Top 10 Reasons for Deploying BitLocker on Branch Office Servers


1. Information Loss is Costly

Information is the key asset of the IT industry. Losing this asset, or letting it fall into the wrong hands, can be equally damaging for all businesses, whether small, medium or large. In 2004, the U.S. Department of Justice estimated that intellectual property theft cost enterprises $250 billion. Whether it’s Personally Identifiable Information (PII), individual health or financial records, employee HR records, an organization’s operational data or other intellectual property, losing information can cause a lot of damage to an organization. The more sensitive data your organization stores, the higher the risk. Beyond loss of revenue, loss of market credibility and competitive disadvantage, it can also bring non-compliance penalties.


2. Governance & Regulations

Regulations around data protection, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the European Data Protection Supervisor (EDPS), are increasing around the globe, and non-compliance penalties can be significant. Irrespective of business size, locale or activity, regulatory conditions are getting stricter for protecting data at all stages, including data at rest, data in transit, hardware transportation and safe hardware disposal. The implications of non-compliance grow more severe with the sensitivity of the data a business keeps.


3. Equipment theft or loss isn’t limited to laptops or mobile devices

While the mobility of a device makes it much more prone to theft or loss, mobility isn’t the only factor adding to data loss risk. A number of incidents have been reported where IT equipment, especially server systems, was stolen during a physical break-in at business premises. This is a particular concern for small and medium businesses and branch office servers: given the nature of the business and its IT infrastructure, not every server and storage medium is enclosed behind iron walls. Think of the desktops and servers around you and it won’t be hard to see what could be exposed in a physical break-in.


4. Physical protection is not enough

Even when servers are in iron cages and staff are physically guarding the data, data in clear text remains at risk. Studies have shown that despite high levels of physical protection, such as in secure data centers, thousands of data drives leave data centers every day. While some drives go out for reasons like repair, return or re-provisioning, others are stolen or lost. In other cases, data cloning (e.g. for maintenance or outsourcing) adds to the risk of data loss without the data ever leaving its secure physical boundary. Essentially, data remains vulnerable until the data itself is protected by encryption or a similar technique.



5. Safe decommissioning or re-provisioning of disks

Decommissioning or re-provisioning a server or its hard drives is part of the hardware lifecycle in any business, and ensuring that it is done safely is becoming a critical consideration for organizations. This requirement has led organizations to adopt a variety of mechanisms, most of them cumbersome. By providing the capability to destroy the Volume Encryption Keys, BitLocker offers a reliable and easy way to dispose of data safely: once the keys are gone, the ciphertext left on the disk is useless. This simple and secure method can save many hours of data reclamation effort and can significantly help in retaining and proving compliance.


6. Safe transportation of pre-configured systems or disks

Transporting provisioned systems or data drives is a common branch office and enterprise scenario. People carrying their data drives with them, or sending data drives out for repair, aren’t uncommon either. In all such scenarios it’s important to protect the data on the disks so that a misplaced disk doesn’t result in information loss or theft. BitLocker gives branch offices and enterprises a reliable way to reduce that risk and transport data drives with higher confidence. With BitLocker, data can be protected with a PIN at one end and accessed by authorized personnel at the other end.


7. Retain boot integrity and enable multi-factor authentication via TPM

BitLocker can provide authentication for different needs and security levels. It uses the TPM (Trusted Platform Module v1.2) to validate the boot integrity of the system. BitLocker can also combine the TPM with a PIN, with a startup key, or with both a PIN and a startup key. Where server systems are headless, i.e. have no keyboard, mouse or video display, or no accessible USB port, TPM-only authentication avoids the need for manual intervention to enter a PIN or insert a startup key.


8. Smooth integration with Active Directory and policy based controls

BitLocker integrates natively with Active Directory to support a number of scenarios, such as automated backup of certain BitLocker parameters like the recovery password. With granular Group Policies, a BitLocker deployment can be highly customized for its environment. The fact that Active Directory is a mature and well-understood technology means BitLocker integration with Active Directory causes minimal impact to the existing ecosystem, reduces the learning curve and speeds up deployments. Familiarity with Active Directory also helps BitLocker deployment professionals explore and leverage the information stored in AD for a variety of purposes, such as enhanced logging and auditing.


9. BitLocker is already in the Operating System

With Windows Server 2008 or Windows Server 2008 R2, BitLocker is available as a user-installable feature in all x64 editions. Protecting your data at rest at no additional cost is just a few mouse clicks away.


10. Drive encryption is a one-time task

Enabling BitLocker on a disk volume is a one-time task. When BitLocker is first enabled on a volume it encrypts the whole volume; after that, no specific effort is required to keep the data encrypted, as new writes are encrypted transparently. Depending on the quality of the hard drive, the initial encryption time can vary, but the benefits simply outweigh this one-time effort.
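Reasons 5, 7, 8 and 10 describe the pieces of a branch office rollout; the following PowerShell script, added here as an example and not part of the original post, strings them together with manage-bde.exe on a headless server. It assumes Windows Server 2008 R2 or later with an elevated PowerShell session, an enabled and owned TPM 1.2, the OS volume on C:, and the Group Policy that stores BitLocker recovery information in AD DS already applied.

```powershell
# Added example, not from the original post: enable BitLocker on a headless
# branch office server with manage-bde.exe (reasons 7, 8 and 10), then the
# decommissioning step from reason 5. Assumptions: Windows Server 2008 R2 or
# later, elevated PowerShell, TPM 1.2 enabled and owned, OS volume on C:, and
# the "store BitLocker recovery information in AD DS" policy already applied.

$Drive = 'C:'

# 1. Check the TPM before relying on TPM-only authentication (reason 7).
#    Win32_Tpm lives in the root\cimv2\security\microsofttpm namespace.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsOwned().IsOwned) {
    throw 'TPM is missing, disabled or unowned; headless TPM-only protection needs it.'
}

# 2. Add a recovery password first, so the volume is never protected by the
#    TPM alone without an escrowed fallback (a headless box has no way to
#    type a PIN if the TPM measurements change after a firmware update).
manage-bde -protectors -add $Drive -RecoveryPassword

# 3. Escrow that recovery password in Active Directory (reason 8). The
#    -adbackup switch needs the protector ID, which -get prints as "ID: {GUID}".
$match = manage-bde -protectors -get $Drive -type RecoveryPassword |
    Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' | Select-Object -First 1
if (-not $match) { throw 'No recovery password protector found on the volume.' }
$id = $match.Matches[0].Groups[1].Value
manage-bde -protectors -adbackup $Drive -id $id

# 4. Add the TPM protector (no PIN, no USB startup key) and start the one-time
#    encryption (reason 10). On an OS volume manage-bde first runs a hardware
#    test and asks for a restart; encryption begins after that reboot while
#    the server keeps serving.
manage-bde -protectors -add $Drive -tpm
manage-bde -on $Drive

# 5. Report conversion status and the protectors now on the volume; confirm
#    the computer object in AD holds the recovery password before calling
#    the rollout done.
manage-bde -status $Drive
manage-bde -protectors -get $Drive

# --- Decommissioning (reason 5): run only when the disk is being retired ---
# Deleting every key protector makes the volume encryption key unrecoverable
# from the disk itself, which is the "destroy the keys" disposal the post
# describes. Remove the escrowed copy from AD as well if policy allows.
# manage-bde -protectors -delete $Drive
```

On Windows Server 2008 (without R2) the same switches are available through the script version, `cscript manage-bde.wsf`, rather than manage-bde.exe.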


Useful references:

· BitLocker Drive Encryption in Windows 7 - Frequently Asked Questions

· System Integrity Blog for BitLocker know-how.


Still have questions? Feel free to submit them here or send them my way ( - after removing online from this address).


-Tanu Mutreja.