Sunday, March 5, 2017

Securing data on local storage devices

Mad genius cybercriminals exist mostly in movies and pulp fiction. In reality, your data is more likely to be stolen by an old-fashioned thief, with no technical skills required. As we increasingly rely on mobile devices, those risks increase.

If someone walks away with a laptop or tablet stuffed with confidential corporate information, you’ll be able to sleep better if you know that the data on that device is encrypted and protected by a strong password. You’ll get an even better night’s sleep if you’re able to wipe the confidential data clean remotely, from an administrative console.

In certain regulated industries, having a comprehensive and effective data-protection plan isn’t just a good idea, it’s mandated by law and backed by threats of fines and jail time.

As a direct response to those realities, Windows 10 incorporates robust data-encryption options that encompass a full range of devices. Device encryption is now a standard feature in all editions of Windows (provided that the underlying hardware supports it). That’s a significant change from previous versions, which traditionally reserved that feature for business/enterprise editions. Encryption is enabled by default on Windows 10 Home devices that include a TPM. Pro and Enterprise editions can be configured with additional BitLocker protection and management capability.

Device encryption
On any device that supports the InstantGo (formerly Connected Standby) standard and is running Windows 8.1 or Windows 10, data is encrypted by default. On a device that clears those two hurdles, even one intended for casual use by consumers, encryption is automatically enabled for the operating-system volume during setup.

This encryption initially uses a clear key, allowing access to the volume until a local administrator signs in with a Microsoft account and, by so doing, automatically turns on encryption. The recovery key for an unmanaged system is automatically stored in the user’s OneDrive storage in case an administrator needs to recover the encrypted data later (in the event of a hardware failure, for example, or a complete reinstall of Windows 10). If you need to reinstall the operating system or mount the drive on a new PC, you can unlock the drive with the recovery key (which is stored at and reseal the drive with a key from your new machine.

BitLocker Drive Encryption
From a technological standpoint, Device Encryption and BitLocker are identical. Both device encryption and BitLocker default to 128-bit Advanced Encryption Standard (AES), but BitLocker can be configured to use AES-256.

The most important advantages for BitLocker in enterprise scenarios involve control and manageability. BitLocker comes with a long list of features that are appropriate for enterprise-class data protection, including the capability to store encryption keys using Active Directory (for data recovery if a password is lost, for example, or an employee leaves the company and management needs to access encrypted files on a company-owned device). The Network Unlock feature allows management of BitLocker-enabled devices in a domain environment by providing automatic unlocking of operating-system volumes at system reboot when connected to a trusted wired corporate network.

Normally, BitLocker uses software-based encryption to protect the contents of Windows operating-system and data volumes. On devices without hardware encryption, BitLocker in Windows 10 encrypts data more quickly than in Windows 7 and earlier versions. With BitLocker in Windows 10, you can choose to encrypt only the used space on a disk instead of the entire disk. In this configuration, free space is encrypted when it’s first used. This results in a faster, less disruptive encryption process so that enterprises can provision BitLocker quickly without an extended time commitment.

An administrator can use Group Policy settings to require that either Used Disk Space Only or Full Encryption is used when BitLocker Drive Encryption is enabled. The following Group Policy settings are located under the Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption path of the Local Group Policy Editor:

■ Fixed Data Drives > Enforce drive encryption type on fixed data drives

■ Operating System Drives > Enforce drive encryption type on operating system drives

■ Removable Data Drives > Enforce drive encryption type on removable data drives

For each of these policies, you can also require a specific type of encryption for each drive type.

In Windows 8 and later versions, BitLocker supports a new type of storage device, the Encrypted Hard Drive, which includes a storage controller that uses hardware to perform encryption operations more efficiently. Encrypted Hard Drives offer Full Disk Encryption (FDE), which means encryption occurs on each block of the physical drive rather than data being encrypted on a per-volume basis.

Windows 10 is able to identify an Encrypted Hard Drive device, and its disk-management tools can activate, create, and map volumes as needed. API support in Windows 8.1 and later versions allows applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption. The BitLocker Control Panel allows users to manage Encrypted Hard Drives using the same tools as
on a standard hard drive.

Remote business data removal
In Windows 8.1 and later versions, administrators can mark and encrypt corporate content to distinguish it from ordinary user data. When the relationship between the organization and the user ends, the encrypted corporate data can be wiped on command using Exchange ActiveSync (with or without the OMA-DM protocol). This capability requires implementation in the client application (Mail, for example) and in the server application (Exchange Server). The client application determines whether the wipe simply makes the data inaccessible or actually deletes it. This feature includes support for an API that allows third-party apps to adopt the remote-wipe capability.

Source of Information : Microsoft Introducing Windows 10 For IT Professionals

No comments: