Archive for the ‘Data Protection’ Category

November 30th, 2012

New: Credant for Mobile Device Security

As more and more employees bring their own smartphones and tablets into the workplace (from iOS to Android devices), keeping data secure on these devices becomes critical.

Credant for Mobile Device Security puts your organization in total control of your data, whether it’s stored or accessed on personally owned or corporately owned mobile devices. Because Credant for Mobile Device Security is centrally managed, IT departments can easily:

  • Integrate iOS and Android devices: by tapping into the platforms’ native security features, there is no loading or configuring of apps on the device
  • Set policies and restrictions across the enterprise, such as requiring a PIN or disabling backups
  • Execute commands quickly and efficiently, including password reset and, if necessary, remote wipe
  • Automatically detect unenrolled devices and remove those devices’ access to corporate data if they are lost, stolen or must be deprovisioned
  • Compile compliance reports, including reports that satisfy auditor and regulatory reporting requirements

“Our customers are facing the new reality that comes with enabling a growing mobile workforce,” said Chris Burchett, CTO and co-founder, Credant Technologies. “With Credant for Mobile Device Security, organizations large and small have the peace of mind of knowing that corporate data is secure wherever or whenever it is being accessed.”

Your employees continue to be able to work where, when, and on the devices they want, without putting critical data at risk. Learn more about how mobile device security could benefit your organization by visiting our website.

No Comments
July 19th, 2012

Why is a Data Protection Platform Better?

First I’ll talk a little bit more about some of the elements of a platform and why it’s better than the traditional approach. One of the reasons is that you provide a framework. By framework I mean that you have well-defined concepts and integration points. What are all the ways that I can protect data, in both stream form and block form? In file form, or in motion? It gives you a very consistent way of dealing with data. And what that means is that when new things come along, new Cloud services or new mobile services, you already have a place built into your architecture where you can add support for them. It’s not a whole new re-engineering and re-architecture, because the framework has accounted for what the structure of the problem fundamentally is.

We’ve all seen lots of frameworks. Some of them have been successful and some have not. But this is an important element: defining the domain that we’re dealing with, the problem domain, in a very extensible way. You need to allow other people to plug into that framework at those different extension points, and they should be both internal and external, for third parties to plug in. For example, if I’m sharing data with a third party I need to be able to let them establish an identity with me, so one of the things that I need to have built into this data platform is the ability for them to plug in identities, or establish an identity that I can trust at that time and in a dynamic way.

Next, data lifecycle node equivalency. That sounds really technical or complicated, but what it means is that across all of the different things data can flow through, the data is always flowing to a system or from a system. It’s flowing to a home PC, or to an iPad, or to the Cloud, and as it does that, all of those need to be treated in some way as equal peers. We need to establish that each of them has a certain degree of threat or vulnerability associated with it; each has a certain risk posture. So there’s an equivalency in the sense that they can all be represented in the same way, as having some basic characteristics: like I said, a vulnerability posture, and a corresponding amount of protection required by that posture. That way the system can treat each of them appropriately even though they’re diverse platforms; the way you would protect something on one may not be equivalent to the way you would protect it on another, a tablet versus an internal server in the data center for example. You may not choose to protect the data the same way, but you need to be able to look at all of those things as nodes and simplify your management, so you can set up high-level policies and then let the system intelligently protect the data and enforce the data protection policies. And that’s the next item.

 

Once you can look at all the different nodes, what you can do is have the system follow the preferences my administrator has set up: prefer hardware encryption where possible, locally on a box. If hardware encryption is not present, then prefer OS-based encryption, then software-based. Whenever data leaves the box, it must be encrypted. And if certain paths can’t be protected, block them.

 

Now a big part of this is: okay, I’ve encrypted my data everywhere, great. At Credant we like to believe that the natural state of the data is, frankly, to be encrypted wherever it goes. That way the data owner stays in control. Now what you have to have is integrated authentication, managed centrally. You have to be able to unlock the keys and make sure that there are key rings moving around, and group key management. Thus, you have to have authentication and key management integrated centrally into the solution from the start. And if you’re in an environment that needs strong authentication, like smart cards, fingerprints or proximity cards, then that needs to be part of the solution and fit into the framework that we talked about.

 

Finally you need to have collaboration and sharing policies, and I could go on and on about all that. The benefits of such an approach are obvious: the more the platform can automate, the less work for IT and the less impact on the end user. There are a lot of benefits in terms of improved security and lower cost, and such a framework is extensible for the future. But most importantly, it gives us a way where we don’t have to say, okay, on my Macs I’m doing this, on my servers I’m doing that, and on my handheld I’m doing something else. If it’s all tied together through this kind of unified solution, then that really makes a lot of sense.

 

As I turn the corner to wrap up here, real quickly, I’ll give you a short overview of what we’ve done. Credant is 100 percent focused on solving this problem. One of the ways we’re doing that is by extending the workstation and handheld encryption and data protection that we have with mobile device management and cloud, and also by working with partners to establish third-party plug-ins into the solution, so that customers who deploy a solution like ours can be sure that the decision is a future-proof one, because we’re going to be there providing new plug-ins and new extensions with other partners in the future. We’re now supporting all of those things except for the Cloud, and that’s coming in a couple of months. But it is all done in an integrated way, from one platform and one console, so that it is easy to manage. Key management is obviously very important in our system. No administrator touches keys, and no administrator ever has to individually manage keys; the keys flow automatically and transparently. That’s a great simplification that we’ve provided as part of the platform. Auditing and reporting are obviously also huge and important aspects of the platform, which includes enterprise integration into your directories and your security and event management.

 

So then what is managed? The nodes of this data protection fabric include workstations and endpoints, mobile devices, and servers. In the future we’re moving even towards storage, Cloud and enterprise applications. Things we’ve added recently include support for Windows Server, virtual servers and VDI environments. We’ve got several banks deploying our solution in VDI settings to protect removable media, because one of the biggest trends we see right now is the need, in finance and healthcare in particular, to protect data that flows through USB thumb drives. One of the things that we think is exciting is the potential for an SDK into the system; that’s a clear need in terms of supporting the extensibility goal of a platform.

 

In summary, traditional bolt-on approaches really don’t meet the current challenges much less the emerging challenges.  So we really believe that enterprises need to be looking for security for the full data lifecycle.  And thinking about how can I have one system that’s going to protect my server data, my Mac, my Windows, my endpoints and all the data that moves between them and into the Cloud.  And finally, we think the best way to do that is through a platform approach.  And we don’t see a lot of those platforms really in existence today, but we think that they’re coming and we tend to lead the way to provide a real platform.  And people have talked about it.  But in terms of automating, giving it the automation and extensibility and the framework, plugin capability, we think there’s a lot of room to innovate in the market to help you solve your really important and pressing problems right now.

 

No Comments
July 17th, 2012

Behind Data Protection Door Number 2

So what’s the alternative? The alternative really is what we’re calling here the data protection platform: a platform that provides a central set of services so that the data protection goes with the data as it moves across the data lifecycle.

So what you do is encrypt the data within your enterprise, and as the data moves it stays encrypted. There are some challenges with doing that, which I’ll talk about later. But some of the core tenets you need to be a successful platform are: simple control, and management visibility into where your data is, how it’s being protected, and how to recover access to it; how to manage and report on the system in terms of keys, compliance and collaboration; and how to report and audit that you’re complying.

Now of course, to make something like that happen you have to automate as much as possible. So you do need software that does automation, and you need a very flexible policy system that lets you specify rules for how you protect data wherever it goes. But another important piece is that it needs to be extensible. We already said that there are more and more services coming on all the time, but the one consistent thing is that those services all tend to use data as files, as discrete chunks of data. And those can be protected. Data that moves into Dropbox or into Amazon tends to be file-based data by and large, unless you’re going into a proprietary system. And where there are proprietary systems, there is a list of standards.

A platform needs to be based on standards as much as possible and avoid the proprietary lock-in that some systems create. If you use standards and provide a framework for extensibility, then you get the ability to add on to the system after it’s been deployed and add services. That’s really where we need to go, so that you can provide new safe paths for your users as new Cloud offerings or new mobile devices come online.

Obviously it has to support your existing IT infrastructure, so you have to integrate with other operational processes like AD, log management, and security information and event management. All of those things have to be supported by the platform as well. And then you have to, fundamentally, stay out of your users’ way. You have to maintain a real strong sense of transparency. You have to provide very easy paths for your consumers to be safe, and the security can’t get in the way of that.

So next I’ll discuss why a data protection platform is better….

No Comments
July 13th, 2012

Behind Data Protection Door Number 1

What would that new approach look like, then? What are the solutions to integrating security? There are at least two options. The traditional approach: implement security separately for each type of data, endpoint or service. And a new approach: one that spans all of them (every type of data, endpoint or service).

Now, the benefit in the past of taking door number one, if you will, the individual technology choice for each platform type, is that you go deep on each type of platform, and you have a lot of different service and protection offerings. The challenge with it is that it is really complex and expensive. And as the options available to end users keep growing, we believe this approach becomes untenable. If you go deep on every platform, with deep, kernel-level code and all that goes into maintaining and managing that on every single platform and every single device that your employees and your partners use, that’s ultimately a scenario where you can’t win.

For example, a customer once said: I want to allow my billing partners to have my data, but I want to force them to run software that modifies all the Office applications as well, and I want you to build this kind of deep Windows solution. The thing I pointed out to him was that every time Windows updates, you are now responsible for all the customer support for your partners, because a solution like that is so dependent on and so deep into the operating system and the Office apps that the support would no doubt be brutal, and you can’t predict what Microsoft will change. The whole approach is basically flawed, because now you’re going to take on the support burden for your partners, and you can’t do that. It just doesn’t make sense. It’s the right idea and the right motivation: protect the data and want the data to be safe wherever it goes. But the implementation approach of doing a particular deep solution for every platform and every place the data goes won’t scale. It just can’t scale.

Stay tuned for what’s behind door number 2….

No Comments
July 10th, 2012

The Challenge of Integrating Security

To illustrate the point just in the area of key management, a Computer Weekly survey found that 88 percent of organizations had multiple administrators managing their encryption keys. That doesn’t mean those administrators are required to look over one another’s shoulder when keys are accessed; it means that a lot of different people have to have access to the keys. And 22 percent have ten or more. This basically means that there’s a lot of opportunity for things like collusion, WikiLeaks-style leaks, or insider threats. It also speaks to the complexity of the environments and the need to have all these people trained on these systems just to understand them. Interestingly, 42 percent of administrators are managing encryption technologies from at least four suppliers, while eight percent are dealing with more than ten suppliers. This is amazing considering the complexity that can exist in one encryption system; having to deal with ten is just remarkable. But I can also understand why people say, well, I need to protect my servers, I need to protect my Macs, I need to protect my Windows devices, my handheld devices, etc. It’s understandable how you could quickly get to four or more technology platforms for encryption.

But it doesn’t have to be that way. The core problem driving the complexity and the change is the fact that the traditional approaches just aren’t working. There are a lot of problems organizations are dealing with, but one of the fundamental ones is that users are now self-sufficient. We have a self-sufficient population. They don’t wait for IT. They move data immediately to solve business problems; that’s what they’re paid to do. They do that 24/7, because nobody works a regular day anymore. So our users are self-sufficient, and the technologies they use are more self-serving now.

There are lots of different technologies and startups out there trying to make technology simpler and simpler. Today, you can have instantly what might have taken IT six months to develop in years past. You can have compute and storage in minutes now, at most hours. That kind of pace, that rate of change, means that data flows instantly. So we have to set up systems that, first of all, anticipate that, and where data protection is built into what our users are going to do: giving them approved, good paths to follow instead of blocking or missing the paths that users come to follow. And obviously this is not a trend that’s going to change. This is only going to get worse going forward.

So there’s a new approach that we really need to take. We need to stop depending on setting up perimeters. And of course everybody’s heard this for years; we’ve been saying in the security industry that the perimeter is dead. I remember years ago we used to talk about how there is no perimeter. There’s a lot of good work done by the Jericho Group and others who tried to get that message out, and I think by and large people have received it. But what we have not really gotten to is a unified, consistent data protection strategy.

Stay tuned for my next post on the solutions to this….


No Comments
July 6th, 2012

The IT Challenges of Today

I want to start off with essentially the bad news: we’re seeing more and more security challenges arise. I’m going to walk through why traditional approaches and traditional thinking for solving data protection problems are beginning to fail. The big three challenges that we’re facing right now include:

  • BYOD (what used to be called consumerization) – end users in organizations are in more and more control, they want more and more services, and they use their mobile devices to get them.
  • The Cloud – this one plays on those mobile devices and the need to access the Cloud from them.
  • Mobility – the underlying trend here is simply that workforces, and populations in general, are more and more mobile nowadays.

So what’s IT trying to achieve? Today, IT departments are still essentially 100 percent utilized just trying to meet their day job. Typically they’re focused on how to manage what we already have deployed so that we can enable our business, how to drive cost out of that operationally, and then how to plan for the future and reinvest those savings back in the business strategically. Oh, and by the way, we need to make sure that our data is protected, because in this day and age compliance for our corporate data is a huge, huge return.

Thus the challenge is that while we have these new trends coming on and we have these existing functions we have to perform, they don’t always align with one another. The very things that we do to keep the lights on and keep the business going don’t always cover the new things that are coming in, and the new services needed. Every day there are new Cloud services coming up, from do-it-yourself Clouds on: basically, build your own Cloud and sync to it. So employees and partners are trying to solve their own problems, and sometimes the methods, procedures and tools that we’ve had in place in the past don’t extend to, and don’t leverage, the new technologies needed to solve the problem.

But wait, it gets worse: this is a trend that will continue. Users are just going to want even more connectivity in the future, and it’s going to lead to more extremes. With the iPhone app craze there’s essentially no reason, in most users’ minds, why they shouldn’t have all IT services available as an app on their iPhone or their iPad. It’s a huge challenge. And it’s not just applications; it’s also the fact that your data is actually moving, and it’s going places that we don’t always fully recognize. So, in fact, in order to get our organizations moving at the rate they need to, the data has to move too. And that data flows from our corporate servers to workstations, to handheld devices, to the Cloud and beyond.

For example, one of our customers found 8,000 users were using Cloud services without any specific corporate approval. The team wanted to shut off access to these services (Dropbox and SugarSync) but the CIO decided no because the organization clearly needed it.  So it’s become important for businesses to find a way to secure it.

What does this all mean? Obviously, solutions that solve these kinds of problems are very, very complex, and complexity is bad for security. The more complex the environment, the more different platforms, databases, back-end systems, kinds of applications and employee scenarios you have, the greater the challenge. Are they inside my network? Are they outside my network? Are they working from home? All of this complexity is really a challenge to manage, particularly when you think about all the systems we have in place and the traditional way we think about it: I need to install agents, I need to use a firewall for this, I need to use an AV product for that, and it gets very cumbersome quickly.

Stay tuned for my next couple of posts on overcoming these challenges…

 

No Comments
June 14th, 2012

Managing your Windows 7 Upgrade: Part II

SELF-ENCRYPTING DRIVES

Let’s look at the software impact that upgrading to Windows 7 can have on BitLocker. As part of the hardware refresh that can accompany these updates, the other thing that happens is that people start to look at self-encrypting drive technology, which is becoming more and more available and more and more cost effective.

 

SED?  WHAT’S THAT?

The idea here is that the drive is essentially self-defending. So you’ve got a self-encrypting drive, often abbreviated SED. It is usually a fixed disk which uses some kind of hardware-based encryption. The standard for these is OPAL, and you’ll see more and more devices that are OPAL compliant. They’re made by people like Hitachi, Toshiba, Seagate and Samsung, so there are a number of different manufacturers now, and most of them are moving to some kind of OPAL-compliant SED. The Trusted Computing Group estimates that in five years pretty much all drives will have some kind of self-encrypting capability, and that includes not just the traditional mechanical drive but solid-state drives too. So self-encrypting is really going to become the foundational element for at least drive-based data protection.

 

HOW IT WORKS

And there’s a reason for that, and it’s conceptually very simple. You have the file system and the operating system running on top of the drive. In between the drive and everything you want to do with it, you have a hardware component that performs all the encryption tasks. So, typically, SEDs use AES-128 or AES-256, again an industry-standard encryption algorithm, but there’s a hardware piece that sits there. Everything that gets written to the drive is encrypted. Everything that gets read from the drive is decrypted. There are a couple of different keys that are used: a data encryption key, and an authentication key. I won’t talk about those in great detail. If you’re interested, a couple of weeks ago we had a webinar just on self-encrypting drive management where I talk in more detail about what those keys do, where they live and how to manage them.

 

WHY THE INTEREST?

Many organizations are looking at SEDs, especially organizations that have looked at software-based full disk, or full volume, encryption. That approach of encrypting the entire drive is appealing to them. They’re now looking at SEDs, or other hardware-based encryption, as a way of getting the same conceptual simplicity of “encrypt everything” without a lot of the headaches associated with software-based full disk encryption. One of the first things we hear when people look at self-encrypting drives is, “Boy, they’re really fast.” It is a much faster approach than software-based encryption of the full volume, because you don’t have to run an initial pass encrypting everything, and the encryption all happens in a specialized piece of hardware. So the drive is essentially running at full speed, and all the encryption is taking place in specialized hardware. They’re faster to use. They’re also faster to roll out, because you don’t have a lot of the upfront work required to prep a system for software-based full disk encryption. Anyone who has deployed software-based full disk encryption knows there’s a lot of work that has to go into ensuring the physical drive is ready to have the encryption deployed to it. And if it’s not ready, you can, as it’s called, brick the system: you can cause the system to become completely unusable. That doesn’t happen with a self-encrypting drive; the drive is going to be fine. So you’ve got a lot less work up front, a lot less management, a lot less risk up front. The other thing to say is there’s a much shorter time to security. Instead of spending a long time encrypting a full volume in order to get it to “secure”, with a self-encrypting drive you pretty much turn it on and it’s ready to go. You’re pretty much secure. So we’re talking about a couple of minutes rather than many, many hours.
So: less time, less work up front, less risk up front. Faster from a performance perspective and also faster time to security. And it’s just very, very simple. The drive is encrypted all the time. You can’t tell a self-encrypting drive not to encrypt. So you’ve got a very simple conceptual and high-performance approach, and it’s not surprising that people are looking at SEDs.

 

WHERE DO THEY FIT?

And again, where they fit is the same places you would think a traditional full volume approach would fit: when simplicity is very important, when you’re thinking “I want to keep the advantages of software-based full disk encryption without the pain of software-based encryption.” It’s a great place to look at SEDs as part of that hardware refresh, as part of the whole process of cycling through your systems, whether it’s every three, four or five years. That’s a great time to start looking at SEDs. But we’ll say that because it’s a full volume approach, just like BitLocker, you don’t get a high degree of granularity of encryption. In other words, I can’t, at least currently, easily decrypt or encrypt certain parts of the files on an SED. Everything’s encrypted all the time, and therefore when I unlock the drive it’s usually unencrypted for everything. That means there are implications if I need to share a system, or give a system to somebody else to work on: I can’t just decrypt the OS and keep the data encrypted. I’ve got to give them an unencrypted everything. And that, again, can be a challenge for sensitive information. Also, I’ll say something here that is probably so obvious it almost doesn’t need saying, yet I’m going to call it out anyway: you have something else for everything else. In other words, you have an encryption and data protection solution for the other places your data is going to go. Because as data moves increasingly in large volumes and with increasing mobility, it moves onto removable media, onto other devices, out into the cloud and so on. SEDs aren’t going to help you there. It’s a device-centric form of data protection; it protects that device. So you’ve got to think about what else you are going to put around it to protect information as that information moves to other platforms, to other drives, to mobile devices and so on. Do think about that as part of your planning process.

The other thing I will say is that it’s great technology, “but”, and it’s a big but, deliberately big. The “but” is that, like every other piece of data security technology, it requires management.

 

AREAS TO CONSIDER

So there are still things to think about, even with the simplicity and robustness of a self-encrypting drive. User management: how do I define who has access to that drive and who doesn’t? There are still questions around key recovery. There’s a preboot authentication step with a self-encrypting drive to unlock the drive; what happens when the user forgets it? How do I do reporting? Defining policies, and integrating those policies with everything else that’s going on in my organization. That preboot authentication step does require users to understand what they’re doing. Ideally you want to tie the preboot step into [UI] typing my PIN so that the drive knows it’s really me, and I want to tie that step in with my authentication to Active Directory generally, so I don’t have to keep re-authenticating as a user, just to reduce the impact on me. Remote administration, patching and so on are also important things to think about. One of the challenges you’ll have is that you still need your other operational processes: you still need to install software, update software, patch the operating system, and so on. You don’t want to have to physically walk to every system, nor do you want users leaving all those systems on 24/7 so that they don’t interfere with your patching process. You ideally want to be able to wake those systems up, unlock the drive, do the patching, relock it and shut it down again, all automatically. That’s something you’ll want to consider. It’s certainly doable with SEDs, but it’s definitely something you want to be thinking about: “How do I integrate SED management with the other operational stuff I need to do as a business, so I don’t break everything else I need to get done?”
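The two-key design from the “How it works” section and the key-recovery question raised just above can be made concrete with a small model of an SED. This is an added example written for this page, not Credant code and not any drive vendor’s firmware: it keeps one data encryption key (DEK) that never leaves the drive, derives an authentication key (AK) from the preboot PIN, and uses the AK only to unwrap the DEK. A stdlib HMAC-SHA256 counter-mode keystream stands in for the drive’s AES-128/256 engine, and the escrow copy of the DEK wrapped under a management-side recovery secret is an assumed recovery design, since the post defers the real key details to a webinar.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed model of an SED's key architecture (not Credant's or any drive vendor's code):
# a data encryption key (DEK) that never leaves the drive, and an authentication key (AK)
# derived from the preboot PIN whose only job is to unwrap the DEK.


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for the drive's AES engine."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC wrap of the DEK under a key-encrypting key (the AK or a recovery key)."""
    nonce = secrets.token_bytes(16)
    body = nonce + _keystream_xor(kek, nonce, dek)
    return body + hmac.new(kek, body, hashlib.sha256).digest()


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the DEK, or None when the key-encrypting key is wrong (the DEK stays sealed)."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, body, hashlib.sha256).digest(), tag):
        return None
    return _keystream_xor(kek, body[:16], body[16:])


def derive_ak(pin: str, salt: bytes) -> bytes:
    """Authentication key from the preboot PIN; the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SelfEncryptingDrive:
    def __init__(self, pin: str, recovery_secret: bytes):
        self._dek = secrets.token_bytes(32)                 # generated inside the drive
        self._salt = secrets.token_bytes(16)
        self._wrapped_by_pin = wrap_key(derive_ak(pin, self._salt), self._dek)
        # Escrow copy for the "user forgot the PIN" case: the same DEK wrapped under a
        # secret the management console holds (assumed recovery design, not a vendor feature).
        self._wrapped_by_recovery = wrap_key(recovery_secret, self._dek)
        self._media: Dict[int, bytes] = {}                  # sector -> ciphertext on the platters
        self._session_dek: Optional[bytes] = None           # in volatile memory only while unlocked

    def unlock(self, pin: str) -> bool:
        """Preboot authentication: a wrong PIN leaves the DEK sealed and the drive locked."""
        self._session_dek = unwrap_key(derive_ak(pin, self._salt), self._wrapped_by_pin)
        return self._session_dek is not None

    def unlock_with_recovery(self, recovery_secret: bytes) -> bool:
        """Key recovery path used by the administrator when the user has forgotten the PIN."""
        self._session_dek = unwrap_key(recovery_secret, self._wrapped_by_recovery)
        return self._session_dek is not None

    def lock(self) -> None:
        """Power-off / lock: the only cleartext copy of the DEK is discarded."""
        self._session_dek = None

    def is_unlocked(self) -> bool:
        return self._session_dek is not None

    def change_pin(self, new_pin: str) -> None:
        """Re-wraps the DEK only; no sector is re-encrypted, which is why setup takes minutes."""
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        self._wrapped_by_pin = wrap_key(derive_ak(new_pin, self._salt), self._session_dek)

    def write(self, sector: int, data: bytes) -> None:
        """Every write is encrypted; the sector number acts as the per-sector tweak (as in XTS)."""
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        self._media[sector] = _keystream_xor(self._session_dek, sector.to_bytes(16, "big"), data)

    def read(self, sector: int) -> bytes:
        """Every read is decrypted on the way out, transparently to the OS and file system."""
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        return _keystream_xor(self._session_dek, sector.to_bytes(16, "big"), self._media[sector])

    def raw_media(self, sector: int) -> bytes:
        """What physically sits on the platters: ciphertext whether the drive is locked or not."""
        return self._media[sector]


if __name__ == "__main__":
    # Constructed walk-through: wrong PIN fails, correct PIN unlocks, data at rest is ciphertext,
    # a PIN change touches only the wrapped key, and the escrow secret recovers a forgotten PIN.
    drive = SelfEncryptingDrive("1234", b"constructed-recovery-secret")
    assert not drive.unlock("0000") and drive.unlock("1234")
    drive.write(7, b"payroll.xlsx contents")
    assert drive.read(7) == b"payroll.xlsx contents" != drive.raw_media(7)
    drive.change_pin("9876")
    drive.lock()
    assert drive.unlock_with_recovery(b"constructed-recovery-secret")
    print("sector 7 after recovery:", drive.read(7))
```

The model shows why the post’s claims hold: the drive is “encrypted all the time” because sectors only ever exist as ciphertext, setting or changing a PIN is a few bytes of key wrapping rather than a pass over the whole volume, and the forgotten-PIN case is answered by keeping a second wrapping of the same DEK under a secret the management console controls, which is exactly the kind of key-recovery process the text says still has to be managed.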

 

CREDANT MANAGER FOR SELF-ENCRYPTING DRIVES

If you missed it, about two or three weeks ago we launched Credant Manager for Self-Encrypting Drives, which covers a lot of those challenges. In other words, it reduces the work, and the risk, of deploying SEDs. It also reduces the risk of an impact on your operational processes, such as patch management. And it ties everything together more tightly from a reporting and policy definition perspective. Ultimately, therefore, it reduces the work, the complexity and the impact on users, on your administrative team, on your security teams and so on. So you get the benefit, the simplicity and the performance of SEDs, but from a centrally managed place with a lot less impact on everything else that’s going on.

 

INTEGRATING SECURITY

I’m winding up now, because I know we’re running close to time and I want to leave time for some questions. I’ve talked a few times about integration here. It’s important to think about integration as you roll out Windows 7 and as you think about the other options you’ve got for encryption and data protection. These stats came from a report from about a year ago. Eighty-eight percent of organizations have multiple administrators managing encryption keys, and part of the reason is that there’s a lot to manage. Twenty-two percent have more than ten administrators with access to manage encryption keys. That obviously makes it difficult to track who has access to what. And there are multiple encryption suppliers in place, each of which almost certainly has different key management and reporting infrastructure, which makes it very difficult to meet your compliance requirements and prove that everything’s encrypted when it’s supposed to be. It also increases the risk of gaps in coverage, and that’s a problem. You don’t want systems coming onto the network that you haven’t yet rolled into existing processes because those processes are complicated, manual and time intensive. So you really want to try to simplify a lot of the pieces here.

THE DATA PROTECTION PLATFORM

And I think that’s one of the things that we talk to a lot of organizations about, and, as I wind this up, it is what I mean by the data protection platform.  You think about self-encrypting drives.  You think about BitLocker.  You think about other devices, removable media.  You start thinking about what’s going on with the cloud.  The more you can tie those together into a single platform, a single set of tools to manage, define policy and build reports for your auditors, for your stakeholders, for your compliance requirements, the more that reduces work.  It reduces risk and it reduces impact both on the users and on your own folks as well.  And that is a huge win.  So I strongly recommend thinking about ways to tie these pieces of technology together, and it’s certainly something we would be more than happy to talk to you about if we haven’t already done so.

So, a couple of quick conclusions.  As you roll out Windows 7, as you plan for Windows 7, it is a great time to evaluate what you’ve got in place and what your options are from a data security perspective.  There are a number of new options that you’re going to be looking at, but consistently across all of them you’re going to see that the requirement for management is not going to go away, and in many ways as the number of options grows that requirement for management grows with it.  So, you’ve got a lot of options and there are a lot of powerful tools becoming available, but you’ve got to be able to manage them to get the most out of them.  Integrating the management of those pieces, tying them all together, is what’s going to help you reduce the cost, reduce the workload on you and ultimately reduce the risk of a breach, which, as we are all more than aware, can be both extraordinarily painful and extraordinarily expensive.

May 15th
2012

Unveiling the Misconceptions Around Self-Encrypting Drives: Part II

PRE-BOOT AUTHENTICATION PAIN

Let’s shift gears to pre-boot authentication (PBA).  That’s the step in which the user first powers up their system and types in their authentication.  They’re telling the system, “Yes, it really is me.  Please continue booting and unlock all of the data.”  However, if you’ve lived with a pre-boot system before, you know that it can have some real challenges.  It may require the user to learn a new step, or to have a different password from the one they normally type for their domain login.  And IT processes that don’t account for a pre-boot authentication step, such as applying patches to a system that is powered down, can potentially be broken by it.  Self-encrypting drives (SEDs) implement PBA a little differently from software-based full disk encryption.  It’s a little simpler to hook into, so good SED management capabilities can be put in place.

Can SEDs be integrated into Active Directory?  Yes.  Active Directory is a great way to reduce the impact on end-users.  This means that if I put the correct management piece in place, I can take the pre-boot authentication step and tie it into Active Directory.  This way, the user won’t have to authenticate twice on the same system, which is always something you want to avoid.

It’s also important to have good recovery methods in place.  If you can use remote recovery, that is also a great advantage when you think about the users, because you know they will forget their key at some point.  You’re going to get a phone call at two in the morning from somebody on the other side of the world asking, “What’s my authentication key?  I don’t remember what it is.  How do I get my system powered up?”  You want to be able either to get it to them, or potentially even to have some self-recovery mechanism where they can go and answer questions that help them authenticate without having to come back to the admin.  There are pros and cons to each approach, but we’re already seeing both methods requested.

FASTER? SLOWER? JUST THE SAME?

Then the other question that comes up often is “Doesn’t encryption slow my machine down?”  The answer is no.  Everything that comes back through the hardware module gets decrypted there, and as a result the encryption process has absolutely no impact on performance as it stands.  We’ve actually seen it ourselves during our own testing.  The other thing to remember is that the time to security is much shorter.  With previous approaches to full disk encryption, the disk would have to go through a process of being encrypted, essentially sector by sector.  Self-encrypting drives are encrypted all the time.  Everything on there is encrypted from the instant you set the authentication key.  Performance is a real win when you’re thinking about SEDs.

ROUNDING OUT THE SOLUTION

Hopefully this helps you as far as thinking about some of the ways that you employ SEDs.  Of course, there are still things that SEDs cannot do, and there are still pieces that you need to round out to complement all of the requirements.  You’ve got to be able to provide the reports that show that systems are protected and that you’re doing your due diligence.  Another element you should consider is enterprise deployment of self-encrypting drives: the drive can’t run reports by itself, so you’ve got to think about something else there.

And remember, SEDs are not going to be right for everything.  You’ve also got to consider other devices.  You’re going to have data moving onto removable media.  You’re going to have data moving onto smartphones.  Then there are also thumb drives.  You have to ask, “Do I manage the encryption and the policies on those devices separately, or together with the self-encrypting drive?”  Do the latter and you have one holistic view: “Where’s the data?  What’s my security stance across the board?”  It’s less work and it’s less risk to tie all these pieces together.  If you’re thinking about SEDs, where possible I recommend tying them into the same processes you’ve already got in place; it creates a winning solution across the board.

To summarize, self-encrypting drives are great.  They’re extraordinarily powerful tools, but to get what you want out of the drive, you need a management layer.

Q&A / SUMMARY

Credant can actually double encrypt SEDs.  The SED has its own encryption technology built into the drive, but you can implement policy-based encryption on top of that, which would encrypt the data again.  It’s an option.  I’m not saying that’s a standard you should adopt, but it’s certainly possible and would make great sense in certain use cases.

What does Credant do in this space?  We’ve just recently announced the ability to have the management layer for self-encrypting drives managed from the same set of tools that you use to manage data protection on all of those other platforms.  It reduces the workload and meets compliance needs because the data is protected.  It reduces the risk of a breach because I have the ability both to ensure the correct protection is in place on the right platform and to ensure that I’m not missing pieces – it’s all rolled up into the same set of reports.  And of course it reduces operational impact on users because I can deploy policies consistently and manage much more effectively.

The piece that we launched is the Credant Manager for Self-Encrypting Drives.  Here’s more information on self-encrypting drives.  It helps you reduce the work of deploying SEDs, again by enabling you to automate and simplify a lot of the policy definition, pushing out policy to devices, switching on the authentication key, and tying users to the right level of access.  It reduces the complexity of all of those pieces because you do it from one set of tools.  The nice thing is that because it’s all in one place it integrates all the reporting.  As a result, you can automate processes like patch management and updating systems.  This gives you a great deal of savings from the perspective of time and process.  It also actually makes things a lot more secure: now you don’t have a whole bunch of systems left on, powered up and potentially logged in.

Can you use BitLocker with a self-encrypting drive?  Potentially you could.  I’m not sure it’s a combination I would personally recommend, simply because what you’re doing at that point is a software full disk approach on top of a hardware full disk approach.  And I don’t think it’s necessary.  If you’re looking at that, I would recommend looking at Credant’s Enterprise Edition.  If you have concerns about data protection policies, then you can layer that on top of the self-encrypting drive.  But it may simply be enough to have an SED in place, provided, again, that it’s up and running.

There are also questions about innovations being considered around SEDs.  From our perspective, we think the growth and interest in self-encrypting drives is entirely natural because of the advances we already talked about.  Especially when considered against the challenges that people saw with software-based full disk encryption, SEDs make a lot of sense.

Our perspective on this is that we provide data protection capabilities for your entire organization.  If you as a customer feel that it is the right solution to implement SEDs for one group of users, or for every user, that’s your decision.  You have to make your decision based on the data, on your organization and on the kind of information you have.  Our job is to provide you the tools and the capabilities to make that data protection step much simpler, to reduce the risk of a breach and the risk of a failed deployment, and to reduce the cost of management.  Our job is to provide you with the management pieces to enable you to do that.  We will be happy to help you encrypt data as it moves onto removable media and flash drives.  We’ll be happy to help you encrypt data on a Mac.  We’ll be happy to help you encrypt data on non-SED systems.  We’ll be happy to help you manage SEDs and tie them into the management of all systems.  We really don’t want to push one solution or another down your throat.

We will try to give you advice based on what we see being successful in organizations like yours, and given that we’ve encrypted and provided data protection management for ten million plus endpoints at over a thousand enterprise customers, we have a lot of experience.  Our objective here is to make you successful by deploying the right protection for you.

May 10th
2012

Unveiling the Misconceptions Around Self-Encrypting Drives: Part I

SED?  WHAT’S THAT?

A self-encrypting drive (SED) is a disk that has built-in hardware-based encryption.  It’s essentially a drive that encrypts all the information that gets written to it, and that encryption is done by specialized hardware, which has a number of really important and significant implications for how to use it, where to use it, how to manage it and so on.  They’re made by a number of manufacturers – Hitachi, Toshiba, Seagate, and Samsung, to name a few.  There are a number of drive manufacturers that are building out their capability to supply self-encrypting drives.  And the reason is that they are becoming very, very popular, both from the perspective of people wanting to put them in and also, I think, from the perspective of organizations looking at them for the first time or maybe coming back and revisiting them.  The Trusted Computing Group, which obviously has something of a vested interest in this space, estimates that within five years pretty much all drives will have some self-encrypting capability built in, and that includes both traditional disk drives and solid state drives.  Sometime over the next few years most of the drives that you encounter are going to be a self-encrypting drive of some kind.

HOW IT WORKS

So, how do they work?  Very simply.  Anything that gets written to the drive is written via a hardware encryption module that encrypts it on its way onto the drive and then decrypts it on the way back.  Pretty straightforward.  Everything that gets written to the drive is encrypted – the whole thing is encrypted.  It’s encrypted as far as the various standards are concerned, typically with AES-128 or AES-256: industry-standard, well-established encryption algorithms, as you would expect, meaning the encryption is going to be solid and secure.

Obviously there are a number of caveats, and the caveats must always, as they do with any kind of encryption discussion, come down to what happens with the keys.  And we’re going to talk about keys, because there are a couple of keys that are very important when it comes to drives.

WHY THE INTEREST?

Why the interest?  In many cases the reason we’re seeing organizations look at self-encrypting drive technology is that they’re going through some kind of hardware refresh, or they’re re-evaluating their initial deployments or attempted deployments of software-based full disk encryption.  They like the idea of full disk encryption, but as I’m sure you know, full disk encryption can have some management challenges.  So what we’re seeing is a sort of re-evaluation of the way in which full disk encryption is implemented, with self-encrypting drives as the alternative.  They are much faster than software-based full disk encryption and they’re much more reliable.  Data loss is less likely to happen with a self-encrypting drive because they’re much less sensitive to issues around bad sectors.  They also take away a lot of the pain associated with the initial install of software full disk encryption: defragmenting the drive, checking for bad sectors, and so on, because those products would often be fairly sensitive to issues with the drive itself.  In a nutshell, that’s a self-encrypting drive – and they’re simple.

WHERE DO THEY FIT

Where do they fit?  Typically organizations interested in self-encrypting drives are really driven by a couple of things.  One is that they want a simple solution, and one that’s simple to live with.  Full disk tends to offer simplicity since everything gets encrypted, and self-encrypting drives are a very simple way to implement encryption.  Another consideration is whether you need to provide different encryption for different types of users.  If you don’t, and everything can be unlocked in one go, then again self-encrypting drives are a great approach.  Because it is a full disk, it’ll be unlocked all in one go rather than being unlocked in different portions for different users.  That’s a consideration you have to have.  And I think the other thing to think about is fairly self-evident: self-encrypting drives are only going to encrypt the information that’s on the drive itself.  You will need to think about information as it moves off the self-encrypting drive.  But that being said, if that matches your requirements, then SEDs may be a fit.

OPAL – CONNECTING AND PROTECTING

I want to touch on OPAL really briefly, which is the standard for self-encrypting drive technology.  It comes from the Trusted Computing Group and defines a number of capabilities for self-encrypting drives.  I don’t intend to go through all of them in any great detail, but if you come across OPAL drives then understand that that’s really the standard the industry is moving to for SEDs.  It defines the functions and it defines a lot of the way that these drives will interact with other hardware.  OPAL’s an important standard, and you should expect pretty much all the devices you’re looking at in the future to be OPAL compliant.

COMMON MISCONCEPTIONS

Let’s talk about common misconceptions and areas where there may be some confusion around self-encrypting drives.  We talked a little bit about security for self-encrypting drives, and while that may seem odd, it is an important consideration.  Then there are management and applicability: where do you use self-encrypting drives, and just where is the right place, exactly?  Then pre-boot authentication.  If you’ve ever dealt with pre-boot authentication, certainly in the software world, it can have some serious impacts and can be quite a headache to manage.  So let’s talk about what pre-boot authentication can look like for self-encrypting drive technology, and about performance too.  One of the questions that we get a lot is, “What’s the performance impact if I go to a self-encrypting drive?”

SECURE FROM DAY 1

One of the interesting things about self-encrypting drives is that everything is encrypted all the time.  The entire drive is encrypted.  Everything is encrypted from day one whether you want it to be or not.  It’s not possible to have a self-encrypting drive that isn’t encrypted, which sounds great.  The reason is that there are a couple of keys involved.  The first key that you need to know about is the encryption key.  That’s the key that the drive uses to encrypt information; the drive creates that key when it is built, and it is locked away in the hardware.  That’s the key for the encryption of all information saved to the drive and coming back.  The problem is that that key is available all the time.  So essentially it’s like having a great system of locks on your front door, but leaving the key in the door every time you go out.  You might have great locks, but there’s no security.  That’s where the second key comes in – the authentication key.  The authentication key locks away the data encryption key.  It encrypts it and locks it away so that you can’t get to it unless you have the authentication key, which you take with you.  That’s the key that enables you to prove that you are the authorized user of this device and the information.  So, like everything else in encryption, the big challenge is key management.  You must secure the authentication key and manage it appropriately.

Now, the good news is that devices are encrypted from day one and there’s no sort of setup.  So the device is going to be running, encrypting everything as it gets written to the drive itself.  What if I need to decommission the drive and make sure that there’s nothing on there that somebody else can get at?  All you do is destroy the key and the information is unusable, once you’ve got that initial key management under control.
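The two-key design described in the last two sections, as an added model (this is example code, not Credant’s or any drive vendor’s firmware): the data encryption key (DEK) exists from manufacture and is usable until an authentication key (AK) wraps it, pre-boot authentication unwraps it, and crypto-erase destroys every copy. AES-GCM and the iterated-HMAC passphrase stretch are constructed stand-ins for a drive’s AES-XTS engine and its real key derivation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SED models the two keys the post describes: a data encryption key (DEK) made when
// the drive is built, and an authentication key (AK) that wraps it. Teaching model.
type SED struct {
	dek        []byte // plaintext DEK, present only while the drive is unlocked
	wrappedDEK []byte // DEK sealed under the AK; nil until an AK is set
	salt       []byte // salt for stretching the passphrase into the AK
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing sensible a model can do
	}
	return b
}

// NewSED is "the factory": the DEK exists from day one, but until an AK is set it
// sits in the drive in usable form (the key left in the front door).
func NewSED() *SED { return &SED{dek: random(32)} } // 32 bytes = AES-256

// Locked reports whether the DEK is currently unavailable to the host.
func (d *SED) Locked() bool { return d.dek == nil }

// deriveAK stretches a passphrase into a 256-bit AK (iterated HMAC-SHA256 is a
// constructed stand-in for a real KDF such as PBKDF2).
func deriveAK(passphrase string, salt []byte) []byte {
	out := salt
	for i := 0; i < 4096; i++ {
		mac := hmac.New(sha256.New, []byte(passphrase))
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

// gcm returns AES-GCM for a 32-byte key. Real drives use AES-XTS per sector; GCM is
// used here so a wrong key or a tampered ciphertext fails loudly instead of quietly.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// seal returns nonce || ciphertext || tag; unseal reverses it.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Activate sets the AK: wrap the DEK under it, then forget the plaintext copy.
func (d *SED) Activate(passphrase string) error {
	if d.Locked() {
		return errors.New("unlock the drive before setting an authentication key")
	}
	d.salt = random(16)
	d.wrappedDEK = seal(deriveAK(passphrase, d.salt), d.dek)
	d.dek = nil // power-off: only the sealed copy remains on the drive
	return nil
}

// Unlock is the pre-boot authentication step: the right passphrase unwraps the DEK.
func (d *SED) Unlock(passphrase string) error {
	if d.wrappedDEK == nil {
		return errors.New("no authentication key set, or drive crypto-erased")
	}
	dek, err := unseal(deriveAK(passphrase, d.salt), d.wrappedDEK)
	if err != nil {
		return errors.New("authentication failed")
	}
	d.dek = dek
	return nil
}

// CryptoErase destroys every copy of the DEK: stored ciphertext is untouched but can
// never be decrypted again, which is what makes decommissioning instant.
func (d *SED) CryptoErase() { d.dek, d.wrappedDEK, d.salt = nil, nil, nil }
```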

THEY DON’T NEED MANAGEMENT

I’m sure you’re asking, “Okay, so how would I do that?”  You do that by putting in management layers, and this should not be a great surprise to anybody.  If you want to be able to manage all of those keys, enable people to get access to their systems without any great difficulty and ensure that they can continue to have access, you need a management layer.  So, there’s technology that enables you to activate the drive, set policies to manage which users have access and when they can have access, and remove their right to have access, of course, if you need to.  You really have to think about maintaining control over who has access to authentication keys, and when they need to get access.  We have to consider things like user recovery, for when a user inevitably is on the other side of the planet and has lost their authentication key and can’t get in.  Things like this are a big challenge when you are looking at encryption technology, especially full disk encryption approaches.  One of the big complaints is in the pre-boot step, in other words the step where the user authenticates himself: if the authentication step gets in the way of patch management, then in the worst case people literally have to leave their systems powered on to enable patching to happen, and that’s really not ideal at all.  You want to ask, “Can my management layer enable me to implement pre-boot authentication while keeping my patch management processes working?”  System loss is another challenge here.  If the device is lost, how do I ensure that people can’t have access to it anymore?  Can I kill those keys quickly in order to prevent people from getting in?  This brings up reporting and auditing.  I want to be able to prove that these controls are in place.  I want to make sure that the information is protected at all times, and provide auditing and compliance reports to my internal stakeholders, my compliance managers and so on.  These are the major things that you need to think about when you’re talking about management.

ONE SIZE FITS ALL

One of the other things to bear in mind is the idea of one size fits all.  SEDs are great and extremely effective.  They are becoming increasingly affordable as price points come down, but they’re still not necessarily going to be the right solution for everything.  One of the challenges with any full disk approach is that once you unlock it, it is unlocked for good.  For example, if I have sensitive information on my device and I need to give it to an administrator or a contract organization for them to work on, I need to have that drive unlocked.  That could be a concern, because they then have access to any information that’s on that system.  That’s effectively providing access to what I would call “non-authorized” users, and that’s also something to think about.  So they’re great tools, but use them in the right place.  There are always things to consider: “What happens when I’m moving data onto a different system without an SED on it?  What happens when I move it out into a cloud environment?”  They’re a great solution, yes, but you obviously have to think beyond just that device.

Stay tuned as we shift gears to pre-boot authentication and a well-rounded SED solution.

March 29th
2012

5 Reasons To Manage BitLocker Data Protection

Let’s look at best practices for integrating BitLocker into your security solution, and how to do so as you plan your migration to Windows 7.

A lot of organizations have either started or are starting to migrate to Windows 7.  With that comes BitLocker – and I’ll take a look here at some of the strengths of BitLocker – and some of the areas to be aware of.  I’d like to give you some tips and tricks as well, and some of the things that you ought to bear in mind as you plan for your BitLocker rollout, and as you plan for management of BitLocker within your broader security environment.

WINDOWS 7 MIGRATION

As I look at Windows 7 migrations and what’s happening in the market, in general, most organizations seem to be on about a 4 to 6 year cycle for refreshing hardware.  That means there’s a lot of Windows hardware still out there that’s running XP or Vista – it’s older hardware and it may be time to go ahead and refresh those PCs and look into new desktops and laptops.  Of course, there are significant cost and security benefits to adopting Windows 7 – and I’ve seen some reports indicating that right now about 60 percent of organizations have already begun to deploy Windows 7, though of course it may not be a full deployment as yet.

MIGRATING TO WINDOWS 7/SOME KEY FEATURES

As I look specifically at the security elements of Windows 7, it certainly brings with it a lot of enhancements over what we had previously with XP or with Vista.  User account control will help you defend your PCs against hackers and malicious software by basically allowing you to set everybody up with standard user privileges, rather than local administrator privileges.  If you’re going to go down that road it certainly is the recommendation of Gartner that you do so – but – for various reasons, a lot of organizations continue to give employees local administrator rights rather than having standard user permissions!

There are other pretty important systems in play as well.  One area to take advantage of is group policy, to get some centralized management and configuration based on Active Directory.  AppLocker, for instance, is a pretty neat little tool that basically allows you to specify which software is allowed to run by managing it through group policies.  There are a number of other key security enhancements that are available, but as I think about BitLocker in particular, a couple of things come to mind.

The first one is that BitLocker is not available with the Professional version of Windows 7 – In fact, BitLocker is only available with either the Enterprise version, or with the Ultimate version.  This is an important distinction – and, of course, the Enterprise & Ultimate versions of Windows 7 require that you have the appropriate licensing … Volume licensing for Enterprise – or with the Ultimate version, it’s either retail or OEM licensing, which may not be appropriate for an organisation-wide deployment.

WHAT IS BITLOCKER?


Let’s take a deeper dive into BitLocker and what it really is.  As mentioned, it’s intended for the Ultimate and Enterprise editions only, for Windows 7 and for Windows Vista, and it can run on Windows Server 2008.  Windows BitLocker drive encryption supports both 128-bit and 256-bit encryption keys.  Certainly the longer encryption keys increase security.  But they also, as Microsoft will tell you, can cause slower encryption and decryption of data.  BitLocker has a diffuser algorithm that is intended to help protect the system, and by default with Windows 7 the encryption is AES 128.  That may or may not be appropriate, but it is possible for you to go back and change that to 256 bit should you choose to.  That’s just one of the things to bear in mind as you begin to look at BitLocker.

What are some of BitLocker’s strengths?  Certainly it is a strong encryption solution – a volume based solution that will work well encrypting data on fixed drives.  For instance, a lot of users out there have desktops and BitLocker might be a very good solution – though you may want to think twice about the BitLocker-to-go removable media option for those systems (more later).

The Windows 7 implementation has certainly improved over the Windows Vista version, and it does leverage the newer technologies such as the AES processor and the Trusted Platform Module (TPM).  However, that actually requires that you have TPM version 1.2.   As you move toward a Windows 7 rollout and installing new machines, the likelihood is that you’ll be in great shape!   Pretty much all of the new laptops and desktops out there come with TPM 1.2 … but you may not be quite as well positioned to roll BitLocker out to older systems already in your environment, as part of your Windows 7 upgrade.

Let’s move on from BitLocker’s strengths to some of the areas to be aware of.

AUTHENTICATION OPTIONS

When it comes to how users authenticate, there are a few different options.  You’ve got the TPM, you’ve got a PIN or enhanced PIN, and you’ve got a USB device as options.  The recommendation from Microsoft, and from us as well, would be to use multifactor authentication because it does increase the drive security.  You can use these authentication methods in any number of combinations: TPM with a PIN; the TPM and a startup key kept on a USB flash drive; or a startup key, the PIN and the TPM.  You’ve got lots of options there.  (Note: if you do decide to use an enhanced PIN, it does require that the BIOS support a full keyboard in pre-boot mode.)

But the thing to remember as you look at multifactor authentication is that it’s vitally important you communicate with and train your users on what it is that they’ve got to do!  For instance, if they are required to have a startup PIN and a USB key, you’ve got to remind them that they should NOT be keeping their BitLocker authentication key in an easily accessible location, like on a sticky note or a USB stick that’s sitting right beside the laptop.  It’s important to be sure the keys are stored separately from the data, because otherwise you potentially have a problem.

WHAT IS THE TPM?

It is an onboard component that provides a root of trust, seals the encryption keys and can protect against off-line attacks.  As already noted, the thing to remember with the TPM, if you’re going to use it, is that it must be version 1.2.  (If you’re on a newer system, you’re probably in great shape.)  For some older systems you might need to look back and see whether this is still a viable option.

One other thing to bear in mind, regardless of how users are authenticated: you will need to disable the use of standby mode for any portable computers.  For laptops with BitLocker on the OS volume, the protection is only in effect when the computer is turned off or in hibernation mode.  So, no sleeping for you road warriors.

WHAT IS THE RECOVERY PASSWORD OR KEY?

The next thing after authentication is to plan for recovery key management.  The recovery password is a 48-digit randomly generated number, and it’s created during BitLocker setup.  If the computer enters recovery mode, the user will need to type in this password in order to recover data.  It will be required whenever the machine goes into recovery mode.
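A help-desk-side format check for that 48-digit recovery password, added here as an example (not Microsoft’s code). It goes one step beyond the text: the password is shown as eight 6-digit groups, and each group is a 16-bit value multiplied by 11, so a well-formed group is a multiple of 11 and at most 720885; that arithmetic catches a mistyped or misheard digit before anyone assumes the key itself is wrong.

```go
package main

import (
	"fmt"
	"strings"
)

// A recovery password is 48 decimal digits displayed as eight 6-digit groups.
// Each group is a 16-bit value times 11, so a well-formed group is a multiple
// of 11 and at most 65535*11 = 720885. Every error names the group so the
// user can re-read just that one over the phone.
const (
	numGroups   = 8
	groupDigits = 6
	maxGroup    = 65535 * 11
)

// ParseRecoveryPassword accepts the password with or without the usual '-' or
// space separators and returns the eight 16-bit values it encodes.
func ParseRecoveryPassword(s string) ([]uint16, error) {
	digits := strings.NewReplacer("-", "", " ", "").Replace(strings.TrimSpace(s))
	if len(digits) != numGroups*groupDigits {
		return nil, fmt.Errorf("expected %d digits, got %d", numGroups*groupDigits, len(digits))
	}
	values := make([]uint16, 0, numGroups)
	for g := 0; g < numGroups; g++ {
		n := 0
		for _, c := range digits[g*groupDigits : (g+1)*groupDigits] {
			if c < '0' || c > '9' {
				return nil, fmt.Errorf("group %d: non-digit character %q", g+1, c)
			}
			n = n*10 + int(c-'0')
		}
		if n%11 != 0 {
			return nil, fmt.Errorf("group %d: %06d fails the mod-11 check (mistyped or misheard digit?)", g+1, n)
		}
		if n > maxGroup {
			return nil, fmt.Errorf("group %d: %06d is above the largest valid group %d", g+1, n, maxGroup)
		}
		values = append(values, uint16(n/11))
	}
	return values, nil
}

// Canonical re-formats the values the way Windows displays them, useful for
// reading the transcription back to the caller group by group.
func Canonical(values []uint16) string {
	parts := make([]string, len(values))
	for i, v := range values {
		parts[i] = fmt.Sprintf("%06d", int(v)*11)
	}
	return strings.Join(parts, "-")
}
```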

WHAT MIGHT CAUSE IT TO GO INTO RECOVERY MODE?

There are a number of different things that could do it.  An update to the BIOS could potentially do it, as could updating the option ROM, upgrading any early boot components, or simply forgetting the PIN.  A user who has forgotten the PIN when PIN authentication has been enabled can potentially trigger a recovery process.

If you do go into recovery, the user needs to have the key.  If they have the key, that’s perfectly fine, but how do they store it?  Again, key security becomes very important to bear in mind.  If users are worried that they’ll need the key, they are probably going to keep it pretty close to the laptop or desktop, and that will potentially give you 1) a management headache, and 2) a key security headache.

Are those keys actually secure?  Written down on a sticky pad, or printed off and tucked away in the same briefcase as the laptop containing the data!?

WHAT ABOUT REMOVABLE MEDIA?

Another thing to consider is removable media.  BitLocker does come with a solution called BitLocker-To-Go, which allows you to encrypt data on removable media.  But one of the problems with BitLocker-To-Go is that it can be very slow in provisioning larger capacity drives. I’ve seen a 1 GB or 2 GB USB stick take up to a half an hour to format.  And if you think about a user who is sticking in a USB stick, they’re not going to wait 20 minutes or half an hour for that stick to be formatted ready for encryption. What might happen is they will pull the USB stick out because they’re frustrated.  And that, by the way, will corrupt all of the data.  That’s a problem!

One of the other things is that a lot of people have 1 TB external drives they use for backups, connected via USB.  If I were using BitLocker-To-Go, I don’t know if I would have the patience for the provisioning time, let’s put it that way.  Removable media is an area that you need to consider because of large external drive capacities and also because of the use scenario for the end user.  If they’re waiting 15 or 20 minutes to half an hour or longer for a USB stick to be formatted, they’re going to get frustrated and they’re going to find other ways of sharing data.  For that reason, BitLocker-To-Go may not be the ideal solution for most users.

WHAT ABOUT ENCRYPTING NON-WINDOWS 7 MACHINES?

Now let’s visit encryption for non-Windows 7 machines. There’s very little likelihood that the Windows 7 environment is going to be entirely Windows 7.   In most organizations there is still a fairly sizeable population of Mac OS users – and in some cases that number is growing.  Mac users tend to be big fans and they tend to want to keep their Macs.  And it may be in the creative department.  It may be at the management level.  It could be anywhere. Mac OS is a substantial platform that exists within a lot of environments, 10 to 15 percent of some environments in fact. That’s something you need to consider as you look at complying and protecting data across the entire organization.

Windows 7, of course, is not the only Windows version that’s out there today. If your organization is in line with market norms, you’ve still got Windows XP on up to a third of the machines in your environment. I don’t know how fast you’re able to get the transition to happen, or whether you might want to reuse and recycle some of those machines for lower-end users … In either case, you need to consider protecting the data on those devices as well.

Additionally, you’ve got a growing population now of mobile OS platforms that are becoming more and more of an issue that you need to consider as you look to the future and protecting data across your entire organization.

If we look at a few statistics released last year, the vast majority of organizations have multiple administrators managing encryption keys and integrating security into existing IT processes. Consolidating all of those security admin jobs into a single pane of glass can bring with it enormous benefits. It’s both a reason to move to BitLocker and a reason to look at how you manage BitLocker. A lot of organizations have several different encryption technologies in place, with three, four or five different management consoles. If you’re able to integrate there, and find the opportunity to manage BitLocker and the other systems in your environment centrally, then you’ve certainly driven some benefit for your organization, for end users, and of course for compliance reporting.

WHAT ABOUT COMPLIANCE?

This brings me to the next point – the need to understand your compliance environment. Data encryption is specifically mandated under various regulations – and even where it is not mandated, there’s a strong emphasis on encryption as a recommended best practice. HIPAA and HITECH, for instance, do not mandate encryption – but they do give you safe harbor should a USB stick or a laptop with sensitive data on it be lost. If that data is encrypted, you don’t have the same notification requirements that apply to unencrypted data.

Something else to think about is what kind of reporting you’ll need. Is it organization-wide? Possibly. The ability to report to auditors and to management on your data protection status is often crucial: the number of endpoints, the types of endpoints and devices that data is flowing to – and the ability to enforce encryption of the data as it moves about. Management will want reporting, and outside auditing agencies will want it as well. They will want to see that you are putting the right security profile in place.

FIPS compliance is another very important factor for some organizations, and while BitLocker does allow you to achieve FIPS compliance, it is only possible to do so if users do NOT create recovery passwords. The fact that these passwords are most likely going to be kept very close to the machines is, I guess, one important reason that FIPS compliance is lost – but there’s also the fact that the recovery keys can be stored in clear text within Active Directory, which again loses your FIPS compliance. So is FIPS compliance an important factor for you? Certainly worth thinking about.
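As an added check (not part of the original post, and not Credant’s code), the following PowerShell script inventories each BitLocker volume through the Win32_EncryptableVolume WMI class, counts the numerical recovery-password protectors the paragraph above warns about, and reads the FIPS algorithm policy flag, so you can see at a glance where the two conflict. It assumes an elevated PowerShell session on a Windows 7 or later machine; the CSV output path is a placeholder.

```powershell
# Added example: audit BitLocker protectors against the FIPS constraint.
# Win32_EncryptableVolume lives in this WMI namespace on Windows 7 and later.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# The "Use FIPS compliant algorithms" policy is reflected in this registry value.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$fipsEnabled = ($fips -ne $null -and $fips.Enabled -eq 1)

$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

$report = foreach ($vol in $volumes) {
    # KeyProtectorType 3 = numerical password (the 48-digit recovery password).
    # The Where-Object filter drops a null result so the count is 0, not 1.
    $recovery = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })
    # KeyProtectorType 2 = external key (a recovery key file, the alternative
    # to a recovery password).
    $external = @($vol.GetKeyProtectors(2).VolumeKeyProtectorID | Where-Object { $_ })

    New-Object PSObject -Property @{
        Drive             = $vol.DriveLetter
        # ProtectionStatus property: 0 = off, 1 = on, 2 = unknown
        Protected         = ($vol.ProtectionStatus -eq 1)
        RecoveryPasswords = $recovery.Count
        ExternalKeys      = $external.Count
        FipsPolicyEnabled = $fipsEnabled
        # The condition described in the post: a recovery password on a host
        # that is supposed to run under the FIPS policy.
        FipsConflict      = ($fipsEnabled -and $recovery.Count -gt 0)
    }
}

$report | Format-Table Drive, Protected, RecoveryPasswords, ExternalKeys, `
    FipsPolicyEnabled, FipsConflict -AutoSize

# Keep a copy for the compliance reporting discussed above (placeholder path).
$csv = Join-Path $env:TEMP ("bitlocker-fips-audit-{0}.csv" -f $env:COMPUTERNAME)
$report | Export-Csv -Path $csv -NoTypeInformation
```

Run it across your fleet (for example through a startup script or remote session) and aggregate the CSV files to get the organization-wide view the compliance section asks for.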

CREDANT BITLOCKER MANAGER

Credant BitLocker Manager is a solution that gives you a single management console for all of your data protection requirements. You’ll have full management control not only of your Windows BitLocker machines, but potentially of all of the endpoints in your environment. We are able to give you full management and control of BitLocker itself, including automation of TPM initialization and management. You can leverage group policy settings to configure encryption strength, drive access controls, drive recovery and deployment options. We’re able to help you roll this out, set up your policies and then manage those policies. We’ll give you standardized recovery key management. All of the recovery keys are securely escrowed and encrypted, so that you’ve got much more security – and you retain FIPS compliance if that’s of concern to you. Credant offers automated management of the trusted platform module, and very flexible management in terms of the ability to manage different groups and different users, all the way down to the individual user and the individual device.

The biggest benefit here is, hands down, integration. The BitLocker Manager solution will help you manage all of your BitLocker devices. You can integrate it with the Credant Enterprise product, which will allow you to manage all of the other devices in your environment. It will allow you to manage all of your old Windows XP, Windows Vista or Windows 7 non-BitLocker machines, and it will also allow you to manage all of your Mac OS machines – all from a single pane of glass!

Additionally, instead of using BitLocker-To-Go with its many issues, the Credant external media solution is the best solution in the market for protecting data on external media devices. It gives users quick and easy protection for data on any of their external media devices; ensures very comprehensive visibility and reporting capabilities for management; and gives IT the ability to set policies around what kind of data can be moved to external media.

We can integrate all of that into one pane of glass so that you get much simpler management and much more complete reporting and auditing. There’s a much lighter workload for compliance-related auditing, because compliance reporting is built into the solution and will allow you to generate reports from a company-wide level down to an individual user level. When the CFO calls and says, “I lost my laptop at O’Hare on my last business trip, can you tell me what’s up?”, you’re able to go in very quickly, take a look and confirm that the encryption was in place. While the CFO is going to be unhappy that he has to get a new laptop and configure it, he can be very happy that all of the sensitive data on his laptop was not lost.

Again, integration is probably the biggest area of concern for a lot of our customers. It is an area where Credant Manager for BitLocker is able to support you, so that you have far fewer gaps in your coverage.

FULL STEAM AHEAD

So – as I’ve discussed, BitLocker does have some clear advantages – and with your Windows 7 rollout either in process already, or about to be in process as you look at refreshing your PCs, BitLocker does work very well for some users. However, BitLocker does have some limitations. It’s important to think about what your authentication policy is going to be. It’s important to think about what your recovery key management policies are going to be. It’s very important to consider removable media. Compliance is a key driver for a lot of organizations. It’s important that you understand which regulations you’re held accountable for – and what’s required in order to achieve compliance.

As you roll out Windows 7 you’re going to get the benefit of enhanced security in a number of ways, and enhanced performance over some of those older Windows XP machines. There are a lot of great, positive things that come with the Windows upgrade.

So full steam ahead, but just remember some of these tips and tricks, and try to make sure that you’re able to integrate and save on management cost, while on the end user side making it as transparent and as easy for the user as possible.
