A lot of organizations have either started or are starting to migrate to Windows 7. With that comes BitLocker – and I’ll take a look here at some of the strengths of BitLocker – and some of the areas to be aware of. I’d like to give you some tips and tricks as well, and some of the things that you ought to bear in mind as you plan for your BitLocker rollout, and as you plan for management of BitLocker within your broader security environment.
WINDOWS 7 MIGRATION
As I look at Windows 7 migrations and what’s happening in the market, in general, most organizations seem to be on about a 4 to 6 year cycle for refreshing hardware. That means there’s a lot of Windows hardware still out there that’s running XP or Vista – it’s older hardware and maybe time to go ahead and refresh those PC’s and look into new desktops and laptops. Of course, there are significant cost and security benefits to adopting Windows 7 – and I’ve seen some reports indicating that right now, about 60 percent of organizations have already begun to deploy Windows 7, though of course it may not be full deployment as yet.
MIGRATING TO WINDOWS 7/SOME KEY FEATURES
As I look specifically at the security elements of Windows 7, it certainly brings with it a lot of enhancements over what we had previously with XP or with Vista. User account control will help you defend your PCs against hackers and malicious software by basically allowing you to set everybody up with standard user privileges, rather than local administrator privileges. If you’re going to go down that road it certainly is the recommendation of Gartner that you do so – but – for various reasons, a lot of organizations continue to give employees local administrator rights rather than having standard user permissions!
There are other pretty important systems in play as well. One are to take advantage of is group policy, to get some centralized management and configuration based on active directory. AppLocker, for instance, is a pretty neat little tool that basically allows you to specify which software is allowed to run by managing it through group policies. There are a number of other key security enhancements that are available, but as I think about BitLocker in particular, a couple of things come to mind.
The first one is that BitLocker is not available with the Professional version of Windows 7 – In fact, BitLocker is only available with either the Enterprise version, or with the Ultimate version. This is an important distinction – and, of course, the Enterprise & Ultimate versions of Windows 7 require that you have the appropriate licensing … Volume licensing for Enterprise – or with the Ultimate version, it’s either retail or OEM licensing, which may not be appropriate for an organisation-wide deployment.
WHAT IS BITLOCKER?
Let’s take a deeper dive into BitLocker and what it really is. As mentioned, it’s intended for Ultimate and Enterprise editions only, for Windows 7 and for Windows Vista, and it can run on Windows Server 2008. The Windows BitLocker drive encryption does support both 128 bit and 256 bit encryption keys. Certainly the longer encryption keys increase security. But they also, as Microsoft will tell you, can cause slower encryption and decryption of data. BitLocker has a diffuser algorithm that is intended to help protect the system, so by default with Windows 7 the encryption is AES 128. That may or may not be appropriate, but it is possible for you to go back and change that to 256 bit should you choose to. That’s just one of the things to bear in mind as you begin to look at BitLocker.
What are some of BitLocker’s strengths? Certainly it is a strong encryption solution – a volume based solution that will work well encrypting data on fixed drives. For instance, a lot of users out there have desktops and BitLocker might be a very good solution – though you may want to think twice about the BitLocker-to-go removable media option for those systems (more later).
The Windows 7 implementation has certainly improved over the Windows Vista version, and it does leverage the newer technologies such as the AES processor and the Trusted Platform Module (TPM). However, that actually requires that you have TPM version 1.2. As you move toward a Windows 7 rollout and installing new machines, the likelihood is that you’ll be in great shape! Pretty much all of the new laptops and desktops out there come with TPM 1.2 … but you may not be quite as well positioned to roll BitLocker out to older systems already in your environment, as part of your Windows 7 upgrade.
Let’s move on from BitLocker’s strengths to some of the areas to be aware of.
When it comes to how users authenticate, there are a few different options. You’ve got the TPM, you’ve got a PIN or enhanced PIN, and you’ve got USB device as options. The recommendation from Microsoft and from us as well, would be to use multifactor authentication because it does increase the drive security. You can use these sort of authentication methods in any number of combinations. You can use TPM with a PIN / You can use the TPM and a stored key kept on a USB flash drive / You can use a starter key and the PIN and the TPM … You’ve got lots of options there. (Note – If you do decide to use enhanced PIN it does require that the Bios version support full keyboard in pre-boot mode)
But, the thing to remember as you look at multifactor identification is that it’s vitally important you communicate and train your users on what it is that they’ve got to do! For instance, if they are required to have a starter PIN and a USB key, you’ve got to remind them that they should NOT be keeping their BitLocks or authentication key in an easily accessible location, like on a sticky note or a USB stick that’s sitting right beside the laptop. It’s important to be sure you store the keys separately from the data because you potentially have a problem otherwise.
WHAT IS THE TPM?
It is an onboard system that provides a root of trust that seals the encryption keys and can protect against off-line attacks. As already noted, the thing to remember with TPM, if you’re going to use it, is that it must be version 1.2. (If you’re on a newer system, you’re probably in great shape.) For some older systems you might need to look back and see whether this is still a viable option.
One other thing to bear in mind regardless of how users are authenticated – you will need to disable the use of standby mode for any portable computers. For any laptops with BitLocker on the OS, it’s only in effect when the computer is turned off or in hibernation mode. So, no sleeping for you road warriors.
WHAT IS THE RECOVERY PASSWORD OR KEY?
The next thing after authentication is to plan for recovery key management. It’s a 48 digit randomly generated number and it’s created during BitLocker setup. If the computer enters recovery mode the user will need to type in this password in order to recover data. It will be required if the machine goes into recovery mode.
WHAT MIGHT CAUSE IT TO GO INTO RECOVERY MODE?
There are a number of different things that could do it. An update to the Bios could potentially do it, updating the option ROM, upgrading any early boot components that potentially cause a problem, or forgetting the PIN, simple as that. A user who has forgotten the PIN when PIN authentication has been enabled can potentially trigger a recovery process.
If you do have a recovery process, now the user needs to have the key. If they have the key, that’s perfectly fine, but how do they store it? Again, key security becomes very important to bear in mind. If a user is worried that they’ll need the key, he or she is probably going to keep it pretty close to the laptop/desktop, and that will potentially give you 1) – a management headache, and 2) – a key security headache.
Are those keys actually secure? Written down on a sticky pad, or printed off and tucked away in the same briefcase as the laptop containing the data!?
WHAT ABOUT REMOVABLE MEDIA?
Another thing to consider is removable media. BitLocker does come with a solution called BitLocker-To-Go, which allows you to encrypt data on removable media. But one of the problems with BitLocker-To-Go is that it can be very slow in provisioning larger capacity drives. I’ve seen a 1 GB or 2 GB USB stick take up to a half an hour to format. And if you think about a user who is sticking in a USB stick, they’re not going to wait 20 minutes or half an hour for that stick to be formatted ready for encryption. What might happen is they will pull the USB stick out because they’re frustrated. And that, by the way, will corrupt all of the data. That’s a problem!
One of the other things is that a lot of people have 1 TB external drives they use for backups connected via a USB stick. If I were using BitLocker-To-Go, I don’t know if I would have the patience for the provisioning time, let’s put it that way. Removable media is an area that you need to consider because of large external drive capacities and also because of the use scenario for the end user. If they’re waiting 15 or 20 minutes to half an hour or longer for a USB stick to be formatted, they’re going to get frustrated and they’re going to find other ways of sharing data. For that reason, BitLocker-To-Go may not be the ideal solution for most users.
WHAT ABOUT ENCRYPTING NON-WINDOWS 7 MACHINES?
Now let’s visit encryption for non-Windows 7 machines. There’s very little likelihood that the Windows 7 environment is going to be entirely Windows 7. In most organizations there is still a fairly sizeable population of Mac OS users – and in some cases that number is growing. Mac users tend to be big fans and they tend to want to keep their Macs. And it may be in the creative department. It may be at the management level. It could be anywhere. Mac OS is a substantial platform that exists within a lot of environments, 10 to 15 percent of some environments in fact. That’s something you need to consider as you look at complying and protecting data across the entire organization.
Windows 7, of course, is not the only Windows version that’s out there today. If your organisation is in line with market norms, you’ve still got Windows XP on up to a third of the machines out there in your environment. I don’t know how fast you’re able to get the transition to happen, or whether you might want to reuse and recycle some of those machines for lower-end users … In either case, you need to consider protecting the data on those devices as well.
Additionally, you’ve got a growing population now of mobile OS platforms that are becoming more and more of an issue that you need to consider as you look to the future and protecting data across your entire organization.
If we take a look at a few stats that were released last year, the vast majority of organizations have multiple administrators managing encryption keys and integrating security into your existing IT processes. Integrating all of those security admin jobs into the ability to manage everything in a single pane of glass can bring with it enormous benefits. It’s both a reason to move to BitLocker and also to look at how you manage BitLocker. A lot of organizations have multiple different encryption technologies in place with three or four or five different management consoles. If you’re able to integrate there and find the opportunity with BitLocker and the other systems in your environment to manage it all centrally, then you’ve certainly driven some benefit for your organization and for end users, and of course for compliance reporting.
WHAT ABOUT COMPLIANCE?
This brings me to the next point – about the need to understand your compliance environment. Data encryption is specifically mandated under various regulations – and even where it not mandated, there’s a strong emphasis on encryption as a recommended best practice under various regulations. HIPAA and HITECH for instance do not mandate encryption – but it does give you safe harbor should a USB stick or a laptop with sensitive data on it be lost. If that data is encrypted then you don’t have the same notification requirements that are in place for non-encrypted data.
Something else to think about is what kind of reporting you’ll need. Is it organization-wide? Possibly. The ability to report to auditors and to management in the organization as to our data protection status is often crucial in regard to the number of endpoints, the types of endpoints and types of devices where data is flowing to – and the ability to enforce encryption of the data as it moves about. Management will want reporting and outside auditing agencies will want it as well. They will want to see that you are putting the right security profile in place.
FIPS compliance is another very important factor for some organisations, and while BitLocker does allow you to achieve FIPS compliance, it is only possible to do so if users do NOT create recovery passwords. The fact that these passwords are going to be, most likely, very close to the machines is, I guess, one important reason that FIPS compliance is gone – but there’s also the fact that the recovery keys can be stored in clear text within active directory, which again loses your FIPS compliance. So is FIPS compliance an important factor for you? Certainly worth thinking about.
CREDANT BITLOCKER MANAGER
Credant BitLocker Manager is a solution that’s available that gives you a single management console for all of your data protection requirements. You’ll have full management control not only of your Windows BitLocker machines, but also potentially of all of the endpoints in your environment. We are able to give you full management and control of BitLocker itself including automation of the TPM initialization and management. You can leverage group policy settings to set features around encryption strength. Drive access controls. Drive recovery. Deployment options. We’re able to help you in terms of rolling this out and setting up your policies and then managing those policies. We’ll give you standardized recovery key management. All of the recovery keys are securely escrowed and encrypted, so that you’ve got much more security – and you retain FIPS compliance if that’s of concern for you. Credant offers automated management of the trusted platform module, and very flexible management in terms of the ability to manage different groups, different users, all the way down to the individual user and the individual device.
As I look to what the biggest benefit here is, it’s hands down around integration. The BitLocker manager solution will help you to manage all of those BitLocker devices. You can integrate it with the Credant Enterprise product that will allow you to manage all of the other devices in your environment. It will allow you to manage all of your old Windows XP, Windows Vista or Windows 7 non-BitLocker machines and it will also allow you to manage all of your Mac OS machines – all from a single pane of glass!
Additionally, instead of using BitLocker-To-Go with it’s many issues – the Credant external media solution is best solution in the market for protecting data on external media devices. It gives users quick and easy protection for data on any of their external media devices; ensures very comprehensive visibility and reporting capabilities for management; and gives IT the ability to set policies around what kind of data can be moved to external media.
We can integrate all of that into one pane of glass so that you get much simpler management, much more complete reporting and auditing. There’s a lot lighter workload for compliance related auditing because compliance reporting is built into the solution and will allow you to generate reports at a companywide level down to an individual user level. When the CFO calls and says, “I lost my laptop at O’Hare on my last business trip, can you tell me what’s up?” You’re able to very quickly go in and take a look and confirm that the encryption was in place. While the CFO is going to be unhappy that he has to get a new laptop and configure it, he can be very happy that all of the sensitive data on his laptop was not lost.
Again, integration is probably the biggest area of concern for a lot of our customers. It is an area that the Credant Manager for BitLocker is able to provide you support on so that you get a lot lower gaps in your coverage.
FULL STEAM AHEAD
So – as I’ve discussed, BitLocker does have some clear advantages – and with your Window 7 rollout either in process already, or going to be in process very soon as you look at refreshing your PCs, BitLocker does work very well for some users. However, BitLocker does have some limitations. It’s important to think about what your authentication policy’s going to be. It’s important to think about what your recovery key management policies are going to be. Very important to consider removable media. Compliance is a key driver for a lot of organizations. It’s important that you understand which regulations you’re held accountable for – and what’s required in order to achieve compliance.
As you roll out Windows 7 you’re going to get the benefit of enhanced security in a number of ways and enhanced performance over some of those older Windows XP machines. There are a lot of great, positive things to do with the Windows upgrade.
So full steam ahead, but just remember some of these tips and tricks and try to make sure that you’re able to integrate and save on the management cost as well as on the end user side making it as transparent and as easy for the user as possible.