Full Disk Encryption (FDE) - getting off on the right foot protecting data
Full Disk Encryption (FDE) - getting off on the right foot protecting data

Consider the sheer damage a data breach can cause – stolen proprietary documents and data, bad publicity, lost business, and potentially massive fines that ultimately cripple your business. Most breaches could easily be avoided with some very simple precautions, with many companies opting to deploy the full disk encryption (FDE) capabilities built into their operating systems as an enterprise standard. For enterprises dominated by the Windows Operating System, Microsoft's BitLocker has been naturally adopted to encrypt user devices, including PCs and laptops. BitLocker is supplied with select editions of Microsoft Windows, and offers excellent performance and compatibility with the widest range of hardware.

It's a great solution, but not a complete one, and comes with some hidden considerations. For example, standardising on BitLocker may require you to upgrade some of your enterprise Windows licences or make sure you have additional Microsoft software to support Microsoft BitLocker Administration and Monitoring (MBAM).

Another issue is that BitLocker doesn't support workstations running older versions of Windows.  Although most organisations have likely migrated from XP by now, many deployments still exist. The biggest issue though is that of managing encryption on non-Windows devices. These days it is much more common to see mixed-OS environments with many companies possessing a hotpot of Linux, MacOS, iOS and Android, especially on mobile devices – and it only takes one unprotected system to offset all of your FDE and file-level encryption efforts. Unless you can ensure that only supported Windows OS devices will be used in your organisation or connect with your enterprise network, you will have to provide for those other platforms with third-party encryption software to adequately manage non-Windows devices alongside those encrypted by BitLocker.

This is where careful choices need to be made, as a complex encryption and management environment can lead to a false sense of security, pun intended!  One mistake often made is to have a security strategy that, on paper at least, provides multi-layered protection, but is not interconnected in any way.  In the same way that management tools have played a key role in allowing IT departments to better visualise and manage the deployment of virtual machines over last 10 years, they can play the same role for encryption across the whole business whether on-premise, virtualised, or in the cloud.  A lack of that visibility can easily lead to human error and according to the 2016 Verizon Data Breach Investigations Report, 34 percent of breaches could be linked to miscellaneous errors, insider and privilege misuse.

Without question BitLocker is an excellent step on the route to providing the kind of protection that ensures sensitive data is protected.  Careful consideration is needed of the overall technology infrastructure, how it will change in the future, the needs of the users and processes required to make its deployment efficient.  These last two points are particularly important, as FDE and encryption in general can become a barrier to productivity in the workplace if they are not taken seriously.  If on-demand encryption/decryption is made easy, even transparent for employees, across their devices, then their productivity is maintained whilst better protecting the organisation.  As IT professionals, we all know from experience that when things are made hard for users in terms of complexity or simply slowing them down, then they start to look for hacks around the problem or barrier.

Each FDE solution has its own way of managing forgotten passwords or lockouts caused by updates or hardware changes.  Of course, there will also be times when administrators need to act quickly to lockout employees, re-assign corporate hardware to a new user, wipe lost devices, or change privileges. It is critical that an IT department has given careful consideration to how they will manage those processes quickly, with minimum impact to employees regardless, whether they are on the corporate network or working remotely.  It's incredible how often IT departments forget that emailing the helpdesk is not always an option!

Ultimately, BitLocker is a fine encryption engine for Windows but it has serious deficiencies when it comes to enterprise management and a lacks support for non-Windows devices like Macs and Linux servers. Taking the time to think about how the issues raised impact your business will help ensure a smooth deployment, lower the long-term risks of exposure to data breach, and keep your users happy!

Mark Hickman, Chief Operating Officer at WinMagic.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.