

Answered By SkepticalSteve On

Honestly, you should just stop it before it spirals out of control. Removing access completely for now seems like the safest option. Attempting to rein it in after letting it run wild—good luck with that.

RealistRandy -

Right? It's like trying to catch a genie back in the bottle.

Answered By GigaByteGuru On

We're actually testing out Prompt Security next week as part of our strategy to regain control. Luckily, I proactively lined up some vendors when we went from no AI to having half our devs on Claude within a month. It's been hectic, but we need proper visibility and control.

DataDolphin88 -

What are some alternatives to Prompt Security that you're considering? I've been tasked with exploring this too.

SecureSailor001 -

Is Prompt Security the actual product name? Sounds a bit off to me. Which vendor is it from?
