The business need for mobile computing often outweighs any perceived security risks. This is especially true when it comes to drive encryption for laptops and mobile storage devices. As we've seen on the Chronology of Data Breaches and through numerous regulatory requirements, there's an obvious need for full-disk encryption. And, as many people are discovering, there's a quick fix for that: Microsoft's "free" BitLocker tool.
In the era of eliminating all nonessential expenditures, IT and security managers are looking for ways to keep their mobile data in check and minimize business risks at the same time. What better way to do so than a free tool that's built right into the operating system you're deploying?
Word must be getting around because more and more businesses -- from startups to Fortune 100 companies -- are thinking about using Microsoft BitLocker as the solution to their full-disk encryption woes. In fact, I've heard that certain large corporations considering scrapping their existing commercial full-disk encryption and relying on BitLocker instead. It may sound like a good plan on the surface, but there's more to the story.
The good news is that Microsoft has released Microsoft BitLocker Administration and Monitoring (MBAM), which is part of the latest Microsoft Desktop Optimization Pack (MDOP). MBAM fixes a lot of the problems enterprises have had with managing BitLocker in the enterprise, such as the following:
- Centralized deployment;
- Key management;
- A Web portal for user key recovery; and
- The ability to prove the encryption status of any given system.
Although I commend Microsoft for releasing this tool, you won't hear about BitLocker's hidden costs, such as:
- The requirement for Windows 7 Ultimate or Enterprise licenses to support BitLocker;
- The requirement to have a Trusted Platform Module (TPM) Version 1.2 chip; otherwise, users must carry around their encryption keys stored on a USB or similar external device (likely in their laptop bags);
- The likely need to touch every machine and enable/configure the TPM before drive encryption begins;
- The lack of support for workstations running Linux, Mac OS X and Windows XP; and
- Limited means for enforcing encryption on external storage devices.
I'm not anti-BitLocker, but it does have its shortcomings for the enterprise -- even with the new MBAM features. BitLocker can have its place, however, especially in smaller businesses where the functionality of commercial products isn't needed.
BitLocker's encryption can be cracked with tools such as Passware Kit Forensic, but it's still better than no encryption akin to Wired Equivalent Privacy (WEP) for wireless network security. It all depends on your organization's customer and partner requirements, relevant laws and regulations, and most importantly, your specific business risks. Try assessing at them from an information security perspective, as well as from the perspective of an expert witness working on legal cases involving security due diligence.
I delve deeper into some of these concerns in the white paper "The Hidden Costs of Microsoft BitLocker," but remember, free doesn't always mean free. You have to understand what you're taking on before jumping on the BitLocker bandwagon.
All in all, MBAM is a great step in the right direction, but I'm not convinced that BitLocker is ready for enterprise deployments just yet, especially when cost is a factor. Your mileage may vary -- just know your situation and options going in.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security, including the best-selling Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach him through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver, and connect to him on LinkedIn.
Dig deeper on Endpoint security management tools