Admins must determine which path they're going to take to protect their users' laptops and the personally identifiable information stored on them.
When it comes to Windows desktop protection, just because a security control such as Microsoft's BitLocker full-disk encryption is free doesn't mean it isn't a good fit. From hidden costs to known vulnerabilities, however, there have always been a lot of reasons why BitLocker, a Windows extension that delivers on-disk encryption, was not a great fit for the enterprise -- especially back in the Windows Vista and early Windows 7 days. Third-party vendors, such as Symantec and WinMagic, also provided viable alternatives to BitLocker full-disk encryption.
That was then and this is now. Find out how BitLocker currently fits into the enterprise and whether or not it's ready for prime time.
Why full-disk encryption is necessary
First things first, the risk of unencrypted laptops or other physically vulnerable workstations is quantifiable and undeniable. Perhaps IT has compensating controls such as data loss prevention and cloud access security brokers to mitigate these risks. Both are useful controls, but there is no replacement for full-disk encryption because it serves as a great last line of defense when everything else fails on Windows endpoints.
There are still quite a few businesses, both large and small, that have yet to tackle full-disk encryption. That is very shortsighted, and the lack of encryption is one of the greatest facilitators of data breaches and the problems that come with them.
What makes Microsoft BitLocker an enterprise fit?
Given its improvements in Windows 8 and, more recently, Windows 10, there's no reason admins shouldn't consider BitLocker full-disk encryption. It's obviously not perfect for every situation, but it can be a very strong option for Windows shops looking for some extra security.
BitLocker's latest improvements and features eliminate many concerns around exploitable vulnerabilities and a lack of centralized management. Notable features include:
- Direct Memory Access (DMA) port controls that help prevent the long-standing cold boot attack against encrypted drives.
- Azure Active Directory (AD) support, which allows admins to encrypt recovery keys for Windows 10 systems that are joined to Azure AD domains.
- XTS-AES encryption support that helps prevent known ciphertext attacks and assists organizations looking to be compliant with Federal Information Processing Standards.
These features are nice, but it's Microsoft BitLocker Administration and Monitoring (MBAM), a System Center Operations Manager management pack, that puts BitLocker squarely in the enterprise conversation. MBAM provides admins with a centralized tool for configuring, administering and enforcing encryption policies. There are also numerous group policies and PowerShell cmdlets admins can use to manage BitLocker protected endpoints.
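A compliance check of the kind those PowerShell cmdlets make possible, as an added example that is not from the original article or from Microsoft. The function name `Test-BitLockerCompliance` is hypothetical, the pass criteria are an assumed policy, and the sample volumes are constructed to mirror the shape of `Get-BitLockerVolume` output.

```powershell
# Added example: flag volumes that miss the protections discussed above.
function Test-BitLockerCompliance {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$Volume)
    process {
        $findings = @()
        # A fully encrypted volume with protection suspended is not protected.
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume status is $($Volume.VolumeStatus)"
        }
        # Assumed policy: require XTS-AES (XtsAes128 or XtsAes256).
        if ("$($Volume.EncryptionMethod)" -notlike 'XtsAes*') {
            $findings += "encryption method is $($Volume.EncryptionMethod), not XTS-AES"
        }
        # Without a recovery password protector there is no recovery key to back up centrally.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample volumes (not taken from a real host).
$tpm = [pscustomobject]@{ KeyProtectorType = 'Tpm' }
$rec = [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
                       EncryptionMethod = 'XtsAes256'; KeyProtector = @($tpm, $rec) }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyEncrypted'
                       EncryptionMethod = 'Aes128'; KeyProtector = @($tpm) }
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted'
                       EncryptionMethod = 'None'; KeyProtector = @() }
)
$sample | Test-BitLockerCompliance | Format-Table -AutoSize -Wrap

# On a managed endpoint, from an elevated prompt:
#   Get-BitLockerVolume | Test-BitLockerCompliance
```

With the constructed data, only `C:` passes; `D:` shows the case a simple "is it encrypted?" check misses, where the volume is fully encrypted but protection is off.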