Bit locker Drive Encryption: How it Works and How it Compares

Endpoint security is a rat's nest of issues, risks and attack vectors. But one thing's for sure: there is no substitute for encryption, both of local hard drives and of removable storage devices. So why are so few of us using encryption at the endpoint?

View this presentation as Randy Franklin Smith from Ultimate Windows Security discusses:
* How to effectively deploy BitLocker and BitLocker To Go
* How well BitLocker To Go does at protecting data on removable devices
* Why you need to go beyond encryption and think about how to manage endpoint security holistically

    Presentation Transcript

    • BitLocker Drive Encryption: How it Works and How it Compares
      Made possible by: © 2011 Monterey Technology Group Inc.
    • Brought to you by http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
      Speakers: Chris Merritt, Director, Solutions Marketing
    • Preview of Key Points
      - How BitLocker works
      - Implementation steps
      - Caveats!
      © 2011 Monterey Technology Group Inc.
    • How BitLocker Works
      - BitLocker: for fixed disks; full volume encryption
      - BitLocker To Go: for removable disks
      - Trusted Platform Module (TPM): secure, tamper-resistant key storage; takes system measurements and can prevent the system from booting if possible tampering is detected
    • How BitLocker Works: Risks addressed
      - BitLocker on the system volume
        • Protect data stored therein
        • Protect the OS from tampering
      - BitLocker To Go
        • Prevent data leakage to removable drives
        • Combine with group policies that prevent writing to unprotected removable drives
    • How BitLocker Works
      - Entire volume encrypted with an AES symmetric key
      - AES key encrypted with:
        • Startup key
        • Recovery key(s)
    • How BitLocker Works: Startup key options
      - Stored in the TPM (Trusted Platform Module)
      - Stored on a USB drive
      - Optional additional protection: PIN
      - Most common scenarios: TPM only; USB drive with PIN
      - Don't do this!
        • USB drive without PIN
    • How BitLocker Works: Data recovery options
      - Recovery password (48 digits)
        • Can be printed or saved as a text file to a shared folder
        • Better: can be backed up to that computer's account in AD
        • Best for remote, phone-based support
      - Recovery key
        • 256-bit key saved to a USB drive
        • Many keys can be stored on one USB flash drive, which is then physically secured
      - Data recovery agent
        • Data recovery certificate pushed to all systems via group policy
        • Volume encryption key encrypted with the public key of the certificate
        • Can be recovered by someone with the private key
    • How BitLocker Works: Data recovery options (from TechNet: BitLocker Drive Encryption Design Guide for Windows 7)
      - Recovery password
        Advantages: can be backed up to AD DS; does not require IT physical presence; the 48-digit password can be read over the phone by a help desk attendant; users can print or save recovery passwords to a file, or this functionality can be disabled by Group Policy
        Disadvantages: not FIPS compliant
      - Recovery key
        Advantages: FIPS compliant
        Disadvantages: cannot be backed up to AD DS; users may store USB drives with their computer (if the key to unlock the operating system drive is stored with the computer, the protection is rendered useless); USB drives could be lost (if users lose the USB drive with their recovery key, they will not have a recovery method)
      - Data recovery agent
        Advantages: FIPS compliant; automatically applied to drives
        Disadvantages: IT department personnel must be physically present; the private key must be used to recover the drive; the operating system drive must be installed on another computer running Windows 7 as a data drive
    • Implementation Steps
      - Prep AD schema if Win2003
      - Configure group policy
      - Each PC:
        • Enable TPM in BIOS (physical touch?)
        • Activate TPM
        • Enable BitLocker
      - Verify
      - Recovery
    • Implementation Steps: Configure group policy
      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
      - User restrictions
        • PIN requirements
        • Can the user configure BitLocker and/or recover data?
      - Key backup and data recovery options
        • Require successful backup to AD before locking drives
      - TPM options
    • Implementation Steps: Each PC
      - Enable and activate the TPM, take ownership, generate a random password
      - Enable BitLocker by script
        • Manage-bde
        • EnableBitLocker.vbs
      - Options
        • Startup script pushed out by group policy
        • SCOM
        • Et al.
    • Implementation Steps: Verify
      - Check individual PCs via WMI GetProtectionStatus
      - Recovery and troubleshooting
        • Use BitLocker Recovery Password Viewer for Active Directory (part of RSAT)
        • Repair-bde
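The implementation steps above (group policy, TPM, enable by script, verify, recovery) carried through on one PC, as an added example that is not part of the presentation and not code from Monterey Technology Group or Lumension. It assumes an elevated PowerShell session on a domain-joined Windows 7 Enterprise/Ultimate PC whose TPM is already enabled in the BIOS, and that the group policy path named on the slide has been configured to require AD backup of recovery information and to allow TPM+PIN at startup. The registry value names checked are the ones Group Policy writes for those settings; the WMI classes and manage-bde switches are the ones Windows 7 ships.

```powershell
# Added example: enable BitLocker on the OS drive with TPM+PIN plus a 48-digit recovery
# password backed up to AD, then verify locally (WMI) and in AD. Not from the presentation.
# Assumptions: elevated, domain-joined Windows 7 Enterprise/Ultimate, TPM enabled in BIOS.

$OsDrive = $env:SystemDrive          # e.g. "C:"
$VolNs   = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$TpmNs   = 'root\cimv2\Security\MicrosoftTpm'

function Get-BitLockerVolume([string]$Drive) {
    Get-WmiObject -Namespace $VolNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
}

# Step "Each PC: enable, activate TPM, take ownership": the three flags that checklist needs.
function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm
    if ($tpm -eq $null) { return $false }
    ($tpm.IsEnabled().IsEnabled) -and ($tpm.IsActivated().IsActivated) -and ($tpm.IsOwned().IsOwned)
}

# Step "Configure group policy": the GPO path on the slide is stored under this key.
# OSRequireActiveDirectoryBackup=1 is "Do not enable BitLocker until recovery information is
# stored in AD DS"; UseAdvancedStartup=1 with UseTPMPIN 1 (require) or 2 (allow) covers the
# slide's "PIN requirements" item.
function Test-BitLockerPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    ($p.OSActiveDirectoryBackup -eq 1) -and ($p.OSRequireActiveDirectoryBackup -eq 1) -and
    ($p.UseAdvancedStartup -eq 1) -and ((1, 2) -contains $p.UseTPMPIN)
}

# Step "Verify": GetProtectionStatus returns 0 = unprotected, 1 = protected, 2 = unknown.
function Get-ProtectionState([string]$Drive) {
    $vol = Get-BitLockerVolume $Drive
    if ($vol -eq $null) { return 'NoVolume' }
    switch ([int]$vol.GetProtectionStatus().ProtectionStatus) {
        0       { 'Unprotected' }
        1       { 'Protected' }
        default { 'Unknown' }
    }
}

# Step "Recovery": confirm the recovery password reached AD by looking for the
# msFVE-RecoveryInformation object stored directly beneath this computer's account
# (the same object the RSAT Recovery Password Viewer shows).
function Test-RecoveryInfoInAd {
    $computer = ([ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    if ($computer -eq $null) { return $false }
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = $computer.GetDirectoryEntry()
    $searcher.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchScope = 'OneLevel'
    ($searcher.FindAll().Count -gt 0)
}

if (-not (Test-TpmReady))        { throw 'TPM is not enabled, activated and owned; fix in BIOS / TPM MMC first.' }
if (-not (Test-BitLockerPolicy)) { throw 'Group policy does not require AD backup and allow TPM+PIN; aborting.' }

if ((Get-ProtectionState $OsDrive) -eq 'Unprotected') {
    # Step "Enable BitLocker by script": manage-bde is the tool the slide names.
    # -RecoveryPassword generates the 48-digit password; -TPMAndPIN prompts for the PIN.
    & manage-bde -on $OsDrive -RecoveryPassword -TPMAndPIN
    # Push the numerical-password protector(s) (key protector type 3) to AD explicitly,
    # so the backup does not depend solely on the policy having fired.
    $vol = Get-BitLockerVolume $OsDrive
    foreach ($id in $vol.GetKeyProtectors(3).VolumeKeyProtectorID) {
        & manage-bde -protectors -adbackup $OsDrive -id $id
    }
}

New-Object PSObject -Property @{
    Computer         = $env:COMPUTERNAME
    TpmReady         = Test-TpmReady
    PolicyOk         = Test-BitLockerPolicy
    Protection       = Get-ProtectionState $OsDrive
    RecoveryInfoInAd = Test-RecoveryInfoInAd
} | Format-List
```

With TPM-based protectors, encryption only starts after the reboot in which BitLocker runs its hardware test, so the first run reports Unprotected with the recovery information already in AD; a second run after the reboot (and after conversion finishes) should show Protected. Deploying this as the group policy startup script the slide mentions gives the same sequence on every PC, and the throw statements make a missing policy or an unowned TPM fail loudly rather than silently encrypting a drive whose recovery password was never backed up.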
    • Caveats Win7 Ultimate and Enterprise only  Read only access of BitLocker to go on pre-Win7 Things that can mess up the TPM and prevent booting  Docking stations  CD ROMs  Smart batteries  Moving the BitLocker-protected drive into a new computer.  Installing a new motherboard with a new TPM.  Turning off, disabling, or clearing the TPM.  Changing any boot configuration settings.  Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data
    • BitLocker To GoRemovable storage encryption No support for DVD/CDsAuthentication Options Password SmartcardPolicies to prohibit usage of unencrypted devices but can’t force encryptionRead only support for pre Win7 with BitLocker To Go Reader
    • CaveatsHardware TPM 1.2BIOS configuration Trusted Computing Group (TCG)-compliant BIOS The BIOS must be set to start first from the hard disk, and not the USB or CD drives The BIOS must be able to read from a USB flash drive during startupPhysical touch to enable?
    • CaveatsBitLocker To Go Cannot force encryption for removable devices Does not protect media (e.g., CDs / DVDs) as well as UFDs
    • CaveatsNo centralized reporting or visibility in to usage and status Deployment and monitoring Safe harbor – lost opportunity to reduce breach notifications and associated costs 2/3 all breaches reported • Lost devices or endpoints • 85% of records • Encryption would have negated huge chunk of costs and vast majority of cases