Chapter 5: Choosing the Right Solution
Published: April 04, 2007
To choose the appropriate combination of encryption technologies, you need to understand the risks to the data that needs protection. You can then assign a value to that data (ensuring that you include both direct and indirect costs) and choose a solution that provides the best return on your investment while also providing an adequate level of protection.
The following Risk Mitigation Summary table lists data risks and indicates whether one or a combination of the encryption technologies described in this guide mitigates each risk. Risks that are mitigated for a specific option are marked with the letter Y. Hyphens (-) indicate risks for which the specific option provides little or no mitigation.
Table 5.1. Risk Mitigation Summary
Using the Risk Mitigation Summary Table
The table can be used to select the technologies and configurations that you need to deploy to achieve your organization's desired security posture. Because the encryption technologies are also affected by operating system configuration and policy, the table and the listed risks can also be used to understand the impact of other security policies on the encryption solution.
For example, one observation from the table is that for almost every option, organizations must configure the “resume from standby” behavior to achieve a reasonable security level with any of the Microsoft technologies described in this guide. The system setting that is displayed in the user interface as Prompt for password when computer resumes from standby can be configured either through Group Policy or by running scripts that adjust registry settings.
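The following script is an added example, not part of the Microsoft guide, of the kind of audit a deployment team would run to confirm that the resume-from-standby password prompt is actually in force on a mobile PC. It uses the built-in powercfg tool rather than editing registry keys directly. The two GUIDs are assumed values for the “Require a password on wakeup” power setting and the subgroup it belongs to; confirm them against the output of `powercfg -query` on your own build before relying on the script.

```powershell
# Added example (not from the Microsoft guide): audit and optionally enforce the
# "Prompt for password when computer resumes from standby" setting on the active
# power scheme. Run from an elevated PowerShell prompt on Windows Vista or later.
#
# Assumed identifiers (verify with `powercfg -query` on your own systems):
$subgroupGuid = 'fea3413e-7e05-4911-9a71-700331f1c294'  # assumed: settings belonging to no subgroup
$settingGuid  = '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'  # assumed: "Require a password on wakeup"

function Get-ActiveSchemeGuid {
    # `powercfg -getactivescheme` prints a line such as:
    #   Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced)
    $text = powercfg -getactivescheme | Out-String
    if ($text -match '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})') {
        return $matches[1]
    }
    throw 'Could not determine the active power scheme.'
}

function Get-WakeupPasswordState {
    param([string]$SchemeGuid)
    # Query the whole subgroup, then read the AC and DC indexes that follow the
    # wakeup-password setting's GUID. An index of 1 means a password is required.
    $text = powercfg -query $SchemeGuid $subgroupGuid | Out-String
    $pattern = "(?s)Power Setting GUID:\s*$settingGuid.*?" +
               'Current AC Power Setting Index:\s*0x([0-9a-f]+).*?' +
               'Current DC Power Setting Index:\s*0x([0-9a-f]+)'
    if ($text -match $pattern) {
        return @{
            AC = [Convert]::ToInt32($matches[1], 16)
            DC = [Convert]::ToInt32($matches[2], 16)
        }
    }
    throw "Setting $settingGuid was not found in scheme $SchemeGuid; check the assumed GUIDs."
}

function Set-WakeupPasswordRequired {
    param([string]$SchemeGuid)
    # 1 = require a password on wakeup (both on mains and on battery), 0 = do not.
    powercfg -setacvalueindex $SchemeGuid $subgroupGuid $settingGuid 1
    powercfg -setdcvalueindex $SchemeGuid $subgroupGuid $settingGuid 1
    # Re-activating the scheme makes the new values take effect immediately.
    powercfg -setactive $SchemeGuid
}

# --- Audit, and enforce if either the mains or battery value is not compliant ---
$scheme = Get-ActiveSchemeGuid
$state  = Get-WakeupPasswordState -SchemeGuid $scheme
Write-Host ("Active scheme {0}: AC={1} DC={2}" -f $scheme, $state.AC, $state.DC)

if ($state.AC -ne 1 -or $state.DC -ne 1) {
    Write-Host 'Password on resume is NOT required for at least one power source; enforcing.'
    Set-WakeupPasswordRequired -SchemeGuid $scheme
    $state = Get-WakeupPasswordState -SchemeGuid $scheme
    Write-Host ("After enforcement: AC={0} DC={1}" -f $state.AC, $state.DC)
} else {
    Write-Host 'Compliant: a password is required when the computer resumes from standby.'
}
```

Checking both the AC (mains) and DC (battery) index matters for mobile PCs: a laptop that is compliant when docked but not on battery is still exposed in exactly the situation the table flags. Where the setting is delivered through Group Policy instead, the same audit still applies, since powercfg reports the effective value; keep the script in a scheduled compliance check rather than running it once.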
Adding Security in Low-Threat Environments
Some organizations have relatively modest security requirements, but they still want the additional protection of knowing that data on their mobile PCs is encrypted. For these organizations, BitLocker with a TPM and PIN will provide strong security with minimal operational overhead (apart from the requirement to ensure that protected data is recoverable by authorized users). If your organization is not able to deploy BitLocker, EFS will mitigate the threat of data access by unauthorized users on both Microsoft Windows® XP and Windows Vista™. Running EFS on Windows Vista will also help mitigate the risk of data leakage from the system paging file. However, you will still need additional mitigations to protect against other attacks, including offline attacks against the operating system and attempts to steal key material.
Protecting Personally Identifiable Information
If your organization needs to protect personally identifiable information (PII) on employee laptops from outside threats, and your risk assessment indicates that protection against medium-difficulty attacks is adequate, you could choose to deploy BitLocker with a TPM and PIN. With this solution, the main outsider risk that still requires mitigation is a computer left in unprotected standby or sleep mode, which you can address through Group Policy or scripts that adjust registry settings.
For environments in which you need to protect PII but cannot use BitLocker with a TPM, you should consider deploying EFS in conjunction with the Microsoft Encrypting File System Assistant tool (EFS Assistant). This option helps protect against a number of low-difficulty attacks, and for additional security you can require the use of EFS with smart cards to add an authentication factor.
However, when you deploy EFS with software key storage, remember that the security of the EFS-protected data depends on the ability of a user to log on. Weak logon passwords, shared computer accounts, or other security weaknesses can reduce the security of your EFS deployment, and you should mitigate those weaknesses as part of your EFS deployment.
Protecting Extremely Sensitive Data
For organizations that require the very strongest security protection against both insiders and outsiders, a solution that combines BitLocker and EFS will protect against moderately difficult to very difficult attacks as discussed in this guide. For example, if your organization has particular restrictions or requirements for key space sizes, you can combine the adjustable key length of EFS with the full-volume encryption capabilities of BitLocker to effectively mitigate a wide range of threats.
The two technologies described in this guide, BitLocker and EFS, are different but complementary approaches to data encryption. EFS protects data in files and folders on a per-user basis, and BitLocker provides full-volume encryption for the system volume on Windows Vista computers. BitLocker provides pre-boot integrity checking and encryption, and it protects the system volume against a wide range of offline attacks, but it does not provide user authentication. EFS complements BitLocker by restricting access to encrypted files to properly authenticated users on a running computer.
This Security Analysis guide describes how BitLocker and EFS can be used to mitigate a range of security risks. By carefully evaluating the actual risks in your organization and the mitigations described in this guide, you will be able to choose a combination of technologies and options that provides the necessary protection for your sensitive data.