It has been over seven years in the making, but Microsoft's BitLocker Drive Encryption may finally be enterprise-ready. Having studied BitLocker, I just haven't been a big fan of using it in the enterprise. Microsoft BitLocker simply lacked the flexibility to be worthwhile in environments with more than a few dozen computers. But every technology matures, and Windows 8 BitLocker is a good example of that.
Microsoft has added some new features to BitLocker for Windows 8 (and Windows Server 2012). They can seriously benefit organizations, and here are some several of the most noteworthy features:
- The ability to enable encryption on drives via the Windows Preinstallation Environment (Windows PE) before Windows 8 is actually installed. This feature can help save a tremendous amount of time and effort in larger businesses and ensure that systems are protected from the beginning.
- BitLocker Network Unlock (aka. "preboot authentication"), which automatically unlocks the hard drive onWindows 8 systems based on the Unified Extensible Firmware Interface connected to a Windows Server 2012 domain. This facilitates not only the authentication process but also unattended patch deployment and remote management.
- The ability to encrypt only the used space on the drive -- encrypting new data on the fly as it's added. There has been a lot of hype around this feature, as if long encryption times are justification enough to forgo full-disk encryption. Even if encryption takes more than 10 hours per system, that shouldn't matter if security is important enough to the enterprise.
- The ability for non-administrator-level users to reset their BitLocker PINs or passphrases, with complexity requirements enforceable via Group Policy.
- The ability to prevent data from being written to storage media that are not protected with BitLocker via the "Deny write access to fixed drives not protected by BitLocker" and "Deny write access to removable drives not protected by BitLocker" policy settings.
Even with these new features, Windows 8 BitLocker has its limitations. You're still going to need computers that have a trusted program module (TPM) if you're going to experience any reasonable (hands-off) means of managing BitLocker in the enterprise. Without a TPM, you'll have to store to the BitLocker startup key on a USB flash drive. You'll also need to ensure that additional security controls are enabled, such as strong Windows passphrases and timely screen locks. No level of full-disk encryption will protect you from these security oversights.
I'm all for Microsoft continuing to improve BitLocker. It's good for IT, security and (especially) business. The worst thing that BitLocker currently has going for it is the reputation of Windows 8. Perhaps Windows 8.1 will help Microsoft redeem itself.
So, is BitLocker ready to take on the big players in the full-disk encryption space, such as Symantec and WinMagic? Depending on the specific needs of the organization (i.e., for all Windows 7 or 8 shops with no legacy Windows systems or Macs), maybe so. Some third-party players will no doubt continue to stay years ahead of Redmond when it comes to innovation.
More on Windows 8 BitLocker and security
How to find the best Windows 8 BitLocker alternatives
Configuration weaknesses can affect whole-disk encryption
Microsoft improves BitLocker, but security gaps remain
Learning the basics of Microsoft BitLocker
There's a lot to learn about Windows 8 BitLocker. This Microsoft FAQ is a good starting point. As you move forward with whole-disk encryption plans, don't focus on the fact that BitLocker is "free" and therefore the only option. Instead, look at user habits, your business needs and your own unique set of risks, and then make the decision on whether or not to roll out BitLocker in your enterprise.
An unencrypted laptop is arguably one of the greatest IT risks in any given business. An encrypted laptop, when lost or stolen, is a mere physical loss and an insignificant financial hit in comparison. Windows 8 BitLocker or not, the most important thing is to be thinking about full-disk encryption for laptops and desktops that are in harm's way, and do something about it soon.
This was first published in July 2013