Approximately 60% of all computers sold today are portable computers. An old truism of computer security is that if an attacker has physical access to a computer, that attacker has access to all the data on that computer. This truism, combined with the prevalence of portable computers in organizational environments, makes life more challenging for today’s IT security professional. Fifteen years ago, it was unusual for someone to take his or her work computer out of the office in the evening. Today many workers expect to have to take their computer with them when they leave for the day.
The problem this poses for IT security professionals is that laptop computers are more easily lost or stolen than desktop computers. A laptop can hold tens of gigabytes of organizational data, all of which may end up in the hands of an unauthorized third party if the computer is left at an airport security checkpoint or stolen from a bag while the worker is commuting on public transport.
A recent survey by the Ponemon Institute found that roughly 5000 laptop computers are left at US airport security screening checkpoints each week. Two thirds of these laptop computers are never recovered and are sold by the airports at auction. Another study of small-to-medium-sized enterprises (SMEs) found that, on average, a portable computer was lost from an SME every four months. The average cost to the organization of one of these lost computers was $50,000 USD. The main cost to the organization is not replacing the hardware or the lost productivity, but the cost of working out what data may have been lost and the effect that may have if that data was recovered by a competing organization.
The primary reason you want to use BitLocker and BitLocker to Go on the computers in your organization is to minimize the chance that useful data can be recovered from lost storage devices by a third party. Ensuring that only authorized persons can access encrypted data limits the cost to the organization of a lost or stolen laptop computer. If a portable computer is protected by BitLocker, you can be almost certain that any data hosted on that misplaced computer will be inaccessible to unauthorized third parties.
Just as, in recent years, there has been a revolution in the type of computer that people are using, there has also been a revolution in the way people use portable storage. Pocket sized USB storage devices and portable hard drives can be many gigabytes in size. The risk to an organization of data being recovered when one of these devices is lost is as substantial as the risk of data being recovered when a laptop computer is lost. BitLocker to Go is a technology available in Windows 7 that can be used to BitLocker encrypt USB storage devices and portable hard drives. Data stored on a USB storage device protected by BitLocker to Go cannot be recovered if the misplaced storage device is found by unauthorized third parties.
On top of the protection it provides for data, a cool feature of BitLocker to Go is that you can configure group policy to limit computers running Windows 7 so that they can only write data to BitLocker encrypted USB devices that have a specific configured organizational identifier. Configuring BitLocker to Go in this way has several benefits.
· Staff are only able to write data to devices that are protected by BitLocker to Go. In the event that they lose the device, the data that is stored on it cannot be recovered from the device by unauthorized third parties.
· You can control which devices can be used to store data by only allowing authorized personnel to configure USB storage devices with BitLocker to Go.
In many organizations, people are able to write gigabytes of confidential organizational data to USB devices that they have purchased from their local office supplies superstore. People that lose their own USB devices do not always inform others within the organization, even when they have lost organizational data. Configuring BitLocker to Go to restrict USB write access to approved devices minimizes the chance that confidential organizational data will be recovered by unauthorized third parties in the event that the device hosting that data is stolen or misplaced.
To configure a Windows 7 computer to only allow data to be written to specially configured USB devices, configure the following group policy items:
· Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide The Unique Identifiers For Your Organization
When configuring this policy, specify the BitLocker Identification Field and the Allowed BitLocker Identification Field.
· Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny Write Access To Removable Drives Not Protected By BitLocker
When configuring this policy, enable the Do Not Allow Write Access To Devices Configured In Another Organization option.
To ensure that users are not able to configure their own USB devices to support BitLocker to Go, configure the following policy:
· Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Control Use Of BitLocker On Removable Drives
Another big advantage of BitLocker and BitLocker to Go over competing full disk encryption and USB encryption products is that they are easily integrated into Active Directory for the purposes of data recovery. Group Policy can be configured to back up BitLocker recovery passwords to Active Directory as well as to configure data recovery agents. This means that in the event that an individual laptop owner loses or forgets their encryption password, it is still possible for a specifically authorized person in the organization to recover the encrypted data. It can be challenging to centralize password recovery for competing encryption products, whereas with BitLocker you can configure Group Policy to stop BitLocker from being enabled on a computer if the recovery keys cannot be backed up to Active Directory.
To configure BitLocker to back up keys to AD before allowing encryption, configure the following policy:
· Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Store BitLocker Recovery Information in Active Directory Domain Services
Ensure that you select the Require BitLocker Backup to AD DS option.
To configure an authorized BitLocker Data Recovery Agent, which will allow data to be recovered from BitLocker encrypted drives without access to recovery passwords, configure the following policy:
· Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption
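The removable-drive and Active Directory backup policies listed above all land in the local machine's BitLocker policy registry key once Group Policy applies. The following PowerShell audit script is an added example, not part of the original article or of any Microsoft tooling; it assumes the policy key `HKLM\SOFTWARE\Policies\Microsoft\FVE` and the value names used by the BitLocker ADMX template (for example `IdentificationField`, `RDVDenyWriteAccess`, `RequireActiveDirectoryBackup`), which you should confirm against the ADMX in your own environment, and it uses a placeholder organizational identifier.

```powershell
# Added example (not from the original article): audit the effective BitLocker
# policy values on a Windows 7 client after 'gpupdate /force'. Run elevated.
# Assumption: values live under the FVE policy key and use the ADMX value names
# below; verify them against your VolumeEncryption.admx before relying on this.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    if (-not (Test-Path $fve)) { return $null }
    $item = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name]) { return $null }
    return $item.$Name
}

# Placeholder: replace with the identification field your organization configured.
$expectedOrgId = 'CONTOSO-ORG-ID'

# One row per policy element described in the article, with the value the
# article's guidance should produce. 1 = enabled, 0 = disabled.
$checks = @(
    @{ Policy = 'Provide The Unique Identifiers For Your Organization';      Name = 'IdentificationField';          Expected = 1 },
    @{ Policy = '  BitLocker Identification Field';                        Name = 'IdentificationFieldString';    Expected = $expectedOrgId },
    @{ Policy = '  Allowed BitLocker Identification Field';                Name = 'SecondaryIdentificationField'; Expected = $expectedOrgId },
    @{ Policy = 'Deny Write Access To Removable Drives Not Protected By BitLocker'; Name = 'RDVDenyWriteAccess'; Expected = 1 },
    @{ Policy = '  Do Not Allow Write Access To Devices Configured In Another Organization'; Name = 'RDVDenyCrossOrg'; Expected = 1 },
    @{ Policy = 'Control Use Of BitLocker On Removable Drives';            Name = 'RDVConfigureBDE';              Expected = 1 },
    @{ Policy = '  Allow users to apply BitLocker protection (should be off)'; Name = 'RDVAllowBDE';            Expected = 0 },
    @{ Policy = 'Store BitLocker Recovery Information in AD DS';           Name = 'ActiveDirectoryBackup';        Expected = 1 },
    @{ Policy = '  Require BitLocker Backup to AD DS';                     Name = 'RequireActiveDirectoryBackup'; Expected = 1 }
)

$failed = 0
foreach ($c in $checks) {
    $actual = Get-FvePolicyValue -Name $c.Name
    # A missing value means "Not Configured": no restriction is in force on this client.
    $ok = ($null -ne $actual) -and ($actual -eq $c.Expected)
    if (-not $ok) { $failed++ }
    $status = if ($ok) { 'OK  ' } else { 'MISS' }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    '{0} {1}  [{2} = {3}]' -f $status, $c.Policy, $c.Name, $shown
}

if ($failed -gt 0) {
    Write-Warning "$failed BitLocker policy setting(s) are not in the expected state on this computer."
}
```

Any row reported as MISS means that client can still write to unencrypted or foreign-organization USB devices, let users enable BitLocker to Go themselves, or encrypt a drive without the recovery password reaching Active Directory.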
Users can often become confused about when different encryption solutions stop protecting data. It is important as an IT professional to explain to users that while data is encrypted when stored on a BitLocker protected hard drive, that same data becomes decrypted when they upload it to a cloud storage service, e-mail that data, or copy that data to a storage device not protected by BitLocker.
When discussing the protection of documents transmitted through email or uploaded to a cloud storage location, you should inform people that they need to use an additional encryption solution. At a most basic level it is possible to use the document password protect features available within Microsoft Office to encrypt documents transmitted over email or stored in the cloud. When transmitting a sensitive document to a third party, you should instruct users to use an “out-of-band” method to transfer the password to the intended recipient of the document, such as leaving a message on voice mail or sending an SMS. Sending the password to the document in the same email that contains the document will do little to protect the document if it is intercepted in transit.
A final reason to implement BitLocker is that BitLocker protects the integrity of the boot process. This means that the user of a computer protected by BitLocker will be aware in the event that their computer is tampered with, such as someone installing Trojan software. If the boot process of a computer is tampered with, the user will be forced into the BitLocker recovery environment. Although this can appear at first to be inconvenient, it makes it difficult for an attacker to install key logging or other malicious software.
BitLocker and BitLocker to Go are great solutions for stopping unauthorized third parties from recovering data stored on lost or stolen laptop computers or USB storage devices. Given that an organization’s data is one of its primary assets, using BitLocker and BitLocker to Go to protect this data is something to which you and your organization should give serious consideration.