Extended support for Windows 7 is going to end in January 2020, less than 18 months away. Many companies are of course choosing to get on with the task of upgrading their environment to Windows 10, which offers many advantages for both users and IT departments. A big advantage for the IT department is the inclusion of BitLocker in Windows 10: a Microsoft Full Disk Encryption (FDE) solution that enables IT departments to implement FDE across their endpoints and servers. For many, this is seen as a quick, low-cost way to solve some of the big challenges they have around security and compliance, particularly as more stringent regulations have come into force, such as the General Data Protection Regulation (GDPR) and HIPAA. While BitLocker is good at encrypting Windows 10 workloads, what you may not realize is that, on its own, it can’t keep your critical data 100% secure or fully compliant.
Being able to implement FDE through BitLocker for an individual device offers a great level of protection, but as many are learning, it is simply not true that it is a silver bullet for meeting encryption and compliance needs. There are four areas IT departments need to consider in their encryption strategy. Failing to address these areas may result in falling short of protection expectations, or worse still, finding themselves exposed to security and compliance threats they believed they had covered with BitLocker alone.
We know that BitLocker is a solid starting point for encryption, but it’s simply not enough to meet compliance requirements. For that, you need a management tool capable of delivering encryption management and reporting for audits. Organizations have traditionally relied on three options for managing BitLocker: manually via Active Directory Domain Services (AD DS), via cloud-based management with Azure Active Directory (Azure AD) and Microsoft Intune, or the Microsoft-recommended way, with Microsoft BitLocker Administration and Monitoring (MBAM).
Each of these options comes with its own benefits and problems, and ultimately is only effective for the management of BitLocker in the Windows environment. While for some this will be satisfactory, most organisations have a hybrid OS environment across desktop and mobile devices. In these cases, MBAM simply adds complexity, as it becomes one of multiple management and compliance tools.
Beware the hidden costs
BitLocker is included in Windows 10, or available at low cost on Windows 7 or 8. However, there is a cost to implementing the management elements with MBAM, such as additional SQL Server and other Microsoft licenses. Skilled resources also add to costs. Whether it is bringing in new admin staff or training up those already in roles, these costs may be indirect, but they can’t be ignored. And remember, MBAM is only ever going to manage your Windows estate, leaving other devices and operating systems out in the cold.
Compliance cannot be achieved with BitLocker alone
While BitLocker offers FIPS 140-2 compliant encryption for Windows 10 devices, it cannot provide organisations with the proof needed to demonstrate to regulators that encryption is in place everywhere it is needed, and is appropriately managed and monitored. Additionally, many regulations require companies to not share passwords or rely on Windows OS alone for security (PCI-DSS for example), leaving organizations to compromise on security with either shared BitLocker PINs or TPM-only. Other issues, such as the ability to easily suspend or disable BitLocker, and its lack of enforcement on removable media such as USB drives, mean the level of compliance offered by BitLocker alone is meagre at best.
MBAM tools do not offer historical reporting for audit purposes, so to be compliant, businesses need a tool that can monitor and report encryption in real-time and produce out-of-the-box audits at any point in time.
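The conditions named above (BitLocker suspended or disabled, TPM-only unlock) can be checked locally with the built-in `Get-BitLockerVolume` cmdlet. The following is an added example, not part of the original article: the function name `Get-BitLockerFinding` and the report path are hypothetical, and it records a point-in-time snapshot of one machine only.

```powershell
#Requires -RunAsAdministrator
# Added example. Function name and report path are hypothetical.
$ReportPath = 'C:\Audit\bitlocker-status.csv'   # assumption: existing, access-restricted folder

function Get-BitLockerFinding {
    param([Parameter(Mandatory)] $Volume)

    # Key protector types on the volume, e.g. Tpm, TpmPin, Password, RecoveryPassword
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $findings = @()

    # ProtectionStatus is Off both when BitLocker was never enabled and when it is suspended
    if ($Volume.ProtectionStatus -ne 'On') { $findings += 'protection off or suspended' }
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume status: $($Volume.VolumeStatus)" }
    # A plain Tpm protector unlocks at boot without a PIN or startup key
    if ($types -contains 'Tpm') { $findings += 'TPM-only unlock' }
    if ($Volume.ProtectionStatus -eq 'On' -and $types -notcontains 'RecoveryPassword') {
        $findings += 'no recovery password protector'
    }
    return $findings
}

# One row per volume; appending on every run builds a dated history for later review
$rows = foreach ($v in Get-BitLockerVolume) {
    [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('s')
        Computer   = $env:COMPUTERNAME
        MountPoint = $v.MountPoint
        VolumeType = "$($v.VolumeType)"
        Protection = "$($v.ProtectionStatus)"
        Encrypted  = "$($v.EncryptionPercentage)%"
        Findings   = @(Get-BitLockerFinding -Volume $v) -join '; '
    }
}

$rows | Export-Csv -Path $ReportPath -Append -NoTypeInformation
# Show only the volumes that need attention
$rows | Where-Object Findings | Format-Table MountPoint, VolumeType, Protection, Findings -AutoSize
```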
Users find BitLocker challenging to use
BitLocker can impact users in a number of ways that limit their productivity. It has a significant overhead on boot-up times, and also requires users to remember two passwords, which often leads to them getting locked out of accounts. Resetting accounts can be a labour-intensive process that requires users to enter a complex and lengthy string of characters sent to them by IT staff. Because unlocking devices cannot be managed remotely by the IT department, users can find themselves struggling to get back online. This is just one example of how users can find themselves hampered, rather than helped, by BitLocker. Ultimately, frustration leads to them looking for ways around the technology, such as disabling it, which undermines enterprise security and compliance – and ultimately defeats the purpose of encryption altogether. Encryption should always be as transparent and frictionless as possible if it is to be useful.
Getting the best from BitLocker
BitLocker is a good starting point for encryption in your enterprise if you are a Windows-only shop. However, it should not be viewed as a complete solution to the challenges that IT departments face in terms of compliance, cost, complexity and user adoption. Don’t fear, though: these can all be overcome by using the right platform-agnostic management tools to get the best from the technology. The important thing is to know where BitLocker fits in the bigger picture, to understand its benefits and pitfalls, and to acquire the additional support technology, such as management tools, to ensure your business is secure, compliant and getting the most from BitLocker.
Windows has been offering its BitLocker feature for quite some time now. With Windows 10, this feature has not only improved but also offers support for even more devices. Read on to learn how you can make use of this feature.
BitLocker is a program that allows you to encrypt your data. It is an enterprise-level feature that is capable of encrypting drives, single files and folders.
Does it work with Windows 10?
In previous versions of Windows this feature was limited to the Ultimate and Business editions. Windows 10 also has this feature, with more features, in the Pro and Enterprise editions. The Home edition of Windows 10 also supports device encryption, but not using BitLocker exclusively. As in previous versions of Windows, BitLocker offers the option of locking external drives and internal drives, and of using a USB drive for the authentication key.
Who should use BitLocker
Anyone who wants to secure their files from being modified should use BitLocker. However, it is mostly businesses and users with confidential data who use BitLocker. You can even use it to keep some files away from kids or other people in your family.
Note that your Windows credentials and BitLocker have no connection, so keep this in mind while setting the password. BitLocker allows only a single user to access the file at a time, so multi-user access to encrypted data may not be possible.
What about existing BitLocker-encrypted devices?
Windows 10 should support your existing drives and files for encryption. BitLocker in Windows 10 has been backwards compatible since the Windows 7 Ultimate version. If you find it harder to access those files, revert to the previous OS and decrypt before you upgrade. You can also do the encryption after finishing your upgrade or clean install. When you do migrate to BitLocker with an encryption password, make sure you download the file and keep it handy, or have a USB key ready. These two options give quicker access to encrypted drives than printing out the key.
How does it work?
BitLocker is capable of encrypting NTFS and modern file systems. All you have to do is enable BitLocker on the drive. You can then encrypt the files, folders or drive using the interface. You can use USB key mode, user authentication mode or transparent operation mode. By default, most OEM installs set BitLocker to USB key mode. This mode is really handy if you want to use an external USB drive for logging into your drive. BitLocker can be used from the GUI or from a command-line tool. If you want to secure files from some people, then you need this tool.
Learn how to encrypt your drive by following these instructions.
Steps to encrypt your drive using BitLocker
1. Open Windows Explorer and navigate to the drive you want to encrypt.
2. Right-click on the drive and select the menu option “Turn on BitLocker”.
3. Set the password to unlock the drive. (Write this password down somewhere only you can access.)
4. Save the recovery key to a file or a USB drive, or print it out.
5. Choose “used drive space” or “entire disk drive”, depending on your needs.
6. Start the encryption process.
7. Restart the computer.
Note: Because BitLocker is an admin-level feature, Windows 10 will ask you for UAC permission every time you want to perform certain BitLocker-related tasks.
Once you follow the steps explained above, you’ll have BitLocker enabled on your drive. You can also encrypt your existing USB drives using the device encryption feature. When you are using encryption on external devices, you should use the BitLocker To Go feature.
Should you use BitLocker? If your data is sensitive and you don’t want anyone else to access it, then the answer is yes. Instead of using expensive external encryption programs, you can use this feature offered within the operating system.
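The same steps can be carried out from an elevated PowerShell prompt with the built-in BitLocker cmdlets. This is an added example, not part of the original article, and it assumes a fixed data volume `D:` and a separate drive `E:\` for the recovery key (both are placeholder values). On a data volume, encryption starts immediately without the restart in step 7.

```powershell
#Requires -RunAsAdministrator
# Added example. Drive letters and the backup file name are assumptions; adjust before use.
$MountPoint   = 'D:'     # assumption: fixed data volume to encrypt
$KeyBackupDir = 'E:\'    # assumption: separate drive (e.g. USB) for the recovery key

# Never store the recovery key on the volume it unlocks
if ($KeyBackupDir.StartsWith($MountPoint, 'OrdinalIgnoreCase')) {
    throw "Recovery key backup location must not be on $MountPoint"
}

# Step 3: read the unlock password interactively so it is not kept in the script or history
$Password = Read-Host -AsSecureString -Prompt "BitLocker password for $MountPoint"

# Steps 5-6: start encryption of used space only; remove -UsedSpaceOnly for the entire drive
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
    -UsedSpaceOnly -ErrorAction Stop | Out-Null

# Step 4: add a recovery password protector and save it away from the encrypted volume
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
    -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null

$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1

$backupFile = Join-Path $KeyBackupDir ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $MountPoint.TrimEnd(':'))
@(
    "Volume:            $MountPoint"
    "Key protector ID:  $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Set-Content -Path $backupFile

# Confirm the result: protectors present and encryption progress
Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```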