Tactical Advice

Secure Transport

While BitLocker To Go can help protect data in transit, make sure to establish security rules of the road specifically for your users.
This story appears in the June 2010 issue of BizTech Magazine.

Privacy and security should be front and center for the IT team every time your company’s employees have to take confidential information offsite to work from home or while on the road.

For Windows Vista, Microsoft introduced BitLocker Drive Encryption, which reduces the risk that sensitive information will be compromised should a user’s notebook be lost or stolen. In Windows 7, Microsoft extends this feature with BitLocker To Go, which lets users encrypt USB flash drives and other USB removable storage devices to safeguard confidential information stored on the devices during transit.

Here are five best practices IT staff should consider before allowing users to adopt BitLocker To Go.

One: Educate Your Users

Even if you have security policies that call for encrypting data in transit, it’s wise to write up a policy that explains BitLocker To Go and how to use it properly.

Be specific. Make sure users are aware that they should access BitLocker-protected flash drives only from computers they trust. BitLocker protects data at rest: once a user unlocks a protected flash drive on a compromised computer and opens a file from it, that file must be considered compromised as well.

Two: Encrypt Before Use

Ensure that users encrypt their flash drives before they copy any sensitive information onto these devices. Better yet, preconfigure the drives before companywide distribution.

Flash drives consist of erasable memory segments that support a limited number of rewrite cycles. To lengthen their usable life, device makers use a process called wear-leveling, which distributes rewrites across the entire drive. But some wear-leveling algorithms can expose data previously stored as plain text. If you encrypt drives before use, there won’t be any plain text to begin with.

Three: Use Group Policy

Windows 7 provides half a dozen Group Policy settings for managing different aspects of BitLocker on removable storage devices. Administrators should familiarize themselves with these settings and then configure them appropriately for their specific user environment.

For example, if the company doesn’t want users to access data stored on encrypted drives from earlier versions of Windows, such as Vista or XP, then enable that policy in the Group Policy pane.

Four: Create a Recovery Policy

An administrator needs to be able to recover data stored on a protected drive if the user forgets the password or loses his or her smart card. To do this, the administrator needs a recovery policy.

Some best practices include requiring BitLocker to generate both a recovery password and a recovery key; preventing users from specifying recovery options themselves when they enable BitLocker; storing recovery information in Active Directory; and preventing users from encrypting drives until recovery information has been saved in Active Directory.
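The Group Policy settings described under "Three" and "Four" are applied to clients as registry values under the BitLocker (FVE) policy key. The following script is an added example, not code from the article or from Microsoft, that audits a Windows 7 client against the recovery practices listed above; it assumes that the RDV* value names are the registry backing for the "Removable Data Drives" BitLocker policies and that the client has refreshed Group Policy.

```powershell
# Added example (not from the article): audit the BitLocker removable-drive
# (RDV*) policy values that Group Policy writes under the FVE policy key.
# Assumption: these value names back the "Removable Data Drives" policies.
# Run as an administrator after Group Policy has refreshed (gpupdate /force).
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values for the recovery practices in the article:
#   1 = enabled / required, 0 = disabled / not allowed, 2 = allowed (optional)
$Expected = @{
    RDVRecovery                     = 1   # a recovery policy is configured
    RDVRecoveryPassword             = 1   # require a 48-digit recovery password
    RDVRecoveryKey                  = 1   # require a 256-bit recovery key
    RDVHideRecoveryPage             = 1   # users cannot choose recovery options
    RDVActiveDirectoryBackup        = 1   # back recovery info up to AD DS
    RDVRequireActiveDirectoryBackup = 1   # block encryption until AD backup succeeds
}

function Test-BitLockerToGoPolicy {
    param([string]$Key = $FvePolicyKey, [hashtable]$Required = $Expected)
    if (-not (Test-Path $Key)) {
        Write-Warning "No BitLocker policy key at $Key; Group Policy has applied no FVE settings."
        return $false
    }
    $props = Get-ItemProperty -Path $Key
    $ok = $true
    foreach ($name in ($Required.Keys | Sort-Object)) {
        $actual = $props.$name
        if ($null -eq $actual) {
            Write-Output ("MISSING  {0,-32} (expected {1})" -f $name, $Required[$name])
            $ok = $false
        } elseif ($actual -ne $Required[$name]) {
            Write-Output ("MISMATCH {0,-32} actual={1} expected={2}" -f $name, $actual, $Required[$name])
            $ok = $false
        } else {
            Write-Output ("OK       {0,-32} = {1}" -f $name, $actual)
        }
    }
    # The "allow access from earlier versions of Windows" policy (practice Three)
    # controls the discovery volume type; '<none>' means no FAT32 discovery
    # volume is created, so XP and Vista cannot read the drive.
    $disc = $props.RDVDiscoveryVolumeType
    if ($disc -and $disc -ne '<none>') {
        Write-Output "NOTE     RDVDiscoveryVolumeType = $disc (earlier Windows versions can read these drives)"
    }
    return $ok
}

if (Test-BitLockerToGoPolicy) { 'Recovery policy matches the recommended settings.' }
else { 'Recovery policy deviates from the recommended settings; review the GPO.' }
```

Run the script on a pilot machine after linking the GPO; each MISSING or MISMATCH line names a policy that still needs to be set in the Group Policy Editor.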

Five: Take Care with Smart Cards

Smart cards are a strong way to authenticate, but the IT team must think carefully before enabling them for encrypting removable drives: the public key and certificate thumbprint are stored unencrypted in the metadata on the drive, and that metadata lives on a FAT32 volume that BitLocker To Go creates.

This volume is hidden on Windows 7 but visible on earlier Windows versions. Someone who steals the device could use that metadata to determine which certificate authority the organization uses. By itself this may not mean much, but it is a step toward a breach.

Mitch Tulloch, a Microsoft Most Valuable Professional (MVP), is lead author of the Windows 7 Resource Kit from Microsoft Press. Learn more about him at www.mtit.com.