Throughout our 20 years of experience in the endpoint encryption market, who do you think our biggest competition would be? Symantec? McAfee, maybe? Wrong, and wrong again. Native crypto solutions like BitLocker and FileVault 2 dominate the endpoint encryption market. After all, why wouldn’t they? They’re free, they’re integrated into the operating system, and they do their job well. But are they really our competition?
Our teams at WinMagic have recently noticed a trend of IT security professionals asking, “Should I use BitLocker or [Fill in the Blank]?” We’d like to challenge that logic by answering your question with another. “Why should you have to choose?” Both offer unique benefits, so what if you could have the best of both?
Let’s start with BitLocker
BitLocker is integrated with Windows operating system, doesn’t require any additional software, and it’s actually pretty simple to operate. It’s designed to protect the integrity of the operating system, and it does exactly that with AES-128 bit or 256 bit (default) encryption. Overall, a solid starting point.
BitLocker – in most scenarios – requires TPM version 1.2 or higher to protect against any hardware or firmware tampering. Do you have a TPM chip in your laptop? Most likely. It’s a fairly universal technology nowadays. Even if you don’t, Microsoft gives you the option of using a USB device instead. In fact, BitLocker provides five different authentication methods, so let’s quickly walk through them:
- TPM + PIN is the Microsoft recommended option, but requires users to login twice – once at BitLocker pre-boot and again at Windows. Windows credentials and BitLocker credentials aren’t linked, so this option is secure, but not exactly user friendly, because there is no option for Single Sign-On (SSO)
- TPM + Network key allows Network Unlock, but requirements for a WDS server, UEFI and a wired network connection make it complex and just not viable in many IT environments
- TPM + Startup Key or Startup Key-only both require that each user carry a USB device containing the same encryption key – creating potential security and usability concerns
- TPM-only, the most widely used option in our interactions with customers, requires no user interaction whatsoever, but even Microsoft warns that it “offers the lowest level of data protection” and “can be affected by potential weaknesses in hardware…”
BitLocker offers flexible choices for authentication, but each seemingly comes with a compromise. Most players in the encryption market offer basic management of BitLocker, but is management really the issue here? I don’t think so. I think it’s the compromises. It’s forcing the choice between security and usability. BitLocker does not support the concept of more than one user. Even more importantly, password-sharing practices as a result of device-based PINs present a serious risk. And TPM-only is prone to Cold Boot, Firewire and other known attacks, never mind that it does not meet certain compliance requirements, such as PCI DSS. Oh, and did I mention smart cards are not supported for pre-boot. But I thought BitLocker was a “solid starting point”? If it is, then where do we go from here?
Let’s Dream for A Moment
Picture the Best of Both Worlds. Smooth, integrated, and high-performance encryption, all without compromise. Security and Usability – Together. What would it take? Well…
Bring Back the User
First things first. Bring back the user. If multiple users can login at Windows, then why should it be any different with encryption? Let’s give users one username and password for any device. Better yet, let’s allow unlimited users per device, without the need to share a password.
Next, let’s re-connect. Networking since its inception, has done wonders for computers, expanding their functionality beyond hardware limitations. Why should it be any different at pre-boot? Let’s leverage wired and wireless connections for fast, simple and secure authentication.
Now…What about Multi-Factor Authentication or MFA? No problem, let’s integrate with smartcards, tokens and biometrics. And what if a user accidentally or intentionally Decrypts or Suspends BitLocker? Simple. Let’s stop them in their tracks and re-encrypt automatically.
Never mind the users. What about IT? Let’s reduce time spent on provisioning and password resets with simplified processes. And why manage encryption differently on Macs than on PCs, or on Endpoints and in the Cloud. Let’s bring them all under one security umbrella.
Best of Both Worlds. It’s Reality.
Let’s start with what we now know. Third-party encryption vendors, including WinMagic, are constantly working to keep up with Microsoft system updates. On the other hand, BitLocker works seamlessly with Microsoft system updates, and it’s equipped with a fast, secure encryption engine.
But what if I want the best of both worlds? After all, third-party encryption and key management solutions offer many advanced features and cross-platform compatibility that BitLocker – with or without MBAM – simply cannot. What if I want high-grade security combined with the utmost flexibility and ease of use? Am I dreaming? Not today.
WinMagic’s SecureDoc On Top (SDOT) for BitLocker combines productivity and security for the ultimate enterprise solution. Now IT security professionals don’t ever need to ask, “Should I use BitLocker or [Fill in the Blank]?” Contact us today to make the Best of Both worlds a reality for your enterprise.