Slide 3: Information Loss Is Costly
Information loss, whether via theft or accidental leakage, is costly on several levels.
Financial
- The U.S. Dept. of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
- Loss of revenue, market capitalization, and competitive advantage
Legal & Regulatory Compliance
- Increasing regulation: SOX, HIPAA, GLBA
- Bringing a company into compliance can be complex and expensive
- Non-compliance can lead to significant legal fees, fines and/or settlements
Image & Credibility
- Leaked executive e-mails can be embarrassing
- Unintended forwarding of sensitive information can adversely impact the company's image and/or credibility
Slide 4: "BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files."
Slide 5: BitLocker Drive Encryption
- BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.
- Designed specifically to prevent the unauthorized disclosure of data when it is at rest.
- Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
- Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication.
Slide 6: Security Management
[Triangle diagram: security management balances three competing goals, secure, usable and affordable.]
Adapted from Jesper M. Johansson, "Security Management", Microsoft TechNet
Slides 7-8: Who are these people?
[Chart: attacker categories plotted by motivation (National Interest, Personal Gain, Personal Fame, Curiosity) against skill level (Script-Kiddy, Undergraduate, Expert, Specialist), with the actor labels Spy, Thief, Trespasser, Vandal and Author placed on the grid. Slide 8 repeats the chart with four annotations: "Largest area by $ spent", "Largest area by $ lost", "Fastest growing segment" and "Largest area by volume".]
Slide 9: Spectrum of Protection
BitLocker offers a spectrum of protection, allowing customers to balance ease of use against the threats they are most concerned with.
Slide 11: Ease of Deployment
Integration with existing infrastructure / deployment features
- Functionality fully exposed by WMI
- Supplied MMC plug-in
- Integrates with Group Policy
Active Directory
- Seamless integration with Longhorn Server
- Schema extensions available for Server 2003 SP1 and higher
- Auto-escrow of recovery keys enabled by default
- Confidential bit set on the recovery-key attributes, so only administrators (or accounts explicitly granted read access) can read them
Slide 12: BitLocker TPM Administration Storyboard – New Machine
Basic TPM administration/deployment:
1. Machine arrives at the enterprise in an un-initialized state.
2. Turn the TPM on.
3. Check for physical presence by rebooting the machine and prompting the user at the BIOS screen for a key press.
4. Log back into Windows Vista.
5. Take ownership of the TPM.
6. Check for the existence of the Endorsement Key (provided by the OEM).
7. Create the TPM Administration Password.
8. Commit changes to the TPM and initialize.
9. Publish the TPM Administration Password to AD/file.
10. TPM initialization complete.
Note: steps 1-3 can be pre-configured (OEM, SP).
Slide 13: BitLocker Enterprise Machine Deployment with TPM
Prerequisites
- BDE is only available in the Enterprise and Ultimate editions of Windows Vista.
- BDE requires a partition separate from the Windows Vista OS partition with a minimum of 350 MB free space.
- Active Directory is prepared (schema extended) for BDE recovery keys and TPM owner passwords.
Windows Vista install / BDE installation
- During installation the system is checked for the correct TPM version (v1.2) and BIOS via Plug and Play.
- TPM and BDE drivers are installed.
BDE initialization
1. Scripted initialization of the TPM.
2. TPM ownership password stored in Active Directory.
3. Remotely executed BDE script/policy stores the recovery key in AD.
4. BDE script setup; system encrypted.
5. Inspect audit logs for successful completion of encryption.
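Slides 12 and 13 describe one scripted procedure: initialize and take ownership of the TPM, add protectors, escrow the recovery password to AD, then encrypt. The following Windows PowerShell script is an added example of that procedure over the WMI interfaces slide 11 refers to (Win32_Tpm and Win32_EncryptableVolume); it is not code from the original deck or from Microsoft. It assumes an elevated session on a domain-joined Vista Enterprise/Ultimate client with a v1.2 TPM; the owner passphrase and drive letter are placeholders.

```powershell
# Added example (not from the original deck): scripted TPM initialization and
# BitLocker enablement over WMI, following the order of the storyboard above.
# Assumptions: run elevated on a Vista Enterprise/Ultimate domain member; the
# owner passphrase and drive letter below are placeholders.

$OwnerPassphrase = 'ChangeMe-OwnerPassphrase'   # placeholder; normally generated, never typed by hand
$Volume          = 'C:'                          # OS volume to encrypt

$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No v1.2 TPM exposed by the TPM WMI provider' }

# Steps 2-3: enable and activate the TPM. The request is queued for the BIOS,
# which asks for physical presence (a key press) on the next reboot.
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    $r = $tpm.SetPhysicalPresenceRequest(6)       # 6 = Enable + Activate
    if ($r.ReturnValue -ne 0) { throw ('SetPhysicalPresenceRequest failed: 0x{0:X}' -f $r.ReturnValue) }
    Write-Warning 'Reboot, confirm at the BIOS prompt, then run this script again.'
    return
}

# Steps 5-8: take ownership. The provider derives the owner-auth blob from the
# passphrase, so the raw passphrase itself is never handed to the TPM.
if (-not $tpm.IsOwned().IsOwned) {
    if (-not $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
        $null = $tpm.CreateEndorsementKeyPair()      # OEMs normally pre-provision this
    }
    $ownerAuth = $tpm.ConvertToOwnerAuth($OwnerPassphrase).OwnerAuth
    $r = $tpm.TakeOwnership($ownerAuth)
    if ($r.ReturnValue -ne 0) { throw ('TakeOwnership failed: 0x{0:X}' -f $r.ReturnValue) }
}
# Step 9: the owner-auth backup to AD (ms-TPM-OwnerInformation) is driven by
# Group Policy, not by this script; confirm it landed before relying on it.

# Slide 13: add protectors, escrow the recovery password, then encrypt.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
          -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
if (-not $vol) { throw "Volume $Volume not found" }

# TPM protector with the default platform validation profile ($null).
$r = $vol.ProtectKeyWithTPM($null, $null)
if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithTPM failed: 0x{0:X}' -f $r.ReturnValue) }

# 48-digit numerical (recovery) password; $null lets BitLocker generate it.
$r = $vol.ProtectKeyWithNumericalPassword($null, $null)
if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X}' -f $r.ReturnValue) }
$recoveryProtectorId = $r.VolumeKeyProtectorID

# Escrow before encrypting: if the AD backup fails, do not leave the machine
# encrypted with a recovery password nobody holds.
$r = $vol.BackupRecoveryInformationToActiveDirectory($recoveryProtectorId)
if ($r.ReturnValue -ne 0) {
    $null = $vol.DeleteKeyProtector($recoveryProtectorId)
    throw ('AD backup failed: 0x{0:X}; recovery protector removed' -f $r.ReturnValue)
}

# Encrypt: 4 = AES-256 (Vista also offers 1/2 = AES-128/256 with diffuser, 3 = AES-128); flags 0.
$r = $vol.Encrypt(4, 0)
if ($r.ReturnValue -ne 0) { throw ('Encrypt failed: 0x{0:X}' -f $r.ReturnValue) }

# Poll until conversion leaves "EncryptionInProgress" (2); 1 = FullyEncrypted.
do {
    Start-Sleep -Seconds 30
    $s = $vol.GetConversionStatus()
    Write-Host ('{0}% encrypted' -f $s.EncryptionPercentage)
} while ($s.ConversionStatus -eq 2)

# This is the "inspect for successful end to encryption" check from slide 13.
$protection = $vol.GetProtectionStatus().ProtectionStatus   # 1 = protection on
"$Volume conversion status $($s.ConversionStatus), protection status $protection"
```

The ordering matters: the recovery protector is backed up to AD before Encrypt is called, and the script removes it again if the backup fails, so a machine never ends up encrypted with an unescrowed recovery password. The method argument order follows the MOF definitions of the two WMI classes, which is what the PowerShell WMI adapter uses for direct method calls.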
Slide 14: BitLocker Recovery
Example recovery scenario:
1. Feature turned on.
2. AD access via network.
3. Recovery key escrowed to AD and/or a USB dongle.
4. User drops the laptop and breaks the motherboard.
5. HD from the broken machine is put into a new laptop with BDE enabled.
6. BDE can't unlock the HD because the volume key was sealed to the old TPM; the new laptop's TPM holds a different key.
7. User launches BDE recovery:
   a. User uses the USB dongle to recover the drive.
   - or -
   b. User calls the help desk and the administrator authenticates the user.
   c. Admin gets the correct recovery key from AD.
   d. Admin reads the key to the user over the phone.
   e. User types in the recovery key.
8. The recovery key is used to recover the drive.
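Steps 7b-7d above are the help-desk side of recovery: find the escrowed recovery password that matches the key ID the user reads off the BitLocker recovery screen. The following Windows PowerShell function is an added example of that lookup against the msFVE-RecoveryInformation objects that the AD schema extension from slide 11 creates under each computer object; it is not code from the original deck or from Microsoft. It assumes the caller runs as an account delegated read access to those objects (the msFVE-RecoveryPassword attribute carries the confidential bit, so ordinary domain users cannot read it); the computer name and key ID in the usage line are placeholders.

```powershell
# Added example (not from the original deck): help-desk lookup of an escrowed
# BitLocker recovery password by computer name and recovery key ID.
# Assumptions: run as an account that can read msFVE-RecoveryInformation
# objects; the values in the usage line at the bottom are placeholders.

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        # First 8 hex characters shown as the "recovery key ID" on the recovery screen.
        [Parameter(Mandatory=$true)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$RecoveryKeyIdPrefix
    )
    # Locate the computer object; the recovery objects are its children.
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext)
    $searcher.Filter     = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $searcher.FindOne()
    if (-not $computer) { throw "Computer $ComputerName not found in AD" }

    # Enumerate every escrowed recovery password stored under the computer.
    $searcher.SearchRoot  = $computer.GetDirectoryEntry()
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    $null = $searcher.PropertiesToLoad.AddRange(@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'))

    foreach ($entry in $searcher.FindAll()) {
        # msFVE-RecoveryGuid is a 16-byte octet string; the recovery screen shows
        # the first 8 hex characters of that GUID as the key ID.
        $guid = New-Object Guid (,[byte[]]$entry.Properties['msfve-recoveryguid'][0])
        if ($guid.ToString('N').Substring(0, 8) -ieq $RecoveryKeyIdPrefix) {
            return New-Object PSObject -Property @{
                Computer         = $ComputerName
                RecoveryKeyId    = $guid.ToString()
                RecoveryPassword = [string]$entry.Properties['msfve-recoverypassword'][0]
                Escrowed         = $entry.Properties['whencreated'][0]
            }
        }
    }
    throw "No recovery password with key ID starting $RecoveryKeyIdPrefix found for $ComputerName"
}

# Usage (placeholder values). Authenticate the caller first; the 48-digit
# password returned here unlocks the volume on any machine.
Find-BitLockerRecoveryPassword -ComputerName 'LAPTOP-0042' -RecoveryKeyIdPrefix '3A7B887E'
```

Matching on the key ID rather than simply returning the newest object matters because a volume can accumulate several escrowed passwords over its life (one per protector change), and reading the wrong one over the phone just wastes the user's time. The lookup also gives the administrator an audit point: the account used here is exactly the account that needs the confidential-attribute read right, so its use should be logged and reviewed.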
Slide 15: System Upgrade with BitLocker™
Upgrading computers with BDE:
1. Turn off (disable) BitLocker.
2. Upgrade the system: update the BIOS, or install a service pack.
3. Turn BitLocker back on. No re-encryption is required: disabling BitLocker leaves the volume encrypted and only protects the volume key with a clear key until it is re-sealed to the TPM.
* If the update is applied through Windows Update Services, the hash of the new component is already calculated, so BitLocker does not need to be disabled for the update.
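The following Windows PowerShell functions are an added example of the three-step upgrade sequence above over Win32_EncryptableVolume, with the check a practitioner wants at each step: that "turning off" BitLocker for the update never decrypts the volume, and that a TPM protector is still attached when it is turned back on. This is not code from the original deck or from Microsoft; it assumes an elevated session on the Vista client, and the drive letter is a placeholder.

```powershell
# Added example (not from the original deck): suspend BitLocker for a BIOS or
# service-pack update, then re-enable it, verifying that the volume never
# leaves the fully encrypted state. Assumption: elevated session on the Vista
# client; the drive letter in the usage lines is a placeholder.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-BdeVolume([string]$DriveLetter) {
    $v = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $v) { throw "Volume $DriveLetter not found" }
    return $v
}

# Step 1. "Turn off BitLocker" on slide 15 means disabling the key protectors:
# the data stays encrypted, but the volume key is left on disk under a clear
# key, so anyone who boots the machine can read it. Keep this window short.
function Suspend-BdeForUpdate([string]$DriveLetter) {
    $v = Get-BdeVolume $DriveLetter
    if ($v.GetConversionStatus().ConversionStatus -ne 1) {     # 1 = FullyEncrypted
        throw "$DriveLetter is not fully encrypted; finish conversion before updating"
    }
    $r = $v.DisableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X}' -f $r.ReturnValue) }
    $protection = $v.GetProtectionStatus().ProtectionStatus    # expect 0 = protection off
    $conversion = $v.GetConversionStatus().ConversionStatus    # expect 1 = still fully encrypted
    "$DriveLetter protection=$protection conversion=$conversion (no data was decrypted)"
}

# Step 3. After the BIOS flash or service pack and a reboot, re-enable the
# protectors. The clear key is discarded and the TPM protector is re-sealed to
# the PCR values of the current boot, i.e. the updated firmware and boot files.
function Resume-BdeAfterUpdate([string]$DriveLetter) {
    $v = Get-BdeVolume $DriveLetter
    $r = $v.EnableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ('EnableKeyProtectors failed: 0x{0:X}' -f $r.ReturnValue) }
    # 1 = TPM protector type; make sure the volume is not left relying on the
    # recovery password alone.
    $tpmProtectors = @($v.GetKeyProtectors(1).VolumeKeyProtectorID)
    if ($tpmProtectors.Count -eq 0) { throw "$DriveLetter has no TPM protector after the update" }
    $protection = $v.GetProtectionStatus().ProtectionStatus    # expect 1 = protection on
    "$DriveLetter protection=$protection, $($tpmProtectors.Count) TPM protector(s)"
}

# Typical sequence (placeholder drive letter):
Suspend-BdeForUpdate 'C:'
# ... flash the BIOS or install the service pack, reboot, log back in ...
Resume-BdeAfterUpdate 'C:'
```

The ConversionStatus check in Suspend-BdeForUpdate is what distinguishes "disable" from "decrypt": if it ever reports anything other than 1 after DisableKeyProtectors, the wrong operation was run. The footnote on slide 15 applies to components delivered through Windows Update Services only; a vendor BIOS flash is not in that path, so it still needs the suspend/resume sequence.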