The constant stream of data breaches in the news means that companies are re-evaluating their security fundamentals now more than ever. Among them is Full Disk Encryption (FDE), a security best practice that protects information on servers, laptops and other devices while they are at rest.
Microsoft offers a software encryption method in Microsoft BitLocker, and the company has aggressively promoted BitLocker to bolster the security credentials of its operating system.
Microsoft BitLocker’s Emergence
The BitLocker FDE feature is not new; it is offered in many versions of Windows.
BitLocker is one of many encryption schemes that IT pros could consider as part of their FDE strategies. However, it goes without saying that BitLocker does not extend beyond Windows devices, so companies need to consider it alongside other encryption options. Given the ongoing prevalence of multiple operating systems within enterprise computing, it is in the best interests of IT staff to evaluate OS-agnostic FDE management solutions.
MFG Managed Encryption’s FDE solution manages BitLocker. Our engineers speak every day to IT and security professionals evaluating BitLocker or preparing for its deployment. We therefore hear of and encounter areas of concern that enables us to offer the following tips to those considering or deploying BitLocker.
1. Check all the ingredients are available
Make sure you first have all the ingredients needed for a proper BitLocker deployment
Any company deploying BitLocker—or considering it—understands that BitLocker won’t manage itself. Microsoft Bitlocker and Monitoring (MBAM) is required for managing BitLocker deployments. However, subscribing to Microsoft Desktop Optimisation Package (MDOP) is first required in order to receive MBAM. Unfortunately MDOP is only the first in a series of purchases necessary to ensure a proper BitLocker deployment.
BitLocker also relies on a trusted platform module (TPM) chip that needs be installed on each encrypted machine. The chip is inherent to the hardware and/or firmware of a machine, so a PC supplier will know if it’s included on its hardware.
MBAM requires a SQL server installation (typically SQL Server 2008 R2), as an efficient MBAM deployment will rely on two separate SQL databases. The first, a compliance audit database, provides an audit trail of BitLocker usage that can be queried as needed. The second maintains the BitLocker key recovery and hardware database. Additional servers are needed for every domain within a given enterprise environment, adding unexpected cost and management.
For many IT pros, the costs associated with these BitLocker ingredients are ‘hidden’ or often not included ahead of a BitLocker deployment, ultimately creating a barrier to an efficient and managed deployment.
2. Consider your processes for lost passwords
Establish an easy process for managing lost password requests
Users always forget passwords. One recent customer noted that they had fielded 200 calls per month from forgetful users requesting password resets in the short period since deploying BitLocker. In each case, the admin fielding the user password reset request, must access the BitLocker key recovery database to provide the recovery key to the end user.
Password Resets: The not-so-hidden expense of FDE
A significant amount of IT time and resources are spent each year catering for end-user password reset requests. It has been evaluated that a mid-sized company with nearly 7,800 employees and found that password resets cost nearly $177K per year just in IT time.
MFG Managed Encryption’s FDE management solutions dramatically reduces the cost of password resets. With out managed solution, resetting the password of an encrypted machine is the same as resetting the password of a non-encrypted machine.
Microsoft did not offer an automated self-service portal for password resets until MBAM 2.0, and the method introduces a security risk. Users must access the portal externally using a webpage, providing an attack vector to the Active Directory (AD) domain.
A great level of detail is written in MBAM online documentation on the issue of BitLocker key recovery, suggesting it’s an area where issues arise. The ideal deployment relies on a SQL server instance to store the recovery key created when BitLocker is deployed—primarily because the key is encrypted within the server. An easier route is to store the key in AD, however this would store the key in plain text, potentially violating various IT security policies or compliance requirements.
3. Prepare for TPM chip resets
Be prepared for TPM chip resets
The ultimate failsafe for forgotten BitLocker passwords is to reset a user’s TPM chip, and IT pros should familiarise themselves with the process for a TPM reset.
Beyond password concerns, TPM chips can sometimes lock out, or the recovery information used in conjunction with the chip can become corrupted. In certain cases, this renders the machine inaccessible. Resetting a TPM chip, obviously requires either accessing the end-user’s machine or removing the user from TPM and re-adding them, or both.
4. Hire an expert to install MBAM
Hire an expert to help install and configure MBAM
Many IT pros suffer from the lack of support material for MBAM installation. Microsoft TechNet provides online documentation for the seasoned administrator, but it’s hard to find step-by-step instructions.
Deploying MBAM and enabling BitLocker management is not easy. For that reason, it is recommended that companies hire a third-party consultant to manage the deployment and the needed configuration of MBAM.
5. Brush up on MS Windows IT Pro
Brush up on your full Microsoft Windows IT Pro skill set
Deploying BitLocker is not as easy as a deployment script. It requires some understanding of a machine’s hardware, the specific configurations of an organisation’s Microsoft software deployments, and a good knowledge of a wide range of Microsoft applications, including SQL server, SCCM (System Center Configuration Manager), AD (Active Directory), GPO (Group Policy Object) and IIS (Internet Information Services). As each of these components aids or complements MBAM, each is a point of failure.
Bear in mind that MBAM by itself represents a new software tool to learn and experiment with.
Managing and deploying a FDE solution yourself is not free. It requires learning new IT skills, considering software and hardware requirements for a FDE approach, and deploying new processes to address the end-user impact.
The Best Management Solution For Bitlocker & All Other Encryption Needs
MFG Managed Encryption greatly reduces the cost and hassle of managing BitLocker. With MFG, organisations can take advantage of the native OS encryption provided by BitLocker while gaining increased security through improved authentication. In addition, MFG manages other encryption methods, such as those provided by other OS environments, plus emerging hardware-based solutions like SEDs and TPM.
MFG Managed Encryption addresses the concerns we hear every day from security professionals considering BitLocker or those already managing a BitLocker deployment:
- MFG Managed Encryption provides alternative key management option for BitLocker, and it can manage all other encryption methods seamlessly.
By introducing Managed Encryption’s key management method for BitLocker, end users avoid the need for TPM chips and other software licensing required for MBAM. Moreover, our Managed Encryption solution can be implemented on other OS environments such as iOS, Android and Linux. MFG easily and seamlessly manages BitLocker deployments alongside other deployed encryption methods such as Self Encrypting Drives and Mac’s FileVault 2.
- MFG Managed Encryption dramatically simplifies password resets
MFG’s pre-boot authentication technology completes user authentication before booting up a machine’s hard drive—a concept with far-reaching administrative implications. Amongst the advantages, security administrators can reset or change a user’s password—even in an automated way—without physically accessing that user’s machine or needing the user to complete a challenge phrase process. MFG simplifies user provisioning without hindering security in any way, as authentication is completed before any sensitive information is decrypted.
- MFG provides encryption experts to guide companies every step of the way.
Data security is important enough to an organisation that it should be handled by a data security company. MFG Managed Encryption is often called into an environment that is having problems managing a given encryption method. In addition, Managed Encryption supports companies through the complete encryption deployment process.
MFG Managed Encryption offers the best solution in the industry at managing BitLocker deployments, offering innovative features in combination with Windows native encryption. It’s the best of both worlds for customers that want a more robust management solution for their BitLocker deployments.