Introduction
Organizations are facing a data security crisis. Despite decades of investment in security,
breaches of sensitive information continue to dominate the headlines.
While advances have been made in the way in which businesses manage and protect
informational assets, attackers continue to advance their capabilities, developing highly
customized malware and exploiting any vulnerabilities in systems in order to steal data.
At the same time, the regulatory landscape has also evolved, with ever-more stringent and
broad industry and legal mandates placing even more pressure on organizations to meet
security standards, protect information, and report breaches, should they occur.
In response to this, a more data-centric approach to security has developed, focused on layering
protection around the information itself, placing encryption at the very heart of this strategy.
Encryption provides both a last line of defense in the case of an attack, as well as protecting
information in the event of an accidental breach or disclosure.
As a result, many have welcomed the inclusion of encryption technology in Microsoft Windows 7®,
which is rapidly becoming the prevalent desktop operating system for organizations of all kinds,
and equally importantly, its availability for Windows Server 2008 R2®.
By building encryption technology into the operating system, Microsoft has provided many
organizations, which had previously not deployed encryption, a way to quickly and easily start
protecting their critical information. This whitepaper will examine some best practices for
managing BitLocker®, as well as discuss how to more easily integrate BitLocker encryption into
STRENGTHS OF BITLOCKER
BitLocker is a data protection technology integrated with some of the more recent versions of the Windows operating system, providing protection in the event that the system is lost, stolen or otherwise accessed in an unauthorized manner. It provides volume-level encryption which protects both user files and system files and renders them unreadable unless the appropriate decryption key is available. One important feature of BitLocker is that it works with a hardware component called the Trusted Platform Module (TPM), which is now standard in many types of newer computers. The TPM measures the early boot components and will only release the volume key if those measurements match the values recorded when BitLocker was enabled, so an attacker who boots the machine from another operating system, or removes the hard disk and places it in a different computer, cannot obtain the key. Systems without a TPM can still use BitLocker, but they require the use of a USB startup key (and lose the protection from boot-path tampering provided by the TPM). Finally, BitLocker offers administrators the option to require the use of the USB startup key or force the user to enter a secret personal identification number (PIN) in addition to the TPM before the system can continue to boot. This matters because TPM-only protection unlocks the volume automatically at startup; it defends against offline attacks on the disk and boot path, but not against attacks on the running system once the key is in memory, whereas a PIN or startup key keeps the key sealed on a powered-off machine until the user has authenticated. All of these combined capabilities mean that BitLocker provides a good degree of security for the system in the event that an unauthorized user attempts to gain access, which is exactly what a good encryption system should do.
However, before deploying BitLocker, it is important to know that, like any security solution, it requires careful management to ensure that you provide the level of protection that you need for sensitive data. Furthermore, there will be some areas where the use of BitLocker is more appropriate than others, and you will need to consider how to integrate BitLocker with the rest of your encryption solutions as well as the broader security and compliance infrastructure.
WHEN TO USE BITLOCKER
BitLocker is standard in certain versions of Microsoft Windows®. These are Windows Vista® and Windows 7 Ultimate and Enterprise editions, and Windows Server 2008 R2.
BitLocker therefore makes sense to deploy in environments that are predominantly using these versions; however, integration with other encryption platforms is both possible and relatively easy (as will be discussed later), so using BitLocker within a subset of your infrastructure is entirely feasible.
BitLocker uses an approach called “volume-level encryption,” which is similar to traditional “full disk encryption” but this approach can encrypt multiple volumes on the same physical disk, or encompass multiple physical disks when logically grouped into one volume. Each volume is encrypted with its own full volume encryption key (FVEK); that key is in turn encrypted by a volume master key (VMK), and it is the VMK that the TPM, PIN, startup key and recovery password protect. This layering is what allows a protector to be added, changed or revoked without re-encrypting the whole volume. (As part of this approach, BitLocker on Windows 7 requires a separate, unencrypted system partition from which the boot manager runs, so having sufficient free space is important when preparing to deploy and use BitLocker.)
As BitLocker provides volume-level encryption (rather than a file-based approach), this has some implications for the type of user, system and data that are most appropriate for BitLocker usage.
the volume is not usable in the event that the laptop is lost (a surprisingly regular occurrence in most enterprise environments).
However, there will also be circumstances where the “all or nothing” approach is not desirable. This is especially true in the following situations:
› When information on the system is highly sensitive (and must be safeguarded against access from unauthorized insiders)
› When the system must be shared by multiple users and access to information on the volume must be controlled
In the first instance, the real risk comes primarily from a privileged insider, such as an administrator. Often administrators will need to have access to a system in order to perform routine maintenance, upgrade software, or fix a problem. In these events, if volume-based (or full-disk) encryption is used, then the administrator will also have access to sensitive information, because once the volume is unlocked at boot everything on it is transparently decrypted for any account that can log on. If information on that system is highly sensitive, it might be better to consider policy-based encryption rather than disk- or volume-based.
In cases where the system must be shared by multiple users (often the case in the healthcare industry, for example), the same considerations apply. If information needs to be protected from different users on the same system, then volume-based encryption, such as is provided by BitLocker, may not be most appropriate. Again, a policy-based approach should be considered, as this will allow encryption for different users on each system to be maintained using different keys, thus preventing one user from viewing another user’s sensitive information.
For many other users, however, BitLocker’s approach may be entirely appropriate and will provide a foundational level of protection that will keep information secure in the case of, for example, a laptop being stolen or lost.
PITFALLS TO AVOID
As already discussed, BitLocker will provide your users with a secure encryption method for data on their systems. However, to fully utilize this solution, and to ensure documented and provable compliance with regulations for information security and privacy, there are a number of important considerations. These become especially significant in large organizations where there may be a large number of users, where systems are highly heterogeneous, where mobile device and removable media security are important, or where the workforce is highly distributed. While the following is not an exhaustive list, it will cover some of the more important things to plan for when using BitLocker in large enterprise environments:
› Key Management
› Key Security
› Compliance Reporting
› Ease Of Management
› FIPS Compliance
› Removable Media and Mobile Device Encryption
› Integration with Broader Encryption
› Biometric Authentication
KEY MANAGEMENT
are available when needed in order to decrypt the data ready for access.
When used with a TPM, BitLocker key management relies on a number of keys to control access to the information on the drive. These include a TPM owner password (which is required to change the configuration of the TPM), a recovery key and/or recovery password (used to access the information in the event that the TPM denies access), a PIN and/or enhanced PIN (used to provide access to the system each time it is booted and consisting of 4-20 numbers or characters) and a startup key (stored on a flash drive and inserted each time the system boots).
Users will normally only interact with the recovery keys, PINs and startup keys. Most important of these is the recovery key. This key enables an administrator (or the user) to unlock the drive even when the TPM will not release the volume master key, which happens when the measured early boot components differ from the values recorded when BitLocker was enabled; BitLocker then enters recovery mode. This can happen for a number of reasons, some of which are listed below:
› Changing any boot configuration data (BCD) boot entry data type settings of a number of items (for example, adding a language pack for all users and system accounts, which BitLocker may interpret as a boot attack)
› Changing the BIOS boot order to boot another drive in advance of the hard drive
› Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD
› Failing to boot from a network drive before booting from the hard drive (under some circumstances)
› Docking or undocking a portable computer
› Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition
› Entering the personal identification number (PIN) incorrectly too many times or forgetting the PIN, or losing the USB flash drive containing the startup key when startup key authentication has been enabled
› Turning off the BIOS support for reading the USB device in the pre-boot environment if you are using USB-based keys instead of a TPM
› Turning off, disabling, deactivating, or clearing the TPM, or updating the TPM firmware
› Upgrading critical early startup components, such as a BIOS upgrade, causing the BIOS measurements to change
› Updating option ROM firmware
› Adding or removing hardware (for example, inserting a new card in the computer, including some PCMCIA wireless cards)
› Removing, inserting, or completely depleting the charge on a smart battery on a portable computer
› Changes to the master boot record or boot manager on the disk
› Hiding the TPM from the operating system
› Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment (this can prevent the entry of enhanced PINs)
› Moving the BitLocker-protected drive into a new computer
› Failing the TPM self test
› Having a BIOS or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer
› Pressing the F8 or F10 key during the boot process
› Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards
› Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive
For a more complete list of causes for BitLocker to enter recovery mode, visit
http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_examplesosrec
If BitLocker enters recovery mode, the administrator (or user) will have to enter or use the recovery key. While the recovery key can simply be printed out on creation, based on configuration settings, it can also be stored on a USB removable drive (or drives). In an enterprise environment, putting in place a more reliable process and one that is easier to maintain longer term is more likely. The best native approach (without using third-party key management tools) is to have the recovery password stored in Active Directory®, where it is written as an msFVE-RecoveryInformation object beneath the computer account.
For Windows Server 2008 domain controllers, this is possible without changing the Active Directory schema, because the schema already defines that object class; the schema must be extended for Windows Server 2003® controllers.
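The escrow-and-verify step described above, as an added example that is not part of the original whitepaper and is not CREDANT's code: it lists the recovery password protectors on a volume through the Win32_EncryptableVolume WMI class, backs each one up to Active Directory with manage-bde (both shipped with Windows 7 and Windows Server 2008 R2), and then reads the msFVE-RecoveryInformation objects under the computer account to confirm the escrow actually happened. The $DriveLetter parameter is an assumed input; the script must run elevated on a domain-joined machine whose domain has the Windows Server 2008 (or extended) schema.

```powershell
# Added example, not from the whitepaper or from CREDANT. Escrow BitLocker
# recovery passwords for one volume to AD and verify they arrived.
# Assumed parameter: the volume to operate on.
param([string]$DriveLetter = 'C:')

$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $vol) { throw "No BitLocker-capable volume found at $DriveLetter" }

# Key protector type 3 = numerical (48-digit) recovery password. The IDs
# come back as braced GUIDs, which is the form manage-bde -id expects.
function Get-RecoveryPasswordIds {
    $r = $vol.GetKeyProtectors(3)
    if ($r.ReturnValue -ne 0) { throw ('GetKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
    return @($r.VolumeKeyProtectorID | Where-Object { $_ })
}

$ids = Get-RecoveryPasswordIds
if ($ids.Count -eq 0) {
    # Nothing to escrow yet: add a recovery password protector, then re-read.
    & manage-bde -protectors -add $DriveLetter -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add a recovery password to $DriveLetter" }
    $ids = Get-RecoveryPasswordIds
}

foreach ($id in $ids) {
    # Writes the password and its GUID as an msFVE-RecoveryInformation child
    # of this computer's AD object (the policy-driven backup does the same).
    & manage-bde -protectors -adbackup $DriveLetter -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "AD backup failed for protector $id" }
    Write-Host "Escrowed recovery password protector $id to AD"
}

# Verification: find this computer's account, then list its recovery objects.
$computer = ([ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$searcher = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
$searcher.Filter      = '(objectClass=msFVE-RecoveryInformation)'
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.Add('msFVE-RecoveryGuid')
$escrowed = @($searcher.FindAll() | ForEach-Object {
    # msFVE-RecoveryGuid is an octet string holding the protector GUID bytes.
    '{' + ([guid][byte[]]$_.Properties['msfve-recoveryguid'][0]).ToString().ToUpper() + '}'
})

foreach ($id in $ids) {
    if ($escrowed -contains $id) {
        Write-Host "Verified $id is present in AD"
    } else {
        Write-Warning "Protector $id NOT found in AD; check the backup policy and DC replication"
    }
}
```

The verification deliberately goes to AD rather than trusting the manage-bde exit code: the backup can succeed against one domain controller and not yet be visible on another, and that is exactly the state in which a help desk cannot find a user's recovery password. Whoever runs this needs read access to the msFVE-RecoveryInformation objects, which is also the access that must be restricted and audited, as the next section discusses.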
While the approach of storing recovery keys in Active Directory does provide simplified recovery and a reduced likelihood that access to a system will be unavailable, it does open up some additional potential security holes which must be managed.
If an enterprise decides to manage and store recovery keys, maintaining some kind of centralized access to them is important. A critical employee becoming unavailable as a result of leaving the company, for example, could render vital information on an encrypted system unreadable if a recovery key management strategy is not put in place to prevent this.
KEY AND DATA SECURITY
While encryption protects information from unauthorized access and disclosure, this technology is only effective if the encryption keys are secured. The TPM protects the volume master key while the system is powered off and against tampering with the boot path; it does not protect the key once the operating system has unlocked the volume and holds it in memory, and it does nothing for copies of the recovery key that live outside the machine. The security of the recovery key must therefore also be taken into account. The recovery key will typically be stored in one (or more) of the following:
› A Printed Copy
› A File on a USB Device(s)
› In Active Directory
Each of these is a plaintext equivalent of the key to the volume. A printed copy needs the same physical controls as the disk it unlocks, a recovery key file on a USB device should not travel with the laptop, and in Active Directory the msFVE-RecoveryInformation objects should be readable only by the staff who perform recovery, with that access audited.
COMPLIANCE REPORTING
Reporting and auditing are, in many cases, necessary evils for any security organization. Centralized reporting and auditing helps reduce the workload in meeting compliance mandates such as PCI DSS, HIPAA/HITECH, SOX, Data Protection Directives, and so on. The ability to provide documented proof that a system was encrypted at the time of a breach, or to show an auditor which systems are fully encrypted and which are only partially protected, will help simplify and streamline response to audit needs and also provide better visibility into risk for the organization. While BitLocker provides some limited capabilities here (the manage-bde -status command and the Win32_EncryptableVolume WMI class report per-volume state), it will be important to understand what reporting requirements must be met, and plan accordingly if additional reporting capabilities are needed.
EASE OF MANAGEMENT
One of the great benefits of BitLocker is that it comes pre-installed as part of the operating system for some versions of Windows 7 and Windows Server 2008 R2. This enables a very rapid ‘roll out’ of encryption infrastructure across the enterprise. There are a few points to take into account. First, there is often some degree of initialization required for the TPM, and this will generally need to be done with physical access to the system. Secondly, users must be educated if options such as the PIN and USB startup key are to be used. However, once in place, BitLocker should operate with little hands-on management required.
In instances where users have local administration privileges, there is the risk that they will turn off or suspend BitLocker on their local system. In such a case, should the system be lost, information could be exposed and the organization would potentially be unable to demonstrate compliance with the appropriate mandates for data protection. In an enterprise environment, Group Policy Object settings will typically be used to enforce policies for BitLocker management. Group Policy can require particular protectors and can block encryption until recovery information has been backed up, but it cannot prevent a local administrator from later suspending or decrypting a volume, so restricting local administrator rights and monitoring protection status centrally are the practical controls. A list of the policy settings can be found here:
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx at the BitLocker Group Policy reference site.
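A status report of the kind the Compliance Reporting section asks for, which also surfaces the volumes a local administrator has suspended or decrypted, as an added example that is not from the whitepaper and is not CREDANT's code. It queries the Win32_EncryptableVolume WMI class on each computer and writes a CSV that records protection state, conversion progress and the protector types in use. The computer names and the output path are assumed sample inputs; the account running it needs WMI/DCOM access and local administrator rights on each target.

```powershell
# Added example, not from the whitepaper or from CREDANT. Inventory BitLocker
# state across a list of computers for audit reporting.
param(
    [string[]]$ComputerName = @('WS-0001', 'WS-0002'),      # assumed sample names
    [string]$OutFile = "$env:TEMP\bitlocker-status.csv"     # assumed output path
)

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
# Enumerations documented for Win32_EncryptableVolume.
$protectorNames  = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='RecoveryPassword';
                      4='TPM+PIN'; 5='TPM+StartupKey'; 6='TPM+PIN+StartupKey';
                      7='Certificate'; 8='Passphrase' }
$conversionNames = @{ 0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                      3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused' }
$protectionNames = @{ 0='Off'; 1='On'; 2='Unknown' }   # 0 also covers a suspended volume

function New-Row($Computer, $Drive, $Protection, $Conversion, $Percent, $Protectors, $Error) {
    New-Object PSObject -Property @{
        Computer=$Computer; Drive=$Drive; Protection=$Protection; Conversion=$Conversion
        Percent=$Percent; Protectors=$Protectors; Error=$Error
    }
}

$report = foreach ($c in $ComputerName) {
    try {
        $vols = Get-WmiObject -ComputerName $c -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
    } catch {
        # Unreachable, or no BitLocker support at all: record it so the gap is visible.
        New-Row $c '-' 'Unreachable' '-' '-' '-' $_.Exception.Message
        continue
    }
    foreach ($v in $vols) {
        $conv = $v.GetConversionStatus()
        $kp   = $v.GetKeyProtectors(0)            # 0 = every protector type
        $types = @()
        foreach ($id in @($kp.VolumeKeyProtectorID | Where-Object { $_ })) {
            $t = $v.GetKeyProtectorType($id)
            $types += $protectorNames[[int]$t.KeyProtectorType]
        }
        New-Row $c $v.DriveLetter $protectionNames[[int]$v.ProtectionStatus] `
                $conversionNames[[int]$conv.ConversionStatus] $conv.EncryptionPercentage `
                ($types -join ';') ''
    }
}

$report | Select-Object Computer, Drive, Protection, Conversion, Percent, Protectors, Error |
    Sort-Object Computer, Drive | Export-Csv -Path $OutFile -NoTypeInformation

# What an auditor needs flagged: anything that is not both protected and fully encrypted.
$report | Where-Object { $_.Protection -ne 'On' -or $_.Conversion -ne 'FullyEncrypted' } |
    Format-Table Computer, Drive, Protection, Conversion, Percent, Protectors -AutoSize
```

A volume that reports FullyEncrypted but Protection Off is the suspended case from the paragraph above: the data is still ciphertext, but the volume master key is stored in the clear on disk, so the machine is unprotected if lost. Keeping the Protectors column in the report also lets you show an auditor which systems rely on TPM-only startup rather than TPM+PIN.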
FIPS COMPLIANCE
For organizations that must comply with the US Federal Information Processing Standard 140-2, BitLocker can provide a viable method of encryption when Windows is configured to use FIPS-compliant algorithms. In that mode, however, BitLocker on Windows 7 and Windows Server 2008 R2 cannot create or use the 48-digit recovery password, so the recovery password backup to Active Directory is unavailable and only recovery keys (a key file on removable media) can be used for recovery. As such, care should be taken to provide appropriate safeguards to back up sensitive information before BitLocker is used or, more realistically, to use a third-party encryption management system for BitLocker. (Ensure that the encryption management solution provides simple, centrally managed key recovery and is itself FIPS 140-2 validated.)
For more information on FIPS compliance, see: http://technet.microsoft.com/en-us/library/ee706536%28WS.10%29.aspx
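A local audit of the Group Policy settings from the Ease of Management section together with the FIPS setting from this section, as an added example that is not from the whitepaper and is not CREDANT's code. Group Policy writes the BitLocker settings to HKLM\SOFTWARE\Policies\Microsoft\FVE (and the TPM backup setting to ...\TPM); the value names below are taken from the Windows 7 administrative templates VolumeEncryption.admx and TPM.admx, and the FIPS flag is the Lsa\FipsAlgorithmPolicy\Enabled value that the "Use FIPS compliant algorithms" security option sets. The baseline itself (TPM+PIN required, a recovery password required, encryption blocked until AD escrow succeeds) is an assumed example policy, not one the whitepaper prescribes; adjust the Expect values to your own standard and confirm the value names against the ADMX files shipped with your Windows version.

```powershell
# Added example, not from the whitepaper or from CREDANT. Check the applied
# BitLocker policy against an assumed baseline and report drift.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the policy is "Not Configured" (key or value absent).
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Expect = $null marks a setting that is only reported, not judged.
$baseline = @(
    @{ Path=$fve; Name='UseAdvancedStartup';             Expect=1;     Why='"Require additional authentication at startup" must be Enabled' },
    @{ Path=$fve; Name='EnableBDEWithNoTPM';             Expect=0;     Why='BitLocker without a TPM loses boot-path tamper protection' },
    @{ Path=$fve; Name='UseTPM';                         Expect=0;     Why='TPM-only startup must not be allowed (0 = do not allow)' },
    @{ Path=$fve; Name='UseTPMPIN';                      Expect=1;     Why='TPM+PIN must be required (1 = require, 2 = allow, 0 = do not allow)' },
    @{ Path=$fve; Name='MinimumPIN';                     Expect=7;     Why='assumed minimum startup PIN length of 7' },
    @{ Path=$fve; Name='OSRecovery';                     Expect=1;     Why='"Choose how OS drives can be recovered" must be Enabled' },
    @{ Path=$fve; Name='OSRecoveryPassword';             Expect=2;     Why='48-digit recovery password must be required (2 = require)' },
    @{ Path=$fve; Name='OSActiveDirectoryBackup';        Expect=1;     Why='recovery information must be saved to AD DS' },
    @{ Path=$fve; Name='OSRequireActiveDirectoryBackup'; Expect=1;     Why='encryption must not start until the AD backup succeeds' },
    @{ Path=$tpm; Name='ActiveDirectoryBackup';          Expect=1;     Why='TPM owner information must be backed up to AD DS' },
    @{ Path=$lsa; Name='Enabled';                        Expect=$null; Why='FIPS mode: if 1, recovery passwords are unavailable and OSRecoveryPassword=2 cannot be satisfied' }
)

$findings = foreach ($b in $baseline) {
    $actual = Get-PolicyValue $b.Path $b.Name
    if ($actual -eq $null) { $shown = 'NotConfigured' } else { $shown = [int]$actual }
    if ($b.Expect -eq $null) {
        $status = 'INFO'; $note = $b.Why
    } elseif (($actual -ne $null) -and ([int]$actual -eq $b.Expect)) {
        $status = 'OK';   $note = ''
    } else {
        $status = 'FAIL'; $note = $b.Why
    }
    New-Object PSObject -Property @{
        Setting=$b.Name; Expected=$b.Expect; Actual=$shown; Status=$status; Note=$note
    }
}

$findings | Format-Table Setting, Expected, Actual, Status, Note -AutoSize
# Non-zero exit lets a scheduled task or configuration manager flag the drift.
if ($findings | Where-Object { $_.Status -eq 'FAIL' }) { exit 1 } else { exit 0 }
```

Reading the Policies hive shows what Group Policy has actually delivered to the machine, which is what matters when a GPO is linked to the wrong OU or blocked by inheritance. The FIPS row is informational precisely because of the conflict noted above: a FIPS-mode machine cannot meet a baseline that requires recovery passwords, so the two settings have to be decided together rather than audited independently.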
INTEGRATION WITH BROADER ENCRYPTION
While BitLocker will provide relatively simple encryption protection for certain platforms, in most enterprise environments there will be a number of non-BitLocker protected systems. As a result, integration with the rest of the security infrastructure will provide significant management benefits.
BitLocker will provide coverage for Windows 7 (some versions) and Windows Server 2008 R2. However, the presence of Windows XP® and Mac OS X systems means that additional encryption tools (beyond BitLocker) must be considered. For removable media, while BitLocker To Go provides a degree of protection, a third-party solution should also be considered to provide additional breadth of coverage, especially if the encryption approach is policy or file based rather than requiring the entire device to be encrypted at once. Smartphones now have a significant foothold in the portfolio of corporate, mobile workers’ tools. These devices, often capable of carrying large amounts of sensitive information, must also be secured, which will often mean the use of proprietary encryption technology.
Given the above, there will inevitably need to be additional encryption solutions in place within the enterprise beyond BitLocker. Integrating these encryption solutions into a single set of management tools is therefore highly desirable as it provides many significant benefits:
› Simpler Management
› More Complete Reporting and Auditing
› Less Workload for Compliance-Related Auditing
› One Central Repository for Key Escrow, Therefore Reducing Security Risks
› Less Chance of Gaps In Coverage
Third-party management tools already exist to integrate BitLocker with other encryption solutions to provide the above benefits. As the complexity of the corporate infrastructure continues to grow, and as the need to protect ever greater quantities of information against more complex threats also grows, integrated solutions must be deployed to provide the degree of coverage while reducing the workload for IT security teams.
BIOMETRIC AUTHENTICATION
BitLocker offers no integration with biometric authentication products and therefore, if you require these devices in order to enforce two-factor authentication, you should examine third-party encryption management solutions that can provide such capabilities.
SIMPLIFYING SECURITY WITH
CREDANT MANAGER FOR BITLOCKER
The previous section provided some advice on which areas may require special planning. The extent to which each of these areas is of concern will depend greatly on the type of users you have, the sensitivity of the information you need to secure, your organization’s risk appetite, complexity of the infrastructure and so on. CREDANT Manager for BitLocker forms part of a single, central management solution which helps address many of the above concerns as well as offer an integrated approach to managing encryption across other, non-BitLocker platforms; physical, virtual and cloud-based. CREDANT Manager for BitLocker provides the following enhancements:
Key Management
Policy Enforcement
Define and enforce policies from a single, central console. No need to alter your Active Directory schema, or use Active Directory group policies to manage BitLocker. CREDANT’s management console provides all the flexibility and control you need, centrally managed for your enterprise.
Automated TPM Management
Enabling the TPM capabilities can require significant setup activities. CREDANT Manager for BitLocker automates TPM initialization, reducing your work and the risk that systems are left unprotected. CREDANT Manager for BitLocker will also store the TPM password for recovery when needed.
FIPS Compliance
Secure, centralized recovery key escrow eliminates the problem of recovery keys being stored in plain text, which is not a valid, FIPS-compliant approach.
Compliance Reporting
CREDANT Manager for BitLocker provides extensive auditing and reporting capabilities to enable you to easily demonstrate that systems are encrypted, and to provide compliance and audit managers all the information they need, when they need it, with less work. The solution is designed to enable you to seamlessly integrate BitLocker into your existing encryption needs, and manage BitLocker with the minimum necessary effort while streamlining security and compliance. By facilitating the deployment, configuration, management and maintenance of BitLocker, CREDANT Manager for BitLocker will reduce the cost of overall data protection, and the impact of security to your end users, which in turn frees up resources and improves overall business alignment.
CONCLUSION
Integration of basic encryption capabilities into the operating systems represents a good first step in improving the security of critical data, especially for those organizations where BitLocker will meet their compliance and data protection needs. While BitLocker offers a good, volume-based encryption solution, it will also present some challenges. Specifically:
› It is not appropriate for all users (especially if highly sensitive information must be stored and access from privileged insiders is a concern)
› It covers only a subset of platforms
› Careful management is required, especially of the recovery keys
By utilizing a third-party data security management solution such as CREDANT Manager for BitLocker, these issues can be overcome, and so enable you to take full advantage of the capabilities of BitLocker, to reduce risk to critical data and simplify the security and compliance of your organization.
For more information on how CREDANT can help secure and manage BitLocker deployments, please visit
www.credant.com.