BitLocker’s place in the big picture of encryption and compliance
Here, Garry McCracken VP Technology looks at the bigger picture challenges of encryption and compliance, helping IT departments consider BitLocker’s role in a solid infrastructure.
Extended support for Windows 7 is going to end in January 2020, less than 18 months away. Many companies are of course choosing to get on with the task of upgrading their environment to Windows 10, which offers many advantages for both users and IT departments. A big advantage for the IT department is the inclusion of BitLocker, a Microsoft Full Disk Encryption (FDE) solution that enables IT departments to implement FDE across their endpoints and servers as part of Windows 10. For many, this is seen as a quick, low-cost way to solve some of the big challenges they have around security and compliance, particularly as more stringent regulations have come into force, such as the General Data Protection Regulation (GDPR) and HIPAA. While BitLocker is good at encrypting Windows 10 workloads, what you may not realize is that, on its own, it has significant deficiencies in security, compliance and manageability.
Being able to implement FDE through BitLocker for an individual device offers a great level of protection, but, as many are learning, it is not a silver bullet for meeting encryption and compliance needs. There are four areas IT departments need to consider in their encryption strategy. Failing to address these areas may result in falling short of protection expectations, or worse still, finding themselves exposed to security and compliance threats they believed they had covered with BitLocker alone.
We know that BitLocker is a solid starting point for encryption, but it’s simply not enough to meet compliance requirements. For that, you need a management tool capable of delivering encryption management and reporting for audits. Organizations have traditionally relied on three options for managing BitLocker: manually via Active Directory Domain Services (AD DS), via cloud-based management with Azure Active Directory (Azure AD) and Microsoft Intune, or the Microsoft-recommended way, with Microsoft BitLocker Administration and Monitoring (MBAM).
Each of these options comes with its own benefits and problems, and ultimately is only effective for the management of BitLocker in the Windows environment. While for some this will be satisfactory, most organizations have a hybrid OS environment across desktop and mobile devices. In these cases, MBAM simply adds complexity, as it becomes one of multiple management and compliance tools.
Beware the hidden costs
BitLocker is included in Windows 10 and is low-cost on Windows 7 or 8. However, there is a cost to implementing the management elements with MBAM, such as additional SQL Server and other Microsoft licenses. Skilled resources also add to costs. Whether it is bringing in new admin staff or training up those already in roles, these costs may be indirect, but they can't be ignored. And remember, MBAM is only ever going to manage your Windows estate, leaving other devices and operating systems out in the cold.
Compliance cannot be achieved with BitLocker alone
While BitLocker offers FIPS 140-2 compliant encryption for Windows 10 devices, it cannot provide organizations with the proof needed to demonstrate to regulators that encryption is in place everywhere it is needed, and is appropriately managed and monitored. Additionally, many regulations require companies not to share passwords or rely on the Windows OS alone for security (PCI-DSS for example), leaving organizations to compromise on security with either shared BitLocker PINs or TPM-only protection. Other issues, such as the ease with which BitLocker can be suspended or disabled, and its lack of enforcement on removable media such as USB drives, mean the level of compliance offered by BitLocker alone is meagre at best.
It should also be noted that, at the time of writing, MBAM tools do not offer historical reporting for audit purposes, so to be compliant, businesses need a tool that can monitor and report encryption in real time and produce out-of-the-box audits at any point in time.
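As an added example (not from the article or any vendor tool), the following PowerShell snapshot checks one endpoint for the exact gaps the section names: suspended protection, TPM-only OS volumes, missing escrowed recovery passwords and unencrypted removable media, and appends the result to a timestamped CSV so a history exists for auditors. It uses the built-in BitLocker module and CIM; the report path and the policy choices encoded in it are assumptions.

```powershell
# Added example, not from the article: per-endpoint BitLocker compliance snapshot.
# Run elevated. $ReportDir (e.g. a share a SIEM collects) and the policy rules are assumed.
$ReportDir = 'C:\BitLockerAudit'
$Now = Get-Date

# Win32_LogicalDisk DriveType 2 = removable; lets us tell USB drives from fixed data volumes.
$Removable = @((Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2').DeviceID)

$Findings = @(foreach ($vol in Get-BitLockerVolume) {
    $types  = @($vol.KeyProtector.KeyProtectorType)
    $isUsb  = $vol.MountPoint -in $Removable
    $issues = @()

    # Suspended protection: the volume stays FullyEncrypted but ProtectionStatus flips to Off.
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        $issues += 'ProtectionSuspended'
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $issues += if ($isUsb) { 'RemovableUnencrypted' } else { "NotFullyEncrypted($($vol.VolumeStatus))" }
    }
    # OS drive with a bare TPM protector and no PIN/startup key = no pre-boot authentication.
    if ($vol.VolumeType -eq 'OperatingSystem' -and 'Tpm' -in $types) {
        $preboot = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        if (-not $preboot) { $issues += 'TpmOnly' }
    }
    # A RecoveryPassword protector is what AD DS / Azure AD / MBAM escrow; without it, no remote unlock.
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and 'RecoveryPassword' -notin $types) {
        $issues += 'NoRecoveryPassword'
    }

    [pscustomobject]@{
        Timestamp  = $Now
        Computer   = $env:COMPUTERNAME
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Removable  = $isUsb
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Protectors = ($types -join ',')
        Issues     = ($issues -join ';')
        Compliant  = ($issues.Count -eq 0)
    }
})

# Append rather than overwrite: each run adds a point-in-time row, giving the historical record.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$Findings | Export-Csv -Path (Join-Path $ReportDir "$($env:COMPUTERNAME).csv") -Append -NoTypeInformation
$Findings | Where-Object { -not $_.Compliant } | Format-Table Volume, Type, Issues -AutoSize
```

Scheduling this on every endpoint and shipping the CSVs centrally gives the real-time view and point-in-time audit trail the paragraph calls for, without relying on MBAM's current-state-only reporting.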
Users find BitLocker challenging to use
Resetting accounts can be a labour-intensive process that requires users to enter a complex and lengthy string of characters sent to them by IT staff. Because unlocking devices cannot be managed remotely by the IT department, users can find themselves struggling to get back online. This is just one example of how users can find themselves hampered rather than helped by BitLocker. Ultimately, frustration leads to them looking for ways around the technology, such as disabling it, which undermines enterprise security and compliance – and ultimately defeats the purpose of encryption altogether. Encryption should always be as transparent and frictionless as possible if it is to be useful.
Getting the best from BitLocker
BitLocker is a good starting point for encryption in your enterprise if you are a Windows-only shop. However, it should not be viewed as a complete solution to the challenges that IT departments face in terms of compliance, cost, complexity and user adoption. These can all be overcome, though, by using the right platform-agnostic management tools to get the best from the technology. The important thing is to know where BitLocker fits in the bigger picture, its benefits and pitfalls, and to acquire the additional supporting technology, such as management tools, to ensure your business is secure, compliant and getting the most from BitLocker.