A Guide to Better BitLocker Management

BitLocker Toolkit - WinMagic


Page 1: BitLocker Toolkit - WinMagic



Introduction

The seemingly never-ending torrent of high-profile data breaches has encouraged companies to evaluate their security fundamentals. One of these is full-disk encryption (FDE), a security best practice that protects information on servers, laptops and other devices while it is at rest. Many security companies offer encryption solutions, but managing encryption keys can be challenging using only the functionality inherent to the encryption technology. Such is the case with Microsoft BitLocker. Fortunately, addressing these challenges is easier than security professionals might think when the proper tools are employed.

Microsoft offers an encryption method in BitLocker, and the company has aggressively promoted BitLocker to bolster the security credentials of its operating system. The BitLocker FDE feature is not new; it is offered in many versions of Windows. However, Microsoft continues to shine the spotlight on effective BitLocker management. In fact, BitLocker management was front and center across most of Microsoft’s recently introduced desktop management products.

Microsoft’s solution for BitLocker management is Microsoft BitLocker Administration and Monitoring (MBAM). Microsoft highly recommends that BitLocker users subscribe to the Microsoft Desktop Optimization Package (MDOP) to receive MBAM.

MBAM connects BitLocker use to individual users and their roles. But, as is the case with many vendor-built management tools, MBAM comes up short on delivering comprehensive, intuitive and user-friendly BitLocker management. Therefore many IT pros look towards WinMagic’s solutions to manage BitLocker. Our engineers often speak to IT and security pros who are evaluating BitLocker or preparing for its deployment, and they have heard the same concerns repeated time after time. For IT and security professionals imminently deploying BitLocker, we’re recapping 5 concerns and providing suggestions for better management.

Growing Heterogeneous IT Environments

BitLocker, which is most effective when properly managed, is one of many encryption strategies that IT pros should consider as part of their FDE strategy. Since BitLocker does not extend beyond Windows devices, companies naturally need to consider it alongside other encryption options. This is increasingly important as enterprise adoption of non-Windows machines continues to grow. In fact, according to a study of IT professionals commissioned by JAMF Software and reported by InformationWeek, 60 percent of businesses support Macs. Given the ongoing prevalence of multiple desktops and operating systems within enterprise computing, it is in the best interests of IT staff to evaluate OS-agnostic FDE management solutions.

A Guide to Better BitLocker Management @WinMagic WinMagicInc | Email: [email protected] | winmagic.com


Password Resets: The not-so hidden expense of FDE

WinMagic commissioned the Ponemon Institute to evaluate the total cost of ownership of a full-disk encryption solution. In the report published in April 2013, Ponemon found that significant IT resources are spent each year catering to end-user password reset requests. Ponemon evaluated a mid-sized company with nearly 7800 employees and found that password resets cost nearly $177K per year in IT resource time alone.

WinMagic’s FDE management solutions dramatically reduce the cost of password resets. With WinMagic, resetting the password of an encrypted machine is the same as resetting the password of a non-encrypted machine.

5 Identified MBAM Shortcomings for Better BitLocker Management

1 The Ingredients Necessary for Successful BitLocker Deployment Come with a Cost

IT professionals deploying BitLocker, or considering it, understand that BitLocker doesn’t manage itself. Subscribing to MDOP for MBAM is only the first in a string of purchases necessary to ensure a proper BitLocker deployment. It’s easy to overlook other software and hardware elements.

MBAM requires a SQL Server installation (typically SQL Server 2008 R2), as a proper MBAM deployment relies on two separate SQL databases. The first, a compliance audit database, provides an audit trail of BitLocker usage that can be queried as needed. The second maintains the BitLocker key recovery and hardware database. More servers are needed for every domain within a given enterprise environment, adding to the unexpected cost and management woes.

For many IT pros, the costs associated with the BitLocker ingredients are “hidden” or not considered ahead of a BitLocker deployment.

2 Resetting Lost Passwords Will Need a Secure Process

Users forget passwords, often. One recent WinMagic customer noted that they had fielded 200 calls per month from forgetful users requesting password resets in the short period since deploying BitLocker. In each case, the admin fielding the password reset request accesses the BitLocker key recovery database to provide the recovery key to the end user.

As to the general issue of BitLocker key recovery, a great deal is written in the MBAM online documentation on the topic, suggesting it’s an area where many misstep. The ideal deployment relies on a SQL Server instance to store the recovery key created when BitLocker is deployed, primarily because the key is encrypted within the server. An easier route is to store the key in Active Directory; however, this stores the key in plain text, potentially violating various IT security policies or compliance requirements.


3 Be Prepared to Handle BitLocker Recovery Lockouts

BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive when you cannot unlock the drive normally. This process involves having the user enter a lengthy 48-character recovery password, which can be quite time consuming and troublesome. Below is a list of causes of BitLocker recovery:

• Adding or removing hardware on the machine

• Boot order changes in the machine

• Docking or undocking a computer

• Changes to the partition tables

• Making BIOS changes

• Changing TPM configuration or firmware

• Changing or depleting the charge of a smart battery on a portable computer

• Changes to the Master Boot Record on the disk

As you can see from the above, simple changes to the computer’s boot configuration or running out of battery can trigger recovery.
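Two defensive steps follow from the causes above and from the key-escrow discussion in shortcoming 2: make sure every encrypted volume has a recovery password an administrator can actually retrieve, and suspend protection for one reboot before a planned firmware, boot-order or hardware change so the TPM reseals to the new measurements instead of forcing a recovery prompt. The PowerShell below is an added example, not code from the WinMagic guide; it uses the built-in BitLocker module (Windows 8 / Server 2012 and later) and assumes an elevated session on a domain-joined machine whose domain has the BitLocker recovery schema for the AD backup step.

```powershell
# Added example (not from the WinMagic guide). Assumes an elevated session on a
# domain-joined machine with the built-in BitLocker PowerShell module available.

function Get-BitLockerRecoveryReadiness {
    # One object per volume: which protector types exist and whether a 48-digit
    # recovery password is present that the help desk could hand to a locked-out user.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint      = $vol.MountPoint
            Status          = $vol.ProtectionStatus
            HasTpmProtector = ($types -contains 'Tpm') -or ($types -contains 'TpmPin')
            HasRecoveryPass = $types -contains 'RecoveryPassword'
            ProtectorTypes  = ($types -join ',')
        }
    }
}

function Backup-AllRecoveryPasswordsToAD {
    # Escrow every RecoveryPassword protector to the computer object in AD DS so
    # recovery does not depend on the user having saved the key. Assumes the domain
    # schema and permissions allow this computer to write its recovery information.
    foreach ($vol in Get-BitLockerVolume) {
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $_.KeyProtectorId
            }
    }
}

function Invoke-PlannedChangePrep {
    # Run before a BIOS/UEFI update, boot-order change, docking-station change or
    # hardware swap (the recovery triggers listed above). Protection is suspended
    # for exactly one reboot; BitLocker resumes automatically afterwards.
    param([string]$MountPoint = $env:SystemDrive)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

# Report volumes that have no recovery password at all, so they can be fixed
# before a user ever hits the recovery screen.
Get-BitLockerRecoveryReadiness |
    Where-Object { -not $_.HasRecoveryPass } |
    Format-Table -AutoSize
```

Volumes flagged by the report need a recovery password added (for example with Add-BitLockerKeyProtector -RecoveryPasswordProtector) before Backup-AllRecoveryPasswordsToAD has anything to escrow.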

4 MBAM is Complicated - Think Ahead about Hiring External Support for Installation and Configuration

Many IT pros bemoan the lack of support material for MBAM installation. Microsoft TechNet provides online documentation for the brave-at-heart and seasoned administrator, but it’s hard to find step-by-step instructions.

Deploying MBAM and enabling BitLocker management is not easy. For that reason, it is highly recommended that companies hire a third-party consultant to manage the deployment and the needed configuration of MBAM.

5 Time To Brush up on Full Microsoft Windows IT Pro Skill Set

Deploying BitLocker is not as easy as running a deployment script. It requires some understanding of a machine’s hardware, the specific configurations of an organization’s various Microsoft software deployments, and a better-than-basic comprehension of a potpourri of Microsoft applications, including SQL Server, SCCM (System Center Configuration Manager), AD (Active Directory), GPO (Group Policy Object) and IIS (Internet Information Services). Since each of these components aids or complements MBAM, each is a point of failure. Bear in mind that MBAM by itself represents a new software tool to learn and experiment with.

An appropriately deployed and managed FDE solution is not free. It requires learning new IT skills, considering software and hardware requirements for a given FDE approach, and deploying new processes to address the end-user impact. Most IT pros that speak to WinMagic experts wish they knew of these costs ahead of the BitLocker deployment process.


WinMagic: The Best Management Solution for BitLocker & All Other Encryption Needs

WinMagic’s encryption management solution, SecureDoc Enterprise Server (SES), greatly reduces the cost and hassle of managing BitLocker. With SES, organizations can take advantage of the native OS encryption provided by BitLocker while gaining increased security through improved authentication. In addition, WinMagic’s solutions manage other encryption methods, such as those provided by other OS environments plus emerging hardware-based efforts like self-encrypting hard drives and TPM.

WinMagic SES is the best solution in the industry at managing BitLocker deployments, offering innovative features found within SecureDoc in combination with Windows native encryption. It’s the best of both worlds for customers that want a more robust management solution for their BitLocker deployments.

SES addresses the concerns WinMagic experts hear every day from security professionals considering BitLocker or already managing a BitLocker deployment:

1 WinMagic’s SES provides alternative encryption options to BitLocker, and it can manage all encryption methods seamlessly

An easy way to avoid the extra costs and management challenges associated with BitLocker is to deploy WinMagic’s management solution. By selecting WinMagic, end users avoid the need for TPM chips and the other software licensing required for MBAM. Moreover, SecureDoc manages other encryption schemes, such as FileVault 2. Additionally, WinMagic easily and seamlessly manages BitLocker deployments alongside other deployed encryption methods.

2 WinMagic SES dramatically simplifies password resets with PBConnex

SecureDoc’s pre-boot network authentication technology, PBConnex, completes user authentication before booting up a machine’s hard drive, a concept with far-reaching administrative and security implications. Among other advantages, security administrators can reset or change a user’s password, even in an automated way, without physically accessing that user’s machine or needing the user to complete a challenge-phrase process. PBConnex also simplifies user provisioning without hindering security in any way, as authentication is completed before any sensitive information is decrypted.

3 WinMagic provides encryption experts to guide companies every step of the way

Data security is important enough to an organization that it should be handled by a data security company. WinMagic is often called into an environment that is having problems managing a given encryption method. In addition, WinMagic support aids companies through the complete WinMagic SES deployment process.


Ready to learn more?

For more information on SecureDoc Enterprise Server contact [email protected] or visit www.winmagic.com to access a number of valuable resources.

US & CANADA 1 888 879 5879

UNITED KINGDOM +44 (0) 1483 243511

GERMANY +49 69 175 370 530

INDIA +91 9560785007

JAPAN +81 03 5403 6950

APAC +65 9828 5420

© 1997-2016 WinMagic Inc. All rights reserved. All trademarks are the property of their respective owners.

WinMagic provides intelligent key management for everything encryption, with robust, manageable and easy-to-use data security solutions. WinMagic’s SecureDoc secures data wherever it is stored, providing enterprise-grade data encryption and application-aware intelligent key management policies across all operating systems. SecureDoc is trusted by thousands of enterprises and government organizations worldwide to minimize business risks and meet privacy and regulatory compliance requirements, while protecting valuable information assets against unauthorized access.