Security
BitLocker by default is designed for the opportunistic adversary, not the dedicated adversary. Enterprises need to understand that! Microsoft’s default setting is TPM-only mode, as it’s convenient for Single Sign-On. While convenient for users, it’s likely to fail the security sniff test with some data privacy regulations, as it does not do enough to protect data and leaves many of the controls needed to protect machines unaddressed. Having SecureDoc on Top for BitLocker will protect your intellectual property and sensitive data from a dedicated adversary who has skill and lengthy physical access much more effectively than TPM-only mode, because our pre-boot agent sits on top of BitLocker and enables user-based Pre-Boot Authentication with Single Sign-On, making the authentication process much more secure.
Definitions
We consider two different kinds of adversaries:
Opportunistic Adversary
The opportunistic adversary is just trying to compromise an individual user’s machine and/or data. They are not targeting a specific user or enterprise, and they are not going to steal the user’s machine to obtain the user’s data. If the opportunistic adversary does steal a device and the user’s data is in the clear, the opportunistic adversary may take it. This maps to Microsoft’s “Attacker with skill and lengthy physical access”.
Dedicated Adversary
The dedicated adversary may target a user or an enterprise specifically for attack. They are willing to steal devices to recover data or account credentials (not just to re-sell the device to make money). This maps to Microsoft’s “Attacker with skill and lengthy physical access”.
For a high security or highly regulated environment, where there are a mix of devices within the protected walls of the business, and outside of it, using SDOT shows auditors that the organization has taken the simple steps to go above and beyond basic protection.
By applying TPM + PIN, you’re adding a risk variable: the PIN is per device rather than per user, so it ends up shared and known by everyone who needs access to the machine. This clearly goes against basic security principles. The best way to overcome these concerns is by adding an additional layer of security like SecureDoc on Top for BitLocker. This will help ensure that each user has their own unique password to sign on at pre-boot.
By using SecureDoc’s Pre-Boot Network Authentication feature – PBConnex – the user access policies and credentials are verified over the network at pre-boot before the keys are delivered to the device.
Yes, data should always be protected unless it’s being used by the CPU. WinMagic’s SecureDoc helps solve this issue with our Simplified Patch Management via Pre-Boot Networking. This allows IT admins to roll out unattended software updates and patches in scenarios such as Wake-On-LAN (WOL) without having to temporarily suspend BitLocker, and without any costly or complex hardware.
Compliance
Unfortunately, with BitLocker only, this is not very easy. With SecureDoc on Top for BitLocker, we offer real-time compliance reporting and client pre-boot login auditing to help you figure out who the culprit was.
You need to be able to prove that the device was encrypted and have the auditing trail to avoid a breach notification. With SecureDoc, you can prove the device was always in an encrypted state.
With SecureDoc’s BitLocker Tamper Protection feature, your BitLocker-enabled devices are monitored in real time through the SecureDoc Enterprise Server. If a user attempts to disable or suspend BitLocker encryption, SecureDoc will automatically block and reverse these actions to ensure the system is always in a secure state. These actions are logged and audited for record-keeping purposes.
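The two points above, that TPM-only mode unlocks the OS volume with no user factor at boot and that a suspended BitLocker volume leaves the key in the clear, can both be checked locally with Microsoft’s own BitLocker PowerShell module. The script below is an added example, not WinMagic’s or Microsoft’s code: it reports each volume’s protector set, classifies the pre-boot authentication strength, flags suspended volumes and can resume them. The function name Get-BitLockerPostureReport and the finding strings are my own; the cmdlets, enum values and property names are those of the built-in BitLocker module, and it assumes an elevated session on Windows 10/11 or Server 2012 and later.

```powershell
# Added example (not WinMagic's or Microsoft's code): audit BitLocker protector
# configuration on the local machine, flag TPM-only OS volumes, and detect
# volumes whose protection has been suspended. Requires the built-in BitLocker
# PowerShell module and an elevated session.

#Requires -RunAsAdministrator

function Get-BitLockerPostureReport {
    [CmdletBinding()]
    param(
        # Resume protection on any volume found in a suspended state
        [switch]$ResumeSuspended
    )

    $osDrive = $env:SystemDrive   # e.g. "C:"

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values come from the BitLocker module's enum:
        # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, Password, RecoveryPassword, ExternalKey, ...
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Classify the pre-boot authentication strength from the protector set.
        # TpmPin / TpmPinStartupKey require something the user knows at boot;
        # Tpm alone unlocks with no user factor (Microsoft's default).
        $preBoot = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') { 'TPM+PIN' }
                   elseif ($types -contains 'TpmStartupKey') { 'TPM+StartupKey' }
                   elseif ($types -contains 'Tpm') { 'TPM-only' }
                   elseif ($types -contains 'Password') { 'Password' }
                   else { 'None' }

        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume is $($vol.VolumeStatus), not FullyEncrypted"
        }
        # Encrypted data with ProtectionStatus Off means the volume is suspended:
        # the volume master key is stored unprotected on disk until resumed.
        if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            $findings += 'protection is SUSPENDED (key stored in the clear)'
            if ($ResumeSuspended) {
                Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
                $findings += 'protection resumed'
            }
        }
        if ($vol.MountPoint -eq $osDrive -and $preBoot -eq 'TPM-only') {
            $findings += 'OS volume relies on TPM-only; no user factor at pre-boot'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector (nothing to escrow)'
        }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            PreBootAuth      = $preBoot
            Protectors       = ($types -join ',')
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: print the report; add -ResumeSuspended to re-enable protection on
# any volume that was suspended, mirroring a "reverse the suspend" policy.
Get-BitLockerPostureReport | Format-Table -AutoSize
```

Run it periodically (for example from a scheduled task that writes the objects to a central log) and the report doubles as evidence that a device stayed encrypted over time. Moving an OS volume from TPM-only to TPM+PIN is done with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')`, which only succeeds once the group policy "Require additional authentication at startup" permits a PIN; the per-device PIN this creates is exactly the sharing concern the page raises, and is what the user-based pre-boot authentication described above is meant to replace.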
Manageability
With SecureDoc on Top for BitLocker, resets are easy. Admins can reset passwords directly from Active Directory. There is also an audit trail for all activity.
With SecureDoc on Top for BitLocker, mobile or remote users can leverage Password Sync to Single Sign-On (SSO) while off the network, and users on the network can bypass pre-boot when connected to authorized wired or wireless networks, for ultimate flexibility in your mobile work environment.
SecureDoc can take over your BitLocker-protected devices from MBAM without ever having to decrypt.
WinMagic offers a multiple-OS FDE solution that includes SD Linux, OSA, Windows and FileVault 2.
SecureDoc provides several deployment methods that can adapt to the organization’s needs. For example, customers may deploy via SCCM, GPO, or through the admin. Each of these methods determines how the user/owner is staged. With our KeyFile Deployment and Zero-Touch Deployment, IT admins can deploy BitLocker-protected devices with no user interaction in TPM-only mode, or with minimal interaction in TPM+PIN mode. Keys are transparently transferred, and the user is designated as the device owner when they log in to Windows.
Improve user productivity and collaboration between Windows and macOS by allowing users to securely share encrypted removable media between operating systems. WinMagic’s RMCE provides OS-agnostic removable media protection for Windows and macOS, ensuring that access to data is secure, seamless, and not limited by the operating system.
Comprehensive Encryption
Yes; however, SecureDoc Enterprise Server offers a one-stop shop for all device-level encryption. Organizations can simply manage and protect all their devices – Windows, macOS and Linux – while reducing dependence on specific hardware configuration requirements.
Yes, you will, however, SecureDoc Enterprise Server offers a one-stop shop for all device-level encryption. Organizations can simply manage and protect all their devices – Windows, macOS and Linux – while reducing dependence on specific hardware configuration requirements.
WinMagic, through its SecureDoc SED Compatibility Program, works with almost all of the leading SED manufacturers to ensure standard TCG Opal drives are compatible with SecureDoc. PC OEMs look for WinMagic compatibility certification before qualifying Opal SEDs to be shipped in their devices.
See https://winmagic.com/partners/certification-program for a list of drive partners and a long list of tested and compatible drives.