Lack of management tools slows BitLocker adoption

SA Mathieson

Organisations are taking a cautious approach to adopting BitLocker, the hard-disk encryption system built into Microsoft’s Vista operating system. This is due to its lack of management tools, according to one firm seeking to fill this gap.

Alex van Someren, chief executive of UK encryption vendor nCipher, said his firm is planning to release an appliance for BitLocker, but not this year. “Realistically, the pace of the deployment [of BitLocker] means that will not be by any means too late,” he said.

Van Someren said that those making use of Microsoft’s encryption system were tending to do so for very small numbers of users. “Big institutions are just not turning BitLocker on yet,” he said, adding that the product “is struggling to deploy, as it’s got no management tools”. Organisations risk losing all the data stored on computers with full-disk encryption if an employee loses the key, or leaves without disclosing it, he added.

Joe Wilcox, editor of the Microsoft-Watch.com blog and formerly an analyst for Jupiter Research, said BitLocker does have limited management options, but these are controlled by individual users. They can copy encryption keys to other locations, including to ActiveX directories.

“What IT organisations need to understand is how they manage BitLocker in a broader way,” said Wilcox. “If you’re a company managing 4000 or 5000 notebooks, all BitLocker encrypted, that’s a lot of keys to manage.” As a result, organisations are preferring piecemeal deployment, he added.

Microsoft were not able to provide comment by 15 June.

Van Someren said that nCipher, which built its business over the last decade primarily on encryption hardware sales, expects to see growth through its Key Authority key management software, released last year. On 1 June, the firm announced a sale of this product to a New York financial firm, which van Someren said was the product’s “first really big installation” worth more than half a million dollars, following a few smaller sales.

He added that the UK’s activation of part three of the Regulation of Investigatory Powers Act 2000, allowing law enforcement access to encryption keys, will also require police forces to manage keys properly. As a result, both organisations and police forces represent a future market for the software. “Have I tried to sell to police forces? I have started, yes,” he said, although no sales have yet resulted.