Full Disk Encryption using Microsoft BitLocker
“One of our laptops were stolen! Please help!” Our help desk here at Applied Tech has heard those panicked words from our customers a few times. All too often, the ramifications of losing company assets aren’t considered until after the fact. The loss of the capital expenditure is bad enough, but sometimes the data stored on the hardware is much more costly. Add in the cost of fines and fees associated with data breaches, especially for regulated industries like healthcare (HIPAA), financial services (GLBA), and credit card processing (PCI-DSS), post-incident investigations and auditing, and bad publicity, and you can see the theft is just the tip of the iceberg.
A first step your company can take to prevent data from falling into the wrong hands via physical theft is Full Disk Encryption (FDE). There are several options of software to choose from for this, and one of the most popular options for businesses is Microsoft BitLocker, a feature built into Windows 8.1 and Windows 10 Professional and Enterprise Editions. Leveraging a PIN, password, and/or TPM (Trusted Platform Module) chip, BitLocker renders a computer’s hard drive unreadable to anyone without the decryption key, or if it is installed on another PC. This prevents the thief from booting into another operating system to reset the password, or attaching the hard drive to another PC to read its data. Sure, the thief can wipe the hard drive clean and reuse it, but at least the data is safe. BitLocker may also be used to enforce encryption of USB hard drives, thumb drives, flash cards, and other removable storage.
From an employee’s perspective, the PC simply prompts to enter a PIN or password after powering on before booting into Windows. If BitLocker is protected with TPM-only, the encryption is completely transparent to the user, with no prompts for a PIN or password (however, this offers less protection than if TPM is used in conjunction with a PIN or password). Meanwhile, a copy of the decryption key is backed up in Active Directory, in case the computer user forgets the password, if IT needs to perform data recovery from a damaged computer, or if the employee leaves the company on unfriendly terms.
Microsoft also provides a server-side component of BitLocker, called Microsoft BitLocker Administration and Monitoring Server (MBAM, not to be confused with the popular anti-malware software that shares the same acronym.) MBAM allows automated deployment of BitLocker to all compatible PCs on the network, including PCs added to the network at some point in the future. It also provides a means of self-service key recovery, so employees who forget their password don’t need to contact IT to get logged in. Finally, it provides reports of BitLocker compliance, which is useful for auditing the use of BitLocker on your network, and providing evidence to auditors if and when a theft does occur that you have done due diligence in preventing a data breach.
While other preventative measures are still required for common threats like malware, ransomware, or phishing attacks, Full Disk Encryption such as BitLocker is a simple, effective, and important piece of the information security puzzle. If information security is at the top of your radar, you might also be interested in the following topics: Endpoint protection, software patches, principle of least privilege, backups, Unified Threat Management (UTM) firewalls, Data Loss Prevention (DLP), Mobile Device Management (MDM), or Multi-Factor Authentication (MFA).
For more information, and if you are interested in keeping your devices safe and secure, reach out to Applied Tech at (608)729-1300.
