Seven reasons why you need BitLocker hard drive encryption for your whole organization

Michael PietroforteMVP By Michael Pietroforte - Thu, April 1, 2010 - 19 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Turn-on-BitLocker Perhaps you believe your office is your well-protected castle. You think nobody can access your disks and, because you don’t have laptop users, you don’t need BitLocker disk encryption in your organization. This post provides seven reasons why you are wrong. In my view, hard disk encryption is a must for all PCs in your organization. BitLocker alone justifies the deployment of Windows 7 Enterprise or Ultimate instead of Windows 7 Professional.

1. Confidential data

It is true that the most common use of BitLocker is to protect the data on stolen laptops. Since you are probably an IT pro, you know that anybody can access the data on an unencrypted disk without requiring any passwords by booting up from a second drive. Thus, hard disk encryption is the only way to protect the data on a stolen laptop. However, who says that the disks in your PCs or servers can’t be stolen? Did you ever wonder what a disgruntled employee could do with the easy-to-remove hot-plug hard disks in your servers? If you use RAID, you might not even notice the theft for a while. I suppose, your organization protects all your valuable printed documents in a safe. Do you have the same security precautions for your valuable digital data?

2. System data

Okay, you say you don’t have any confidential data in your organization. Let’s forget for a moment that this is probably only an excuse. But what about the security relevant data that is stored on every system disk? Password hashes for example. Once an attacker has physical access to one of your company’s system disks, this opens a variety of ways to attack your whole network. Brute force attacks to crack cached passwords is only one option. If the stolen computer is a domain member, a hacker can use its trust relationship to access other machines in your organization. However, if the disk is encrypted, the bad guy has little chance to compromise your network.

3. Disk crashes

You think all your disks are physically well protected? Read on. What are you doing with a crashed disk that you just bought a year ago? Right, you send it to the manufacturer so they can verify that the disk is really broken and that the terms of the guarantee are met. Who knows, perhaps it’s only a malfunction of the electronics and they can even repair the hard drive. Now, do you really want to send an unencrypted disk with security relevant data to people you don’t really know? The same applies if you have a support contract with your PC vendor that damaged PCs will be repaired or replaced with new ones. And you don’t really trust the nice guy from UPS who picks up the broken PCs. Do you?

4. Disk disposal

For every hard drive comes the time when the last journey to the scrap yard becomes inevitable. I know, you are a conscientious admin and erase every disk thoroughly with a special hard drive eraser tool. Don’t blush now. You didn’t do that in the past? I know, disposing of a couple hundred PCs is work enough and erasing just one big hard disk can take days. However, if all the disks in your organization are BitLocker encrypted, you can be a conscientious admin without erasing hard disks for weeks before you dispose of them.

BitLocker-Group-Policy

5. Why not a third party drive encryption software?

I hope, I have already convinced you by now that hard disk encryption is a must. BitLocker is certainly not the only encryption solution out there. A popular contender is TrueCrypt. I outlined already a few days ago why I am not really a friend of TrueCrypt drive encryption. Other encryption solutions exist, such as from PGP. However, I wouldn’t use third-party software for this purpose because system drive encryption always requires tight integration with Windows. I could also tell you some stories about former versions of PGP drive encryption. With any Windows update you are in danger that your encryption software breaks and that your PCs become unusable. The problems I had with TrueCrypt demonstrate how difficult it is to integrate drive encryption into Windows. Moreover, if you have more than 50 machines in your network, BitLocker is the best choice because of its good integration in Active Directory.

BitLocker-Recovery-Agent

6. Why not Encrypting File System (EFS)?

Okay, no third party encryption software. But what about the Encrypting File System (EFS)? It is perfectly integrated into Windows and like BitLocker it can be managed centrally. The advantage of EFS is that you don’t need Windows 7 Enterprise or Ultimate and you can deploy Windows Professional instead. However, the problem with EFS is that you can’t encrypt the whole system drive. Therefore, EFS doesn’t help with the concerns I outlined above. EFS is useful if you want to encrypt a couple of private files. But it is no option for encrypting a whole disk drive.

7. Sleep well

Okay, I admit it. I made this one up because I needed a seventh reason. All such blog posts about Windows 7 need seven reasons these days. But then, a good sleep is so important. No more nightmares of your CEO’s computer with all the confidential data falling into the hands of a competitor. Isn’t that reason enough to deploy BitLocker? ;-)

-1+1 (+1 rating, 1 votes)
Loading ... Loading ...
Disclaimer
Your question wasn't answered? Please ask in the new 4sysops forum!

19 Comments- Leave a Reply

  1. pete says:

    bit dissapointing that this doesnt cover some more of the enterprise options and is more of a sales pitch for bitlocker.

    Nor does it cover the some of the major problems with bit locker.

  2. Pete, the main intention of this article is to convince people that hard drive encryption is a must. Discussing the enterprise options would require at least two additional articles. And I am not selling BitLocker. I wish I could. I would be a rich man then.

    Please tell me more about the major BitLocker problems.

  3. Joe says:

    How do you get access to the drive in the case of a failure or disk problem? I frequently use one of a number of the Linux-based CDs to boot up, run CHKDSK repairs, access files from a failed drive, etc. It doesn’t appear that this would be possible with BitLocker in use, correct?

  4. Joe, this is an interesting question. I doubt somehow that you can access a BitLocker encrypted drive from Linux but I suppose it is possible with Windows PE. I will have a look at this problem and post something about it then.

  5. I seem to recall that one of the early issues with BitLocker was that you could encrypt only the C: drive. Is that still the case in the Windows 7 version? In any case, glad to see you preaching the benefits of encryption. Too many organizations overlook this important security step.

  6. BitLocker data drive encryption was introduced with service pack 1 for Vista. I think the main problem with Vista’s BitLocker was that drive preparation was rather complicated once the OS was installed. I think all these teething troubles have been overcome.

  7. Happy Monkry says:

    If some employee cam get his hands on a disc in the raid set in your server room.
    You have a whole other ballpark of security issues.

    I agree on the encryption of clients thoue.

  8. Happy, you would be surprised how easy it is to get physical access to hard disks in most organizations. Small companies often don’t have security guidelines and big companies have the problem that many people simply need access to the server room. And what about you? Can you be trusted? ;-)

  9. kip says:

    Some people might find it interesting that another reason to use Windows 7 is that it is likely to be approved by the government (I am talking UK here) for inclusion on the CESG approved list for restricted data up to IL3 (RESTRICTED). I don’t beleive trueCrypt is approved.

  10. Neil Bartley says:

    I guess if you are deeply paranoid and think the whole world is out to get you, as you seem to be from the tone of your article your points will make total sense. However, using your “expert” knowledge to scare users into implementing your suggestions is not the best way to get people to heed your advice. Do you have any statistics on the likelyhood or risk of this kind of attack within any given business, I think not? How can you possibly make such strong assertions without this kind of data? The risk to Laptops and other mobile devices has been demonstrated and is clear, and your suggestion to encrypt removable H.D.D’s is a good one, that said you seem to be advocating living in a world where businesses do not trust there suppliers staff or customers. I don’t know many people who would want to live in that world. Ultimately What I am saying is as an “expert” why don’t you suggest a more balanced approach to security issues? also there are known issues with the integration of encryption and other technologies especially third party software updates. so encryption is not the all round panacea you seem to be suggesting it is.

  11. JMeister_1 says:

    I’m interested in knowing what you see as the issue and pitfalls of implementing Bitlocker in a very large (50K-100K) client environment.

    It seems that Bitlocker can be a good fit into a small organization (50 users). For large orgs it looks like a solid third party solution would be the way to go.

  12. Neil, I often used the “statistical argument” when it comes to security in the past. Sometimes this argument is valid, for example when it is revealed that the IE has a new vulnerability but nobody knows how many websites are already infected with an exploit. However, in most cases the “statistical argument” is invalid when it comes security.

    Whenever you introduce a new line of defense in your network, you don’t know about any statistical data that would justify the costs. We live in a complex world and you can’t have statistical evidence for everything. Thus sometimes you just have to trust your instincts and the more experience you have the better your instincts are. My instincts tell me encrypting hard drives is a must nowadays. Maybe it is just because I already saw attacks that only worked because the hard drives were not encrypted.

    One thing is for sure. It is true, the whole world is out to get the PCs in your network. The number of computers in botnets is growing every day. And those networks with weak security are the first to be attacked.

    JMeister_1, what makes you think that BitLocker is only for small networks? Why do you think that only Winoows 7(Vista) Enterprise support BitLocker?

  13. JMeister_1 says:

    That belief is based on everything I’ve read about Bitlocker and from some initial testing of the feature. As listed by MS, Bitlocker is only available in the Ultimate edition which for a large volume buy is the Enterprise edition. It is not available in the Pro edition. If you have info that proves that wrong, I would like to see it.

    http://www.microsoft.com/windows/windows-7/compare/default.aspx

    You did not reply with any list of items that would be seen as issues with regard to the implementing of Bitlocker or for that matter, Bitlocker ToGo. I am really interested in seeing what you have to say.

  14. paul o'neil says:

    I’ve implemented several enterprise ready 3rd party solutions: Utimaco, Mobile Armor, Pointsec…

    All are superior to bitlocker in almost every particular. The merits of bitlocker you highlight also exist in the 3rd party products without the issues that limit bitlocker.

    I’m not sure on the motive of your post. Your previous post on bitlocker was much more extensive about how inferior it was. The improvements since, that require Windows 7 among other configuration requirements are substantial but still fall short. For example, for effective enterprise management of Bitlocker you hope SCCM works as advertised. I could go on… lack of PBA single sign-on support…

    If, as you indicated to an earlier comment, “the main intention of this article is to convince people that hard drive encryption is a must”, then change the title, you did no real work here…

  15. JMeister_1, I don’t understand your point. You said that BitLocker is for small organizations and I said that Microsoft thinks it is mostly for big organizations and this is why only the Enterprise (and Ultimate) edition support Bitlocker.

    paul, my motives are very simple. I’ve had bad experiences with third party encryption solutions. The point is that hard drive encryption is like the file system a part of the operating system. You can never be sure that a Windows update will break your third party encryption solution and shuts down your whole network. So I would buy a third party solution even if it has a few fancy additional features. BitLocker can be centrally managed through Group Policy and supports zero-sign on. That is even better than single-sign on. So I still think the title of the article fits perfectly.

  16. JMeister_1 says:

    My point was to elicit from you the bad with the good. You clearly have a fondness for the feature but along with that usually comes some detriments. There have to be some “gotchas” with the feature and you have not enlightened us to them based on your experiences.

    To give you some idea of where I’m coming from, we have 100K+ workstations and some 700+ physical sites. This is a scope that many people simply cannot comprehend. From your point of view a large company is one with 500-1000 systems. Multiply that by 10 and then you have a truly large organization. You should now “understand” the scale we are addressing.

    As you have yet to address the short comings of Bitlocker, here are some things that I’m seeing and maybe you can counter to give me some feedback.

    o Bitlocker is NOT Section 508 compliant in the pre-boot process. This is a critical short coming for companies mandated to implement the Disabilities Act. This one thing is enough to stop Bitlocker from being implemented.

    o Bitlocker does not include any self-help based processes in the pre-boot process. There is a huge cost saving loss here. Large companies implement self-help processes in order to save money and reduce the number trouble tickets/calls into their help desk.

    o Bitlocker recovery key escrow is a semi solution as long as the computer account exists. Once the computer account is deleted, all of the recovery data is lost. Microsoft clearly found this out with their own rollout and has yet to provide an offline solution. Such a solution required extra effort on the consumer side and is those a pitfall.

    o Bitlocker with USB key devices does not support Bitlocker ToGo encrypted USB devices. If a user wants to use the key device with Bitlocker Togo they are out-of-luck. On top of this, the USB device not being encrypted is readily accessible for copying which presents a security hole.

    o Bitlocker does not include any aging processes for PINs. In large organizations, policies are implemented to ensure that passwords and access methods are changed on a regular basis. Bitlocker does not provide any mechanism for this policy compliance.

    o Talking about compliance efforts, Bitlocker does not provide any method for reporting on system configuration so as to determine the state of the system in the event that it is stolen or lost. Actually, there is a total lack of this methodology for the entire Bitlocker process especially for Bitlocker ToGo as to determining is files copied to a device have been encrypted.

    o The bitlocker process is rudimentary and basically a command line process via manage-bde. This to me makes Bitlocker look like an after though for inclusion with the OS. Another hole in the solution is that the recovery data can be displayed using this process. This recovery data should not be available like this!

    o The TPM processes for recovery are separate from the Bitlocker processes which makes for a confusing situation. MS provides no usable solution for the TPM data backed up to the AD. It is not even displayed in the password recovery MMC snapin tab.

    o There is no bypass-reboot process for automated silent installs. A large ORG needs it’s system up and online so that patching and updates can take place. Processes such as SMS, Tivoli or Altiris package distributions need to be able to implement changes and then be able to reboot the workstations so that they can be brought online for future changes. Bitlocker appears to only have a suspend process which does not guarantee that the suspend will be turned off.

    o Renaming computers looks to have an adverse affect on the recovery data in the AD. With 1000 systems a week being either rolled out, reimaged or moved, this could be an issue in a large ORG.

    o Deletion of the computer account from AD deletes all of the recovery data for any device encrypted with Bitlocker ToGo on that system. This plays into the ky escrow issue. On top of that, companies that have policies in place for domain connectivity could have deletes and add on a regular basis. Since Bitlocker does not re-try the recovery data save, these re-added systems will no longer have recovery data available.

    o Bitlocker does not provide a roles based solution for implementation. A large ORG will want limit the access to the Bitlocker processes and Microsoft has not made this possible.

    Just so that you know, we currently employ Guardianedge. I’m looking at Bitlocker because I have to and your BLOG here is one avenue for me flushing out the feature. I tried to extract info from you without getting in your face. From what I’m seeing, Bitlocker ToGo is clearly something that we could not even look at. Bitlocker has its merits but it is still on the young side and is missing some key elements. I hope that you can understand now my perspective and why I believe that Bitlocker is currently limited to small companies. Of course there are a few other things like GPOs and OUs and how that all has to be setup to make things work but that is outside the scope of this BLOG.

    Oh yeah, if you can provide the XP version of the recovery password viewer, I’d appreciate it.

  17. yogesh says:

    How to use bit locker for C:/ drive.?

  18. JT says:

    Installing Bitlocker is he worst decision (after to Lotus Notes) that my company has made. It causes so many issues and so much down-time that is is simply not worth it. FBI? CIA? Yes, they should be using it. Corporate America? No.

  19. Kyle Beckman Kyle Beckman says:

    Hi, JT. Can you be a little more specific about the problems you’re having with BitLocker? In my department at work, we encrypt ALL mobile devices and devices in public areas with BitLocker. When we move to Windows 8, we’ll be encrypting all our devices.

    If you’d like to start a new thread over in the Forums (http://4sysops.com/forums/) about the issues you’re having, we’ll be glad to see if there is something we can do to help.

Please share your thoughts in a comment!

Login

Lost your password?