Disk Encryption - The Next Generation (Bitlocker Administration and Monitoring)
Throughout the years, certain elements of IT have evolved from a 'nice to have' to 'an absolute requirement'. If one thinks back 10 years ago, the IT landscape looked very different; organizations had issues patching systems (if they were patching at all), configurations were rarely standardized and data was stored in a myriad of different locations. Fast forward to 2011 and we see many improvements; patch management is largely automated, configuration management exists to standardize server and desktop builds and...data is still stored in a myriad of different locations. Like it or not, encryption of data is needed, should be required, and will be here to stay. The fact is that mobile devices are becoming more prominent, more employers are realizing a laptop provisioned to an employee will yield more work out of them when they're at home on the evening and on weekends, coffee shops and airports all over the world and more and more mobile workers are taking data with them as they travel, and often these mobile devices are stolen, left in cabs/airplanes, and exposed to malicious attacks. Few organizations are arguing about the 'why' of data encryption, the focus has now turned to the 'how'.
Out of The Box or Third Party?
Six or seven years ago, disk encryption products were a niche space; vendors like Guardian Edge, Safe Boot and PGP sold disk encryption products that were able to be installed on (then) current machines running Windows XP. Licensing for these products was separate and companies tended to license these products for their mobile devices and segment the mobile device population from the traditional 'stationary' device population.
In 2006, Microsoft came out with Bitlocker Drive Encryption, which was embedded into certain SKUs of the operating system (Windows Vista Enterprise and Windows Vista Ultimate). Due to limited adoption of Vista, Bitlocker only took off in the occasional IT shop. The precedent was set though; was 'out of the box' disk encryption good enough or did IT Pros continue to have to justify the license expense for third-party disk encryption software?
Microsoft offered improvements to Bitlocker in Windows 7, including the ability to encrypt multiple volumes (in Vista, the boot volume is the only one capable of being encrypted). They also added Bitlocker To Go, which allows for encryption of removable devices (e.g.: USB Flash Drives or portable hard drives) that can be accessed on other Windows 7 devices as well as older operating systems (Windows Vista and Windows XP). However, there are still some shortcomings in Microsoft's out of the box solution; specifically, reporting and integrated management.
It's About Integration
The hard reality that many IT shops are facing is clear; as the company grows and the environment becomes more sophisticated, integrated, and turn-key, solutions that help reduce cost and eliminate complexity are becoming not only attractive, they're becoming a necessity. As security vendors began to realize this integration vision, they acquired disk encryption 'point solutions' (e.g.: McAfee's acquisition of Safe Boot) and integrating it into their suite. M\Offering management through their centralized console and marketing the disk encryption solution as a competitive differentiator went over great with customers. But what about the IT shops that can't afford or continue to justify the cost of these solutions? Does Microsoft have a competitive offering for their 'out of the box' technology?
With many IT Pros building and deploying their new Windows 7 images now, these questions are surfacing and it is time to take a hard look at what Microsoft has to offer in this space. Microsoft has added more control over Bitlocker through the Microsoft Bitlocker Administration and Monitoring (MBAM) solution, which is in beta (available here). Microsoft has been criticized for not providing a full solution for the enterprise to report on the status of disk encryption and this is their entry into the space.
MBAM - High Points and Low Points
There are a few things that really stand out with MBAM. First and foremost, the integration into Windows 7 for building and deploying an image is extensive. There is an MBAM 'client' that can be leveraged with your deployment tool of choice that can be used to automate the encryption process as the system is imaged / rolled out. As a result, targeting is also very efficient as well; if you want to only target a subset of devices, such as certain laptop models issued to executives that is no problem. It is recommended that you start with a disk encryption baseline across all devices that support it, even your desktops. Just because a device may not be 'mobile' doesn't mean it can't walk off, especially in a physically insecure area.
The reporting is quite thorough as well. The report engine is built on top SQL Reporting Services. As you can see in Figure 1, sorting by operating system, compliance status, computer type, etc. is all easily sliced in the browser view. The quick view of whether a device is 'compliant' or 'non-compliant' is helpful, as well as quickly identifying the root cause of a device being out of compliance.
Figure 1: A compliance report powered by SQL Reporting Services Source.
Key escrow and management is greatly improved, another gripe from the 'out of box' Vista/Windows 7 disk encryption offering with Bitlocker. Bitlocker supported Active Directory-based key escrow, but questions arose around segmenting access to this valuable private key information. Is Active Directory really the best place to store that for all organizations? How would organizations handle chain of custody for the keys from a compliance perspective?
With MBAM, key escrow can now be transmitted to an encrypted SQL database instead of Active Directory. This gives more precise access control capability over the key material. Removing access to Active Directory for teams like the helpdesk or desktop support team is an attractive feature of MBAM. Key recovery is also greatly improved as well; a user can now perform key recovery via a web page. Of course, they'll require a separate machine to do this if their machine is sitting at the 'pre-boot' Bitlocker Recovery console.
Microsoft has also made some great improvements in the Bitlocker experience for organizations that are deploying their Windows 7 image as a 'standard' user; end users can now kick off the encryption process ('out of the box' Windows requires this to be done by an Administrator). Same thing goes for administrative tasks like changing the start-up PIN.
There are a number of downsides to MBAM as well. For one, it's not released in a production version yet. It's currently available for evaluation in beta form with an expected ship date of later this year. MBAM will also not be a free add-on; Microsoft is including it in the Microsoft Desktop Optimization Pack (MDOP), which includes functionality such as Application Virtualization and the Diagnostics and Recovery Toolset (DaRT). This is an extra subscription service required on top of the Windows Client purchase.
Whether you stick with your existing 'add-on' product or look to evaluate an 'out of the box' solution with Windows, disk encryption is a necessary component of every OS build. This reviewer feels that MBAM is making good progress with the '80/20' rule, providing key reporting and management functionality that may very well be good enough for many enterprises looking to cut cost and leverage the integrated functionality of the operating system. Let us know what you think: is MBAM right for you or are you sticking with your existing solution?