Secure Your Laptops, Protect Your Data – with Windows Vista BitLocker Drive Encryption.

Hi,

Due to the level of public scrutiny of securing customer data at the moment in Ireland I wanted to reach out and share with you an easy way to best secure all of your data on Laptops and PCs.

Simon McCourt, our local Security Technology Specialist has written a short article (below) on Windows Vista BitLocker - which is our out of the box full drive encryption solution that is “best practice” in preventing data falling into the wrong hands, in the event of a computer being lost or stolen. You get BitLocker as a feature of both Windows Vista Enterprise and Windows Vista Ultimate editions.

As ever, if you’ve any further questions or would like additional assistance on this important topic, just drop me an email.

Enjoy the article!

Colm Torris


Secure Your Laptops, Protect Your Data – with Windows Vista BitLocker Drive Encryption

By Simon McCourt

While most organisations will be concerned about the loss of sensitive information, such as intellectual property, company financial data etc., perhaps the greatest concern is the risk to customers’ personal information, which is subject to legal protection under the Data Protection Acts 1988 & 2003. Not only should organisations be acutely mindful of their responsibilities to their customers with respect to personal data, but they should also be keenly aware of the risk to their bottom line; any person suffering damage through the mishandling of their personal information is entitled to claim compensation through the Courts, as outlined in Section 7 of the Data Protection Acts, 1988 and 2003.

In a nutshell, BitLocker is a fully Active Directory-integrated technology that encrypts the entire hard drive, protecting data on lost or stolen machines. It’s even effective in 'offline' attacks, whereby an attacker tries to boot the machine using a non-Windows operating system in an attempt to bypass Windows security. With effective full drive encryption in place, it’s simply not possible to access data without proper authorisation. All that is lost when a computer goes missing is the cost of the hardware itself and the time it takes to get the user in question back up and running. (Assuming an effective data backup/restore process is in place, user impact can be greatly minimised.)

A recent case that achieved high visibility was that of the Northern Ireland Civil Service (NICS). In response to a number of security incidents in the UK government involving lost and stolen laptops, NICS made a decision to roll out Windows Vista with BitLocker. Microsoft is currently rolling out 4,500 of NICS’ laptops over a three-month project duration, testament to the fact that Windows Vista with BitLocker can be deployed very quickly.

Public references below:

Read the NICS news story

Read the UK government news story

While there are other vendors who have drive encryption offerings, it’s important to highlight the fact that implementing these 'bolt-on' solutions can be a very expensive approach – software costs can be high, not to mention there is significant ongoing management overhead associated with solutions that have to be layered on to Windows. As BitLocker is fully Active Directory-integrated, it is far easier to manage and can be rolled out using Microsoft zero touch deployment technologies, such as System Centre Configuration Manager.

See below for a quick overview of BitLocker. You can also check out a 35 minute video here.


BitLocker Drive Encryption

BitLocker Drive Encryption is an integral security feature of Windows Vista that provides considerable offline protection for data and the operating system. BitLocker helps ensure that data stored on a computer running Windows Vista is not revealed if the computer is tampered with when the installed operating system is offline. It optionally uses a Trusted Platform Module (TPM) to provide enhanced protection for data and to help ensure the integrity of early startup components. This can help protect data from theft or unauthorised viewing by encrypting the entire Windows volume.

Overview of BitLocker Drive Encryption Functionality

BitLocker offers a seamless end-user experience with systems that have a compatible TPM microchip and basic input/output system (BIOS). A compatible TPM is defined as a version 1.2 TPM with the appropriate BIOS required to support the Static Root of Trust Measurement, as defined by the Trusted Computing Group (https://www.trustedcomputinggroup.org). The TPM interacts with BitLocker to help provide seamless protection at system startup.

BitLocker also offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a universal serial bus (USB) flash drive that contains a startup key. These additional security measures provide multifactor authentication and higher assurance that the computer will not start or resume from hibernation until the user presents the correct PIN or USB flash drive.

Figure 1 shows a summary of the BitLocker components.


Figure 1. Summary of components in BitLocker

BitLocker enhances data protection by bringing together two major functions: full drive encryption and the integrity checking of early startup components.

Full Drive Encryption

Drive encryption helps prevent unauthorised users from defeating Windows Vista file and system protection to reach data on lost or stolen computers. This protection is achieved through the encryption of the entire Windows Vista volume and any additional volumes on the hard drive. With BitLocker, all user and system files are encrypted, including the system memory paging and hibernation files.

Integrity Check of Early Startup

An offline attack is a scenario in which an attacker starts an alternative operating system to gain control of a computer system. Integrity checking the early startup components helps to ensure that data decryption is performed only if those components appear unmodified and that the encrypted drive is located in the original computer. BitLocker stores measurements of core startup components in the TPM chip. Every time the computer is started, Windows Vista verifies that the startup components have not been modified. If the files have been modified, Windows Vista alerts the user and refuses to release the key required to access the Windows partition. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the startup volume.

The system also uses recovery mode if a disk drive is transferred to another system. Recovery mode requires a recovery key that is generated when BitLocker is enabled, and that key is specific to one computer. As a result, BitLocker is intended for enterprises with a management infrastructure in place to store the recovery keys, such as Active Directory. Otherwise, the potential exists for data loss if a computer enters recovery mode and the recovery key is unavailable.

BitLocker can also be used on computers without a compatible TPM. Using BitLocker in this way provides the volume encryption capabilities but not the added security of integrity validation on early startup files. Instead, a USB flash drive provides the encryption key at startup.