Windows BitLocker: Enabling disk encryption for data protection


Tony Bradley
03.11.2008


Gone are the days when the workforce could be contained by physical barriers like walls, or even a network perimeter. Now, virtually all devices are capable of connecting from virtually anywhere, including Windows-based devices like notebook PCs.

We have seen the fallout of data breaches repeatedly over the past couple of years. Laptops containing tens of thousands, or even millions, of customer account records have been lost or stolen, potentially compromising the personal information of every one of those customers, never mind the ramifications of losing other kinds of sensitive information like trade secrets or employee records. Enterprises have plenty of incentive to protect device data at all times.

Encryption of files and folders can help, but it has two inherent flaws. First, it relies on the user to encrypt data, or to at least ensure that all sensitive and confidential data is placed into the appropriate folder where it will be encrypted. Second, attackers may still be able to circumvent or break the encryption in some way if they can access the encrypted files. To ensure hard drive data is protected, the entire drive must be encrypted.

What BitLocker can do
With Windows Vista Ultimate and Vista Enterprise, Microsoft introduced a whole-disk encryption mechanism called BitLocker. With BitLocker, users can basically encrypt hard drive contents -- a small partition of the hard drive must remain unencrypted to house the core system files necessary to start the operating system -- and ensure that unauthorized users cannot access it.

A TPM (Trusted Platform Module) chip is required to make use of BitLocker's full functionality, including the additional security of pre-startup system integrity verification. The TPM is a special cryptoprocessor mounted on the motherboard that creates unique encryption keys that are tied to the hardware architecture of the system. In a nutshell, encryption and decryption are tied to the specific hardware containing the hard drive.

In the absence of a TPM chip, BitLocker can be enabled using a USB flash drive that holds the encryption keys. Setting up BitLocker without a TPM requires some modification of the default behavior, though, either through Group Policy, or by using a script to redirect the storage of encryption keys to the USB flash drive.

When configured in this way, the USB flash drive must be present in order to unlock the data stored on the encrypted volume(s). Because the operating system's drivers are not yet loaded at that point, however, the hardware must be capable of reading the flash drive at the BIOS level.

What BitLocker can't do
The concept of BitLocker is good. Encrypting the entire disk volume by default, and tying the encryption keys to the local hardware via the TPM chip (or at least to hardware authentication via a USB flash drive) helps to protect data more seamlessly and comprehensively than file and folder encryption offerings. However, BitLocker is still lacking in some areas.

BitLocker has a limited scope of operating system compatibility, working only on Vista, and now on the newly released Windows Server 2008. It also has a narrow range of information it will encrypt or protect. The version found in the original Windows Vista encrypts only the bootable volume, leaving other partitions unencrypted and vulnerable. With Vista Service Pack 1 (SP1) and the version of BitLocker included in Windows Server 2008, Microsoft has expanded the capability to enable BitLocker to encrypt any volumes found on the drive. However, BitLocker still does not protect data on removable media, such as USB flash drives or recorded CDs and DVDs, or provide a method to securely share data with third parties such as vendors or suppliers.

Law enforcement and government agencies may have an issue with BitLocker as well. There is no key escrow or secret uber-key to allow police or government officials to decrypt the data. That means that the encrypted data of a criminal or terrorist is just as secure as a Vista user's encrypted data, and Big Brother won't be able to keep tabs on any BitLocker-protected volumes.

One other issue with BitLocker is the use of the USB flash drive as a TPM alternative. Many users carry USB flash drives, so the idea of a USB backup seems to make sense. However, most people will simply carry the USB flash drive in their bag with their laptop. This is the equivalent of locking your car, but leaving the keys hanging from the door.
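As an added example (not part of the original article), a read-only PowerShell audit that ties together the no-TPM configuration described earlier and the USB-key caveat above: it reports whether a TPM is present, whether the Group Policy switch that permits BitLocker without a TPM has been applied, and, for each volume, which key protectors unlock it, warning when a volume depends solely on a USB startup key. It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes that shipped with Vista; the registry path and value name for the no-TPM policy are assumptions to verify against your Group Policy editor.

```powershell
# Added example, not from the article: read-only BitLocker audit for a Vista / Server 2008 host.
# Run from an elevated PowerShell prompt. Nothing here changes configuration.

$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical password'
    4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'; 7 = 'Public key'; 8 = 'Passphrase'
}

# TPM presence and state. Win32_Tpm is simply absent when the board has no TPM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    "TPM present: enabled={0} activated={1} owned={2}" -f $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
} else {
    'TPM: none detected; BitLocker can only be enabled with a USB startup key (policy below)'
}

# Group Policy / registry switch that permits BitLocker without a TPM.
# ASSUMPTION: key path and value name; confirm against the BitLocker policy in gpedit.msc.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
"Policy 'EnableBDEWithNoTPM': {0}" -f $(if ($fve -and $fve.EnableBDEWithNoTPM -eq 1) { 'enabled' } else { 'not set' })

# Per-volume status through the Vista-era WMI provider.
$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
foreach ($v in $volumes) {
    $prot = $v.GetProtectionStatus().ProtectionStatus      # 0 = off, 1 = on, 2 = unknown
    $conv = $v.GetConversionStatus()                         # ConversionStatus 1 = fully encrypted
    $ids  = $v.GetKeyProtectors(0).VolumeKeyProtectorID      # 0 = return protectors of every type
    $types = @()
    foreach ($id in $ids) { $types += $v.GetKeyProtectorType($id).KeyProtectorType }
    $names = $types | ForEach-Object { $protectorNames[[int]$_] }
    "{0}: protection={1} encrypted={2}% protectors=[{3}]" -f $v.DriveLetter, $prot, $conv.EncryptionPercentage, ($names -join ', ')

    # A startup key carried in the same bag as the laptop defeats the purpose: warn when the only
    # unlock paths are an external key (2) and/or the numerical recovery password (3), with no TPM binding.
    $tpmBound = $types | Where-Object { $_ -ne 2 -and $_ -ne 3 }
    if ($prot -eq 1 -and $types.Count -gt 0 -and -not $tpmBound) {
        "  WARNING: {0} relies solely on a USB startup key; store the key apart from the device" -f $v.DriveLetter
    }
}
```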

The future of BitLocker
Microsoft definitely took a step in the right direction with BitLocker, but the encryption tools need to mature and evolve in order to be a viable part of an enterprise data protection strategy. Third-party products that offer similar functionality to BitLocker include those from McAfee Inc. (which purchased SafeBoot), or Check Point Software Technologies Ltd. (which purchased Pointsec). These products also function beyond Windows Vista and provide methods to protect data on removable media.

Organizations that are exploring their options as part of a hardware refresh, or upgrading their desktop operating systems, should be aware of the functionality provided by BitLocker. Enterprises that have deployed Windows Vista can benefit from the added security of drive encryption without the added cost of investing in and deploying a third-party product. The updates to BitLocker included in Vista SP1 and in Windows Server 2008 eliminate the limitation of only encrypting the bootable volume, making BitLocker a viable and compelling offering for organizations seeking to protect client data.

About the author:
Tony Bradley is a security consultant with BT INS in Houston. He is also a prolific writer with a focus on network security, antivirus and incident response. He is recognized by Microsoft as an MVP in Windows security. Tony is author of Essential Computer Security, and has co-authored or contributed to a number of other books. He also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit his site, S3KUR3.com.
