LOS ANGELES – BitLocker drive encryption on Windows Server 2008 is a promising means of protecting data in branch offices or anyplace that does not have a lot of physical security.
But before Windows Server 2008 becomes available early next year, there are a number of steps IT managers should take to determine whether this technology will be truly useful for security in lightly protected locations.
BitLocker drive encryption in Windows Server 2008 is an optional component: the additional bits must be installed before it can be used. BitLocker requires either a Trusted Platform Module (TPM) 1.2 chip on the motherboard or a BIOS that can read a USB device at boot. Two NTFS partitions are also needed on the hard drive, according to Tony Ureche, a program manager for Microsoft, speaking at the Windows Hardware Conference here last week.
For IT managers, there are several aspects to the planning process, Ureche said. First, an IT shop must conduct an informal audit to see what kinds of hardware it has. "Is this the time to purchase new hardware?" he said. "Will you do it soon?"
It is also important to take an inventory of which security policies are in place and which security tools are already deployed. IT managers must also ask themselves what type of authentication they want. Some departments need just baseline security, while others may need additional levels of encryption, Ureche said.
Data security strategy: Do you want users to create keys?
There is also the need to define a key management and recovery procedure. Do you want users to create keys? As far as a recovery strategy is concerned, IT shops must map out a plan for when something goes wrong, he said.
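As an added illustration (not from the article or from Microsoft), the following PowerShell script performs the informal hardware audit described above on a single machine: it checks for a TPM and whether firmware has enabled and activated it, counts the NTFS volumes on fixed disks, and tests whether the optional BitLocker component is installed. It assumes an elevated Windows PowerShell session and the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with the BitLocker component; whether the BIOS can read a USB device at boot has no WMI representation and still has to be confirmed in firmware.

```powershell
# Added example, not from the article or from Microsoft: a WMI-based
# readiness inventory for the informal hardware audit described above.
# Assumptions: runs elevated in Windows PowerShell; the Win32_Tpm and
# Win32_EncryptableVolume classes are available (they ship with the
# BitLocker component). BIOS support for reading a USB device at boot has
# no WMI representation and must be confirmed in firmware by hand.
function Get-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        TpmPresent        = $false
        TpmSpecVersion    = $null
        TpmEnabled        = $false
        TpmActivated      = $false
        TpmOwned          = $false
        NtfsFixedVolumes  = 0
        BitLockerProvider = $false
        ReadyForTpmMode   = $false
        Findings          = @()
    }

    # 1. TPM: the TPM-based protectors need a version 1.2 (or later) chip that
    #    firmware has enabled and activated and that Windows owns.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $r.TpmPresent     = $true
        $r.TpmSpecVersion = $tpm.SpecVersion            # e.g. "1.2, 2, 3"
        $r.TpmEnabled     = [bool]$tpm.IsEnabled().IsEnabled
        $r.TpmActivated   = [bool]$tpm.IsActivated().IsActivated
        $r.TpmOwned       = [bool]$tpm.IsOwned().IsOwned
        if (-not ($r.TpmEnabled -and $r.TpmActivated)) {
            $r.Findings += 'TPM present but not enabled/activated; turn it on in firmware before deployment.'
        }
        if (-not $r.TpmOwned) {
            $r.Findings += 'TPM not owned; initialize it (and keep the owner password) before enabling BitLocker.'
        }
    } else {
        $r.Findings += 'No TPM detected; only USB startup-key mode is possible, and the BIOS must read the USB key at boot (check manually).'
    }

    # 2. Partitions: an unencrypted NTFS system volume to boot from plus the
    #    NTFS volume that will be encrypted, both on fixed disks (DriveType 3).
    $ntfs = @(Get-WmiObject -Class Win32_Volume -ErrorAction SilentlyContinue |
              Where-Object { $_.FileSystem -eq 'NTFS' -and $_.DriveType -eq 3 })
    $r.NtfsFixedVolumes = $ntfs.Count
    if ($ntfs.Count -lt 2) {
        $r.Findings += 'Fewer than two NTFS volumes on fixed disks; repartition before enabling BitLocker on the OS volume.'
    }

    # 3. The BitLocker WMI provider exists only once the optional component is installed.
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    if ($vols) {
        $r.BitLockerProvider = $true
    } else {
        $r.Findings += 'BitLocker WMI provider not found; install the BitLocker feature first.'
    }

    $r.ReadyForTpmMode = ($r.BitLockerProvider -and $r.NtfsFixedVolumes -ge 2 -and $r.TpmEnabled -and $r.TpmActivated)
    [pscustomobject]$r
}

Get-BitLockerReadiness | Format-List
```

Run against a fleet (for example through remoting), the Findings column separates machines that only need a firmware change from those that need repartitioning or new hardware, which is the purchase decision Ureche describes.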
Although BitLocker is available only on the Ultimate and Enterprise editions of Windows Vista, it is available on every version of Windows Server 2008, Ureche said. Microsoft has not yet disclosed all of the specific SKUs for Windows Server 2008.
There are three new BitLocker features in Windows Server 2008 that do not exist in Windows Vista, he said. The first is support for data volumes, meaning any partition that does not contain the running operating system. Data volumes require BitLocker to be enabled on the operating system volume first.
The second is support for combined TPM, USB and PIN authentication, which is three-factor authentication. The third is support for UEFI (Unified Extensible Firmware Interface), on 64-bit machines only.
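As an added illustration (not from the article or from Microsoft), this PowerShell script audits the key protectors on each BitLocker-capable volume against the planning points above: the recovery procedure (is a recovery password present?), the data-volume rule (is the operating system volume protected before any data volume?) and how many pre-boot factors the operating system volume actually uses. It assumes an elevated Windows PowerShell session with the BitLocker component installed, identifies the OS volume by comparing drive letters with $env:SystemDrive, and uses the documented KeyProtectorType codes of Win32_EncryptableVolume.

```powershell
# Added example, not from the article or from Microsoft: audits the key
# protectors on every BitLocker-capable volume for the recovery, data-volume
# and multi-factor points discussed above. Assumes Windows PowerShell running
# elevated with the BitLocker component installed. The OS volume is identified
# by its drive letter matching $env:SystemDrive (an assumption; newer Windows
# versions also expose a VolumeType property on the same class).
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    # KeyProtectorType codes as documented for Win32_EncryptableVolume.
    $names = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
                4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
                7 = 'PublicKey'; 8 = 'Passphrase' }
    # Pre-boot factors each protector type supplies (TPM, PIN, USB startup key).
    $factors = @{ 'TPM' = 1; 'ExternalKey' = 1; 'Passphrase' = 1
                  'TPMAndPIN' = 2; 'TPMAndStartupKey' = 2; 'TPMAndPINAndStartupKey' = 3 }

    $systemDrive = $env:SystemDrive                      # e.g. "C:"
    $vols = @(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                            -Class Win32_EncryptableVolume -ErrorAction Stop)
    $os = $vols | Where-Object { $_.DriveLetter -eq $systemDrive } | Select-Object -First 1
    $osProtected = ($os -ne $null) -and ($os.GetProtectionStatus().ProtectionStatus -eq 1)

    foreach ($vol in $vols) {
        $isOs      = ($vol.DriveLetter -eq $systemDrive)
        $protected = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)   # 1 = protection on

        # Resolve each protector id to its documented type name (type 0 = all protectors).
        $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @(foreach ($id in $ids) {
            $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            if ($names.ContainsKey($code)) { $names[$code] } else { "Type$code" }
        })
        $preBootFactors = 0
        foreach ($t in $types) {
            if ($factors.ContainsKey($t) -and $factors[$t] -gt $preBootFactors) {
                $preBootFactors = $factors[$t]
            }
        }

        $findings = @()
        if ($protected -and $types -notcontains 'NumericalPassword') {
            $findings += 'No recovery password protector; escrow one before relying on this volume.'
        }
        if ($isOs -and $protected -and $preBootFactors -lt 2) {
            $findings += 'OS volume uses a single pre-boot factor; consider TPM+PIN or TPM+PIN+startup key where the hardware allows.'
        }
        if (-not $isOs -and -not $osProtected) {
            $findings += 'OS volume is not protected; BitLocker must be enabled there before this data volume.'
        }

        $role = if ($isOs) { 'OS' } else { 'Data' }
        [pscustomobject]@{
            Drive          = $vol.DriveLetter
            Role           = $role
            Protected      = $protected
            Protectors     = ($types -join ', ')
            PreBootFactors = $preBootFactors
            Findings       = ($findings -join ' ')
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

The PreBootFactors column makes the three-factor case visible: a volume whose protector list includes TPMAndPINAndStartupKey reports 3, one that relies on the TPM alone reports 1, and a data volume shows 0 because its unlock depends on the operating system volume rather than on pre-boot authentication of its own.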
BitLocker is a good idea for protecting physical data in data centers at unsecured sites, at least in theory. Whether it works as advertised remains to be seen, said John Enck, an analyst at Gartner Inc. in Stamford, Conn.
On client machines, BitLocker drive encryption is particularly helpful for protecting laptops, Enck said. It is also useful for servers in transit: IT managers can encrypt the data on the server before it is shipped to a far-flung retail location or any lightly protected area, and then send the key out of band. Enck said he has yet to perform a real-world BitLocker evaluation on the server.