Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization. The first article on “Types of attacks for volume encryption keys” lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.”
Back in November of last year, I was part of a conference call with a European customer who needed some high level reassurance from us. As part of that request, they mentioned that our customer portal could not help them properly manage support tickets. Thus, I hijacked the call and started a GoToMeeting session from my desktop. I gave them the opportunity to walk me through exactly what they found problematic about our customer portal. For the next 20 minutes they did a masterful job of highlighting what areas of the customer portal simply weren’t working for them. And If put myself in their shoes, I could see that they were not only right, but it was likely that other customers felt this way and had never said anything to us.
With this knowledge, I did something radical, which was to hold many meetings over the next two months where I would bring a proof of concept to the table, and have the customer critique it. This helped us to get to where we are today. Which is, to announce the release of Phase One of our enhanced customer portal.
In April 2015 I wrote about “Intelligent Key Management for the Cloud”. In that blog I described the various models for encryption and key management for virtual workloads running in IaaS including:
Recently, I was on the phone with a customer who asked me this question: “How can we better help you to help us?” That’s a question that I was not used to getting. But it made me think about what customers could do to get better tech support. I ended up taking a day or two for me to really think about it, but I came up with the following which I decided to share with you:
In the past I have tried to make the case for encrypting physical servers on premise. The argument for not needing to encrypt them is usually that these servers run for weeks, months or even years without being brought down, and that they are physically protected within a well-fortified data center. The protection that FDE (Full Drive Encryption) brings only really applies to data at rest and it seldom is at rest on these servers. I would counter that all drives eventually leave the data center for repair or disposal and having them encrypted protects you from having your old drives with your customer data on them show up on eBay. An encrypted drive can be quickly and easily crypto-erased if it is still operational, and if not, the data is still not accessible without the encryption key.
Today with virtualization and especially with hyperconvergence infrastructure (HCI) the attack surface has greatly expanded and therefore the need for FDE has greatly increased. But before I make my case, here is some background on HCI:
A hyper-converged system is a pre-configured virtualized server platform that combines compute, storage, networking, and management software in a single appliance. Hyper-convergence enables customers to simply and rapidly deploy mixed-workload and virtual desktop integrated infrastructure solutions across local or remote locations. i.e. it is a mini Cloud in a box that can be connected to other HCI boxes.
HCI boxes are still physical things kept on premise, and the argument above for protecting them with FDE still applies. However, the argument for not encrypting them doesn’t. HCI workloads run in Virtual Machines (VM) on top of the hypervisor, not directly on the physical hardware. It is the VM and its data that needs protecting. In today’s fast moving environment the VMs come up and go down much more often than physical machines. In some cases VMs come and go several times a day. When an admin takes a snapshot of running machine or turns it off, the VM is at rest and a VM at rest is just a big file. It can be copied onto a USB memory stick or over the network. In fact one of the advantages of HCI is that workloads (or VMs) can be moved around easily from HCI node (box) to HCI node. Looking forward, HCI vendors are working with the public cloud providers, such as Google, to move workloads seamlessly back and forth between on premise and the public cloud. So unlike physical servers VMs can move around a lot and often are in a data at rest state. This is the perfect application of FDE, but not at the physical (hardware) level. If we encrypt only at the physical level, the only protection we get is for the disposal or loss of the physical drive. However, the VM, is easy to move around, and is still in plain text if copied even when using physical level FDE. The answer then is to encrypt the VM itself, preferably with in-guest encryption that is independent of the hypervisor with the key under the control of the enterprise. This way even if the VM is moved to another HCI box – perhaps in another country or even into a public cloud – the customer keeps control of the data, because it can decide to provide the key or not to decrypt and unlock the VM.
Advantages of VM encryption for HCI include:
- Scalability: VM-level Encryption is highly scalable. It is protection that actually resides with your data and scales with each new VM brought up.
- Security: Physical level Encryption protects against lost or stolen physical drives. VM-level Encryption protects against lost or stolen physical drives, unauthorized data movement, access, replication, etc.
- Continuity: With physical level Encryption, workloads are decrypted (unprotected) in-transit – no continuity in security model. VM-level Encryption protects workloads continuously, persistently as they move, clone, snapshot across your infrastructure
- Portability: Physical level Encryption is reliant on exactly that, your hardware – but what about hybrid IT and workloads in-transit. VM-level Encryption eliminates lock-in to hardware, hypervisors or cloud providers – it’s completely portable protection
- Flexibility: VM-level encryption allows you to encrypt sensitive workloads and run them securely alongside your non-sensitive workloads. Different keys and policies can apply to different VMs
- Governance: VM-level Encryption enables boot-based policies so you can control, who can access your data, where your data resides and how it is protected
- Termination: VM-level Encryption allows you to securely terminate individual workloads as you’re finished with them – it’s simple
To summarize, in the old world some can rationalize not encrypting their physical servers, because there are compensating physical controls such as locked doors and sturdy walls. In today’s world with HCI and virtualization, workloads are virtual, dynamic, mobile, scalable and vulnerable. The solution is to protect them with in-guest encryption with keys under the control of the VM owner.
So you’ve heard – Windows 10 has hit the PC world by storm, with widespread adoption in the private and public sector catching up to the consumer side. According to Gartner, the adoption of Windows 10 is faster than previous OS and the traditional refresh cycles are shortening. What’s driving the movement? Well, it’s a combination of events really, all based on one common need – Security.
One of the things that is unusual about me is the fact that I like to take customer support calls. Now you might find that weird as I do run a global support organization, and presumably I have better things to do than to take tech support calls when I have a staff that I have hired to do that for me. However, I feel that in the interest of making my support organization better, I need to be on the phones from time to time, digging into cases that get submitted via our customer portal, or by e-mail. Here’s why:
Our Product Marketing Manager, Aaron, and I had a watercooler chat the other day about taking a fresh approach to a corporation’s IT Security in the likes and regularity of spring cleaning. An approach like this would be ideal – you would have an up-to-date inventory of your hardware, you would have up-to-date software, and a complete 360 view of your organization. After completing what might be an onerous task, you would be able to identify the robustness of your environment, where your gaps might be, and where you have room to improve. In general, one might argue you would feel ‘in control’.
Canada’s economy is built upon the success of our citizens, their ingenuity and innovations. WinMagic CEO, Thi Nguyen-Huu speaks of his passion for innovation in building WinMagic, its comprehensive data security solutions, and the value that we bring to our customers in this video produced by Collins Barrow, one of Canada’s largest associations of chartered accounting firms, in celebration of Canada’s 150th birthday!
Businesses and Organizations in the U.S. Healthcare Industry are arguably subject to the most stringent data privacy and security laws on the planet. If you’re a Healthcare IT leader involved in compliance efforts – we certainly sympathize with you. Recently, Aaron McIntosh and I held a webinar on HIPAA Compliance for 2017 and Beyond in partnership with HiMSS – a 60,000+ member not-for-profit organization dedicated to improving healthcare through the best use of IT1. Our aim was to improve Healthcare IT leaders’ understanding of HIPAA in the context of the trends, breaches and common compliance issues we’re seeing across the industry so far in 2017. But it turns out that we gained far more insight than we shared with our audience of more than 140+ IT and Compliance leaders.
Recently I was on a call with a customer where one of my Team Leads and the Support Agent did most of the talking. Part way through the call, the customer asked me why I wasn’t saying anything. My response was that both my Team Lead and Support Agent had a plan that made sense and could speak to that plan. On top of that they had the ability to make decisions and adjust the plan without running it by me. Finally, I had complete confidence and faith in their abilities. The fact that I was willing to put that much faith in my people and give them that much latitude was surprising to the customer. And it’s likely surprising to you as well. But I see making the people who report to me as independent as one of the keys to having a world class support organization. To that end, here’s what I do to encourage independence within the Tech Support organization at WinMagic.
As an enterprise, you should not need an occasion to ensure that your security practices are up-to-date, fine-tuned and resilient. However, when immersed in the day-to-day it’s easy to overlook or neglect some of the standard best practices to securing your environment. The first signs of spring seem to trigger an inherent need to clean, and it’s no longer isolated to the garage or the cottage. It’s easy and worthwhile to apply the concept of spring cleaning, an annual event, to getting your security house in order too.
Here’s a 6 point checklist to get you started!
Throughout our 20 years of experience in the endpoint encryption market, who do you think our biggest competition would be? Symantec? McAfee, maybe? Wrong, and wrong again. Native crypto solutions like BitLocker and FileVault 2 dominate the endpoint encryption market. After all, why wouldn’t they? They’re free, they’re integrated into the operating system, and they do their job well. But are they really our competition?
From May 17th to 19th, I had the pleasure of attending the Fifth International Cryptographic Module Conference (ICMC 2017) with my colleague, Alexander Mazuruc. Alex usually attends this conference which focuses on cryptographic modules and FIPS 140 type issues, but this year there were 8 tracks on related subjects such as Quantum-safe crypto (yes, that is a thing), and Common Criteria. The conference had about 35 different sponsors including the Trusted Commuting Group. Overall I found the conference very informative and a good place to network in the community.
We often talk about flexibility in IT in instances of user-friendly experiences like knowing your Microsoft Word doc will open in Apple’s Pages, or the ability to accept or decline a meeting request from your iPhone with an Outlook account. But, what is being developed behind the curtains for IT flexibility is going to change how the world uses technology.
As data privacy concerns and supporting regulations escalate, are companies really prepared to ensure protection of their customers’ personal identifying information (PII) and to quickly and accurately report a breach should one occur? WinMagic recently conducted a survey of IT decision makers in the U.S., UK, France and Germany to assess their companies’ capabilities in these areas – and the findings should raise some red flags.
To be frank, I wouldn’t be where I am right now if I didn’t cross paths with people who believed in me and gave me a chance. Thus I need to send the elevator back down to bring the next generation of talent up to where I am. That’s why I was thrilled to have been invited to represent WinMagic at the Glenforest STEM (Science Technology Engineering Math) Conference as a “speed mentor.” That meant that I would be set up in a room, and high school students in groups of three to five will come in and be seated with a mentor. From there, the students will be given five minutes to ask questions pertaining to my career before rotating to another mentor. The logic was that by doing these “speed mentoring” sessions, the students would get an amazing opportunity to learn more about the STEM careers available to them as well as to ask questions in a more personal environment. Thus I agreed to be a “speed mentor” for roughly 1000+ students.
In May 1986, a little-known Swedish band called Europe released their international breakthrough album, The Final Countdown – topping the charts in 25 countries. Thirty years later in May 2016, the European Commission released the official EU General Data Protection Regulation (GDPR) – another international breakthrough with a far greater global impact, albeit on the data privacy and protection landscape. But when legislation becomes law on May 25th 2018, will you be prepared? With just one year left, it’s the final countdown.