​Compliance & GDPR​

Even if you are lucky not being in a regulated market, you still need to define your own security policies and comply to governmental regulations like the EU GDPR. Vendor compliance often demand from any relevant supplier AES-256 encryption including strong authentication (two-factor, multi-factor).

The EU GDPR enforced state-of-the-art security methods to be implemented if you store or process personal data. State-of-the-art security imply encryption by any means.

The German BSI (Federal Office for Information Security) defines state-of-the-art client encryption using AES-128 or AES-256 plus an explicit user authentication using a strong password or a cryptographic key media. Therefor transparent authentication of an encryption solution does not comply to state-of-the-art security.

Learn more on public available references:

• German BSI - IT-Grundschutz M4.337: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04337.html
• SEC4YOU: https://sec4you.com/dsgvo

To access confidential or sensitive encrypted data the user need to authenticate himself using one-factor authentication (e.g. password) or multi-factor authentication (e.g. password plus smart card or password plus smartphone asset). The user name is not counted as authentication factor, but sometimes the mobile device - tablet or notebook - is seen as an additional factor in user authentication.

Any transparent authentication of an encryption solution bypasses the declaration of a users intent to activate access to confidential data, therefore Secure Disk for BitLocker refrain from transparent authentication and offers crypt​ographic encryption only.

Our recommendation is:

1. Use user defined credentials only, instead of companywide BIOS boot password or TPM-Pin
   
2. Consider strong encryption authentication, like smart phone multi-factor authentication, smart card or PKI/token authentication, or biometric ​methods
3. Stuck to cryptographic standards! A password can calculate a cryptographic key to be used for encryption, a smart card or mobile app also can hold a cryptographic key.
4. Don't try to hide secrets! If you try to hide key in applications, the filesystem, or you obfuscate passwords, that all is a bad idea. Attackers have loads of time and resources to break your trick!

​BitLocker Management - ​Effective Encryption Operation

To enroll BitLocker Microsoft offers Power​Shell scripts that need to be enrolled. As native BitLocker requires Trusted Platform Modules (TPM) to be available on all clients, the script first need to activate and initialize the TPM on the motherboard. In heterogeneous enterprise environments typically 10% of the ​initialization fail due to incompatible TPM modules or missing/wrong/old drivers. If the TPM ​initialization is successful the user need to define the TPM PIN, as companies choose secure encryption operation. Then GPO defined BitLocker settings are enrolled on the client network.

If you are lucky, to have MBAM licensed. Microsoft MBAM allows you recovery key management and compliance reports. Still user help desk is only available based on the 48 hex-digit BitLocker recovery key.

Choosing Secure Disk for BitLocker give you all BitLocker management functions you are missing now:

• TPM-free BitLocker operation to get rid of all TPM related issues
  
• Worry free self-enrollment process - proven in rollout scenarios of 100.000+ clients!
• Central management of security policies, based on Active Directory groups
• Online help desk and challenge/response offline help desk
  
• Central security dashboard including a secure wipe function
  

​Best Protection Intellectual Property

​Organizations today need to secure their intellectual property (IP) from any unauthorized access and usage. Company IP include trademarks, copyright, patents, industrial design rights, industrial ​recipes, manufacturing processes, ​calculations, customer base, and many ​other company internals and secrets.

As many of ​that intellectual property information are stored on workstation, notebooks and tablets or held on clients in the users synchronized mailbox, this information need an excellent encryption protection​.

​Secure Disk for BitLocker offers a one-stop ​endpoint encryption management with auditable security controls. An ideal solution to enforce encryption in enterprises to protect intellectual property.

​​​​User Acceptance ​- UX Matters!

​Most important for the user acceptance is an intuitive and supportive software. Even complex tasks like data encryption or user authentication need to be as simple as possible.

​Organizations using Secure Disk for BitLocker ​typically inform their users only days prior the rollout. The user credentials required for encryption authentication is captured in the "self-init mode" fully automated and transparent to the user. After credential capturing every single reboot is authenticated in the pre-boot phase.

If multi-factor authentication (smart card, PKI/token, biometric, smartphone app) is enabled, all authentication steps intuitively can be performed without user training.

​Operational Cost Reduction

​The ​operational costs of BitLocker are ​underestimated by most companies. Not including the ​initial rollout costs or hardware investments in the client infrastructure the operational costs are:

• TPM integrity check related support issues
  
• ​Forgotten TPM pin
  
• ​Forgotten BitLocker password
  
• Support costs for BitLocker recovery key handling
  
• Data recovery on defective client hardware
  
• Disk wipe on client withdraw
  

​With Secure Disk for BitLocker we ​eliminate all typical operational costs to a minimum:

• ​Eliminate TPM related costs by using the TPM-free protector of Secure Disk
• Use Secure Disk effective online and offline help-desk for lost passwords and data recovery
• Fully integrated recovery key handling - central managed and transparent to the users
• Secure wipe by a simple mouse click including a deletion confirmation
  

​Increased Efficiency: User and Clients

​​Efficiency tools like "Network Friendly Mode" and Online Helpdesk will help users to manage their encrypted client easily and without time lost.

Using "Network Friendly Mode" in industrial clients gives the advantage to boot a client automatically if the client is not manipulated in the secure LAN or WLAN.

Any lost or forgotten password or authenticator can be bypassed using highest crypto​graphic methods using the user friendly help-desk features. This includes a forgotten Windows password which often is a dead end for mobile users.

​Regain Control of Your Data

​As sensitive ​and confidential data is spread over hundreds or thousands of clients, most companies lost control of the locations these intellectual properties are stored. Windows passwords on client machines does protect local stored data from normal users only. Professional attackers will use alternate boot systems or password reset tools to bypass any Windows password protection installed. After​ the attack every single file is exploited to either blackmail the ​organization or is sold for espionage reasons.

By the ​[#1] use of full-disk-encryption ​organizations can enlarge ​a well-defined secure zone to all client machines, including Windows desktops, notebooks and tablets. Now companies can safely store their ​confidential data on ​encrypted clients, even if these devices are sometimes lost or stolen.

​Full-disk-encryption need to be supported additional security controls to regain control of your data:

• ​​[#2] Security policies for data exchange by email, often supported by email encryption solutions
  
• ​​[#3] Encryption for cloud storage and cloud servers
  
• State of the art ​[#4] security controls including SIEM analysis and ​[#5] regular security audits.