BitLocker: Encryption for Critical Business Data

Encryption has become the most effective way for businesses of all sizes to best secure critical data. While it doesn’t prevent data from being accessible, it does render data unintelligible unless you have a secret key or password to decrypt or make the information readable.

With the introduction of Microsoft’s Windows BitLocker, business hardware (like servers, workstations, backup drives, etc.) can be protected by encryption; drastically improving the threat of data being stolen or exposed when a computer is lost or stolen. Encryption plays a significant role in data confidentiality on hardware and can be utilized in a variety of organizations including law firms, doctor office’s or businesses that supply laptops for employee’s use.

Encryption Fundamentals

Protecting critical business data, as with other security measures implemented, should be approached in a layered manner for best protection. It’s also important to emphasize that the protection that encryption provides is only as strong or secure as the password used to decrypt the data.

Data In Transit

When data is actively moving from one location to another, or in transit, encryption can be deployed to prevent the session from being exposed. You’ve likely seen data in transit encryption deployed in several private communication tools like WhatsApp, Facebook Messenger, or Gmail  in addition to being deployed to countless websites via a SSL certificate.

Data At Rest

When data that is stored physically on a device and the devices is inactive it can be protected with data at rest encryption. Mobile devices like Apple’s iPhones are actively using this method of protection in its authentication process (i.e., enabling access to your device with your PIN or fingerprint). Data at rest encryption, (encryption type used by BitLocker) is only active when your logged off or device is powered off. Therefore once you’ve successfully decrypted the data stored on the device through a successful log -in, your data will then be vulnerable to other attack vectors (infected links or e-mail attachments, viruses, key loggers etc.).

Requirements for Bitlocker

Most new computers ship with Windows 10 and therefore include BitLocker Drive Encryption for Professional, Enterprise and Education editions of Windows 10. Your Windows PC will also need a storage drive with at least two partitions and a Trusted Platform Module (TPM) where the decryption key is stored. TPM is the chip that runs an authentication check on your hardware. If it detects an unauthorized change, your PC will boot in a restricted mode to deter potential attackers.

How It Works

Bitlocker enhances your hardware protections and helps render data inaccessible by ensuring the integrity of the boot process. Only someone who has your password and recovery key will be able to get to your data once the drive is properly secured. Once Bitlocker has been activated on a user’s device, the startup experience will prompt you for the unlock method (password). Bitlocker then decrypts the drive and loads Windows.

Things to Consider

Encrypting is a significant change to your computer and therefore has risks associated with it. Be sure to make a full backup of your system prior to making any such major modifications. Other important factors to consider when encrypting include:

  • Store a backup of your recovery key as an additional safety measure. This critical information can be stored on a USB device, printed out and stored in a safe location or saved to your Microsoft account online. If this recovery information is lost, your encrypted drive will be unrecoverable.
  • The length of time it takes BitLocker to fully encrypt your files depends on the size and speed of your drive, and how much data you are encrypting.
  • Enabling data encryption may slow down your system’s performance slightly. The initial encryption will occur in the background of your computer and your system remains usable and allows you continue to work. However, protecting sensitive information will likely be worth the minor trade off.
  • Data encryption should be just one part of your company’s security strategy. Antivirus and Anti-spam software along with other intrusion protection methods should still be utilized.
  • Bit locker is closed-source offering which means Microsoft has exclusivity on this proprietary program. Any software bugs and subsequent fixes will be the sole responsibility of Microsoft to address. The closed-source nature of this feature concerns some extremely privacy minded users as there is no guarantee that Microsoft hasn’t issued some kind of backdoor into the program amid pressures from the United States government.

As our dependence on technology continues to grow, it becomes more crucial than ever before to protect critical business data from falling in to the wrong hands. As the typical office space transforms from cubicles and boardrooms to remote locations, mobile workplaces and digital conferences the risk of hardware being lost, stolen or maliciously breached can and should be addressed proactively.

(image via flickr/Blue Coat Photos)