SECCT10: BitLocker™ Drive Encryption Deployment


1 SECCT10: BitLocker™ Drive Encryption Deployment
Russell Humphries, Senior Product Manager – Windows Vista Security

2 Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein. The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2006 Microsoft Corporation. All rights reserved.

3 Information Loss Is Costly
Information loss – whether via theft or accidental leakage – is costly on several levels.
Financial: The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004. Loss of revenue, market capitalization, and competitive advantage.
Legal & Regulatory Compliance: Increasing regulation (SOX, HIPAA, GLBA). Bringing a company into compliance can be complex and expensive. Non-compliance can lead to significant legal fees, fines and/or settlements.
Image & Credibility: Leaked executive e-mails can be embarrassing. Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility.

4 “BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.”

5 BitLocker Drive Encryption
BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.
Designed specifically to prevent the unauthorized disclosure of data when it is at rest.
Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication.

6 Security Management
(Diagram: the three competing goals – secure, usable, affordable)
Adapted from Jesper M. Johansson, “Security Management”, Microsoft TechNet

7 Who are these people?
(Chart of attacker types – Spy, Thief, Trespasser, Vandal, Author – plotted by motivation: National Interest, Personal Gain, Personal Fame, Curiosity; and by skill level: Script-Kiddy, Undergraduate, Expert, Specialist)

8 Who are these people?
(Same chart as slide 7 – Spy, Thief, Trespasser, Vandal, Author by motivation: National Interest, Personal Gain, Personal Fame, Curiosity; and by skill level: Script-Kiddy, Undergraduate, Expert, Specialist – annotated with: largest area by $ spent, largest area by $ lost, fastest growing segment, largest area by volume)

9 Spectrum of Protection
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

10 BitLocker disk layout

11 Ease of Deployment
Integration with existing infrastructure
Deployment features:
Functionality fully exposed by WMI
Supplied MMC plug-in
Integrates with Group Policy and Active Directory
Seamless integration with Longhorn Server; schema extensions available for Server 2003 SP1 and higher
Auto-escrow of recovery keys enabled by default
Confidential bit set on keys; readable only by administrators

12 BitLocker TPM Administration Storyboard – New Machine
Basic TPM Administration/Deployment (Note: steps 1-3 can be pre-configured by the OEM or SP)
1. Machine arrives at enterprise in un-initialized state.
2. Turn TPM on.
3. Check for physical presence by rebooting the machine and prompting the user at the BIOS screen for a key press.
4. Log back into Windows Vista.
5. Take ownership of the TPM.
6. Check for existence of the Endorsement Key (provided by the OEM).
7. Create the TPM Administration Password.
8. Commit changes to the TPM and initialize.
9. Publish the TPM Administration Password to AD/file.
10. TPM initialization complete.

13 BitLocker Enterprise Machine Deployment with TPM
(Diagram: Active Directory is prepared for BDE keys and CS keys; Windows Vista install; BDE installation; callouts: TPM script initialization, store TPM ownership password, BDE script setup, store BDE recovery key)
Windows Vista Install: BDE is only available in the Enterprise and Ultimate versions of Windows Vista. BDE requires a partition separate from the Windows Vista OS partition with a minimum free space of 350 MB. During installation the system is checked for the correct version of TPM (v1.2) and BIOS via Plug and Play. TPM & BDE drivers are installed.
BDE Initialization: Scripted initialization of the TPM. TPM ownership password saved to Active Directory. Remotely executed script. BDE policy saves the recovery key to AD. System encrypted. Inspect audit logs for successful completion of encryption.
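The deck says BitLocker's functionality is fully exposed by WMI and that deployment ends with verifying encryption and recovery-key escrow. The following is an added example (not code from the deck or from Microsoft) that performs that verification using the real Win32_Tpm and Win32_EncryptableVolume WMI classes; it assumes an elevated PowerShell session on a Windows machine with the BitLocker WMI provider, and the $EscrowToAD switch is an assumed parameter.

```powershell
# Added example: audit TPM state, BitLocker protection and key protectors via WMI.
param([switch]$EscrowToAD)   # assumed parameter: also push recovery passwords to AD

$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($null -eq $tpm) {
    Write-Warning 'No TPM visible; TPM-based protectors cannot be used on this machine.'
} else {
    # Each Win32_Tpm query method returns an object whose boolean field carries the state.
    $tpmState = 'TPM spec={0} enabled={1} activated={2} owned={3}' -f $tpm.SpecVersion,
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
    Write-Output $tpmState
}

# KeyProtectorType values as returned by GetKeyProtectorType.
$typeNames = @{ 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical password (recovery)';
                4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key';
                7 = 'Public key'; 8 = 'Passphrase' }

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
foreach ($v in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    $prot = $v.GetProtectionStatus().ProtectionStatus   # 0 = unprotected, 1 = protected, 2 = unknown
    $conv = $v.GetConversionStatus()                    # ConversionStatus 1 = fully encrypted
    # Protector IDs may be null on an unencrypted volume; drop empties before iterating.
    $ids  = @($v.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $kinds = @(foreach ($id in $ids) { $typeNames[[int]$v.GetKeyProtectorType($id).KeyProtectorType] })

    '{0} protection={1} conversion={2} ({3}%) protectors=[{4}]' -f $v.DriveLetter, $prot,
        $conv.ConversionStatus, $conv.EncryptionPercentage, ($kinds -join ', ')

    # Encrypted but unprotected means the protectors are disabled (the "turned off" state used
    # for firmware or service pack upgrades); flag it so it is not left that way.
    if ($conv.ConversionStatus -eq 1 -and $prot -eq 0) {
        Write-Warning "$($v.DriveLetter): encrypted but key protectors are disabled"
    }
    # The deck's policy escrows recovery keys to AD, which needs a numerical password protector.
    if ($prot -eq 1 -and $kinds -notcontains 'Numerical password (recovery)') {
        Write-Warning "$($v.DriveLetter): protected but has no recovery password to escrow"
    }
    if ($EscrowToAD) {
        foreach ($id in $ids) {
            if ([int]$v.GetKeyProtectorType($id).KeyProtectorType -ne 3) { continue }
            # Requires the AD schema extensions the deck mentions; ReturnValue 0 means success.
            $r = $v.BackupRecoveryInformationToActiveDirectory($id)
            if ($r.ReturnValue -ne 0) {
                Write-Warning ('AD backup of {0} on {1} failed: 0x{2:X8}' -f $id, $v.DriveLetter, $r.ReturnValue)
            }
        }
    }
}
```

Run it after the scripted deployment on each machine; a volume reporting conversion=1, protection=1 and a recovery protector is the end state the deck's audit step looks for.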

14 BitLocker Recovery
Example Recovery Scenario
Feature turned on. AD access via network.
Recovery key escrowed to AD and/or USB dongle.
User drops laptop and breaks motherboard.
HD from old broken machine put into new laptop with BDE enabled.
BDE can’t access the HD because the TPM key in the new laptop is different.
User launches BDE recovery:
User uses USB dongle to recover the drive.
-or-
User calls admin and the Administrator authenticates the user. Admin gets the correct recovery key from AD. Admin reads the key to the user over the phone. User types in the recovery key.
Recovery key is used to recover the drive.

15 System Upgrade with BitLocker™
Upgrading computers with BDE
1. Turn off BitLocker
2. Upgrade system: updated BIOS -- or -- install Service Pack
3. Turn on BitLocker – no encryption required
* If doing an update using Windows Update Services, the hash of the new component will already be calculated, so BitLocker will not need to be disabled to do the update.
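"Turn off BitLocker" in this three-step flow means disabling the key protectors, not decrypting the volume, which is why step 3 needs no re-encryption. The following is an added example (not from the deck) that carries out the flow with the DisableKeyProtectors and EnableKeyProtectors methods of Win32_EncryptableVolume; it assumes an elevated session on a fully encrypted machine, and $OsDrive and $Update are assumed parameters.

```powershell
# Added example: suspend and re-arm BitLocker protectors around a BIOS or service pack upgrade.
param(
    [string]$OsDrive = $env:SystemDrive,                                        # e.g. 'C:'
    [scriptblock]$Update = { Write-Output 'apply BIOS update / service pack here' }  # placeholder
)

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if ($null -eq $vol) { throw "No encryptable volume found for $OsDrive" }

function Get-BdeState {
    param($Volume)
    $c = $Volume.GetConversionStatus()
    [pscustomobject]@{
        Protection = $Volume.GetProtectionStatus().ProtectionStatus   # 1 = protectors active
        Conversion = $c.ConversionStatus                              # 1 = fully encrypted
        Percent    = $c.EncryptionPercentage
    }
}

# Step 1: disable the protectors. The volume stays encrypted; the volume master key is kept in
# the clear so the changed firmware/OS measurements do not trip the TPM boot validation.
$before = Get-BdeState $vol
if ($before.Conversion -ne 1) {
    throw "$OsDrive is not fully encrypted (conversion status $($before.Conversion)); finish encryption first"
}
$r = $vol.DisableKeyProtectors()
if ($r.ReturnValue -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
$suspended = Get-BdeState $vol
'After disable: protection={0} conversion={1}' -f $suspended.Protection, $suspended.Conversion  # 0 and 1

# Step 2: the actual upgrade (out of band). Reboot afterwards if the update requires it; the
# protectors stay disabled across the reboot, so the volume still boots without the TPM.
& $Update

# Step 3: re-enable the protectors. No data is re-encrypted; the VMK is simply re-sealed.
$r = $vol.EnableKeyProtectors()
if ($r.ReturnValue -ne 0) { throw ('EnableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
$after = Get-BdeState $vol
if ($after.Protection -ne 1 -or $after.Conversion -ne 1) {
    Write-Warning "Protectors not re-armed as expected: protection=$($after.Protection) conversion=$($after.Conversion)"
}
'After enable: protection={0} conversion={1} ({2}%)' -f $after.Protection, $after.Conversion, $after.Percent
```

Because a reboot is normally needed for a BIOS update, in practice the script is run as two halves (steps 1 and 2 before the reboot, step 3 after), with the verification the same in both.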



18 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
