1.1 Data Encryption Solution
Full disk encryption (FDE), also known as whole disk encryption (WDE), is a security safeguard that protects all data stored on a hard drive from unauthorized access using disk-level encryption [1]. To protect sensitive university data, encryption is necessary and should be implemented appropriately, in combination with suitable access controls. When FDE is employed, all data is encrypted by default, taking the security decision out of the hands of the user. A good encryption software solution should be able to perform a wide range of tasks, including drive encryption, file and removable media protection, and management of the native encryption functionality offered by Apple’s FileVault 2 on Mac OS X and Microsoft’s BitLocker on Windows. The purpose of this report is to provide directions and ideas for implementing full disk encryption in a college department setting, and also to identify bad practices when it comes to securing confidential data. The following topics are covered in this report:
· An Overview of BitLocker Encryption (Windows).
· An Overview of FileVault 2 Encryption (Mac).
· Finding a Good Encryption Solution.
· WinMagic’s SecureDoc Enterprise.
· What I think of Using SecureDoc by WinMagic.
· Barriers to Finding a Good Encryption Solution.
This document applies to all devices and computers storing or transmitting college or departmental data belonging to the university.
1.2 When Storing Sensitive Data
(i) Full Disk Encryption: Sensitive university data must be encrypted (using whole disk encryption when technically feasible) if stored on a portable device such as a laptop, iPad or phone.
(ii) File Level Encryption: This level of encryption is appropriate when storing sensitive university or institutional data on portable media such as external drives and USB drives.
Employing any kind of encryption program or software like BitLocker or FileVault 2 is bound to be a daunting task and process.
In this report, I will explain the benefits of the proposed solutions and present the risks, so as to help those trying to decide on a better solution for encrypting computer drives on both Mac and Windows platforms. This report will also look at the risks of BitLocker and FileVault 2 encryption and how they can be resolved by presenting a number of solutions that can be implemented. It will also look at a hybrid solution in which other encryption software programs or solutions are used to manage or facilitate the native encryption programs already available in Mac OS and Windows.
2.0 Overview of BitLocker Drive Encryption (Windows)
In this section I will present an overview of two of the commonly used encryption programs – one for each computer platform (Mac OS and Windows). I will first describe BitLocker in its usual Windows setting and then provide an overview of FileVault 2 on the macOS platform. Windows 10 and other Windows editions contain an encryption feature called BitLocker Drive Encryption, which encrypts all data on the system volume. Like all other encryption software, BitLocker imposes some security requirements when one tries to encrypt a system drive. Sometimes these requirements cause real problems when it comes to deciding whether to encrypt a drive.
2.1 What Does BitLocker Do
BitLocker technology, like other encryption technologies, targets a very specific security situation – that of a computer containing confidential or sensitive data being stolen or lost. Statistically, the Federal Bureau of Investigation reports that on average a laptop is stolen every 53 seconds and that 1 in 10 individuals will have their laptop stolen at some point [6]. The recovery statistics for stolen laptops are even worse, with only 3% ever being recovered. This means 97% of stolen laptops will never be returned to their rightful owners. Most laptops belonging to the college departments contain confidential information in the form of documents, presentations, emails, cached data, and network access credentials. This institutional data is typically far more valuable than the computer hardware itself and is worth protecting. The university can easily replace a lost laptop at a moderate cost, but the cost of compromised information can be far greater than that. So when deployed, BitLocker can make it difficult for unauthorized people to access this confidential data on a lost or stolen laptop. One advantage of BitLocker is that IT administrators can deploy it easily on university laptops and without much user resistance. On the other hand, as a drawback, hardware-based attacks can undermine a BitLocker configuration. BitLocker’s continuous improvements and new features can eliminate many previously existing concerns, which were centered around exploitable vulnerabilities and a lack of centralized management.
2.2 BitLocker’s Main Features
Here is a list of BitLocker’s main features:
1. Direct Memory Access (DMA) port controls that help prevent the long-standing cold boot attack against encrypted drives.
2. Integration with Microsoft’s Azure Active Directory (Azure AD), which allows admins to back up recovery keys for Windows 10 systems that are joined to Azure AD domains.
3. XTS-AES encryption support that helps prevent known ciphertext attacks and assists organizations looking to be compliant with Federal Information Processing Standards (FIPS).
These features are nice, but it’s Microsoft BitLocker Administration and Monitoring (MBAM), a System Center Operations Manager management pack, that puts BitLocker squarely in the enterprise conversation. MBAM provides admins with a centralized tool for configuring, administering and enforcing encryption policies. There are also numerous group policies and PowerShell cmdlets admins can use to manage BitLocker-protected endpoints.
2.3 BitLocker’s Security Concerns
Taking into consideration that BitLocker makes use of a tamper-resistant TPM security chip, which is now incorporated in most computers, encryption using BitLocker cannot be a software-only technology. Making BitLocker a software-only solution would make it more vulnerable to software-only attacks. It cannot protect a computer against all possible attacks, e.g. malicious users, or programs such as viruses or rootkits that have access to the computer before it is lost or stolen. BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password is not kept secret. If university data on laptops is considered highly confidential, then BitLocker should be deployed with multi-factor authentication on those laptops. Further concerns:
1) If more than one person is going to use the encrypted machine, then the encryption key has to be shared with everyone, since BitLocker officially supports one login.
2) BitLocker is secure only if you use a PIN or USB stick for authentication.
3) There is no link between your Windows credentials and BitLocker credentials.
4) BitLocker does not support the concept of more than one user. Official Microsoft advice tells users to employ a PIN of six or more characters plus the TPM for authentication, and does not recommend TPM-only mode.
5) BitLocker supports only USB storage devices and PINs—no integration with any other token.
6) Active Directory and additional servers are required to administer BitLocker in a corporate environment.
7) You need extra software to prove BitLocker was enabled and protecting the drive at the time of a theft in order to claim protection under personally identifiable information laws. With BitLocker alone, one needs third-party software to give a real-time report on the state of protection of a lost machine.
8) BitLocker encryption and administration support only Windows—with no support for other operating systems, such as Mac or Linux.
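Section 2.3 notes that Microsoft does not recommend TPM-only mode and that proving a drive was protected at the time of a theft needs extra tooling. The following PowerShell script is an added example, not code from this report, Microsoft or WinMagic; it uses the built-in BitLocker module cmdlets to record each volume’s protection state against those criteria and to escrow recovery passwords to Active Directory. It assumes an elevated session on a domain-joined Windows 10 machine with the BitLocker module, and the report path is a placeholder.

```powershell
# Added example (not from the report, Microsoft or WinMagic): audit each
# volume's BitLocker state with the built-in BitLocker cmdlets and keep a
# timestamped record that can later show the drive was protected.
# Assumptions: elevated session, domain-joined Windows 10 with the BitLocker
# module; the report path is a placeholder for a location the department picks.
#Requires -RunAsAdministrator
Import-Module BitLocker

$ReportPath = "C:\ProgramData\EncryptionAudit\bitlocker-audit.csv"  # placeholder

function Get-BitLockerComplianceReport {
    param([string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'))

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Section 2.3: TPM-only is not recommended, so the OS drive must carry a
        # TPM+PIN protector, and a recovery password must exist to be escrowed.
        $tpmOnly     = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        $hasRecovery = $types -contains 'RecoveryPassword'
        $goodCipher  = $AllowedMethods -contains [string]$vol.EncryptionMethod
        $isOsDrive   = ([string]$vol.VolumeType -eq 'OperatingSystem')
        $compliant   = ([string]$vol.ProtectionStatus -eq 'On') -and
                       ([string]$vol.VolumeStatus -eq 'FullyEncrypted') -and
                       $goodCipher -and $hasRecovery -and
                       (-not $isOsDrive -or -not $tpmOnly)

        [pscustomobject]@{
            Timestamp        = (Get-Date).ToString('o')
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType
            ProtectionStatus = [string]$vol.ProtectionStatus
            VolumeStatus     = [string]$vol.VolumeStatus
            EncryptionMethod = [string]$vol.EncryptionMethod
            KeyProtectors    = ($types -join ';')
            TpmOnly          = $tpmOnly
            HasRecoveryKey   = $hasRecovery
            Compliant        = $compliant
        }
    }
}

# Escrow every recovery password to Active Directory so a lost laptop's key
# can be retrieved centrally instead of living on a USB stick or a sticky note.
# (Azure AD-joined machines would use BackupToAAD-BitLockerKeyProtector instead.)
function Backup-RecoveryPasswordsToAD {
    foreach ($vol in Get-BitLockerVolume) {
        $vol.KeyProtector |
            Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $_.KeyProtectorId
            }
    }
}

$report = Get-BitLockerComplianceReport
New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$report | Export-Csv -Path $ReportPath -Append -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Backup-RecoveryPasswordsToAD
```

Run on a schedule, the appended CSV rows give the department its own dated evidence of protection status, which is the gap item 7 above describes; the AD backup only succeeds where group policy permits recovery information to be stored in AD DS.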
3.0 An Overview of FileVault 2 Encryption (Mac)
3.1 FileVault 2’s Full Disk Encryption Solution
FileVault 2 is an encryption program native to the Mac OS X system, also known as the second generation of FileVault. It encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption, and can also encrypt any removable drive, in addition to securing Time Machine backups and other external drives. The original FileVault was introduced with Mac OS X Panther (10.3) [3] and could only be applied to a user’s home directory, not the startup volume. Apple referred to this original iteration of FileVault as legacy FileVault. FileVault 2 protects a whole volume with full encryption that can easily be operated by any user, regardless of whether they have dedicated IT staff or not. When using FileVault 2, users need not worry about encrypting each individual file or putting files in specific encrypted containers, because all the data on the entire volume is encrypted [4]. macOS High Sierra and newer offer APFS encryption, which is a significant redesign of FileVault 2 [5].
3.2 APFS and Encryption Concerns
In October 2017, Apple fixed a Disk Utility bug in macOS High Sierra which exposed the passwords of encrypted APFS volumes in plain text [5]. This serious security vulnerability was discovered by a Brazilian developer by the name of Matheus Mariano. Apple addressed this bug by releasing the macOS High Sierra 10.13 Supplemental Update, which was available from the Mac App Store. Towards the end of November this year, Apple’s patch for a serious password bug on macOS High Sierra was reported to have failed to fix the original problem, because the flaw had reappeared for some users.
3.3 Managing Existing Functionality of Native Encryption Systems
So there has to be a management solution that users can depend on and trust, one that can manage the existing BitLocker (Windows) and FileVault 2 (Mac) encryption systems and work around the out-of-the-box limitations presented by these two. This management solution should directly address the limitations on both the Mac and Windows platforms; for example, a system that improves on the functionality of BitLocker and FileVault 2 in such a way as to make them more secure and easier to manage.
4.0 Finding a Good Encryption Solution
4.1 What a Good Encryption Solution Should Be Able to Do
In this section, I am going to present some of the main features that I think a good encryption software solution should offer. It should take into consideration the two commonly used platforms for protecting data, i.e. Microsoft’s native encryption, BitLocker, for Windows and Apple’s native encryption, FileVault 2, for Mac OS.
On the Windows platform, a good encryption solution should be able to:
a) Allow an IT administrator to secure and manage all Windows 10 and Windows 7 PCs that support Microsoft BitLocker.
b) Manage BitLocker on machines running Windows 10 or 7 directly from third-party software like SecureDoc (WinMagic), Symantec, etc., without the need for a separate Microsoft BitLocker Administration and Monitoring (MBAM) server.
On the Mac platform, a good encryption solution should be able to:
a) Allow an IT administrator to secure and manage all Mac OS X versions, including macOS High Sierra, Sierra and El Capitan, on Macs that support Apple FileVault.
b) Remain compatible with OS X patches, upgrades, and firmware updates.
c) Provide single sign-on from FileVault’s pre-boot environment directly into Mac OS X.
d) Allow an upgrade from one major Mac OS X version to the next without having to decrypt and re-encrypt the drive.
Similar to BitLocker, FileVault 2 employs recovery keys to enable users to unlock their encrypted volumes if the disk is moved to a different device or if no user account with ‘unlock’ privileges is present on the system. Once FileVault 2 is enabled, the system creates and displays a recovery key.
4.2 Concerns with FileVault 2
The one problem with FileVault 2 is that it is “whole disk” encryption, meaning it is either on or off for the entire volume. When FileVault is on, no user can access the data unless they enter a password or key to unlock it. Once the drive is unlocked, the data becomes vulnerable. The new APFS in macOS High Sierra supports full disk encryption [6], but it can also encrypt individual files and metadata, with single- or multi-key support. This kind of feature guarantees additional security for your most confidential data.
5.0 WinMagic SecureDoc Enterprise Solution
The WinMagic SecureDoc Enterprise suite of programs is a comprehensive solution that offers full disk encryption (including support for both BitLocker and FileVault 2), file encryption, removable media encryption, mobile device management and a centralized management server. It does this through a number of different products that are used to fulfill the different feature requirements, including [7]:
a) The SecureDoc Enterprise Server (SES), which offers a centralized location to manage the other encryption components, including software-based full disk encryption, native full disk encryption support (BitLocker and FileVault 2), and self-encrypting drive (SED) support.
b) SecureDoc for Windows and SecureDoc for Apple, clients that support software encryption, native full disk encryption and SED management, file and folder encryption (Windows), and removable media encryption.
c) PBConnex, which offers network-based pre-boot authentication.
5.1 One Console for Endpoint Protection and Encryption Management
Use of a single console [7]: this console will be the one-stop shop, not only for protecting your endpoints from malicious software or targeted attacks but also for compliance reporting and encryption key recovery. Simplicity and ease of management will enable security personnel to stay focused and work efficiently.
5.1.1 Its Main Features
· Encryption management from the same cloud or on-premise console you are using for endpoint protection.
· Uses proven native encryption for Windows (BitLocker) and Mac (FileVault 2) and avoids performance issues; no new agent required.
· Simple to deploy full disk encryption to endpoints and manage or restore keys from the console.
· Encryption-specific reports that help the university demonstrate compliance.
· Pre-boot authentication enforcement.
5.1.2 Encryption Benefits
(a) Comprehensive data protection for the endpoint hard drive
· Prevents unauthorized access to all data when laptops are lost or stolen.
· Highest security certifications for compliance—FIPS, Common Criteria, BITS.
· Comprehensive platform support—including Windows and Mac OS X.
(b) Trusted and proven security for highly scalable deployments
· Proven in data security deployments covering many machines in a short time.
(c) Integrated into the endpoint security software architecture
· Combines endpoint full disk encryption software with other endpoint security software, e.g. Windows Defender.
· Highest security certifications for compliance—FIPS, Common Criteria, BITS.
· Single-console, centrally managed endpoint solution.
6.0 What I think of Using SecureDoc by WinMagic
1. Using WinMagic’s SecureDoc software will involve extra cost for the software. There is an initial per-device license cost and a support fee. The support fee covers updates, access to the knowledge base, and access to support technicians. I believe the upper tier of support also covers some online training materials.
2. The SecureDoc solution supports Windows, Mac OS X, and Linux, in addition to both domain and workgroup machines. SecureDoc can meet all the requirements for these operating systems. It doesn’t truly support Linux, but you can support Linux installs on self-encrypting drives that meet the OPAL2 standard.
a. Positives: single management console; consistent product across on/off-domain Windows machines; excellent support (WinMagic only does encryption, so their resources are very focused); the client program for Windows is highly customizable; the ability to require encryption on removable media; depending on client configuration, it is mostly transparent to the user.
b. Negatives: it does not always support OS upgrades immediately (e.g. the Creators Update for Windows 10, macOS High Sierra for Mac); the management console is complex and not always intuitive (an interface redesign is due out within the next year); file and folder encryption is an additional license.
3. End users will not see much of a difference in their configuration. SecureDoc can be set to boot automatically to Windows, similar to how BitLocker performs. The only time a user sees a SecureDoc pre-boot login is if they enter their Windows password incorrectly too many times. IT staff can encounter some challenges depending on how diverse their environment is. IT units with consistent purchasing (e.g. similar-era Latitudes) would tend to have very few issues. If maintenance is not done properly (BIOS updates, etc.) on computers of varying models, manufacturers, consumer and business lines, etc., then users will tend to experience more issues.
Here are alternatives to managing the native encryption:
• MBAM (BitLocker) – Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. It only supports Windows domain machines and it integrates very well with other Microsoft management tools such as SCCM. For organizations with Microsoft agreements, it is inexpensive to license.
• Jamf (FileVault 2) – Jamf (formerly Casper) is a fairly comprehensive Mac management tool that can also manage FileVault 2 encryption. The Jamf software allows you to manage FileVault 2 disk encryption on Mac OS computers by creating and deploying a disk encryption configuration using the Jamf Software Server (JSS) [5]. Here at OSU, Jamf is already licensed and in use on Macs by our IT technicians.
7.0 Barriers to Finding a Good Encryption Solution
Encryption is an invaluable security tool to ensure that even in the event of a user’s information being compromised, the data cannot be accessed by anyone. So the question now is, why is it that IT decision makers don’t choose to employ the best encryption solutions? Here are the things that I think can prevent them from implementing the best solution [9].
7.1 Lack of Budget
Lack of funding has been cited by most educational institutions as one of the top reasons. It is truly an understandable concern, and a good encryption solution can be an expensive project. But the potential cost of a data breach may significantly outweigh the initial budget. Another way to look at this expense is to consider that a laptop may cost as little as $300, but if the sensitive data on that laptop is breached, the financial repercussions can significantly overshadow the cost of the laptop itself.
7.2 Performance Concerns
A popular encryption myth is that it will kill database and application performance. Properly designed and implemented encryption will not only protect your critical data, but will have a minimal performance impact that is imperceptible to users. Even so, there is always a concern among users that data encryption slows down computer and network performance and reduces user productivity.
7.3 Lack of Encryption Deployment Knowledge
Besides having a reputation for being complex and costly, encryption can create major IT headaches because of the difficulty of planning, deploying and maintaining the system. It requires specialists, and finding the right IT partner will help you navigate smoothly through the encryption process and deal with questions such as identifying what data needs to be encrypted, where it lives and who needs access to it.
References
1. Encryption, “The HEISC Technologies, Operations, and Practices Working Group has Created a page on Full Disk Encryption”. Available at https://library.educause.edu/topics/cybersecurity/encryption
2. Federal Bureau of Investigation. Available at http://www.fbi.gov
3. Trusted Computing Group, TCG TPM Specification Version 2.0. Available at www.trustedcomputinggroup.org
4. Apple Technical White Paper, “Best Practices for Deploying FileVault 2: Deploying OS X Full Disk Encryption Technology”. Available at https://training.apple.com/pdf/WP_FileVault2.pdf
5. Apple, “FileVault 2 Features”. Available at http://www.apple.com/macosx/whats-new/features.html#filevault2
6. Peter Cohen, “APFS: What You Need To Know About Apple’s New File System”, March 27, 2017. Available at https://www.backblaze.com/blog/apfs-apple-file-system/
7. “WinMagic SecureDoc”. Available at http://www.winmagic.com/products/full-disk-encryption-for-mac
8. Technical Paper, “Administering FileVault 2 on OS X Mountain Lion with the Casper Suite v9.0”, August 2013. Available at https://resources.jamf.com/documents/technical-papers
9. Sophos, “The State of Encryption Today: Results of an Independent Survey of 1700 IT managers”, December 2015.
10. McAfee Data Sheet, McAfee Complete Data Protection: “Comprehensive endpoint encryption solution”. Available at https://www.mcafee.com/us/resources/data-sheets/ds-complete-data-protection.pdf