I have always been a proponent of doing a security risk assessment in order to determine the amount and depth of controls required to protect information appropriately. Risk is a function of the probability and the impact of a successful attack. The higher the probability, and the higher the impact, the higher the risk.
For a given attack to be probable there needs to be some vulnerability to exploit and a threat. NIST defines threat as “Any circumstance or event with the potential to adversely impact organizational operations … through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.” ( https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf )
A threat becomes real when there is someone willing to exploit a vulnerability. NIST would call this person a Threat Actor defined simply as “An individual or a group posing a threat.”
Now what does a Threat and a Threat Actor look like in the world of Full Disk Encryption (FDE)? FDE is a control whose purpose is to “addresses the primary threat of unauthorized disclosure of protected data stored on a storage device. If an adversary obtains a lost or stolen storage device (e.g., a storage device contained in a laptop or a portable external storage device), they may attempt to connect a targeted storage device to a host of which they have complete control and have raw access to the storage device (e.g., to specified disk sectors, to specified blocks).”
https://www.commoncriteriaportal.org/files/ppfiles/CPP_FDE_EE_V1.0.pdf
This is where I think it is useful to define two different types of Threat Actors or, as I will call them, adversaries in the context of FDE:
The opportunistic adversary is trying to compromise a machine and/or data but they are not targeting a specific user or enterprise, and they are not going to steal the user’s machine to just obtain the user’s data. An example of an opportunistic adversary would be a thief that steals your laptop bag off the front seat of your car because you forgot to lock the car doors. If the opportunistic adversary does steal a device and the user’s data is in the clear, the opportunistic adversary may take it and try to sell it too.
The dedicated adversary may target a user or an enterprise specifically for attack. They are willing to steal devices to recover data or account credentials (not just to re-sell the device to make money). They may also be prepared to research attack methodologies and tools and spend considerable time and resources to get the data.
So when doing your risk assessment think about which kind of adversary you are facing. Even if you have already determined that you need FDE as a control it still can make a big difference in how you deploy it. The level of authentication required, the level operational overhead and the level of inconvenience that the user must endure differ depending on whether you are protecting against the opportunistic adversary or the dedicated advisory.
For example WinMagic’s SecureDoc Enterprise Encryption management platform has a comprehensive set of FDE solutions (or controls) for the enterprise. These include the unique capability of layering a full-fledged PBA (Pre-boot Authentication) layer on top of BitLocker. This solution, we call it SDOT for SecureDoc On Top, completely takes over the pre-boot authentication for BitLocker. Each user has unique login credentials with password quality policy applied or even a smart card for MFA (Multi-factor Authentication.) This PBA will frustrate even the most dedicated adversary but it does require the user to deal with PBA and the organization to manage it. The PBA runs on the machine before the OS is even decrypted and loaded making it very secure but also increasing the sensitivity of the PBA to different hardware models, NIC cards and even BIOS revisions.
On the other end of the spectrum the SecureDoc Enterprise Encryption management platform has a capability for managing BitLocker without any PBA at all. We call it SDBM (SecureDoc BitLocker Management). SDBM can be configured to manage BitLocker in its default mode of TPM-Only. As we have written in the past https://winmagic.com/blog/pre-boot-authentication-wisdom-in-security/ this is the least secure way to manage FDE or as Microsoft writes TPM-only mode is for “Attacker(s) without much skill or with limited physical access”. Yet if you do your risk assessment this may well be good enough to protect against the opportunistic adversary who is stealing the machine to resell it but will be easily discouraged if a cursory attempt to read the data fails. And the benefit? Almost complete transparency for the user and much less hardware and BIOS compatibility issues for IT departments with limited resources to master.
To recap, do a risk assessment. Maybe not all machines in your enterprise need to be protected with the highest level of PBA. Some might need full-fledged SecureDoc PBA and IT can focus those PBA deployments on a smaller number of machines that are known to be compatible. And if there is a compatibility problem or the risk assessment doesn’t mandate it consider a lighter touch approach for those machines and use SDBM.
