BitLocker Drive Encryption
Windows Server 2012 Security – BitLocker
Today, approximately 60% of computing devices sold are portable computers. The prevalence of these devices have introduced challenges for IT security professionals, as they are more easily lost or stolen than desktop computers that remain in a physical location. It is also very easy for end users to store sensitive data on a laptop for convenience and overlook the security concerns. For many companies, this sensitive data is subject to regulatory compliance laws that may include severe monetary penalties for incompliance. Should an information breach occur, business reputation could be severely degraded, as seen recently from the Target breach. Microsoft has taken several strides in assisting IT security professionals to mitigate these risks by introducing several enhancements in its BitLocker drive encryption offering in Windows Server 2012.
BitLocker drive encryption was first introduced by Microsoft in Windows Vista. BitLocker is a full-featured drive encryption option for protecting computers from attacks to which a system is vulnerable when the attacker has physical possession of the computer. In Windows 7 Microsoft introduced BitLocker To Go, which added the ability to encrypt removable drives including USB flash media and external hard drives. The deployment process was also improved to automatically leverage Microsoft’s Active Directory environment. BitLocker uses the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit or 256-bit key. AES is the encryption algorithm adopted by the U.S. government.
With the introduction to Windows Server 2012, Microsoft has made several important enhancements to the product that makes BitLocker easier for IT security professionals to deploy and manage. BitLocker is now available to be used with Windows 8, Windows 8 Pro, and Windows 8 Enterprise along with the server 2012 versions.
Enhancements to BitLocker in Windows Server 2012
Self-Encrypting Drive Support:
In previous versions of BitLocker, the technology did not support the use of a hardware-encrypted hard drive as the boot drive. This has changed, and now you can use drives with built-in hardware encryption (often called Self-encrypting drives or SEDs). A wide variety of drive types are supported, including IDE, ATA, SATA, eSATA, SAS, and SCSI, as well as IEEE 1394 and USB. Windows Server 2012 takes it a step further and supports BitLocker on Fiber Channel and iSCSI drives. You can also use BitLocker with hardware-based RAID arrays (but not software-based RAID).
Another new feature in the Windows 8 and Server 2012 version of BitLocker is network unlock. This feature is aimed at enterprise environments, specifically at systems that belong to a Windows domain. This will automatically unlock BitLocker-protected drives when the computer is rebooted, as long as the machine is connected to the corporate network via a wired connection (does not occur with Wi-Fi or remote connections). This avoids the problem of users forgetting their PINs or USB keys, when they’re connected to the trusted network (the assumption being that if they are physically on premise with Ethernet plugged in, they are probably the authorized users). It also makes it easier to roll out patches and other updates to unattended desktops that are BitLocker-protected. Of course this is an optional configuration. For better security, organizations can still require that the PIN be entered (and/or USB key inserted) to access the protected drives even when on the corporate network.
Another new BitLocker feature that is aimed at the enterprise is the ability to pre-provision BitLocker, or to provision it prior to the installation of the operating system. Windows 7 already brought the ability to prepare the drive partitions for BitLocker during installation, and Windows 8/Server 2012 allows you to go a step further. By leveraging Active Directory, IT security professionals can configure the environment to deploy systems with BitLocker ready to go.
Protect Boot Process Integrity:
In addition to the benefits mentioned above, another good reason to implement BitLocker is that it can protect the boot process integrity. If the computer is tampered with unbeknownst to the user, such as by an unauthorized installation of a Trojan or other malicious software, the computer will enter the BitLocker recovery environment.
BitLocker and BitLocker to Go are great solutions for stopping unauthorized third parties from recovering data stored on lost or stolen laptop computers or USB storage devices. Given that a number of high profile breaches have occurred and, unfortunately, experts agree that they will continue to happen, using BitLocker and BitLocker to Go to protect sensitive data is something to which you and your organization should give some serious consideration.
If you have further questions on how your company could implement BitLocker, we invite you to request a free consultation or call us at 541.858.4288 to learn more. We’d be happy to help make sure that your business is meeting industry standards for both compliance and security.