On one hand, Microsoft says that BitLocker with pre-boot authentication (TPM + PIN) is the recommended best practice (See Here). On the other, Microsoft admits that BitLocker with their pre-boot authentication “inconveniences users and increases IT management costs.” A mixed message for any IT pro responsible for keeping devices compliant and secure.
Read on to discover the compliance shortfalls of BitLocker and how to address them.
The Rise of Windows 10
Just three short years ago – on July 29, 2015 – Windows 10 burst onto the scene with businesses adopting it faster than ever before. Today, focus lies on the threat landscape, as regulatory pressure for data privacy and security increases. You’ve got new regulations coming from the EU (e.g. GDPR), while current standards – such as HIPAA, PCI DSS and FISMA – are constantly evolving and consistently reference encryption as an effective control to help achieve compliance.
Microsoft’s answer to this building pressure is to use what is already in their toolbox, namely BitLocker and MBAM (Microsoft BitLocker Administration and Monitoring). However, that is not enough to be either compliant or secure.
Start With BitLocker
Let’s be honest, the main reason anyone looks to deploy encryption is for compliance, and BitLocker is a starting point. It offers fast, OS built-in encryption to mitigate unauthorized data access on lost or stolen devices. But does Microsoft BitLocker alone offer good enough protection? Simply put, no. In fact, a large financial customer of ours recently put BitLocker to the test, concluding it could not meet their security needs, even with MBAM.
Here were their findings:
FIPS 140-2 / PCI DSS
Federal Information Processing Standards (FIPS) Publication 140-2 is the U.S. government standard for approved cryptographic modules. It’s the first box any business looks to check when looking at encryption. Full disk encryption protects data on your drive, but it’s only effective when the encryption key is protected with strong authentication. BitLocker offers multiple options for authentication, yet it is not FIPS 140-2 compliant in TPM + PIN or TPM + Network Unlock mode (See Here). But the alternative – using TPM protection only, without user authentication – conflicts with PCI DSS requirements, since logical access must be separate from the native OS and access control mechanisms (See Here).
“Not requiring pre-boot authentication improves the user experience and speeds up boot times. However, doing so significantly deteriorates our defense-in-depth strategy negatively impacting compliance.” – Internal findings with a large enterprise
One of the simplest methods to improve security is with password policies. But to be effective, passwords need to be strong and updated periodically. BitLocker – with or without MBAM – cannot enforce PIN complexity, only PIN length. Even worse, BitLocker PINs are tied to the machine, not the user, so users must share PINs and remember a different PIN for every device they have access to. Not only are these poor password practices, they also don’t meet compliance requirements, including PCI DSS (See Here).
Reporting and Audits
When it comes to compliance, you need 1) protection and 2) proof. In this customer’s case, BitLocker clients only reported active encryption status when the system checked into MBAM. What about historical data? This reveals serious gaps in visibility, since devices could be decrypted, and they – like most businesses – need more than just real-time reports for audit; they need proof from the time a device is provisioned to its end-of-life.
“MBAM reporting doesn’t provide the required level of assurance of encryption status.” – Internal findings with a large enterprise
Most obviously, BitLocker is designed for Windows, and will only ever support Microsoft hosts, so additional full disk encryption and key management products must be calculated into security costs for macOS and Linux systems. Beyond endpoints, BitLocker must be managed via scripts on servers and virtual machines – whether on-prem or in the cloud. The result is multiple siloes in encryption and gaps in compliance visibility.
“Deploying MBAM to manage BitLocker would require us to employ at least two additional independent solutions for macOS and Linux impacting our compliance visibility.” – Internal findings with a large enterprise
It Gets More Serious
As the threat landscape evolves, businesses must take note of threats posed against not just their data, but also the security they employ to protect it. BitLocker is no exception.
Microsoft says this about BitLocker: “pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs” (See Here). That is why most businesses opt for TPM-only, yet Microsoft also states that the “TPM-only authentication method offers the lowest level of data protection,” which “can be affected by potential weaknesses in hardware or in the early boot components.” (See Here). So what choice do businesses have? They can either inconvenience users or leave devices exposed to cold boot and memory remanence attacks. In this case, our customer wasn’t willing to compromise.
“Without pre-boot authentication, compliance and security become solely reliant on the future state of Windows security and the specific hardware operating environment.” – Internal findings with a large enterprise
User Tampering / System Updates
When businesses deploy a security solution, they expect it to actively protect their systems and data at all times. However, BitLocker allows any user or application with elevated rights to suspend key protection or even decrypt the drive. Users can simply access Control Panel, Command Prompt or Windows PowerShell to tamper with encryption status or key protectors. In this customer’s case, there are over 14,000 users with local admin rights and frequent system updates. BitLocker on its own was just not enough.
“The fact that any user with administration rights can suspend BitLocker encryption creates a significant risk.” – Internal findings with a large enterprise
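The two gaps described above (no history of encryption status, and protection that a local admin can suspend) can be checked for on each host with the built-in Get-BitLockerVolume cmdlet. The script below is an added example, not code from Microsoft, WinMagic or the customer in this post: it flags volumes that are not fully encrypted, have protection suspended, or rely on TPM-only unlock, and appends a timestamped row on every run so an auditor has a record over time. The log path is a hypothetical location, and the script assumes it runs elevated (for example as a scheduled task).

```powershell
# Added example: run elevated on a Windows host with the BitLocker module.
# $LogPath is a hypothetical location; use a collector or share that
# local administrators on the endpoint cannot rewrite.
$LogPath = 'C:\ProgramData\BitLockerAudit\history.csv'

# Protector types that require the user to present something before boot.
$PreBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

$records = foreach ($vol in Get-BitLockerVolume) {
    # Collect protector type names; skip null entries on unprotected volumes.
    $types = @($vol.KeyProtector | Where-Object { $_ } |
        ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "VolumeStatus=$($vol.VolumeStatus)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # Covers both a suspended protector and a decrypted drive.
        $findings += 'ProtectionSuspendedOrOff'
    }
    $hasPreBoot = @($types | Where-Object { $PreBootTypes -contains $_ }).Count -gt 0
    if ($vol.VolumeType -eq 'OperatingSystem' -and
        ($types -contains 'Tpm') -and -not $hasPreBoot) {
        $findings += 'TpmOnlyNoPreBootAuth'
    }

    [pscustomobject]@{
        TimestampUtc     = (Get-Date).ToUniversalTime().ToString('o')
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionPct    = $vol.EncryptionPercentage
        Protectors       = $types -join ';'
        Findings         = $findings -join ';'
    }
}

# Append rather than overwrite: each run adds one row per volume.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$records | Export-Csv -Path $LogPath -Append -NoTypeInformation

# Show only volumes with at least one finding.
$records | Where-Object { $_.Findings } |
    Format-Table ComputerName, MountPoint, ProtectionStatus, Findings -AutoSize
```

A log written on the endpoint itself can be altered by the same local admins who can suspend BitLocker, so forward the rows to a central store if they are to serve as audit evidence.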
Close the Gaps with SecureDoc
We know BitLocker works seamlessly with Windows, offering fast encryption built into your Windows licenses. Yet, we also know that your business doesn’t operate on a single platform, and not everyone has access to the licensing required for MBAM. Even for those who do, experience shows that enterprises are not just looking for “administration and monitoring,” they require a trusted layer of security control and compliance.
WinMagic is helping businesses get the most out of BitLocker. Our solution doesn’t just manage BitLocker, it makes it smarter, simpler and more secure. We know the main reason anyone looks to deploy encryption is compliance, not user productivity. But the best part about SecureDoc is that it’s designed so you can have both. Most notably, our user-based PBA provides best-practice authentication, and market-leading tamper protection for BitLocker eliminates the risk of user tampering, providing enterprises the compliance assurance they need.
For more on this topic see: https://winmagic.com/blog/2018/03/27/microsoft-really-claiming-pre-boot-authentication-full-disk-encryption-not-necessary/