We’ve already talked about BitLocker, but I wanted to provide an overview of the other encryption solutions for Windows Vista, Windows XP and Server 2003 / 2008. If there’s interest, I’ll drill into more detail on any / all of these, so please let me know.
RMS – allows you to encrypt your data while it is in transit. With RMS, your data can circle the globe on the open Internet with little or no risk of compromise. I say little because if someone has physical access to your encrypted data, and enough time and resources, most encryptions can be compromised. Usually we’re talking 10’s or 100’s of man years to break, but it is possible. The best way to protect your data from malicious users is to prevent their physical access to your data. Gee doesn’t that make sense :)? Again, that’s part of our defense in depth. Of course, this is a balancing act, how secure can we make the data while still making it available to the authorized user. BitLocker, and EFS can both be 100% invisible to the end user. RMS has scenarios that are invisible to the end users as well, but usually the best RMS implementation also includes some end user education as well. If you are focused on securing your data, you also need to provide user education to ensure your users know how and when they need to take additional steps to protect their data.
EFS – Encrypting File System allows you to encrypt files while they reside on a hard drive or File Server. The glory of EFS is that a user can store encrypted files on their local machine or a file server and no one but the authorized user can access the file. Even network administrators cannot access EFS files. The network administrator can backup and restore files from the file server, but they cannot read the contents of the encrypted files. There are methods to recover encrypted files if the owner of the encrypt files is no longer able to access them, or if the owner of the encrypt files leaves the company. I’m happy to dig into EFS recovery in the future, but you have the ability to recover data if need be, while ensuring that there is no unauthorized access to the data.
IPSec – While IPSec is in a different category than EFS and RMS, IPSec is another form of encryption that is being used to encrypt data as its being transmitted over your network. IPSec ensures that any unauthorized computers cannot “see” the actual data being transmitted. The malicious computer does not have the appropriate certificates to decrypt the data being transmitted over the network. This ensures that if your data is important enough to be encrypted, it can stay encrypted throughout its journey on the network.
Encryption is more than just “encryption” isn’t it? Remember my earlier blog when I said:
You don’t know how many times I’ve heard “We need encryption”. What does that mean? There’s more to it than just encryption, we need to understand what needs to be encrypted and why?
That’s why I’ve provided brief descriptions of the different forms of encryption. I know this isn’t as simple as just “deploying encryption”, but that’s why we need to understand what type of data needs to be protected and what type of attacks we are trying to mitigate. There is no “one size fits all” when it comes to encryption. Personally, I use BitLocker on my mobile machines and RMS on any data I need to protect while it is in transit. BitLocker and RMS on a secure corporate network provides the best all around solution from “outside” attacks. Deploying EFS and IPSec will help protect your data from “inside” attacks. I’m defiining “inside” attacks as those from other machines connected to your physical corporate network. “Outside” attacks are those that are coming from the Internet or attacks from someone that has physical access to your (stolen) computer.
The down side to deploying EFS and IPSec is that you need to acquire certificates for both of these to function. BitLocker and RMS handle their own encryption and certificate like management. Certificate like functionality does not mean less secure, it just means that they take care of the process end to end. EFS and IPSec can utilize commercial certificates, or certificates generated from any PKI, including certificates created by Server 2003 or 2008 Certificate Authorities.
Until next time!