Many organizations are starting to think about upgrading to Windows 7, because Windows 7 brings additions they might want to make use of. That raises questions about integration and the opportunities and challenges it can bring. One of those opportunities is Windows BitLocker. Organizations with the Ultimate and Enterprise editions of Windows 7 should be looking at it. We’ll examine how to think about BitLocker, and how to plan and succeed with it as part of your overall strategy. An upgrade is also a good opportunity to look at things like self-encrypting drives. There’s a lot of buzz around removable media as part of the changes in Windows 7, but you can also think about a broader strategy: Windows, removable media, increasingly mobility, and even cloud services. All of these are changing the way enterprise organizations think about data protection.
WHAT IS BITLOCKER?
Let’s cover the highlights of BitLocker. It was included in a number of versions of Vista, and I think it’s fair to say that the version now in Windows 7 is definitely an improvement over what was in Vista. It is available on the Ultimate and Enterprise editions of Windows 7, and on Windows Server 2008 and 2008 R2. The default encryption in Windows BitLocker is AES with a 128-bit key, a standard choice.
BITLOCKER OPERATION MODES
It operates in three modes: transparent operation mode, user authentication mode, and USB key mode. The mode you choose will affect how you plan your Windows 7 rollout. Transparent operation mode is the lowest-impact option as far as your users are concerned. The Trusted Platform Module (TPM), a hardware component embedded in the system, provides what’s called a “root of trust.” When the system boots, it checks that no one has tampered with the system while it was powered down; if nothing has changed, the system starts normally with minimal impact on the user. Transparent operation mode may be attractive from an operational perspective and ideal from a security perspective. User authentication mode requires a user PIN at a pre-boot authentication step; you set the length of that PIN as part of the BitLocker policies. Typically the PIN is eight digits long, but there is flexibility around that. The third way to add another layer of authentication is USB key mode, in which you have to plug in a USB device in order to boot the system. This is the most intrusive, and I think it’s fair to say that using the TPM in conjunction with user authentication mode is the best balance between security and minimizing the impact on users. All of these choices have an impact, though: each option increases the security BitLocker gives you and also increases the potential impact on the user, and you have to keep it configured and running. Think about that early, because management is going to be one of the main challenges.
It has great, solid encryption: the AES algorithm, configurable to a 128- or 256-bit key, protecting the volumes it covers. As with any full volume encryption solution, it encrypts the entire volume, and that’s an impact you’ll want to think about. As I mentioned, it is an improvement over the Vista version; the Windows 7 implementation is considerably better. It uses AES-NI processor support, the Intel instruction set that accelerates AES, and it uses the TPM. Pretty much all systems these days have a TPM in them, and the nice thing about using it is that it adds a degree of trust that no one has tampered with the system while it’s been off: the system can essentially detect an attempt to attack it offline. That obviously improves security. It does mean, however, that it can have an impact on users if you’re not set up to manage it appropriately. It will also leverage Active Directory on Windows Server 2003 or 2008; on 2003 you’ll probably need schema extensions, while in 2008 it’s all built in. It’s included in the OS, so for many organizations the primary reason they look at BitLocker is that it’s already there. If you’ve got, or are moving to, Windows 7 Enterprise or Ultimate, BitLocker is already in there, and that’s a fairly compelling argument to at least examine it for some users.
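As an added illustration, not from the original article or from Credant, here is a PowerShell script that sets the local BitLocker policy for one of the three modes and a 128- or 256-bit key, then turns BitLocker on with manage-bde.exe, the command-line tool that ships with Windows 7 (there is no PowerShell BitLocker module on Windows 7). It assumes an elevated session on Windows 7 Enterprise or Ultimate, a TPM that is enabled and activated in firmware, and that no domain Group Policy for BitLocker is applied yet: Group Policy writes the same registry values and would overwrite them at the next refresh, so in production set them through a GPO rather than locally. The policy value names and their 0/1/2 meanings are the ones the Windows 7 BitLocker policy templates write, stated here as an assumption to check against your own template.

```powershell
# Added example (not Credant's or Microsoft's code): local BitLocker policy plus
# manage-bde to enable one of the three modes on the OS volume.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmReady {
    # Transparent and TPM+PIN modes need a TPM that is enabled and activated in firmware.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return [bool]($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
}

function Set-LocalBitLockerPolicy {
    param(
        [ValidateSet('Tpm', 'TpmAndPin', 'TpmAndStartupKey')] [string]$Mode = 'TpmAndPin',
        [int]$MinPinLength = 8,     # the eight digits the text mentions, enforced as a policy minimum
        [switch]$Aes256
    )
    if (-not (Test-Path $FvePolicy)) { New-Item $FvePolicy -Force | Out-Null }
    # "Require additional authentication at startup" values (assumed mapping: 0 = do not allow,
    # 1 = require, 2 = allow). Exactly one protector type is required, the others disallowed.
    $use = @{ UseTPM = 0; UseTPMPIN = 0; UseTPMKey = 0; UseTPMKeyPIN = 0 }
    switch ($Mode) {
        'Tpm'              { $use.UseTPM = 1 }      # transparent operation mode
        'TpmAndPin'        { $use.UseTPMPIN = 1 }   # user authentication mode
        'TpmAndStartupKey' { $use.UseTPMKey = 1 }   # USB key mode
    }
    $values = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; MinimumPIN = $MinPinLength }
    # "Choose drive encryption method": Windows 7 values are 1 = AES-128, 2 = AES-256,
    # 3 = AES-128 with diffuser (the default), 4 = AES-256 with diffuser.
    $values.EncryptionMethod = if ($Aes256) { 4 } else { 3 }
    foreach ($kv in ($use + $values).GetEnumerator()) {
        New-ItemProperty $FvePolicy -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
    }
}

function Enable-OsVolumeBitLocker {
    param([string]$Volume = 'C:', [string]$Mode = 'TpmAndPin', [string]$StartupKeyDrive = 'E:')
    if (-not (Test-TpmReady)) { throw 'TPM not ready: enable and activate it in firmware first.' }
    switch ($Mode) {
        'Tpm'              { manage-bde -protectors -add $Volume -TPM }
        'TpmAndPin'        { manage-bde -protectors -add $Volume -TPMAndPIN }      # prompts for the PIN
        'TpmAndStartupKey' { manage-bde -protectors -add $Volume -TPMAndStartupKey $StartupKeyDrive }
    }
    # Add a recovery password before encrypting: it is the only way back in when the TPM
    # refuses to unseal (dock change, boot-order change, firmware update, stray F-key at boot).
    manage-bde -protectors -add $Volume -RecoveryPassword
    manage-bde -on $Volume            # TPM hardware test at next reboot, then encryption starts
    manage-bde -status $Volume
}

# These two calls change the machine: policy first, then protectors and encryption.
Set-LocalBitLockerPolicy -Mode TpmAndPin -MinPinLength 8 -Aes256
Enable-OsVolumeBitLocker -Volume 'C:' -Mode TpmAndPin
```

The encryption method has to be set in policy before manage-bde -on runs; once a volume is encrypted, changing the policy does not re-encrypt it, which is the reason to decide on 128 versus 256 bits at planning time rather than after rollout.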
WHERE DOES IT FIT?
BitLocker may, however, not be appropriate for everybody. Security tools are like any other tools: appropriate for some jobs and not for others. Obviously, if you’ve got Windows 7 Enterprise or Ultimate, the sensible thing is to at least look at it. It makes sense for users who do not share systems, because it’s a volume encryption approach: when the system is unlocked at boot, the entire volume is unlocked and available unencrypted to whoever is using it. A volume that is unlocked and available for use across shared systems could be a challenge. It’s also best for users who don’t have highly sensitive information; the reason is that the full volume approach, once unlocked, offers no further protection. If there’s highly sensitive information you might want to think about a more granular approach than full volume encryption. Simply put, it may be a fit for some types of users in some environments, but not for others.
CHALLENGES WITH BITLOCKER
Despite its very strong encryption, there are some challenges. I’ll be specific about a couple of them because they affect the way you think about using BitLocker. Recovery key management is one of the more significant challenges with BitLocker as it stands. Recovery keys are required when you use the TPM: if the TPM senses a threat and the system goes into recovery mode, and you don’t have the recovery key available for the user, you have users who potentially cannot get into their systems. A system can go into recovery mode for a lot of reasons. If it’s under attack, obviously, but even docking or undocking a laptop can trigger recovery mode, as can hitting certain function keys during boot: accidentally touching the wrong keys at boot time can send the system into recovery. It can be sensitive, and if you tinker with the way the TPM is set up, it can become incredibly sensitive. Bottom line, you’ve got to think about recovery key management. Also, BitLocker by itself doesn’t provide much of the auditing, logging and reporting you would expect from an enterprise solution, and if you’re using multiple, different platforms and different types of users, you’re not going to get that integration either. You’ll probably have to put something else in place for reporting and auditing.
RECOVERY KEY MANAGEMENT
It’s important to understand recovery keys. The question that comes up most is, “What’s a recovery key? My system won’t boot.” The user is already in a great deal of pain at that point. Recovery keys are what you create in order to tell the TPM that everything is fine. You only need the recovery key occasionally, when the TPM asks for it, but when you need it, you really need it. It’s a 48-digit randomly generated key, and you have to type it in at the pre-boot recovery screen using the function keys. You can do a couple of different things with a recovery key, sometimes called a recovery password; they’re essentially the same thing depending on how you store them. But you have to make sure they’re available, because if it’s 3:00 a.m. my time and someone on the other side of the world is booting a system that has gone into recovery mode, you want to be able to get them that recovery key so they can unlock their system and keep working.
RECOVERY KEY MANAGEMENT
You have a few choices for storing recovery keys as you create them. You can tell the user to write it down on a piece of paper, but I would not recommend that (you certainly can if you wish). You can print it out. You can store it on a USB device, which then becomes a sort of recovery key device that you can plug in. Or you can store it natively in Active Directory. That is an attractive choice from a management perspective, but not necessarily a great one from a security perspective, because the recovery password is stored there in plain text. Having the recovery keys available to anyone with Active Directory administrative rights is not necessarily a good thing, because it means they can get access to that system. You really have to think about what you can put in place to manage recovery keys and to help mitigate these challenges.
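As an added example (not from the original article or from Credant), the following PowerShell uses manage-bde.exe to escrow a volume’s recovery password into Active Directory and then audits what was stored. It assumes a domain-joined Windows 7 machine, an elevated session, English manage-bde output, and a schema that contains the BitLocker recovery classes (native from Windows Server 2008; an extension on 2003). Because the recovery password sits in clear text in the msFVE-RecoveryInformation object, the audit deliberately reads only the GUID and creation time and never requests the password attribute: that attribute is the one whose read access you should restrict to the help-desk role and log.

```powershell
# Added example (not Credant's or Microsoft's code): escrow the recovery password in AD
# and audit the stored objects without reading the password itself.

function Get-RecoveryPasswordIds {
    param([string]$Volume = 'C:')
    # manage-bde prints each numerical-password protector as "Numerical Password:" followed
    # by an "ID: {GUID}" line; the GUID is what -adbackup needs.
    $text = (manage-bde -protectors -get $Volume) -join "`n"
    $ids = @()
    foreach ($m in [regex]::Matches($text, 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})')) {
        $ids += $m.Groups[1].Value
    }
    return ,$ids
}

function Backup-RecoveryPasswordToAd {
    param([string]$Volume = 'C:')
    $ids = Get-RecoveryPasswordIds $Volume
    if ($ids.Count -eq 0) {
        # No recovery password yet: create one (it is printed once; that printout is the copy
        # you would otherwise have been handing to the user on paper).
        manage-bde -protectors -add $Volume -RecoveryPassword | Out-Null
        $ids = Get-RecoveryPasswordIds $Volume
    }
    foreach ($id in $ids) {
        # Writes an msFVE-RecoveryInformation child under this computer's AD object.
        # Fails if the schema lacks the class or the machine account cannot write to itself.
        manage-bde -protectors -adbackup $Volume -id $id
    }
    return ,$ids
}

function Get-AdRecoveryObjects {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $searcher.FindOne()
    if (-not $computer) { return @() }
    $searcher.SearchRoot = $computer.GetDirectoryEntry()
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    # Only the GUID and timestamp: msFVE-RecoveryPassword is the clear-text value whose
    # read access you want restricted and audited, so this report never loads it.
    [void]$searcher.PropertiesToLoad.Add('msFVE-RecoveryGuid')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')
    $rows = @()
    foreach ($r in $searcher.FindAll()) {
        $guid = New-Object Guid (,[byte[]]$r.Properties['msfve-recoveryguid'][0])
        $rows += New-Object PSObject -Property @{
            Computer = $ComputerName; RecoveryGuid = $guid; Created = $r.Properties['whencreated'][0]
        }
    }
    return ,$rows
}

$escrowed = Backup-RecoveryPasswordToAd -Volume 'C:'
"escrowed protector ids: $($escrowed -join ', ')"
Get-AdRecoveryObjects | Format-Table Computer, RecoveryGuid, Created -AutoSize
```

Running Get-AdRecoveryObjects as an ordinary domain user is itself a useful check: if it returns rows, the recovery objects are readable more widely than the help desk, which is exactly the exposure the paragraph above warns about.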
AREAS TO BE AWARE OF
There are some areas to be aware of with BitLocker. We talked about key management and reporting, but FIPS compliance is something else you have to consider as you roll it out. If FIPS compliance is important to you, it will affect the way you configure the BitLocker policies: you’d have to set it into FIPS compliance mode. Biometric authentication is not supported. There is support for removable media encryption, but it is not necessarily optimal from a performance and reliability perspective; you might want to think about another solution. There are a number of choices for layering management on top of BitLocker, and Credant as an organization can help you with that. Microsoft provides a tool called Microsoft BitLocker Administration and Monitoring (MBAM), which is part of the Microsoft Desktop Optimization Pack. If you’re going to look at BitLocker, you’ll probably end up glancing at MBAM at some point. From an enterprise perspective, it’s probably not going to meet all of your needs, and it certainly doesn’t cover all of the problems. For example, it won’t stop a privileged user or administrator from turning BitLocker off on a system if they don’t like it. You’ll want to look at something to help you manage BitLocker as you roll it out, because otherwise you will find significant holes, and it’s better to plan for those earlier rather than later.
Let’s shift gears to pre-boot authentication (PBA). That’s the step in which the user first powers up the system and types in their authentication, telling the system, “Yes, it really is me. Please continue booting and unlock all of the data.” If you’ve lived with a pre-boot system before, you know it can have some real challenges. It may require the user to learn a new step, or to use a password different from the one they type for their domain logon. And IT processes that assume a system can boot unattended, such as applying patches, can be broken by the pre-boot authentication step. Self-encrypting drives (SEDs) implement PBA a little differently from software-based full disk encryption, and it is a little simpler to hook into. As a result, good SED management capabilities are available.
Can SEDs be integrated into Active Directory? Yes. Active Directory is a great way to reduce the impact on end users. If I put the correct management piece in place, I can take the authentication step from pre-boot authentication and tie it into Active Directory. This way, the user won’t have to authenticate twice on the same system, which is always something you want to avoid.
It’s also important to have good recovery methods in place. Remote recovery is a great advantage when you think about the users, because you know they will forget their key at some point. You’re going to get a phone call at two in the morning from somebody on the other side of the world asking, “What’s my authentication key? I don’t remember what it is. How do I get my system powered up?” You want to be able to get it to them, or potentially even have a self-recovery mechanism where they can answer questions and authenticate without having to come back to the admin. There are pros and cons to that approach, but we’re already seeing both methods requested.
FASTER? SLOWER? JUST THE SAME
The other question that comes up often is “Doesn’t encryption slow my machine down?” The answer is no. Everything passes through the drive’s hardware encryption module, which encrypts on the way in and decrypts on the way out, so the encryption process has no impact on performance as it stands. We’ve seen that ourselves during our own testing. The other thing to remember is that the time to security is much shorter. With previous approaches to full disk encryption, the disk would have to go through a process of encryption, essentially sector by sector. Self-encrypting drives are encrypted all the time: everything on the drive is protected from the instant you set the authentication key. Performance is a real win when you’re thinking about SEDs.
ROUNDING OUT THE SOLUTION
Hopefully this helps you think about some of the ways you might employ SEDs. Of course, there are still things SEDs cannot do, and there are still pieces you need to add to complement all of your requirements. You’ve got to be able to provide the reports that show systems are protected and that you’re doing your due diligence. Another element is enterprise deployment of self-encrypting drives: the drive does not run reports by itself, so you’ve got to think about something else there.
And remember, SEDs are not going to be right for everything. You’ve also got to consider other devices. You’re going to have data moving onto removable media. You’re going to have data moving onto smartphones. Then there are also thumb drives. You have to ask, “Do I manage the encryption or manage the policies on the self-encrypting drive device?” Then you have one holistic view. “Where’s the data? What’s my security stance across the board?” It’s less work. It’s less risk to just tie all these pieces together. If you’re thinking about SEDs where possible, I recommend tying these into the same processes you’ve already got in place; it creates a winning solution across the board.
To summarize, self-encrypting drives are great. They’re extraordinarily powerful tools, but to get what you want out of the drive, you need a management layer.
Q&A / SUMMARY
Credant can actually double-encrypt SEDs. The SED has its own encryption technology built into the drive, but you can implement policy-based encryption on top of that, which would encrypt the data again. It’s an option. I’m not saying it’s a standard you should adopt, but it’s certainly possible and makes great sense in certain use cases.
What does Credant do in this space? We’ve recently announced the ability to run the management layer for self-encrypting drives from the same set of tools you use to manage data protection on all of those other platforms. It reduces the workload and meets compliance needs because the data is protected. It reduces the risk of a breach because I can ensure the right protection is in place on the right platform and that I’m not missing pieces; it’s all rolled up into the same set of reports. And of course it reduces operational impact on users because I can deploy policies consistently and manage much more effectively.
The piece we launched is the Credant Manager for self-encrypting drives. It helps you reduce the work of deploying SEDs, again by enabling you to automate and simplify a lot of the policy definition, pushing policy out to devices, switching on the authentication key, and tying users to the right level of access. It reduces the complexity of all of those pieces because you do it from one set of tools, and because it’s all in one place it integrates all the reporting. As a result, you can automate processes like patch management and updating systems. This gives you a great deal of savings in time and process. It also makes things a lot more secure, because now you don’t have a whole bunch of systems left on, powered up and potentially logged in.
Can you use BitLocker with a self-encrypting drive? Potentially you could. I’m not sure it’s a combination I would personally recommend simply because what you’re doing at that point is full disk, a software full disk approach on top of a hardware full disk approach. And I don’t think it’s necessary. If you’re looking at that, I would recommend looking at Credant’s Enterprise Edition. If you have concerns about data protection policies, then you can layer that on top of the self-encrypting drive. But it may simply be enough to have an SED in place. Again, provided it’s up and running.
There are also questions about innovations being considered around SEDs. From our perspective we think the growth and interest in self-encrypting drives is entirely natural because of the advances we already talked about. Especially again, considered against the challenges that people saw with software based full disk encryption, SEDs make a lot of sense.
Our perspective is that we provide data protection capabilities for your entire organization. If you as a customer feel that SEDs are the right solution for one group of users, or for every user, that’s your decision. You have to decide based on the data, on your organization and on the kind of information you have. Our job is to provide the tools and capabilities that make that data protection step simpler, reduce the risk of a breach and of a failed deployment, and reduce the cost of management. We will be happy to help you encrypt data as it moves onto removable media and flash drives. We’ll be happy to help you encrypt data on a Mac. We’ll be happy to help you encrypt data on non-SED systems. We’ll be happy to help you manage SEDs and tie them into the management of all systems. We don’t want to push one solution or another down your throat.
We will try to give you advice based on what we see being successful in organizations like yours, and given that we’ve encrypted and provided data protection management for ten-million-plus endpoints at over a thousand enterprise customers, we have a lot of experience. Our objective is to make you successful by deploying the right protection for you.
A self-encrypting drive (SED) is a disk that has built-in hardware-based encryption. It’s essentially a drive that is enabled to encrypt all the information that gets written to it and that encryption is done by specialized hardware that has a number of really important and significant implications for how to use it, where to use it, how to manage it and so on. They’re made by a number of manufacturers – Hitachi, Toshiba, Seagate, and Samsung, to name a few. There’s a number of organizations that are drive manufacturers that are building out their capability to supply self-encrypting drives. And the reason is that they are becoming very, very popular. Both from the perspective of people wanting to put them in, but also I think from the perspective of organizations looking at them for the first time or maybe coming back and revisiting them. The Trusted Computing Group, which obviously has something of a vested interest in this space, estimates that within five years pretty much all drives will have some self-encrypting capability built in, and that includes both the traditional disk drives and also solid state drives as well. Sometime over the next few years most of the drives that you encounter are going to be a self-encrypting drive of some kind.
HOW IT WORKS
So, how do they work? Very simply. Anything written to the drive passes through a hardware encryption module that encrypts it on its way onto the drive and decrypts it on the way back. Pretty straightforward. Everything written to the drive is encrypted; the whole thing is encrypted. It’s encrypted with the standard algorithms, typically AES-128 or AES-256: industry-standard, well-established encryption, as you would expect, meaning the encryption is going to be solid and secure.
Obviously there are a number of caveats and the caveats must always, as they do with any kind of encryption discussion come down to what happens with the keys. And we’re going to talk about keys, because there’s a couple of keys that are very important when it comes to drives.
WHY THE INTEREST?
Why the interest? In many cases the organizations we see looking at self-encrypting drive technology are going through some kind of hardware refresh, or they’re re-evaluating their initial or attempted deployments of software-based full disk encryption. They like the idea of full disk encryption, but as I’m sure you know, it can have some management challenges. So what we’re seeing is a re-evaluation of the way full disk encryption is implemented, with self-encrypting drives. They are much faster than software-based full disk encryption and much more reliable. Data loss is less likely with a self-encrypting drive because they’re much less sensitive to bad sectors. They also take away a lot of the pain of the initial install of software full disk encryption: defragmenting the drive and checking for bad sectors, because those could be fairly sensitive issues with the drive itself. In a nutshell, that’s a self-encrypting drive, and they’re simple.
WHERE DO THEY FIT
Where do they fit? Organizations interested in self-encrypting drives are typically driven by a couple of things. One is that they want a simple solution, and one that’s simple to live with. Full disk tends to offer simplicity since everything gets encrypted, and self-encrypting drives are a very simple way to implement full disk encryption. They also fit when you don’t need to provide different encryption for different types of users: because it is full disk, the drive is unlocked all in one go rather than in different portions for different users, and that’s a consideration you have to keep in mind. The other thing to think about is fairly self-evident: self-encrypting drives only encrypt the information that’s on the drive itself. You will need to think about information as it moves off the self-encrypting drive. That being said, if that matches your requirements, SEDs may be a fit.
OPAL – CONNECTING AND PROTECTING
I want to touch briefly on OPAL, the Trusted Computing Group standard for self-encrypting drive technology, which defines a number of capabilities for self-encrypting drives. I don’t intend to go through all of them in great detail, but if you come across OPAL drives, understand that this is what the industry is moving to as the standard for SEDs. It defines the functions and much of the way these drives interact with other hardware. OPAL is an important standard, and you should expect pretty much all the devices you look at in the future to be OPAL compliant.
Let’s talk about common misconceptions and areas of confusion around self-encrypting drives. We talked a little about security for self-encrypting drives, and while that may seem odd, it is an important consideration. Then management and applicability: where exactly is the right place to use self-encrypting drives? Then pre-boot authentication. If you’ve ever dealt with pre-boot authentication, certainly in the software world, it can have serious impacts and be quite a headache to manage, so let’s talk about what pre-boot authentication looks like for self-encrypting drive technology. And performance: one of the questions we get a lot is, “What’s the performance impact if I go to a self-encrypting drive?”
SECURE FROM DAY 1
One of the interesting things about self-encrypting drives is that everything is encrypted all the time. The entire drive is encrypted from day one, whether you want it to be or not; it’s not possible to have a self-encrypting drive that isn’t encrypted, which sounds great. The reason is that there are a couple of keys involved. The first key you need to know about is the encryption key. That’s the key the drive uses to encrypt information; the drive itself generates it when it is built, and it is locked away in the hardware. That’s the key for encrypting all information saved to the drive and decrypting it on the way back. The problem is that by default that key is available all the time. So essentially it’s like having a great set of locks on your front door but leaving the key in the door every time you go out: you might have great locks, but there’s no security. That’s where the second key comes in: the authentication key. The authentication key locks away the data encryption key, encrypting it so that you can’t get to it unless you have the authentication key that you take with you. That’s the key that lets you prove you are the authorized user of the device and the information. So, like everything else in encryption, the big challenge is key management. You must secure the authentication key and manage it appropriately.
The good news is that devices are encrypted from day one and there’s no setup: the device is running and encrypting everything as it gets written to the drive. What if I need to make sure nothing on the drive can ever be recovered? All you do is destroy the key and the information is unusable, once you’ve got that initial key management under control.
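To make the two-key model above concrete, here is an added toy model in PowerShell using .NET crypto; it is not from the original article or from any drive vendor, and it talks to no real drive. The “drive” is a hashtable, sectors are AES-CBC with a per-sector IV (real OPAL drives use AES-XTS inside the controller), and the data encryption key (DEK) is wrapped under a key derived from the authentication key with PBKDF2. It shows the three properties the text describes: an unset authentication key leaves the data open, changing the authentication key re-wraps the DEK without touching the sectors, and destroying the DEK makes every sector unreadable instantly.

```powershell
# Added example (not Credant's or any vendor's code): toy model of an SED's DEK and
# authentication key. All names are hypothetical; no real drive is involved.
$Rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$Sha = New-Object System.Security.Cryptography.SHA256Managed

function New-RandomBytes([int]$Length) {
    $b = New-Object byte[] $Length; $Rng.GetBytes($b); return ,$b
}

function Invoke-Aes([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [bool]$Encrypt) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key; $aes.IV = $IV
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $t = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
    $out = $t.TransformFinalBlock($Data, 0, $Data.Length)
    $aes.Clear(); return ,$out
}

function Get-Kek([string]$AuthKey, [byte[]]$Salt) {
    # Key-encrypting key derived from the user's authentication key (PBKDF2).
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($AuthKey, $Salt, 20000)
    $k = $kdf.GetBytes(32); return ,$k
}

function New-SedDrive {
    # "Manufacture": the controller generates the DEK and every sector written from now on
    # is encrypted under it. With no authentication key set, the DEK is simply present:
    # a great lock with the key left in the door.
    @{ Dek = (New-RandomBytes 32); DekCheck = $null; Salt = $null; WrapIV = $null; WrappedDek = $null; Sectors = @{} }
}

function Write-SedSector($Drive, [int]$Lba, [string]$Text) {
    if (-not $Drive.Dek) { throw 'drive is locked' }
    $iv = $Sha.ComputeHash([System.BitConverter]::GetBytes($Lba))[0..15]   # per-sector IV
    $Drive.Sectors[$Lba] = Invoke-Aes $Drive.Dek $iv ([System.Text.Encoding]::UTF8.GetBytes($Text)) $true
}

function Read-SedSector($Drive, [int]$Lba) {
    if (-not $Drive.Dek) { throw 'drive is locked' }
    $iv = $Sha.ComputeHash([System.BitConverter]::GetBytes($Lba))[0..15]
    try { [System.Text.Encoding]::UTF8.GetString((Invoke-Aes $Drive.Dek $iv $Drive.Sectors[$Lba] $false)) }
    catch { $null }   # after a crypto-erase the old ciphertext fails the padding check
}

function Set-SedAuthKey($Drive, [string]$AuthKey) {
    # Lock the DEK under the authentication key. Changing the AK only re-wraps the DEK;
    # the sectors are never re-encrypted, which is why it is instant.
    if (-not $Drive.Dek) { throw 'unlock the drive before changing the authentication key' }
    $Drive.Salt = New-RandomBytes 16; $Drive.WrapIV = New-RandomBytes 16
    $Drive.WrappedDek = Invoke-Aes (Get-Kek $AuthKey $Drive.Salt) $Drive.WrapIV $Drive.Dek $true
    $Drive.DekCheck = $Sha.ComputeHash($Drive.Dek)   # verifier for the unwrapped DEK
}

function Lock-SedDrive($Drive) { $Drive.Dek = $null }   # power-off: only the wrapped DEK survives

function Unlock-SedDrive($Drive, [string]$AuthKey) {
    # Pre-boot authentication: derive the KEK, unwrap the DEK, verify it before use.
    try { $dek = Invoke-Aes (Get-Kek $AuthKey $Drive.Salt) $Drive.WrapIV $Drive.WrappedDek $false } catch { return $false }
    if ([BitConverter]::ToString($Sha.ComputeHash($dek)) -ne [BitConverter]::ToString($Drive.DekCheck)) { return $false }
    $Drive.Dek = $dek; return $true
}

function Invoke-SedCryptoErase($Drive) {
    # Instant sanitise: replace the DEK and discard the wrapped copy. The sectors are still
    # on the platters, but nothing can decrypt them any more.
    $Drive.Dek = New-RandomBytes 32; $Drive.WrappedDek = $null; $Drive.DekCheck = $null
}

# Walk-through with constructed data
$d = New-SedDrive
Write-SedSector $d 7 'quarterly numbers'
Set-SedAuthKey $d 'correct horse battery'
Lock-SedDrive $d
"wrong AK unlocks: $(Unlock-SedDrive $d 'password1')"                  # False
"right AK unlocks: $(Unlock-SedDrive $d 'correct horse battery')"      # True
"sector 7: $(Read-SedSector $d 7)"                                      # quarterly numbers
Set-SedAuthKey $d 'new passphrase'      # re-wrap only; sector 7 is untouched
Invoke-SedCryptoErase $d
"after erase: $(Read-SedSector $d 7)"   # empty: old ciphertext no longer decrypts
```

The point to carry over to real drives is which objects a management layer actually handles: it never sees the DEK, only the authentication key (and its recovery copies), which is why AK rotation and remote crypto-erase are cheap operations and why losing control of the AK store is the risk that matters.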
THEY DON’T NEED MANAGEMENT
I’m sure you’re asking, “Okay, so how would I do that?” You do it by putting in a management layer, and this should not be a surprise to anybody. If you want to manage all of those keys, enable people to get access to their systems without great difficulty, and ensure they continue to have access, you need a management layer. So there’s technology that enables you to activate the drive, set policies, manage which users have access and when, and of course remove their right of access if you need to. You really have to think about maintaining control over who has access to authentication keys and when. You have to consider user recovery, for when a user is inevitably on the other side of the planet, has lost their authentication key and can’t get in. Things like this are a big challenge with encryption technology, especially full disk encryption. One of the big complaints is the pre-boot step, the step where the user authenticates: if that step isn’t managed, it interferes with patch management, and in the worst case people literally have to leave their systems powered on and logged in to let patching happen, which is not ideal at all. You want to ask, “Can my management layer let me keep my patch management processes working?” System loss is another challenge: if the device is lost, how do I ensure people can’t access it anymore? Can I kill those keys quickly to prevent people from getting in? Then there’s reporting and auditing. I want to be able to prove that these controls are in place and that the information is protected at all times, and provide auditing and compliance reports to my internal stakeholders, my compliance managers and so on.
These are the major things that you need to think about when you’re talking about management.
ONE SIZE FITS ALL
Another thing to bear in mind is the idea of one size fits all. SEDs are great and extremely effective, and they are becoming more affordable as price points come down, but they’re still not necessarily the right solution for everything. One challenge with any full disk approach is that once you unlock it, the whole drive is unlocked. For example, if I have sensitive information on my device and I need to give it to an administrator or a contract organization to work on, the drive has to be unlocked for them, and it could be a concern that they then have access to any information on that system. Another scenario to think about is providing access to what I would call “non-authorized” users. So they’re great tools, but use them in the right place. There are always things to consider: “What happens when I move data onto a different system without an SED? What happens when I move it out into a cloud environment?” They’re a great solution, yes, but you have to think beyond just that device.
Stay tuned as we shift gears to pre-boot authentication and a well-rounded SED solution.
Let’s look at best practices for integrating BitLocker into your security solution, and how to do so as you plan your migration to Windows 7.
A lot of organizations have either started or are starting to migrate to Windows 7. With that comes BitLocker – and I’ll take a look here at some of the strengths of BitLocker – and some of the areas to be aware of. I’d like to give you some tips and tricks as well, and some of the things that you ought to bear in mind as you plan for your BitLocker rollout, and as you plan for management of BitLocker within your broader security environment.
WINDOWS 7 MIGRATION
As I look at Windows 7 migrations and what’s happening in the market, most organizations seem to be on about a 4- to 6-year cycle for refreshing hardware. That means there’s a lot of older Windows hardware out there still running XP or Vista, and it may be time to refresh those PCs and look into new desktops and laptops. Of course, there are significant cost and security benefits to adopting Windows 7, and I’ve seen reports indicating that about 60 percent of organizations have already begun to deploy Windows 7, though it may not be a full deployment as yet.
MIGRATING TO WINDOWS 7/SOME KEY FEATURES
As I look specifically at the security elements of Windows 7, it brings a lot of enhancements over XP and Vista. User Account Control helps defend your PCs against hackers and malicious software by allowing you to set everybody up with standard user privileges rather than local administrator privileges. Gartner certainly recommends that you go down that road, but for various reasons a lot of organizations continue to give employees local administrator rights rather than standard user permissions.
There are other important systems in play as well. One area to take advantage of is Group Policy, for centralized management and configuration based on Active Directory. AppLocker, for instance, is a neat little tool that allows you to specify which software is allowed to run, managed through Group Policy. There are a number of other key security enhancements available, but as I think about BitLocker in particular, a couple of things come to mind.
The first one is that BitLocker is not available with the Professional version of Windows 7 – in fact, BitLocker is only available with either the Enterprise version or the Ultimate version. This is an important distinction – and, of course, the Enterprise and Ultimate versions of Windows 7 require that you have the appropriate licensing: volume licensing for Enterprise, or, with the Ultimate version, either retail or OEM licensing, which may not be appropriate for an organisation-wide deployment.
WHAT IS BITLOCKER?
Let’s take a deeper dive into BitLocker and what it really is. As mentioned, it’s intended for Ultimate and Enterprise editions only, for Windows 7 and for Windows Vista, and it can run on Windows Server 2008. The Windows BitLocker drive encryption does support both 128 bit and 256 bit encryption keys. Certainly the longer encryption keys increase security. But they also, as Microsoft will tell you, can cause slower encryption and decryption of data. BitLocker has a diffuser algorithm that is intended to help protect the system, so by default with Windows 7 the encryption is AES 128. That may or may not be appropriate, but it is possible for you to go back and change that to 256 bit should you choose to. That’s just one of the things to bear in mind as you begin to look at BitLocker.
What are some of BitLocker’s strengths? Certainly it is a strong encryption solution – a volume based solution that will work well encrypting data on fixed drives. For instance, a lot of users out there have desktops and BitLocker might be a very good solution – though you may want to think twice about the BitLocker-to-go removable media option for those systems (more later).
The Windows 7 implementation has certainly improved over the Windows Vista version, and it does leverage the newer technologies such as the AES processor and the Trusted Platform Module (TPM). However, that actually requires that you have TPM version 1.2. As you move toward a Windows 7 rollout and installing new machines, the likelihood is that you’ll be in great shape! Pretty much all of the new laptops and desktops out there come with TPM 1.2 … but you may not be quite as well positioned to roll BitLocker out to older systems already in your environment, as part of your Windows 7 upgrade.
Let’s move on from BitLocker’s strengths to some of the areas to be aware of.
When it comes to how users authenticate, there are a few different options. You’ve got the TPM, you’ve got a PIN or enhanced PIN, and you’ve got a USB device as options. The recommendation from Microsoft, and from us as well, would be to use multifactor authentication because it does increase the drive security. You can use these authentication methods in any number of combinations: you can use the TPM with a PIN; you can use the TPM and a startup key kept on a USB flash drive; you can use a startup key and the PIN and the TPM … You’ve got lots of options there. (Note – if you do decide to use the enhanced PIN, it does require that the BIOS version support the full keyboard in the pre-boot environment.)
But the thing to remember as you look at multifactor authentication is that it’s vitally important you communicate with and train your users on what it is that they’ve got to do! For instance, if they are required to have a PIN and a USB startup key, you’ve got to remind them that they should NOT be keeping their BitLocker PIN or startup key in an easily accessible location, like on a sticky note or a USB stick that’s sitting right beside the laptop. It’s important to be sure you store the keys separately from the data, because you potentially have a problem otherwise.
WHAT IS THE TPM?
It is an onboard system that provides a root of trust that seals the encryption keys and can protect against off-line attacks. As already noted, the thing to remember with TPM, if you’re going to use it, is that it must be version 1.2. (If you’re on a newer system, you’re probably in great shape.) For some older systems you might need to look back and see whether this is still a viable option.
One other thing to bear in mind regardless of how users are authenticated – you will need to disable the use of standby mode for any portable computers. On a laptop with BitLocker on the OS drive, the pre-boot protection is only in effect when the computer is turned off or in hibernation mode, not when it is merely sleeping. So, no sleeping for you road warriors.
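Before you schedule a machine for BitLocker, it is worth confirming the TPM prerequisite above from the OS rather than from the vendor spec sheet. The script below is an added example, not code from the original post or from any product it describes: it reads the Win32_Tpm WMI class that Windows Vista and 7 expose (this query needs an elevated prompt) and reports whether the chip is a version 1.2 part that is enabled and activated in firmware. The function name and the output fields are this example’s own choices.

```powershell
# Added example (not from the original post): check the TPM prerequisites
# for BitLocker on the local machine via the Win32_Tpm WMI class.
# Run from an elevated PowerShell prompt; works on PowerShell 2.0 (Windows 7).
# Function name and output fields are this example's own choices.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    if ($tpm -eq $null) {
        # No TPM visible to Windows: absent, switched off in BIOS, or no driver.
        # Transparent and TPM+PIN modes are unavailable on such a machine.
        return New-Object PSObject -Property @{
            Present = $false; SpecVersion = $null; Enabled = $false
            Activated = $false; Owned = $false; ReadyForBitLocker = $false
            Notes = 'No TPM found (absent, disabled in BIOS, or driver missing)'
        }
    }

    # SpecVersion is a comma-separated string such as "1.2, 2, 3"
    # (specification version, specification level, errata revision).
    $specVersion = ($tpm.SpecVersion -split ',')[0].Trim()

    # Each method returns an object carrying the flag plus a ReturnValue.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    $notes = @()
    if ($specVersion -ne '1.2') { $notes += "TPM spec version $specVersion is not 1.2" }
    if (-not $enabled)   { $notes += 'TPM is disabled in firmware' }
    if (-not $activated) { $notes += 'TPM is not activated' }
    if (-not $owned)     { $notes += 'TPM has no owner yet (BitLocker setup can take ownership)' }

    # Windows 7 BitLocker needs a 1.2 TPM that is enabled and activated;
    # ownership can be established during setup, so it is reported, not required.
    $ready = ($specVersion -eq '1.2') -and $enabled -and $activated

    New-Object PSObject -Property @{
        Present = $true; SpecVersion = $specVersion; Enabled = $enabled
        Activated = $activated; Owned = $owned; ReadyForBitLocker = $ready
        Notes = ($notes -join '; ')
    }
}

Get-TpmReadiness | Format-List
```

Run it across the older hardware you intend to keep and the machines that return ReadyForBitLocker = False are the ones where a BIOS update, a firmware setting change, or a hardware refresh has to come before the Windows 7 image.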
WHAT IS THE RECOVERY PASSWORD OR KEY?
The next thing after authentication is to plan for recovery key management. The recovery password is a 48 digit randomly generated number that is created during BitLocker setup. If the computer enters recovery mode, the user will need to type in this password in order to recover data.
WHAT MIGHT CAUSE IT TO GO INTO RECOVERY MODE?
There are a number of different things that could do it. An update to the BIOS could potentially do it, as could updating the option ROM, upgrading any early boot components, or, simple as that, forgetting the PIN. A user who has forgotten the PIN when PIN authentication has been enabled can potentially trigger a recovery process.
If you do have a recovery process, now the user needs to have the key. If they have the key, that’s perfectly fine, but how do they store it? Again, key security becomes very important to bear in mind. If a user is worried that they’ll need the key, he or she is probably going to keep it pretty close to the laptop/desktop, and that will potentially give you 1) – a management headache, and 2) – a key security headache.
Are those keys actually secure? Written down on a sticky pad, or printed off and tucked away in the same briefcase as the laptop containing the data!?
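The authentication and recovery planning points above (which protector combination is in place, which encryption method is in use, and whether a recovery password even exists to be escrowed) can be verified on a running machine instead of assumed. The script below is an added example, not code from the original post or from any product it describes: it walks the Win32_EncryptableVolume WMI class (elevated prompt required) and reports, per volume, whether a multifactor TPM protector and a recovery password protector are present and whether the encryption method matches what your policy mandates. The function name, the RequiredMethod and IncludeDataVolumes parameters, and the output fields are this example’s own choices; the numeric codes in the lookup tables are the values the WMI methods return.

```powershell
# Added example (not from the original post): audit BitLocker volumes on the
# local machine against the planning points above. Uses Win32_EncryptableVolume;
# run from an elevated prompt. Works on PowerShell 2.0 (Windows 7).
# Function name, parameters and output fields are this example's own choices.

# Codes returned by GetEncryptionMethod / GetKeyProtectorType / GetConversionStatus.
$EncryptionMethods = @{ 0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser'
                        3 = 'AES 128'; 4 = 'AES 256' }
$ProtectorTypes    = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External Key'; 3 = 'Numerical Password'
                        4 = 'TPM And PIN'; 5 = 'TPM And Startup Key'
                        6 = 'TPM And PIN And Startup Key'; 7 = 'Public Key'; 8 = 'Passphrase' }
$ConversionStates  = @{ 0 = 'Fully Decrypted'; 1 = 'Fully Encrypted'; 2 = 'Encryption In Progress'
                        3 = 'Decryption In Progress'; 4 = 'Encryption Paused'; 5 = 'Decryption Paused' }

function Get-BitLockerPolicyAudit {
    param(
        # Method your policy mandates: 1 is the Windows 7 default discussed above,
        # 2 or 4 if you have moved to 256-bit keys.
        [int]$RequiredMethod = 1,
        # By default only the OS volume is audited, since the TPM protector
        # checks only make sense there.
        [switch]$IncludeDataVolumes
    )

    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume |
      Where-Object { $IncludeDataVolumes -or $_.DriveLetter -eq $env:SystemDrive } |
      ForEach-Object {
        $vol     = $_
        $method  = [int]$vol.GetEncryptionMethod().EncryptionMethod
        $conv    = $vol.GetConversionStatus()
        $protect = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown

        # Enumerate all key protector IDs (type 0 = any), then resolve each type.
        $types = @()
        foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }
        $multifactor   = @($types | Where-Object { $_ -ge 4 -and $_ -le 6 }).Count -gt 0
        $hasRecoveryPw = @($types | Where-Object { $_ -eq 3 }).Count -gt 0

        $findings = @()
        if ($protect -ne 1)              { $findings += 'protection is not on' }
        if ($method -ne $RequiredMethod) { $findings += "method is $($EncryptionMethods[$method]), policy requires $($EncryptionMethods[$RequiredMethod])" }
        if (-not $multifactor)           { $findings += 'no TPM+PIN or TPM+startup key protector (single factor)' }
        if (-not $hasRecoveryPw)         { $findings += 'no recovery password protector to escrow' }

        New-Object PSObject -Property @{
            Drive       = $vol.DriveLetter
            Conversion  = $ConversionStates[[int]$conv.ConversionStatus]
            PercentDone = $conv.EncryptionPercentage
            Method      = $EncryptionMethods[$method]
            Protectors  = (($types | ForEach-Object { $ProtectorTypes[$_] }) -join ', ')
            Compliant   = ($findings.Count -eq 0)
            Findings    = ($findings -join '; ')
        }
    }
}

Get-BitLockerPolicyAudit -RequiredMethod 1 |
  Format-Table Drive, Conversion, Method, Protectors, Compliant, Findings -AutoSize
```

A volume that reports a Numerical Password protector is one whose recovery password can be escrowed centrally; a volume without one is exactly the case where the only copy of the recovery information ends up on the sticky note described above. The WMI codes are cast to [int] deliberately, because the methods return unsigned integers and a PowerShell hashtable will not match a UInt32 key against an Int32 key.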
WHAT ABOUT REMOVABLE MEDIA?
Another thing to consider is removable media. BitLocker does come with a solution called BitLocker-To-Go, which allows you to encrypt data on removable media. But one of the problems with BitLocker-To-Go is that it can be very slow in provisioning larger capacity drives. I’ve seen a 1 GB or 2 GB USB stick take up to a half an hour to format. And if you think about a user who is sticking in a USB stick, they’re not going to wait 20 minutes or half an hour for that stick to be formatted ready for encryption. What might happen is they will pull the USB stick out because they’re frustrated. And that, by the way, will corrupt all of the data. That’s a problem!
One of the other things is that a lot of people have 1 TB external drives they use for backups, connected via USB. If I were using BitLocker-To-Go, I don’t know if I would have the patience for the provisioning time, let’s put it that way. Removable media is an area that you need to consider because of large external drive capacities and also because of the usage scenario for the end user. If they’re waiting 15 or 20 minutes to half an hour or longer for a USB stick to be formatted, they’re going to get frustrated and they’re going to find other ways of sharing data. For that reason, BitLocker-To-Go may not be the ideal solution for most users.
WHAT ABOUT ENCRYPTING NON-WINDOWS 7 MACHINES?
Now let’s visit encryption for non-Windows 7 machines. There’s very little likelihood that the Windows 7 environment is going to be entirely Windows 7. In most organizations there is still a fairly sizeable population of Mac OS users – and in some cases that number is growing. Mac users tend to be big fans and they tend to want to keep their Macs. And it may be in the creative department. It may be at the management level. It could be anywhere. Mac OS is a substantial platform that exists within a lot of environments, 10 to 15 percent of some environments in fact. That’s something you need to consider as you look at complying and protecting data across the entire organization.
Windows 7, of course, is not the only Windows version that’s out there today. If your organisation is in line with market norms, you’ve still got Windows XP on up to a third of the machines out there in your environment. I don’t know how fast you’re able to get the transition to happen, or whether you might want to reuse and recycle some of those machines for lower-end users … In either case, you need to consider protecting the data on those devices as well.
Additionally, you’ve got a growing population now of mobile OS platforms that are becoming more and more of an issue that you need to consider as you look to the future and protecting data across your entire organization.
If we take a look at a few stats that were released last year, the vast majority of organizations have multiple administrators managing encryption keys and integrating security into their existing IT processes. Consolidating all of those security admin jobs so that everything can be managed from a single pane of glass can bring with it enormous benefits. It’s both a reason to move to BitLocker and also a reason to look at how you manage BitLocker. A lot of organizations have several different encryption technologies in place with three or four or five different management consoles. If you’re able to integrate there and find the opportunity to manage BitLocker and the other systems in your environment centrally, then you’ve certainly driven some benefit for your organization and for end users, and of course for compliance reporting.
WHAT ABOUT COMPLIANCE?
This brings me to the next point – the need to understand your compliance environment. Data encryption is specifically mandated under various regulations – and even where it is not mandated, there’s a strong emphasis on encryption as a recommended best practice. HIPAA and HITECH, for instance, do not mandate encryption – but they do give you safe harbor should a USB stick or a laptop with sensitive data on it be lost. If that data is encrypted, then you don’t have the same notification requirements that are in place for non-encrypted data.
Something else to think about is what kind of reporting you’ll need. Is it organization-wide? Possibly. The ability to report to auditors and to management on your data protection status is often crucial: the number of endpoints, the types of endpoints and devices that data is flowing to, and the ability to enforce encryption of the data as it moves about. Management will want reporting, and outside auditing agencies will want it as well. They will want to see that you are putting the right security profile in place.
FIPS compliance is another very important factor for some organisations, and while BitLocker does allow you to achieve FIPS compliance, it is only possible to do so if users do NOT create recovery passwords. The fact that these passwords are, most likely, going to be kept very close to the machines is, I guess, one important reason that FIPS compliance is lost – but there’s also the fact that the recovery keys can be stored in clear text within Active Directory, which again loses your FIPS compliance. So is FIPS compliance an important factor for you? Certainly worth thinking about.
CREDANT BITLOCKER MANAGER
Credant BitLocker Manager is a solution that gives you a single management console for all of your data protection requirements. You’ll have full management control not only of your Windows BitLocker machines, but also potentially of all of the endpoints in your environment. We are able to give you full management and control of BitLocker itself, including automation of TPM initialization and management. You can leverage Group Policy settings to set features around encryption strength, drive access controls, drive recovery and deployment options. We’re able to help you roll this out, set up your policies and then manage those policies. We’ll give you standardized recovery key management: all of the recovery keys are securely escrowed and encrypted, so that you’ve got much more security – and you retain FIPS compliance if that’s a concern for you. Credant offers automated management of the Trusted Platform Module, and very flexible management in terms of the ability to manage different groups and different users, all the way down to the individual user and the individual device.
As I look to what the biggest benefit here is, it’s hands down around integration. The BitLocker manager solution will help you to manage all of those BitLocker devices. You can integrate it with the Credant Enterprise product that will allow you to manage all of the other devices in your environment. It will allow you to manage all of your old Windows XP, Windows Vista or Windows 7 non-BitLocker machines and it will also allow you to manage all of your Mac OS machines – all from a single pane of glass!
Additionally, instead of using BitLocker-To-Go with its many issues, the Credant external media solution is the best solution in the market for protecting data on external media devices. It gives users quick and easy protection for data on any of their external media devices; ensures very comprehensive visibility and reporting capabilities for management; and gives IT the ability to set policies around what kind of data can be moved to external media.
We can integrate all of that into one pane of glass so that you get much simpler management and much more complete reporting and auditing. There’s a much lighter workload for compliance-related auditing, because compliance reporting is built into the solution and will allow you to generate reports at a companywide level down to an individual user level. When the CFO calls and says, “I lost my laptop at O’Hare on my last business trip, can you tell me what’s up?”, you’re able to very quickly go in, take a look and confirm that the encryption was in place. While the CFO is going to be unhappy that he has to get a new laptop and configure it, he can be very happy that all of the sensitive data on his laptop was not lost.
Again, integration is probably the biggest area of concern for a lot of our customers. It is an area where the Credant Manager for BitLocker is able to provide you support, so that you have far fewer gaps in your coverage.
FULL STEAM AHEAD
So – as I’ve discussed, BitLocker does have some clear advantages – and with your Windows 7 rollout either in process already, or going to be in process very soon as you look at refreshing your PCs, BitLocker does work very well for some users. However, BitLocker does have some limitations. It’s important to think about what your authentication policy is going to be. It’s important to think about what your recovery key management policies are going to be. It’s very important to consider removable media. Compliance is a key driver for a lot of organizations. It’s important that you understand which regulations you’re held accountable for – and what’s required in order to achieve compliance.
As you roll out Windows 7 you’re going to get the benefit of enhanced security in a number of ways and enhanced performance over some of those older Windows XP machines. There are a lot of great, positive things to do with the Windows upgrade.
So full steam ahead, but just remember some of these tips and tricks, and try to make sure that you’re able to integrate and save on the management cost, as well as, on the end user side, making it as transparent and as easy for the user as possible.
We’ve recently added some videos where I cover a number of the key questions we see coming up when we talk to both our current customers and organizations that are starting to think about the best approaches to protecting sensitive information.
So the first question really revolves around the role of encryption in the event of a breach. As I say in the video it’s an unfortunate fact, but breaches are going to happen to even the best protected organization. Laptops get stolen, removable media gets lost, and people make mistakes. So the question then is, what happens next? And that’s where we see the real value of encryption. Because even if a breach occurs, encrypted data is still safe data. Encryption may not stop the breach from occurring, but it will certainly eliminate much of the pain (and cost) when one does.
In the second video I address one of the more frequent questions we hear – around the consumerization of IT. Ultimately what is happening is that the range of devices in the enterprise is growing incredibly rapidly, and in a way that is often beyond the control of the IT organization. As more and more people bring their own devices into the network, the complexity of keeping it all secure and compliant is growing – and increasing complexity is never a good thing in the case of security.
Part of the problem in keeping data safe is also keeping control over who has access to it. That’s why CREDANT has adopted an approach to encryption management that is a little different from what you might see normally. Rather than use a single key to encrypt everything on a device, we actually enable the use of multiple keys. That means that, as an organization, I have much greater flexibility in deciding who can see what data. For example, I can allow an administrator to work on a system while still keeping the actual user data (say that of my CFO) safely encrypted. It’s that kind of flexibility that really allows our users to tune their security policies to match their needs – and their risk appetite.
In the last video I talk a little bit about removable media. This is a huge problem for most organizations (especially those that haven’t thought about it yet.) Removable media devices, such as flash drives, are everywhere. They are cheap, have very large capacity, and are often used in a way that can compromise data security. As such, if you want to quickly reduce the risk to your business of a breach occurring, you should start by thinking about removable media – what is being copied on to it, by whom, and most importantly, is it secure?
I hope the videos are interesting, and I’d love to get your feedback. Let me know if there are other topics we should explore on keeping your information safe and secure – we’re all in this together, after all!
If you think the holiday shopping frenzy has died down until the day after Christmas, you may want to stay away from any sort of establishment where you receive things in exchange for cash or the swipe of a card. Because the truth is, you’re sadly mistaken. But, you’re not alone. Most holiday shoppers think that Black Friday is the busiest shopping day of the year, however, the weekend before Christmas Day is actually the busiest, with sales nearly four times as large as those on Black Friday.
Let’s admit it: we’re a society of chronic procrastinators. So naturally, many people wait until the last couple of days in the holiday shopping season to buy gifts. Along with crowded department stores and jam-packed malls, Internet connections are getting a run for their money this time of year, too, whether shoppers are at home, in the office, or on the go.
With the holiday spike of ecommerce and in-store sales also comes the increase of lost wireless devices. As people are scurrying around malls and department stores trying to finish up their last bit of shopping for the year, they often misplace or lose personal belongings like bags, purses, wallets and keys in the process. These belongings often house wireless devices like smartphones, USB storage drives, and even tablet and laptop computers.
In fact, a recent survey we conducted shows just how many devices end up at the lost and found department of several different local shopping malls. If these devices end up in the wrong hands, or even in the hands of a bored mall employee, any sensitive information stored on the device—whether it’s employee-owned or not—is fair game to whoever is holding it.
The end of the holiday season is nearing, but the biggest shopping days are still to come. Make sure you keep track of your wireless devices and protect the data before you decide to brave the mall.
For those sale fiends that didn’t get their fix on Black Friday—or maybe for the ones that have a phobia of large, hostile crowds—there is Cyber Monday. Coined in 2005, this virtual holiday happens the Monday after Black Friday, giving holiday shoppers one last holiday shopping hurrah before December. And boy do they take it. Sales have steadily increased each year during Cyber Monday, going beyond the $1 billion mark in 2010.
One reason that Cyber Monday has picked up steam in just a few short years? Convenience.
In today’s digital world, not only has online shopping increased in environments like corporate offices, school classrooms and the living room sofa, it’s gaining popularity on-the-go, with technology advances in smartphones, tablets and laptops. Ecommerce is happening in taxis, on sidewalks, in restaurants and everywhere else there is wireless reception—especially on Cyber Monday.
Additionally, many devices used for ecommerce are either company-owned, or they’ve been brought into the corporate walls due to IT Consumerization. Nonetheless, when a device is brought into work, it often leaves with sensitive company data stored on it, whether it’s in the form of an app, an email attachment, or stored on the device itself. Many of these devices—especially employee-owned devices—aren’t protected, leaving their contents a free-for-all in the event that the device is misplaced or lost.
For instance, let’s say an employee at your organization places a bid on eBay for a really cool garment they’ve been wanting. It’s in the last hour and they need to place a higher bid, so they pull out their smartphone at lunch, tap the eBay app, place a bid and put the phone back on the table. In a rush to get back to the office, they leave their phone on the table, loaded with several accounts opened, exposing not only their personal information, but sensitive company information in their work email account as well. If this phone were to fall into the wrong hands, not only has the employee put themselves at risk of several accounts of personal data breach, but your organization’s data as well. With the holiday season in full swing, this risk will only increase, especially during Cyber Monday.
As the holiday shopping season arrives, it’s not a bad idea to begin thinking about ways to protect the data that gets circulated on wireless devices, employee-owned or not.
As many people are sleeping off their food comas in the wee hours of the morning post-Thanksgiving, many others are waiting in long, winding lines in the parking lots of various department stores, calculating how they’ll get their mitts on a limited number of heavily-discounted toys, electronics, housewares, and other goods of the sort in less than two minutes.
And, at the strike of the opening hour, these shoppers—most of them well-versed in strategic crowd surfing—stampede through store doors like wild animals, maneuvering shopping carts like bulldozers, knocking over displays, losing their children and belongings—all for a good bargain.
In the bowels of the mayhem, many personal belongings like bags, purses, wallets and keys are often misplaced, dropped and eventually lost. These belongings all-too-often contain smartphones, USB drives, and even tablet and laptop computers that are often used at work and loaded with sensitive data.
And, what’s more, based on the findings of our recent survey, around 68% of these lost devices never get claimed by their owners. Left unprotected, the data stored on them is at large risk of exposure, which can result in expensive remediation fees and reputation damage to the owner of the data if a breach occurs.
So, if you’re a fan of fighting thick swarms of sale enthusiasts this holiday shopping season, know that the loss of wireless devices spikes this time of year, and the potential repercussions of losing your smartphone or USB drive could far outweigh the money that you saved on gifts this Black Friday.
In a recent article on Drdobbs.com, Andrew Binstock argues that breaches, especially the recent spate of very public hacks into large organizations by groups such as LulzSec, are the result of a degree of organizational indifference to security.
“Given that these hacks were nothing new — every month seems to bring forth a new one — you’d have to conclude that many businesses don’t view themselves as having an obligation to their customers to make sure data is secure.”
I think there’s certainly a kernel of truth here, but I also think it’s dangerous to use too broad a brush when painting a picture of the current state of security. It’s hard to argue that a lot of companies have done a poor job of securing their infrastructure and information. But—and it’s a very big but—a lot of companies have done a far, far better job than they are given credit for.
One of the common features of hacking (whether for malicious fun or profit) is that attackers tend to look for easy targets. In fact, research shows that a lot of successful attacks are somewhat opportunistic. The hacker looks for certain types of vulnerability and then tries to match a target organization with that weakness that they can exploit. Rarely do hackers actually go after specific organizations because of who they are (the attacks by LulzSec on Sony, and attacks on certain defense contractors by “APTs” are more exceptions than the rule.)
In this year’s Data Breach Investigations Report, the Verizon Risk Team (along with the US Secret Service and others) identified 83% of all the attacks that they investigated as being opportunistic in nature. The attacker picked that target because it exhibited a vulnerability that the attacker knew how to exploit. In only 17% of cases was the company targeted first and a vulnerability sought afterwards.
What this means is that in the vast majority of cases, when hackers encounter an organization whose security *is* strong, they simply move on. Like predators in the animal kingdom, hackers seek the weakest targets simply because that is the most efficient (and risk-free) use of their time and resources.
What hits the headlines, then, is not a representative picture of how enterprises approach security, but rather a somewhat skewed view; in much the same way that the news headlines paint a rather different picture of life than is experienced by most people. What we see is the result of successful attacks on organizations that, for some reason, whether bad luck, insufficient resources, or yes, organizational disinterest, looked like an easy target to the wrong attacker at the wrong time. It’s not good, but perhaps it’s not as bleak as the article suggests.
I also think there’s another set of factors at work here, compounding the problem for businesses and government agencies struggling to catch up with security best practices. In fact, I think the worst is yet to come, but there is also tremendous opportunity, too. In my next post, I’ll discuss what I think those factors are, and why the problems of today may well be signposts to the solutions for tomorrow.
Ah, the joys of moving houses. Boxes everywhere, hours on hold with utility companies, trying to get everything turned off/on at the right times, multiple trips to Goodwill, dropping off the flotsam and jetsam we’ve collected over time but no longer need, and the list goes on. Arrrggghh!!
I also have the added complication that I work from a home office—which I’ve done for many years—and as I’ve been working through the pile of ‘stuff’ accumulated around my desk and in my filing cabinets, I’ve been surprised to find a variety of CDs, DVDs and USB thumb drives that I thought I’d lost years ago.
Some have been great finds, like old pictures of my now three-year-old daughter: visiting her grandparents for the first time, pulling herself up to the side of the couch as she learned how to walk, and staring intently at Elmo on the TV. Great stuff, and I’m thrilled to have found them again. But, aside from finding things with sentimental value, I’ve also found stuff with a different kind of value; like product roadmaps, marketing plans, and customer information—sensitive corporate information that I’ve needed throughout my job!
As I’m finding this information, I rest easy remembering that it’s all encrypted, so even if a USB thumb drive or CD somehow finds its way into a donation box, the device’s data is protected and inaccessible. As I’m pretty sure I’m not the only person to have a mix of personal and corporate information sitting around on a variety of USB sticks, I’m also pretty sure that not everyone has that data protected to the same extent that I do!
So, there’s at least one good thing I can say about moving—it’s served as a good reminder of how important it is to have data protection processes and technologies in place for external media, because you may never know where these devices could end up in an event like a move.
Anyway, that’s enough for now. I’ve got to get busy shredding some of these paper files I’ve got here, so I can throw them in the recycle bin.