Determining an Encryption Strategy for Your Organization. Part 2: Laptop Computers

In this series of posts I’m going to cover several different technologies, included by default with Windows Vista, Windows 7, and Windows Server 2008, that you can use to protect your organization’s data.

In the last post I looked at what you could do to protect data on USB devices.

In this post I focus on Laptop computers. Although USB devices are easy to lose, the amount of data that they store pales in comparison to laptop computers. Surprisingly enough, given their size, laptop computers are easy to lose as well. In the last post I mentioned how the British Ministry of Defence had lost 121 USB sticks over a five year period from 2003 to 2008. Would you believe that the same Ministry of Defence managed to lose nearly 650 laptops over the same period? Here is the link again in case you missed it http://news.bbc.co.uk/1/hi/uk/7514281.stm. People seem to lose laptop computers more often than they lose car keys!

Laptops, unlike Windows Mobile devices, cannot be easily wiped remotely. Laptops hold a large number of sensitive documents and e-mail. If someone loses a laptop, it can take you some time to figure out exactly what organizational documents may have been exposed to the public. Generally speaking, the value of the information lost is going to exceed the value of the laptop. It just depends who finds the laptop ...

Just because laptops require a username and password to log on doesn’t mean that they are secure. If they aren’t protected properly, any half decent attacker can boot off a custom USB device and copy the contents of the hard drive. Some tools allow you to boot off a USB device and reset the local administrator password. This is particularly a risk with computers running Windows XP.(That is assuming that you even need a password. A friend of mine has a collection of photographs he’s taken of unattended but fully powered on laptops left idle in airport lounges. )

If the figures from the British MOD are to be believed there is a fair chance that a couple of people in your organization are going to misplace their laptop computers over the course of the next 12 months. So, what can you do about it?

Included with Windows Vista Enterprise and Ultimate editions (and, I assume, the equivalent editions of Windows 7), is BitLocker, a feature that allows a hard disk to be fully encrypted. It won’t save you from an executive who leaves a laptop computer open and logged on at the airport lounge while he wanders off to peruse the buffet, but it will reduce the chance of someone recovering data from a powered off laptop left in the back of a cab. Someone who finds it might get the hardware, but they won’t be able to extract any useful data from the BitLocker encrypted hard disk drive and sell it to your organization's rivals.

The advantage of BitLocker over other solutions, such as TrueCrypt, is that you can fully integrate BitLocker into your Active Directory Infrastructure as a way of centrally managing it. This also allows you to automatically archive BitLocker keys in Active Directory, making recovery simpler. If you need to recover a volume, you can extract the key from Active Directory and then use the BitLocker recovery tool. Windows 7 is reported to simplify BitLocker even more, allowing the use of a single organization wide encryption key.

Given the staggering statistics related to people misplacing laptops, organizations need to ensure that the organizational data that does leave the premises in user laptops is protected in the event that the laptop computer is mislaid. There are other solutions available such as PGPDisk and TrueCrypt, but the advantage of BitLocker is the centralized key archiving. PGPDisk and TrueCrypt are better solutions when you want to protect a couple of computers rather than several hundred.

You can find out more about BitLocker at the following address:http://technet.microsoft.com/en-us/windows/aa905065.aspx