Gone are the days when the workforce could be contained by physical barriers like walls, or even a network perimeter....
Now, virtually all devices are capable of connecting from virtually anywhere, including Windows-based devices like notebook PCs.
We have seen the fallout of data breaches repeatedly over the past couple of years. Laptops containing tens of thousands, or even millions, of customer account records have been lost or stolen, potentially compromising the personal information of every one of those customers, nevermind the ramifications of losing other kinds of sensitive information like trade secrets or employee records. Enterprises have plenty of incentive to protect device data at all times.
Encryption of files and folders can help, but it has two inherent flaws. First, it relies on the user to encrypt data, or to at least ensure that all sensitive and confidential data is placed into the appropriate folder where it will be encrypted. Second, attackers may still be able to circumvent or break the encryption in some way if they can access the encrypted files. To ensure hard drive data is protected, the entire drive must be encrypted.
What BitLocker can do
With Windows Vista Ultimate and Vista Enterprise, Microsoft introduced a whole-disk encryption mechanism called BitLocker. With BitLocker, users can basically encrypt hard drive contents -- a small partition of the hard drive must remain unencrypted to house the core system files necessary to start the operating system -- and ensure that unauthorized users cannot access it.
A TPM (Trusted Platform Module) chip is required to make use of BitLocker's full functionality, including the additional security of pre-startup system integrity verification. The TPM is a special cryptoprocessor mounted on the motherboard that creates unique encryption keys that are tied to the hardware architecture of the system. In a nutshell, encryption and decryption is tied to the specific hardware containing the hard drive.
In the absence of a TPM chip, BitLocker can be enabled using a USB flash drive that holds the encryption keys. Setting up BitLocker without a TPM requires some modification of the default behavior, though, either through Group Policy, or by using a script to redirect the storage of encryption keys to the USB flash drive.
When configured in this way, the USB flash drive must be present in order to unlock the data stored on the encrypted volume(s). Because the operating system drivers, however, will not yet be activated, the hardware being used must be capable of enabling the flash drive at the BIOS level.
What BitLocker can't do
The concept of BitLocker is good. Encrypting the entire disk volume by default, and tying the encryption keys to the local hardware via the TPM chip (or at least to hardware authentication via a USB flash drive) helps to protect data more seamlessly and comprehensively than file and folder encryption offerings. However, BitLocker is still lacking in some areas.
BitLocker has a limited scope of operating system compatibility, working only on Vista, and now on the newly released Windows Server 2008. It also has a narrow range of information it will encrypt or protect. The version found in the original Windows Vista only encrypts the bootable volume only, leaving other partitions unencrypted and vulnerable. With Vista Service Pack 1 (SP1) and the version of BitLocker included in Windows Server 2008, Microsoft has expanded the capability to enable BitLocker to encrypt any volumes found on the drive. However, BitLocker still does not protect data on removable media, such as USB flash drives or recorded CDs and DVDs, or provide a method to securely share data with third parties such as vendors or suppliers.
Law enforcement and government agencies may have an issue with BitLocker as well. There is no key escrow or secret uber-key to allow police or government officials to decrypt the data. That means that the encrypted data of a criminal or terrorist is just as secure as a Vista user's encrypted data, and Big Brother won't be able to keep tabs on any BitLocker-protected volumes.
One other issue with BitLocker is the use of the USB flash drive as a TPM alternative. Many users carry USB flash drives, so the idea of a USB backup seems to make sense. However, most people will simply carry the USB flash drive in their bag with their laptop. This is the equivalent of locking your car, but leaving the keys hanging from the door.
The future of BitLocker
Microsoft definitely took a step in the right direction with BitLocker, but the encryption tools need to mature and evolve in order to be a viable part of an enterprise data protection strategy. Third-party products that offer similar functionality to BitLocker include those from McAfee Inc. (which purchased SafeBoot), or Check Point Software Technologies Ltd. (which purchased Pointsec). These products also function beyond Windows Vista and provide methods to protect data on removable media.
Organizations that are exploring their options as part of a hardware refresh, or upgrading their desktop operating systems, should be aware of the functionality provided by BitLocker. Enterprises that have deployed Windows Vista can benefit from the added security of drive encryption without the added cost of investing in and deploying a third-party product. The updates to BitLocker included in Vista SP1 and in Windows Server 2008 eliminate the limitation of only encrypting the bootable volume, making BitLocker a viable and compelling offering for organizations seeking to protect client data.
About the author:
Tony Bradley is a security consultant with BT INS in Houston. He is also a prolific writer with a focus on network security, antivirus and incident response. He is recognized by Microsoft as an MVP in Windows security. Tony is author of Essential Computer Security, and has co-authored or contributed to a number of other books. He also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit his site, S3KUR3.com.
See which other security features have been added to Windows Server 2008.