With the last several posts being about BitLocker (and especially Recovery Keys), hopefully you now have some idea of the things you will want to think about when planning for a BitLocker deployment.
Beyond that, however, the obvious question that now needs to be addressed is: Where should you deploy BitLocker? After all, if it's built in to Windows 7 (Enterprise and Ultimate), it should be a no-brainer, right?
I think it's fair to say that BitLocker could be perfectly fine for some of your users, or even most of your users, depending on what type of business you are and how sensitive your information is. But probably not all.
As I said, BitLocker provides a good implementation of a well-understood and secure algorithm, AES, and as such you can be confident that it provides protection to your data, especially against off-line attacks. And if you address some of the management and security challenges (especially recovery key management and local admins turning the protection off) you've got a relatively solid solution. However, because BitLocker uses a full-volume encryption approach, there will still be places where BitLocker may not be the best fit.
The upside of full-volume encryption is that it is conceptually simple and provides a pre-boot authentication requirement (forcing the user to be authenticated before the boot process can proceed). And BitLocker goes even further by leaning on the TPM to provide a root of trust, ensuring that someone hasn't tampered with the system (while you were watching re-runs of the royal wedding, for example). Use of the TPM makes BitLocker one of the best full-volume (or full-disk) solutions out there.
The downside to full-volume approaches is, well, just that: full-volume. So once a volume is decrypted (at boot time) it remains decrypted while the power is on. This has a couple of drawbacks. The first is that you must beware of allowing users to put their system into sleep mode. The drive remains essentially unencrypted when the system is in sleep mode, which obviously can be a problem if your users are in the habit of leaving systems sleeping. Microsoft sensibly suggests that you disable sleep mode through GPO settings to protect against this potential vulnerability.
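One way to check that sleep-mode setting on a given machine, as an added example that is not part of the original post: it reads the registry values written by the Group Policy setting "Allow standby states (S1-S3) when sleeping" (plugged in and on battery). The function name and output fields are illustrative, and the script sticks to PowerShell 2.0 syntax so it runs on Windows 7.

```powershell
# Added example (not from the original post): audit the Group Policy setting
# "Allow standby states (S1-S3) when sleeping" on the local machine.
# Function name and output fields are illustrative assumptions.

# Registry location where the policy for this power setting is stored.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

function Get-StandbyPolicyState {
    param([string]$Key = $PolicyKey)

    # One policy value per power source.
    $sources = @{ 'ACSettingIndex' = 'Plugged in'; 'DCSettingIndex' = 'On battery' }

    foreach ($name in $sources.Keys) {
        $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'NotConfigured'    # no policy value: the local power plan decides
        } elseif ($item.$name -eq 0) {
            $state = 'StandbyDisabled'  # policy blocks S1-S3
        } else {
            $state = 'StandbyAllowed'   # policy explicitly permits S1-S3
        }
        New-Object PSObject -Property @{
            PowerSource = $sources[$name]
            ValueName   = $name
            State       = $state
            Compliant   = ($state -eq 'StandbyDisabled')
        }
    }
}

$results = @(Get-StandbyPolicyState)
$results | Format-Table PowerSource, ValueName, State, Compliant -AutoSize

# A non-zero exit code lets a deployment or monitoring tool flag the machine.
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Sleep (S1-S3) is not disabled by policy on this machine.'
    exit 1
}
```

A "NotConfigured" result means no GPO value is present, so the user can still choose sleep through the local power plan.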
The second, and probably more significant, issue here is that, once again, once you've decrypted the volume, you've decrypted everything. That means that if you have multiple users on the same system (as happens often in the healthcare industry) then there is no protection provided between users by BitLocker. It's all decrypted, all the time. More worrisome still is the fact that if you have sensitive information on your laptop, and you need someone to work on it, you can't allow them access to just the system.
They have access to everything.
So BitLocker isn't going to provide protection against the prying eyes of an overly curious admin or technician (or contractor) who decides to check out the latest M&A activity or the medical files for that Hollywood starlet getting a nose-job. This is probably one of the most common reasons cited (along with the management challenges) for BitLocker not having been widely adopted so far.
So does this mean that BitLocker is a bad solution? Absolutely not. It's a tool. And like any tool, it has a function for which it fits and functions for which it doesn't. (OK, and yes, I did once use a screwdriver as a hammer, but the results were sadly predictable.)
BitLocker is definitely a solution you should consider if you:
- Are running Windows 7 Ultimate or Enterprise editions
- Do not store highly sensitive information
- Do not share systems
- Generally operate within your network domain
For users who are handling highly sensitive information or need to share systems, you must think carefully about how, where and what to deploy to prevent a breach or accidental disclosure.
But then again, I'm guessing you probably already knew that.