Jun 01 2010

Secure Transport

While BitLocker To Go can help protect data in transit, make sure to establish security rules of the road specifically for your users.

Privacy and security should be front and center for the IT team every time your company’s employees have to take confidential information offsite to work from home or while on the road.

In Windows Vista, Microsoft introduced BitLocker Drive Encryption, which reduces the risk that sensitive information on a lost or stolen notebook will be compromised. In Windows 7, Microsoft extends this feature with BitLocker To Go, which lets users encrypt USB flash drives and other USB removable storage devices so that confidential information stays protected while the device is in transit.

Here are five best practices IT staff should consider before allowing users to turn on BitLocker To Go.

One: Educate Your Users

Even if you have security policies that call for encrypting data in transit, it’s wise to write up a policy that explains BitLocker To Go and how to use it properly.

Be specific. Make sure users understand that they should unlock BitLocker-protected flash drives only on computers they trust. BitLocker protects data at rest; once a drive is unlocked, its contents are available in the clear to every program running on that computer. So if the computer is compromised and a user opens a file from the protected drive there, that file should be treated as compromised too.

Two: Encrypt Before Use

Ensure that users encrypt their flash drives before they copy any sensitive information onto these devices. Better yet, preconfigure the drives before companywide distribution.

Flash drives consist of erasable memory segments that support a limited number of rewrite cycles. To lengthen their usable life, device makers use a process called wear-leveling, which spreads rewrites across the entire drive. The catch is that a write does not necessarily replace the block it logically overwrites: the controller may remap it to a fresh cell and leave the old contents in place, where tools that read the flash directly can still recover them. Encrypting a drive that already holds data can therefore leave copies of the old plaintext behind that BitLocker never touches. If you encrypt drives before use, there is no plaintext to begin with.

Three: Use Group Policy

Windows 7 provides half a dozen Group Policy settings, under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives, for managing different aspects of BitLocker on removable storage devices. Administrators should familiarize themselves with these and then configure them appropriately for their environment.

For example, if the company doesn't want users to access data on encrypted drives from earlier versions of Windows, such as Vista or XP, set the policy "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" to Disabled. When that policy is enabled or not configured, BitLocker To Go creates a FAT32 discovery volume on FAT-formatted drives that carries the BitLocker To Go Reader for older Windows versions; disabling it stops that volume from being created. Likewise, "Deny write access to removable drives not protected by BitLocker" makes BitLocker To Go the only way to copy company data onto a flash drive.
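A quick way to see how those settings are actually landing on a Windows 7 client, as an added example that is not from the article or from Microsoft: Group Policy writes the removable-drive settings as RDV-prefixed values under HKLM\SOFTWARE\Policies\Microsoft\FVE, so a short PowerShell audit can compare them with the hardened choices this column argues for (write-deny, no discovery volume for earlier Windows versions, and the recovery settings covered in the next tip). The value names and the meaning of the numeric values are assumptions drawn from the Windows 7 ADMX; verify them against your own copy (and gpresult) before acting on the output.

```powershell
# Added example, not from the original article: read the BitLocker removable-drive
# ("RDV") policy values that Group Policy writes under the FVE key and flag the
# ones that are unset or weaker than the hardened value. Registry value names and
# numeric meanings are assumed from the Windows 7 VolumeEncryption.admx; confirm
# them against your own ADMX before treating this output as authoritative.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Name = registry value; Policy = what the GP editor calls it; Want = hardened
# value ($null means "report only, this is a site-specific decision").
$RdvChecks = @(
    @{ Name = 'RDVDenyWriteAccess';              Want = 1;        Policy = 'Deny write access to removable drives not protected by BitLocker' },
    @{ Name = 'RDVDiscoveryVolumeType';          Want = '<none>'; Policy = 'Allow access from earlier versions of Windows (Disabled => "<none>", no FAT32 discovery volume)' },
    @{ Name = 'RDVRecovery';                     Want = 1;        Policy = 'Choose how BitLocker-protected removable drives can be recovered' },
    @{ Name = 'RDVRecoveryPassword';             Want = 2;        Policy = '  Recovery password (0 = do not allow, 1 = allow, 2 = require)' },
    @{ Name = 'RDVRecoveryKey';                  Want = 2;        Policy = '  Recovery key (0 = do not allow, 1 = allow, 2 = require)' },
    @{ Name = 'RDVHideRecoveryPage';             Want = 1;        Policy = '  Omit recovery options from the BitLocker setup wizard' },
    @{ Name = 'RDVActiveDirectoryBackup';        Want = 1;        Policy = '  Save BitLocker recovery information to AD DS' },
    @{ Name = 'RDVRequireActiveDirectoryBackup'; Want = 1;        Policy = '  Do not enable BitLocker until recovery information is stored in AD DS' },
    @{ Name = 'RDVAllowUserCert';                Want = $null;    Policy = 'Configure use of smart cards on removable data drives' }
)

function Get-RdvPolicyAudit {
    # Emits one object per check with the value found and a status of
    # OK / REVIEW / NOT CONFIGURED / INFO. Written for PowerShell 2.0 (Windows 7).
    param([string]$Key = $FvePolicyKey, [object[]]$Checks = $RdvChecks)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$c.Name]) {
            $actual = $props.PSObject.Properties[$c.Name].Value
        }
        $status = 'REVIEW'
        if ($null -eq $actual) { $status = 'NOT CONFIGURED' }
        elseif ($null -eq $c.Want) { $status = 'INFO' }
        elseif ("$actual" -eq "$($c.Want)") { $status = 'OK' }   # string compare covers 1 vs "1" and "<none>"
        New-Object PSObject -Property @{
            Status = $status; Setting = $c.Name; Actual = $actual; Hardened = $c.Want; Policy = $c.Policy.Trim()
        }
    }
}

# Anything other than OK deserves a look; NOT CONFIGURED means the Windows default applies.
Get-RdvPolicyAudit | Sort-Object Status | Format-Table Status, Setting, Actual, Hardened, Policy -AutoSize
```

Run it from an elevated prompt on a domain-joined client after a gpupdate; a missing FVE key altogether means no BitLocker policy has reached the machine at all, which is itself a finding.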

Four: Create a Recovery Policy

An administrator needs to be able to recover data stored on a protected drive if the user forgets the password or loses his or her smart card. To do this, the administrator needs a recovery policy in place before the first drive is encrypted.

Some best practices, all of them options under the policy "Choose how BitLocker-protected removable drives can be recovered," include requiring BitLocker to generate both a 48-digit recovery password and a recovery key; preventing users from specifying recovery options themselves when they enable BitLocker; storing recovery information in Active Directory Domain Services; and preventing users from encrypting drives until the recovery information has been saved to AD DS. That last option is what makes the escrow dependable: without it, a drive encrypted while the computer is off the network is never backed up. Remember that a recovery password in AD DS unlocks the drive outright, so restrict who can read those attributes and audit that access.
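The encrypt-before-use advice from tip Two and the recovery settings above meet at provisioning time. The following PowerShell script is an added example, not code from the article or from Microsoft; it drives manage-bde.exe, the tool Windows 7 ships for this (the Enable-BitLocker family of cmdlets arrived later, in Windows 8). It assumes the drive letter and recovery-key folder you pass in, a domain-joined machine whose removable-drive recovery policy permits AD DS backup, and English manage-bde output for the parser; the protector listing embedded at the end is constructed so the parser can be tried without a drive.

```powershell
# Added example, not from the original article: provision a blank removable drive
# with BitLocker To Go on Windows 7 via manage-bde.exe, then escrow the recovery
# password in AD DS before the drive is handed out. Run from an elevated prompt.
# Assumptions: English manage-bde output (the parser keys on English labels),
# a domain-joined machine, and a recovery policy that allows AD DS backup.

function Get-BdeProtectorIds {
    # Turn the text of "manage-bde -protectors -get X:" into
    # @{ 'Numerical Password' = '{GUID}'; 'External Key' = '{GUID}'; ... }.
    param([string[]]$Lines)
    $ids  = @{}
    $type = $null
    foreach ($line in $Lines) {
        # A protector header is a bare label ending in ':'; its ID is on the next line.
        if ($line -match '^\s*(Numerical Password|External Key|Password|Certificate):\s*$') {
            $type = $Matches[1]; continue
        }
        if ($type -and $line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids[$type] = $Matches[1]; $type = $null
        }
    }
    return $ids
}

function Assert-DriveIsBlank {
    # Tip Two: encrypt before any data lands on the drive. Wear-leveling can leave
    # remapped copies of old plaintext that in-place encryption never overwrites.
    param([string]$Drive)
    $files = Get-ChildItem -Path "$Drive\" -Force -Recurse -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and $_.FullName -notmatch 'System Volume Information' }
    if ($files) {
        throw "$Drive already holds $(@($files).Count) file(s); reformat it or use a fresh drive before encrypting."
    }
}

function Invoke-RdvProvision {
    param(
        [Parameter(Mandatory=$true)][string]$Drive,           # e.g. 'E:'
        [Parameter(Mandatory=$true)][string]$RecoveryKeyDir   # folder on a DIFFERENT drive for the .BEK file
    )
    Assert-DriveIsBlank -Drive $Drive

    # -pw prompts for the user's unlock password, -rp adds a 48-digit recovery
    # password, -rk writes a recovery key (.BEK file) into the given directory.
    & manage-bde.exe -on $Drive -pw -rp -rk $RecoveryKeyDir
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed (exit code $LASTEXITCODE)" }

    $ids = Get-BdeProtectorIds -Lines (& manage-bde.exe -protectors -get $Drive)
    if (-not $ids['Numerical Password']) {
        throw 'No recovery password protector found; do not hand out this drive.'
    }

    # Tip Four: escrow the recovery password in AD DS before the drive leaves the building.
    & manage-bde.exe -protectors -adbackup $Drive -id $ids['Numerical Password']
    if ($LASTEXITCODE -ne 0) { throw "AD DS backup failed (exit code $LASTEXITCODE)" }

    # Encryption of a removable drive continues in the background; follow it with manage-bde -status.
    return $ids
}

# Constructed sample of "manage-bde -protectors -get E:" output (not captured from a
# real drive) so the parser can be exercised offline:
#   Get-BdeProtectorIds -Lines $SampleProtectorOutput
$SampleProtectorOutput = @'
Volume E: [USB]
All Key Protectors

    Numerical Password:
      ID: {1B2C3D4E-0000-4000-8000-000000000001}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

    External Key:
      ID: {1B2C3D4E-0000-4000-8000-000000000002}
      External Key File Name:
        1B2C3D4E-0000-4000-8000-000000000002.BEK

    Password:
      ID: {1B2C3D4E-0000-4000-8000-000000000003}
'@ -split "`r?`n"

# Usage on a real drive: Invoke-RdvProvision -Drive 'E:' -RecoveryKeyDir 'C:\BitLockerKeys'
```

The script refuses to proceed if the drive already holds files, and refuses to return until the recovery password has been written to AD DS, which is exactly the ordering the two tips ask for. If Group Policy already enforces "do not enable BitLocker until recovery information is stored in AD DS," the manage-bde -on step will itself fail off the network, and the script surfaces that as an error rather than a half-provisioned drive.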

Five: Take Care with Smart Cards

Smart cards are a great way to perform authentication, but the IT team must think through enabling them for unlocking removable drives. The reason is that the certificate's public key and thumbprint are stored unencrypted in the BitLocker metadata on the drive, and on FAT-formatted drives that metadata sits alongside the FAT32 discovery volume that BitLocker To Go creates. This key-protector metadata has to be readable before the drive is unlocked, so encryption cannot hide it; what you control is which certificates you issue for this purpose and how visible the drive is to other systems.

This volume is hidden on Windows 7 but visible on earlier Windows versions, and readable by anyone who has the drive in hand. Someone who steals the device could use the certificate to identify the organization's certificate authority, and with it the owner of the data. By itself this may not mean much, but it is a step toward a breach.

Mitch Tulloch, a Microsoft Most Valuable Professional (MVP), is lead author of the Windows 7 Resource Kit from Microsoft Press. Learn more about him at www.mtit.com.