The seemingly never-ending torrent of high-profile data breaches has encouraged companies to evaluate their security fundamentals, and explore the implementation of full-disk encryption (FDE) across their enterprise servers, laptops and other devices.
For many, Microsoft’s BitLocker is seen as a great encryption solution to the data breach challenge, as it is included in Windows Vista onwards. Many security companies offer encryption solutions, but the management of encryption keys can be challenging with functionality limited to supporting their encryption technology. This is the case with BitLocker.
Microsoft’s solution for BitLocker management is Microsoft BitLocker Administration and Monitoring (MBAM). On the surface, it is easy to see why an IT manager or administrator might consider partnering this tool with BitLocker as a way to overcome the challenge of protecting data at rest in the enterprise with no additional investment required.
If you are a ‘pure Microsoft shop’, and by that, I mean across all servers, desktops and mobile devices, then MBAM is a valid starting point for managing FDE encryption across your enterprise, but as soon as you start to introduce Apple, Linux-flavors or Android to name but a few, then it is no longer managing the ‘enterprise’ – simply the Microsoft estate within it. At that point, you have started fragmenting and complicating your management strategy.
As anyone working in security knows, complexity leaves the door wide open for the kind of human errors that can get you in the boardroom, and the headlines, for all the wrong reasons!
The best approach is to employ management tools that are platform agnostic, allowing you to manage FDE and other forms of encryption across different operating systems, devices and the cloud. To be absolutely clear, BitLocker is a valid component of the solution for enterprise protection, but there are a number of considerations you must take into account before jumping in.
Ingredients for a successful deployment come at a cost
IT professionals understand that BitLocker does not manage itself. Microsoft users subscribe to Microsoft Desktop Optimisation Package (MDOP) to receive MBAM which requires a SQL Server installation (typically SQL Server 2008 R2), as a proper MBAM deployment that will rely on two separate SQL databases.
The first, a compliance audit database, provides an audit trail of BitLocker usage that can be queried as needed. The second maintains the BitLocker key recovery and hardware database. More servers are needed for every domain within a given enterprise environment, adding to the unexpected cost and management woes. Take the time to evaluate the true cost to your business of additional hardware and software.
Resetting lost password will need a secure process
Users often forget passwords. One of our own customers fielded 200 calls per month from forgetful users requesting password resets, in the short period after deploying BitLocker. In each case, the admin fielding the password reset request had to access the BitLocker key recovery database to provide the recovery key to the end user. This is time consuming and costly.
A great deal has been written about BitLocker key recovery in the MBAM online documentation. The ideal deployment relies on a SQL server instance to store the recovery key created when BitLocker is deployed — primarily because the key is encrypted within the server. An easier route is to store the key in Active Directory, however this would store the key in plain text, potentially violating various IT security policies or compliance requirements.
Be prepared to handle BitLocker recovery lockouts
BitLocker recovery is the process by which you can restore access to a BitLocker protected drive when you cannot unlock the drive normally. This involves having the user enter a lengthy 48-character recovery password which can be quite time consuming and is prone to repeated keying errors. There are a number of situations that can lead to a lockout, and some can be caused by IT staff or users going about their normal business. You need a process to get them back online quickly. Below is a list of causes of BitLocker recovery:
• Adding or removing hardware on the machine
• Changes to the boot order, partition tables or Master Boot Record on the machine
• Docking or undocking a computer
• Making BIOS changes
• Changing TPM configuration or firmware
• Changes or depleting the charge on a smart battery on a portable computer
Costs of hiring external support for your MBAM deployment
Many IT professionals bemoan the lack of support material for MBAM installation. Microsoft TechNet provides online documentation for the brave-at-heart and seasoned administrator, but it’s hard to find step-by-step instructions.
You’ll also need to brush up on your wider skills such as scripting, and have a better than basic understanding of a wide-range of Microsoft server stack products. For this reason, it is highly recommended that companies consider hiring a third-party consultant to manage the deployment and configuration of MBAM, and factor this into their costs.
Protect against tampering
When using BitLocker, there are ways a would-be attacker can try to circumvent the encryption, including extracting the encryption keys that are often stored in a Trusted Platform Module (TPM) chip on the system board, or in a separate USB device – this has been demonstrated by security researchers.
In our view, encryption keys should not be stored with the data they are protecting, so other approaches such as encryption key management solutions should be considered as a way to remotely store encryption keys, away from the hardware. You should also use tools that stop actions that could be part of an attempt to usurp encryption such as preventing user access to ManageBDE.exe and stopping the system entering BitLocker suspend mode.
You don’t need to make sacrifices
Once deployed, with good management tools in place, BitLocker can be very effective. The overriding advice is that “nothing in life is free”, so take the time to consider the points raised above and how BitLocker will fit into your wider security and enterprise management strategies. How does what you gain impact the way admins keep the wheels of your company turning, and the friction employees experience day-to-day with their IT? Taking the right management strategy will reduce that friction, and get the very best from BitLocker.