Educause Security Discussion mailing list archives
Re: BitLocker
From: "Camacaro Latouche, Jose David" <jcamacar () IU EDU>
Date: Mon, 8 Jul 2019 16:25:53 +0000
> I was wondering if your institution is using BitLocker?

Yes, it is.

> How was your rollout process? And how are the general operations of BitLocker going?

Keeping in mind a decentralized IT community within my institution, I will speak about the two I know:

* The predominant method: The majority of Windows workstations are built via System Center Configuration Manager before handing them to end-users. During the build process, IT professionals go through the set of prompts, which includes encryption options. Encrypting the OS volume with BitLocker is set to "Yes" by default, so if IT professionals would like to NOT encrypt the OS volume, it would have to be a deliberate decision. If all conditions are met during OSD, the recovery key is escrowed in Active Directory Domain Services.
* The decentralized method: A few IT shops create and manage their own BitLocker GPOs.

> Are you using TPM? (+ PIN)? (or did you consider using +PIN and didn't implement in the end? Why?)

Since I am heavily involved in the predominant method described above, I will speak to that one only: TPM only. No PIN, because our SCCM's OSD process caters for a large diversity of IT professionals, who in turn serve an even higher diversity of end-users (e.g. academia, research, administration, healthcare, etc.) with their own set of IT policies and standards.

> Do users lose their PIN all the time?

See previous answer.

> Is the PIN useless because users put their laptop into sleep mode?

See previous answer.

> We are also looking for Best Practices. Is there a "best practice"? Or does it really depend on our risk appetite?

A few personal notes and observations from my own experience (and by no means do I treat them as "absolute truths"):

* Managing power/sleep configurations is much easier than managing end-users' PINs. And frankly, safer and greener.
* Escrowing the recovery key in AD and using TPM is clean, easy and secure.
* Can you control who the end-users share the PIN with (even if they have been instructed not to)? Most likely not.
* Can you control management of recovery keys in AD? Most likely yes.
* Will end-users perceive a pre-boot PIN prompt as a 2nd authentication layer of inconvenience, more than an additional security control for defense in depth? Perception is reality, and if it is academia we are talking about, I'd say most likely yes.
* Our default encryption choice encrypts used space only [1], which is sufficient for new, out-of-the-box devices. But in the encryption settings of our OSD process, we provide an additional option for "full encryption", which makes the OSD process take much longer, since the volume is fully encrypted before carrying on with the next steps of the OSD. We recommend this option for IT professionals who are re-building re-purposed endpoints, where there is knowledge or uncertainty that the previous end-user had sensitive data stored on it. Whether this constitutes an alternative to other disk wiping methods (e.g. DBAN) or not depends on the flexibility of your own IT policies and guidelines.
* Over the past few years, hardware has evolved with a focus on security: newer versions of TPM, UEFI, firmware, etc. Which in turn allows us, IT security professionals, to rely less on how safe end-users keep their PINs, and to rely more on the layers we can actually control. I do not mean to diminish end-users' ability to be digitally safe, but statistically speaking, it's about risk mitigation: exploiting vulnerabilities in TPM is way less likely than stealing a misplaced (or neglectfully shared) PIN.

I hope this helps.

Sincerely,
Jose Camacaro Latouche
UITS Leveraged Services Endpoint Management
INDIANA UNIVERSITY

Further reading:
[1]: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#used-disk-space-only-encryption

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of St-Jean, Daniel
Sent: Friday, June 28, 2019 5:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] BitLocker

I was wondering if your institution is using BitLocker? How was your rollout process? And how are the general operations of BitLocker going?

Are you using TPM? (+ PIN)? (or did you consider using +PIN and didn't implement in the end? Why?) Do users lose their PIN all the time? Is the PIN useless because users put their laptop into sleep mode?

We are also looking for Best Practices. Is there a "best practice"? Or does it really depend on our risk appetite?

Thank you in advance,

Daniel St-Jean
Senior Systems Analyst
Banff Centre for Arts and Creativity
107 Tunnel Mountain Drive, Box 1020, Banff, Alberta, Canada T1L 1H5
Tel: 403.762.6263
banffcentre.ca <http://www.banffcentre.ca/>

Banff Centre for Arts and Creativity is located on the lands of Treaty 7 territory. We acknowledge the past, present, and future generations of Stoney Nakoda, Blackfoot, and Tsuut'ina Nations who help us steward this land, as well as honour and celebrate this place.
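The baseline the reply describes (OS volume encrypted with a TPM-only protector, recovery password escrowed in AD DS, used-space-only encryption by default with full encryption reserved for re-purposed hardware) can be audited, and where needed applied, from PowerShell. The script below is an added example; it is not code from either poster nor from IU's OSD task sequence. It uses only the built-in BitLocker and TrustedPlatformModule cmdlets and assumes an elevated session on a domain-joined machine whose GPO permits AD DS recovery-information backup. The function name Test-BitLockerBaseline and the -Remediate and -FullEncryption switches are this example's own.

```powershell
# Added example: audit a workstation against a TPM-only, AD-escrowed BitLocker
# baseline and optionally bring it into line. Assumes the BitLocker and
# TrustedPlatformModule modules (Windows 10 / Server 2012 R2 and later), a
# domain-joined machine with a GPO that allows AD DS recovery backup, and an
# elevated session. Function and switch names are this example's own.

function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Enable BitLocker (TPM-only) and add a recovery password if missing.
        [switch]$Remediate,
        # Encrypt the whole volume instead of used space only (re-purposed hardware).
        [switch]$FullEncryption
    )

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on this machine; TPM-only protection is not possible."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmProtectors      = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    $recoveryProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($Remediate) {
        # Create the recovery password first so a recovery path exists before the
        # volume is bound to this TPM.
        if ($recoveryProtectors.Count -eq 0) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
        if ($tpmProtectors.Count -eq 0) {
            $encArgs = @{ MountPoint = $MountPoint; TpmProtector = $true; SkipHardwareTest = $true }
            # Used-space-only is the default choice; -FullEncryption mirrors the
            # slower "full encryption" OSD option for re-purposed endpoints.
            if (-not $FullEncryption) { $encArgs['UsedSpaceOnly'] = $true }
            Enable-BitLocker @encArgs | Out-Null
        }
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $tpmProtectors      = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        $recoveryProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # Escrow every recovery password protector to AD DS. Re-escrowing an already
    # backed-up protector is harmless; a failure here (no GPO, no DC reachable) is
    # exactly the "not all conditions met" case an OSD task sequence must surface.
    $escrowed = 0
    foreach ($rp in $recoveryProtectors) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            $escrowed++
        } catch {
            Write-Warning "AD DS escrow failed for protector $($rp.KeyProtectorId): $($_.Exception.Message)"
        }
    }

    # Report protector IDs and counts only; the recovery password itself is never emitted.
    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        ProtectionStatus   = $vol.ProtectionStatus
        VolumeStatus       = $vol.VolumeStatus
        EncryptionMethod   = $vol.EncryptionMethod
        HasTpmProtector    = $tpmProtectors.Count -gt 0
        HasPinProtector    = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin').Count -gt 0
        RecoveryProtectors = $recoveryProtectors.Count
        EscrowedToAd       = $escrowed
        Compliant          = ($vol.ProtectionStatus -eq 'On') -and
                             ($tpmProtectors.Count -gt 0) -and
                             ($escrowed -gt 0)
    }
}

# Usage:
#   Test-BitLockerBaseline                              # audit only
#   Test-BitLockerBaseline -Remediate                   # enable TPM-only, used space only
#   Test-BitLockerBaseline -Remediate -FullEncryption   # re-purposed hardware
```

The Compliant flag deliberately ties together the three things the reply relies on: protection is on, the protector is the TPM (no PIN to lose or share), and at least one recovery password has actually been written to AD DS during this run rather than merely existing on the volume. HasPinProtector is reported so a fleet-wide run can spot the decentralized shops that chose TPM+PIN under their own GPOs.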