Protect Your SMB with BitLocker

Paul Mah

In an earlier post, Surviving a Stolen Laptop, I suggested enabling BitLocker encryption in order to protect data. While the technology is hardly new, I thought this an area worth looking into, given the dismal security track record of SMBs.


Why is data encryption relevant to your SMB?


It is a simple matter for a thief to access unprotected data on a hard disk. Regardless of any Windows password protection, moving the disk drive to another workstation or into an external hard disk enclosure will typically allow an unauthorized person to read and copy any data on the disk. Even worse, files that were previously deleted can often be retrieved this way using data recovery software.


Yet the proliferation of laptops today means that a proportionately greater number of these devices will eventually wind up lost or stolen. Legal repercussions aside, the bad publicity can be especially severe for a small and medium-sized business. Clearly, data encryption is no longer a luxury that belongs to the domain of enterprise companies.


Fortunately, whole disk encryption technologies such as BitLocker will prevent the above scenarios from happening.



How does BitLocker work?


Data encryption can be performed either in hardware or in software. Leaving hardware encryption aside for now, the software data encryption options found in the Windows operating system are the Encrypting File System (EFS) and BitLocker. EFS works at the file level, while BitLocker operates on the whole disk; we will be looking at the latter here, also known as whole disk encryption.


BitLocker protects all the files stored on the drive that Windows is installed on by encrypting the entire system drive. On computers with a microchip called the Trusted Platform Module (TPM), the decryption key is sealed in the chip and released only after the TPM verifies that the system has not been tampered with. Moving the disk drive to another system will not work, since that system's TPM does not hold the decryption key.


On systems without TPM support, the decryption key can be stored on a USB flash drive, which is used as a physical security token. Obviously, the USB flash drive should not be placed in the same bag as the laptop.


The beauty of BitLocker is that once the system is authenticated, decryption occurs transparently and all software applications continue to work as normal.


Requirements for BitLocker


Ironically, the greatest barrier to BitLocker is not hardware, but licensing. BitLocker is only available in Windows Vista Enterprise and Windows Vista Ultimate. Since the Enterprise edition of Vista is sold only to volume licensing customers, most SMBs that want to implement BitLocker will probably have to buy Vista Ultimate. This price premium is the reason SMBs are unlikely to have implemented BitLocker yet.


The other requirement is hardware: BitLocker is designed for systems with a TPM; on systems without one, a USB flash drive holding the startup key can be used as the physical key instead.
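As an added illustration of the two authentication paths described above (a key sealed in the TPM, or a startup key on a USB flash drive) and of the TPM requirement, the PowerShell below first audits which protector each BitLocker volume relies on and whether a recovery password exists, then enables BitLocker on the OS drive using the TPM when one is present and ready, and a USB startup key otherwise. This is example code written for this page, not from the original post or from Microsoft, and it assumes a far newer Windows than the Vista discussed here: the BitLocker and TrustedPlatformModule PowerShell modules shipped with Windows 8 / Server 2012, and the XtsAes256 method needs Windows 10 1511 or later (Vista used manage-bde instead). The drive letter E:\ used for the startup key is an assumed placeholder, and the Backup-BitLockerKeyProtector call is left commented out because it only succeeds on a domain configured to accept recovery-key escrow.

```powershell
# Added example, not from the original post. Assumes Windows 10 or later with the
# BitLocker and TrustedPlatformModule modules; run from an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Get-BitLockerPosture {
    # Summarise each volume: is it encrypted, and which kind of key protector
    # unlocks it? A TPM-family protector is the "chip verifies the system" case
    # described in the post; ExternalKey is a startup key on a USB drive.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType         # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
            EncryptionMethod = $vol.EncryptionMethod
            # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all start with "Tpm"
            UsesTpm          = (@($types -match '^Tpm').Count -gt 0)
            UsesStartupKey   = ($types -contains 'ExternalKey')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Enable-OsDriveBitLocker {
    # Turn BitLocker on for the OS drive with the protector the hardware supports:
    # the TPM when one is present and ready, otherwise a startup key written to a
    # removable drive ($StartupKeyPath is an assumed placeholder drive letter).
    # Enabling BitLocker without a TPM also needs the group policy
    # "Allow BitLocker without a compatible TPM" (Require additional authentication
    # at startup) to be set.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$StartupKeyPath = 'E:\'
    )
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    }
    else {
        if (-not (Test-Path $StartupKeyPath)) {
            throw "No TPM, and no removable drive at $StartupKeyPath to hold the startup key."
        }
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -StartupKeyProtector -StartupKeyPath $StartupKeyPath -SkipHardwareTest | Out-Null
    }

    # Always add a recovery password as well: a TPM that refuses to release the key
    # after a firmware change, or a lost USB key, leaves it as the only way back in.
    # It belongs somewhere other than the laptop bag.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Escrow to Active Directory on domains configured to store BitLocker recovery info:
    # Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    return $rp.RecoveryPassword
}

# Usage: audit first; enable only where the OS drive is still unencrypted.
Get-BitLockerPosture | Format-Table -AutoSize
$os = Get-BitLockerPosture | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if ($os -and $os.VolumeStatus -eq 'FullyDecrypted') {
    $recovery = Enable-OsDriveBitLocker
    Write-Host "Record this recovery password offline: $recovery"
}
```

The audit function is the piece worth running on every laptop: a row showing ProtectionOn false, or HasRecoveryPwd false, is a machine that is either not protected at all or will become unrecoverable the first time the TPM declines to unseal.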


I shall be talking more about the various authentication options for BitLocker as well as my own experiences enabling it in my next blog.




Aug 24, 2009 10:53 AM anne price says:

Paul, great advice on using the tools in most PCs to protect data. The TPM also can be used to protect passwords and is often used with single sign-on programs. Your readers also might be aware of a growing trend to self-encrypting hard disk and flash drives. These encrypt data in PCs on the fly, with no user intervention, and are very difficult to hack or attack.

Aug 24, 2009 11:59 AM Paul Mah says: in response to anne price

Hi Anne,

Thanks for dropping by and for your feedback. In fact, I should be making a mention of a self-encrypting flash drive in the near future. I've been told by disk drive makers that FDE solutions are already shipping - would you by chance have any idea of the number of such disk drives that have been shipped, though?

Regards,

Paul Mah.

Aug 27, 2009 4:36 AM Michael Willett says: in response to Paul Mah

The Trusted Computing Group (www.trustedcomputinggroup.org) that Anne represents has recently published the Specifications for self-encrypting drives (SEDs) for both the laptop and the data center. All drive vendors participated in the Spec development and multiple such vendors have announced and shipped SEDs: Seagate, Hitachi, Fujitsu, Samsung, and Toshiba, among others. Putting the encryption engine in hardware directly in the storage device has a number of superior properties when compared to indirect, software solutions (e.g., BitLocker). Laptop manufacturers have been shipping SEDs for several years now (e.g., Dell) and none less than IBM and LSI have announced SED integration into data center storage systems. And, since your topic was encryption for the SMB market ("Mom and Pop" shops), you might be interested in the LSI product (MegaRAID with SafeStore), which integrates SEDs and is specifically targeted for the SMB market:

http://www.lsi.com/DistributionSystem/AssetDocument/MR_Seagate_SED_TechBrief_072009.pdf

SEDs offer the transparency, ease of management, life cycle cost effectiveness, and yet robust protection required for that market.

The bottom line: Software-based and indirect encryption solutions have been used to encrypt storage historically (if at all), because that is what existed. But the storage industry has vigorously adopted direct, hardware-based self-encryption. That is the future of storage encryption.

May 23, 2010 6:55 AM SnakZ says: in response to anne price

Just to point out, TPM is not 100% safe; there was someone who did hack the TPM by doing something to it, and that in the end made the TPM give up the password.

The USB drive I think is the best; without the USB there is no way to unlock it other than the Recovery Key.

Cops coming after you for copyright? lol break the USB, get it wet making sure it can't work, and bang, they have no way to get in; just got to hope they don't find the Recovery Key lol

http://hackaday.com/2010/02/09/tpm-crytography-cracked/
